Beyond the Alert

How to Stop SOC Analyst Burnout: Peacetime vs Wartime Framework



Robert Maxwell, Security Operations Leader, runs a peacetime versus wartime operating model: analysts get flexibility during normal operations to balance out the 16-hour days that incidents often demand. He also turned Google Drive "did you share this publicly on purpose?" alerts into Slack bot interactions, eliminating repetitive analyst work.

Robert also amplifies team successes upward and absorbs criticism downward. He warns that scope creep kills incident response teams when executives reassign them to vulnerability management because "the IR team is good at fixing things," that eliminating entry-level roles destroys the talent pipeline for Tier 2 and Tier 3, and that alert prioritization judgment comes from triaging thousands of alerts under time pressure.

Topics Discussed:

  • Using "explain how the internet works" interview questions to identify candidates who demonstrate intellectual honesty and research skills
  • Peacetime vs wartime operating models that balance analyst flexibility during normal operations with intensive incident response expectations
  • Automating repetitive Google Drive security alerts through Slack bot interactions to free analysts from time-consuming workflow tasks
  • Keeping spans of control at 8-12 direct reports so managers can do meaningful people development rather than administrative timecard management
  • Preventing scope creep that transforms effective incident response teams into catch-all security functions
  • Preserving Tier 1 analyst roles as essential talent pipelines for developing Tier 2 and Tier 3 expertise through alert triage experience
  • Building alert prioritization judgment through thousands of real-world investigations rather than skipping directly to complex security work
  • Addressing staffing redundancy failures that ignore team vacation patterns and create unsustainable SOC coverage gaps


Beyond the Alert, by Dropzone AI