Narrator
You're listening to the Cyberwire Network, powered by N2K.
Kim Jones
Welcome to the season finale of CISO Perspectives. I'm Kim Jones and I want to start by thanking you for joining us throughout this incredible journey. Over the past season, we've taken the deep conversations out of the conference, or more realistically, the conference bar, and brought them to the forefront. We've unpacked the complexities of the cyber talent ecosystem, heard from a range of thoughtful voices, and challenged conventional thinking from every angle. Today, we're closing out the season with a special twist. I'll be turning the mic on our very own Ethan Cook. Ethan is the writer, researcher, and the sharp mind behind many of the conversations you've heard this season. He's been with us behind the scenes, and now he's stepping into the spotlight again to share his reflections on the season's biggest insights. Let's get into it. The last time you and I did this, Ethan, the roles were reversed. Got to tell you, I'm much more comfortable on this side of the mic, so.
Ethan Cook
So welcome.
Kim Jones
And how you doing?
Ethan Cook
I'm doing well, Kim. It is a beautiful day in the DMV area, so I can't complain.
Kim Jones
All right, all right. So you and I came together and met as you were doing the production work and the uplift work and the editorial work on this podcast. What was your exposure to cybersecurity prior to taking on this role?
Ethan Cook
Yeah, great question. So traditionally, little to none. I graduated from college and it had literally nothing to do with cyber. And as we've kind of found throughout the show, everyone seems to find a stumble of a way into cyber. And so I would say I have an understanding. Not a technical understanding, but an understanding.
Kim Jones
Cool.
Ethan Cook
Cool.
Kim Jones
And that's one of the reasons I wanted my audience to understand and one of the reasons I wanted you to do the season wrap-up with me, because you will be as close to having a non-biased, tabula rasa view on the topic and the things you've heard, et cetera. So I'm hoping we can turn this episode into a, for lack of a better term, a highlight reel as to some of the guests, some of the themes, et cetera, from someone who is taking a big air quotes, outsider's view looking in versus the biased, cantankerous old fart who's actually hosting within the environment. So let's take a larger step back first and take a look regarding the theme of the cyber talent ecosystem as a whole. Given what you have heard, read, researched, because you run my blog, what are your thoughts regarding the ecosystem as a whole before we start deep diving on different portions of it? Ethan?
Ethan Cook
Yeah. So taking a step back and looking at it from a zoomed out view, I would say the first thing of my observations is fear. There's a lot of fear in the ecosystem right now where it feels that people are unwilling to take a risk, whether that be on developing training and development programs because they're sinking a lot of money in that could go somewhere else. Whether it could be fear of upsetting C suite other C suite members and kind of rocking the ship to a degree. Whether it is fear of bringing on someone who is maybe not the perfect employee, maybe they're a fresh out of college or a year out of college, they don't have a ton of technical experience or the technical experience that you quote unquote need right away and they may make a mistake and because of that you just choose to not do that and go for a very seasoned and probably more expensive person. So first observation I would say is fear. The second observation that I would say is opportunity. While there was a lot of talk throughout the season of wow, this is a problem, that's a problem none of it ever came away with. This is an unsolvable problem or this is something we can't fix or we can't address or we can't do something about. It's more so we need to come together as a group, whether that be in a quote unquote system, like a medical system, or like the bar. We've always come up a couple times and have a consistent, defined way that we want to approach this or acknowledge that that's not going to happen and be content with the results of that. None of it ever felt like, oh, this is a, we just have to accept the fact that we are never ever going to get the budget we need or we are never ever going to get the perfect talent pipeline or whatever it was. We have to take a step back and really assess what we actually want.
Kim Jones
So yeah, you, you, you going to double click on a couple of those things. So let's start with the fear aspect and in terms of how it relates to talents. And you talked a little bit regarding a lack of desire to accept the possibility where a mistake could be made. So back in episode 11 we brought in Ed Vasco, CEO serial entrepreneur and he talked a lot about regarding that last component that seems to be missing as we're upskilling people and that is practical skills and real world experience within the environment.
Ed Vasco
Just like in medical, medical space. We have training hospitals, we have training programs that not all hospitals, not all doctor's offices accept residents, you know, accept residencies there, you know, there are a select number. And it's by that selection process that the industry within the medical program gets, gets moved forward. And so there's this self selection. Most of these teaching hospitals are attached to a university. They are attached to. They combine the academic program and the experiential learning program. So I took the same kind of metaphor, same sort of alignment and said, well, the benefit I have here is that I'm attached into a university. They've given me the opportunity to build these kinds of platforms. Let's say in your experience as an operational cyber leader, would you be willing to allow early career professionals that opportunity to come in into a commercial SOC or into an operational SOC like NewGround and have consequence?
Kim Jones
But it's really interesting that I think one of the things that I also felt from the season is you're right, everybody wants that level of experience, but there's still that couple of things that still that reluctance to create the mechanisms that allow people that experience.
Ethan Cook
Absolutely.
Kim Jones
The reluctance to, okay, that's great, we need you to get experience somewhere. But you first, you hire the intern, you do X, you do Y. And you know, it seems like we're talking out of both sides of our mouth about those things, you know, within the environment. So let's, let's double click on the other piece that you said regarding the opportunity. And I'm, I see you're right. In terms of the overall, in terms of that this is something that nobody has thrown up their hands and said it can't be done, which is great. But it seems to me that the nature of that opportunity is still ill defined. And where I'm going back to is Will Markow's. Will Markow's episode where he talked about the data regarding what is the nature of the cyber opportunity out there and the openings that are out there. You want to talk to me a little bit about that one?
Ethan Cook
Yeah. So, you know, for, for context, for those who hadn't heard that episode, Will Markow came on and talked about CyberSeek data. He was one of the, one of the head people behind that. And one of the things that I thought was just super illuminating about that conversation was how people are misusing CyberSeek data. Whereas people look on CyberSeek data and they see there's 700,000, 600, whatever the number is, thousand of jobs that are open. And we say, oh my God, we look at this massive talent gap we have, we have nearly a million jobs unfilled. And he said that's not the case. Reality actually is that that's data collected over a period of time. I believe you mentioned one year. And instead that is not at a current moment. That is what we've seen over this year.
Will Markow
I have heard so many people at very high levels of the federal government and other places misuse the data. What that number actually is is that's how many unique job openings we saw over the past 12 months, which were unique online. It also isn't just what we think of as core cybersecurity workers. We're also looking at the network administrators who are responsible for cyber within an SMB or other IT professionals or even some cases, maybe even non IT professionals who still have a significant security component to what they do.
Ethan Cook
When I think back to Will's episode, something that really stuck out to me was the impression. I think one of his best moments in that was his quote surrounding entry level jobs.
Will Markow
When we looked at this, we found that for every 100 entry level jobs, we had 110 entry level workers vying for that. That means that we actually had about 35,000 more entry level individuals looking for cybersecurity jobs than we actually had entry level cybersecurity jobs that they could fill.
Kim Jones
And I will take it a step further. There's another piece there regarding not just what he said about data, but in terms of how the world, the industry, the world, business, et cetera, is looking at and is hiring cyber professionals within the environment.
Will Markow
I call it hiring for mercenaries, not missionaries. This has been the default in the industry for years. You go after the mercenary who has the best resume. They look the best on paper. Maybe they went to some fancy school, they got some fancy certifications. They look amazing on paper. Problem is, you want to hire them, so do all of your 20 biggest competitors and you are going to be in a bloodbath for talent if this is what you do.
Kim Jones
So shifting gears again, I think part of some of the things we've heard centered around what makes a good cybersecurity professional. And you talked about putting structures like maybe legal around things, et cetera, within the environment. But one of the conversations that came up several times during our discussions and was the focus of episode two was, are we a trade or are we a profession? You want to dig into that a little bit, Ethan?
Ethan Cook
Yeah. So this is a conversation that came up not just in episode two. While that was the main focus of episode two, it came out routinely throughout the season. And it was something that I grappled with because, you know, when I first saw the statement, my first thought was as an outsider was why does it matter? Right? You know, that was my first instinct. I then dug into the conversation and dove into it more and got into the nitty gritty, nitty gritty details and understood the cost and benefit of both. And I really liked both Larry's who was in episode two and Ed's characterization of the two with Larry arguing that it transforms midway through.
Larry
I've actually given some thought to that simply because, and I'm going to say I think we're both, I think we're both because of a couple of factors. When you think about the entry level component, right, the entry level component of getting into cyber is very trade adjacent, right? It's not about certifications, it's not about degrees, it's about skills. Which is why we say you can come out of high school and do this because if you, if you create right or foster certain skills on your own in high school, you can technically come into a cyber role and become proficient in the way that an organization needs you and go execute. So at that level, I see it akin to a trade.
Ethan Cook
And then Ed arguing or stating that he believes that we're a profession with technical components.
Ed Vasco
I lean towards the idea and I mean, I, I expect that we are a profession that has technical representation. We have an opportunity to ensure that the pathways we create allow for people of not just diverse background, but diverse skills to engage in this field and achieve certain kinds of milestones at a career level. If we don't treat ourselves as a profession that has technical orientation, then we'll ultimately be relegated into a position that doesn't have business orientation, that doesn't have all the other things that we talked about for years.
Ethan Cook
Between the two of them, and I think they hit the nail on the head, is that we are a profession, cyber is a profession, and we have to treat it as one. But that doesn't mean we just ignore the technical aspects and just blindly tune those off and put our blinders on and pretend like those aren't there. Those are a reality that we should acknowledge and build in to our systems. Similar to how, you know, if you look at other professions that are, have a technical system, maybe not technical in terms of technology, but technical aspects of them, they have a defined pathway that goes through it and a, in a logical progression system, but they still have professional elements guiding the whole process.
Kim Jones
And this is, you mentioned pathways, so this is A great opportunity to segue into some of the discussions we've had regarding the different pathways that you can take to get into cyber. One of the themes that we kept running into was, is college the only way to go into a cyber? Do you need a technical background to get into cyber? And then of course, there's the value of certifications and taking a certification path in cyber. So let's start with. And I'll tee up the first one in terms of the need for a technical background in some sort. And I'll actually go back to Ed Adams.
Ethan Cook
I was thinking the same thing first.
Kim Jones
Episode, you know, and one of the things his viewpoint is on that problem.
Ed Adams
You don't need to have a technical background to have a successful career in cybersecurity, full stop. I think that's a very understated but incredibly important comment. Almost as important as the five words that I've heard come out of your mouth on many occasions, which is entry level means no experience. There are so many talented people that I have personally hired and worked with at other companies that don't have technical backgrounds that are fantastic in cybersecurity.
Kim Jones
So let's shift from that approach to the viewpoint from college within the environment. And we actually had Dr. Laura Ferry, who is the VP of Research and development at Arizona State, who has been involved in building or helped me when I built the cyber program at ASU and some of the challenges she has from a college standpoint and the expectations of our partners and their viewpoints on college. So let's start with that expectation piece in terms of what industry partners seem to be looking for within the environment from college.
Dr. Laura Ferry
When we talk to our industry partners, each one wants something different.
Kim Jones
Shocked, I am.
Dr. Laura Ferry
Each company would like us to teach these students to code the way they code and to use the software they use and to be prepared to step into a job at their particular industry so that that company does not have to do any on the job training at all.
Kim Jones
And now let's take that back and reference an earlier comment from Ed Adams, back from the first episodes in response to me saying, if you ask 50 CISOs what they're looking for in a cyber professional, you're going to get 436 different answers.
Ed Adams
Well, I did ask 50 CISOs the exact same question and I took those 50 answers and what I was able to determine is that there is a distinct pattern. The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification or any experience. The ability to be taught, like, that was it. And however, when I still read cybersecurity job descriptions, whether they're entry level or not, I do not see those words showing up. I see things like degrees and certifications and technical skills.
Kim Jones
So as we look at pathways, Ethan is part of the problem in terms of defining what a reasonable pathway is still center around my peers and I not knowing what the hell we want within an environment, except perhaps the dreaded purple unicorn with pink butterfly wings that is out there.
Ethan Cook
What are you.
Kim Jones
What, what, what, what was your takeaway from the dozen or so conversations we've had about this?
Ethan Cook
So certainly there is that purple unicorn hunting, which is a problem and from everything. And to me, you know, as someone, as an outsider, it makes no like logical sense in my mind, right? Like I come in and I'm sure there's people who have done that and go, well, it helps me do X, Y and Z. This is blah, blah, blah, and there's value for them, right? But as an outsider, I see it as you are really misallocating your approach and funds and time to find something that you're probably not going to find or you're going to find it, and then they're going to get poached almost instantly because they're going to get a better offer and they're going to job on. Part of it is, I think there's almost like, and this is outside of this conversation, something that I've noticed among cyber, this explosion of the number of vendors. And we talked about this in the vendor episode, which was episode 12, but there's, and I wrote about it, how there is. Gartner found there's over 3,000 vendors. Each one of them do their own system, their own way, and people are contracting in a numerous ways and everyone has their own system and everyone wants the system done the way they do. They don't want to train people up. They want someone who comes in with coding knowledge for that specific system to come in and be impactful. And Laura talked about that.
Dr. Laura Ferry
It is profoundly frustrating when I've met with a group of 15 representatives from different industry to say now, have I built the degree you want? And finally they all said, yes, you've built a degree you want. And then I can't place any in any interns at their industry.
Ethan Cook
So I think that this unwillingness to accept that humans are humans, that they're not going to be perfect, they are not going to have every training. I find it really weird how in this industry, every other industry that I've ever been a part of, I've ever had friends in, etc., has a tolerance for allowing people to learn. The company, whether that's learning internal operating procedures, whether that's learning technological systems, whether that's training, whether it's anything, there's an allowance of okay, come in. Yes, we expect you to be capable, we expect you to be able to do what you say you were going to do. But we expect bumps, we expect mistakes, we expect you to maybe you send a wrong email to a client, maybe you don't hit the right thing the right way or save a file, you lose some data, things happen. But within cyber, that is unacceptable. It's one of the few industries that I have ever heard of like that there's zero tolerance there for new people, let alone older people who have been in it for years. And this to me feels like it's an impossible race. And I am really, it makes pathways. And I think the one thing that really stood out to me as I was trying to think of solutions from an outside perspective, the conversation we had with Simone about skills based hiring. And I know Jeff also talked about this and I've obviously worked with him, so I've known this approach for a bit, but that to me struck as a very valuable tool to adjust.
Narrator
We have seen in the last four years a push, not as big as a push as I think either you or I would like in the direction of skills based hiring. Being able to rely on a credential alone can't be indicative of someone's true competence to perform the job.
Ethan Cook
Rather than saying I want you to have four years of coding experience with this thing, say I want coding experience or a high level concept. And then instead of looking for very hyper specific things that are probably unrealistic, instead looking for general concepts that can be universally applied.
Kim Jones
And one of the things you also mentioned is in terms of how we link that training to our actual needs within the environment. Not only from a what are the skills needed but what are the levels needed? And in episode three, our guest talked a little bit about that when we were talking about planning workforce and taking the time to plan workforce.
Narrator
If you're looking to build your workforce, really sit down and try to think what would be the development, what would be the career track from your entry level person to your seat or to a seat that sits next to you at the executive table? And how can you craft that within your organization because that is the way you can solve the problem.
Kim Jones
And then shifting again. One of the things that you had mentioned, Ethan, when you were talking about Jeff Wilkin and his viewpoint in Skillrex. He had a very, very interesting viewpoint and perspective on the problem in terms of the data that we were looking at, the results of that data that we were looking at in the environment and whether or not we were utilizing that data to help us plan what we need and think about training and uplift and onboarding in a strategic level within the environment.
Jeff Wilkin
We need to throw the pebble in the pond. You know when you throw a pebble in the pond it has a ripple effect.
Kim Jones
Right.
Jeff Wilkin
And the pebble for us starts with work role analysis. Really understanding the core expectations from skill sets perspective for any given job role at any given level, that's like the step one and then the ripples out from there. So once you have that data, you want to understand like, well, now I know what I need, what am I going to do with that data? Well, I can go back to my job descriptions as you mentioned and update job descriptions based on an analysis of the expectations. But then two, you're going to want to understand where are my people compared to my expectations?
Kim Jones
Before we head down any further, I want to take a step back and we spent some time or we spent an episode and you and I talked about it mid season as well, talking about whether or not diversity matters within cyber again, you know, and as an outsider, what are your thoughts?
Ethan Cook
Yeah. So as someone who is an Asian American, diversity is very important to me. It's always been something that, you know, the reality is, is America sometimes this is not what I would like it to be, diversity wise. And right now it has become a contentious issue for whatever reason. And I think that that episode was to me, when I saw you list it, I. My first reaction as an outsider was to say of course, why did, why would it matter? Like it brings tangible benefits Because I didn't even consider for the fact that it wasn't a common thing within cyber. And then as I dove into the research and looked at the demographic reports and I want to note it's not just race, it's not just gender, but it's also in terms of background. And I can even say this from a perspective of myself coming in with a non cyber background, there have been conversations that I have had where we are talking and I have a bunch of cyber people around me and they are seeing it one specific way. It is A to B to C and it's not making sense or they're trying to make it take four extra steps longer or whatever the case is. And I kind of take a step back and say, well, why don't we do it this way? Why don't please explain to me the logic, right? And it's not to counter, it's more to understand. And when I get the explanation and respond back, I view I. It's, it's like, wow, we'd even consider that. And I think that right there is the value of diversity. It's not about checking off some box that oh, I've hired X amount of minorities or women or etc. Like, that's, I think that's what it's been politicized into. I think the better way to view it is what I am bringing is different ways of thinking into my organization. Because when you have one mono, mono focused way, one monolithic way of viewing the problem, sure, maybe that way works a couple times, but it's probably not going to work every time and it's probably not sustainable because the system that we live in with cyber is constantly changing. 
There are new threats every single day and they think differently than you do. They are approaching the way they tackle you differently than you view defending yourself. So having multiple people come in with different lines of background, different ways of thinking, different ways of approaching problems, whether they are defense based, whether they are internal structure based, whether they are problem solving or acquisition based, et cetera, these mentalities are going to result in a more productive, more efficient and more sustainable line of business. And I think that as someone who is an Asian American and Kim, I thought the episode was very, very important to have. And I think people who are ignoring that and pretending like that's not real are people who don't really want to actually dive into the data. And the data is very, very overwhelmingly in support of the value that diversity brings. And I wrote about it in the blog. There have been numerous studies that talk about it's not just a oh, my team looks different than your team, my team produces more than your team. My team is more effective in what we produce. They produce less errors, they account for more facts, they correct facts, they correct errors faster, et cetera.
Kim Jones
Let's pull that all together. Ethan, I thought your answer was spot on. I get equally passionate about it. It's important for cyber. It's not a political issue. So let me begin, try and pull things together. You've heard lots of perspectives, you've heard lots of challenges, you've heard lots of points of view from lots of subject matter experts regarding this topic. So I'm going to ask you a similar question that I've asked Ed Vasco when he was on and some others as well. How do you solve it? We've done a very, very good job of identifying the problems plural with the cyber talent ecosystem now. And we've hit it from about every conceivable angle we could think of for this season's arc. So we've done a good job of identifying the problem. I obviously am too close to the problem, having been in this profession for almost four decades. So I would welcome your perspective as someone who has been handled this stack of stuff to fix, how would you solve the problem? If you could wave the magic wand and were supreme ruler and emperor cyber for a day, how would you solve it?
Ethan Cook
Great question. I first what I would say is you cannot have a monolithic approach. There is no one way that this gets solved because there is no one way to view this problem. As we have found throughout the season, there are issues with talent pipelines, there's issues with talent acquisition, there's issues with talent sustainability, talent development, et cetera. Name it, it's there. So the first thing I would say is we can't say, oh, if we just fix the universities, this solves the problem. If we just fix the way business leaders approach it, it solves the problem. That's not how it works. I would say the two things that I would really drill down on and think are the most impactful for short term fixes are. One would be Ed's engagement with state governments. It helped the state of Idaho and giving people tangible, real world experience for free. Right. And that was helping out. And that gives more technical experience and creates a system that's similar to what nurses go through and how the medical industry approaches training people up rather than just dropping you out of college and saying, okay, fend for yourselves. And that also removes the need to have as many internships or get private involvement and ensure private involvement is always going to be a factor and there's always going to be that aspect. But if you can't motivate privately owned companies to get involved, this is a great way to still continue getting technical experience for younger talent coming in and still train them up while still ensuring that they hit their university requirements, et cetera, and actively provide a service to the community and better cyber as a as a whole. My next thing I would say is I'm a huge advocate for and it was talked about several times by both, I believe, Jeff, by Simone, maybe I think Larry as well about the value of instituting a bar like association for Cyber. And I don't think that a nationwide approach can do that. 
I think that that would something that would have to be driven on the state level. But to me, I'm a big systems guy. I'm a big, you know, setting up organization and systems and what I see right now in the industry is a lot of people running around doing whatever they want and there's no consistency across the board. And I don't think you can ever have a nationwide. Okay, this is the mandate nationally that we're going to follow. But having a regional or state centered approach to drive up consistency I think would be a huge step to solving this problem.
Kim Jones
So let me, let me stop you for half a second there. And what would you say to the folks who would say setting up some sort of system within the environment would potentially be exclusionary within. I mean take the example you've used from the medical profession and the legal profession. Both of those require college degrees within the environment in order for them to be a profession. And what is there a. I mean there's always a possibility, but could such a system be more exclusionary to talent that doesn't necessarily have the funds to get a four year degree?
Ethan Cook
First, community college engagement, and that's a huge state driver right there. There are, we are. You've already talked about before Kim, but I 100% agree there are and I think the value of community colleges are continuing to go up as people realize that they're way more affordable and that they can be mapped to state requirements and that would be a natural benefit for state and local communities while at the same time such as like with that SOC program. Right. So I would say that that would be a great entry or launching off point.
Kim Jones
So reflecting back the requirements can and more likely in your mind should be set such that a four year degree is not necessarily a mandate to meet the state requirements. We understand what the KSA are and we need to demonstrate those cases. College is not a mandate for demonstrating them. The issue is demonstrating them. And there may be multiple pathways. If I'm reflecting back what I'm hearing. Yes, but, but let's also talk about some of. Let's talk about. Yes, it can be an advantage but within cyber as well as a lot of other places, college is being seen as elitist, costly and disadvantageous to an exclusionary. To a lot of folks with a lot of backgrounds, this is a great opportunity to drop the quote in about sitting on the laurels on the ivory towers and saying trust us that Laura made in episode seven.
Dr. Laura Ferry
We have sat back on our laurels in our ivory towers and said, just trust us.
Ethan Cook
Right.
Dr. Laura Ferry
We're doing great things. We're helping the young people think. And that is true. I mean, I do. I'm in very much in favor of helping young people to learn how to think. But we haven't taken it upon ourselves to explain the value of a university degree and to explain the ways in which we are trying to adapt and change and meet modern demands.
Kim Jones
And so I will end this interview the same way I've ended all of my interviews to date. What is the one thing that we haven't talked about that you want to make sure that we talk about, that we mentioned, et cetera, before we close this off?
Ethan Cook
Yeah. So as I look at this problem and problems, I mean, with a plural is probably the better description. The problems that are related to this system is. This has been an issue that I have heard about since I've entered several years ago. And it doesn't seem like we're any closer to solving. It seems like we're, if anything, further away from solving. And I think as this season has progressed and as I look forward, what I would say is there needs to be, especially in the absence of. And the decline of certain things like scissors programs or some of these things that are happening right now, there needs to be more industry leaders. I think one of the best quotes that you had, Kim, was when you talked about the first person to do it. It's always hard.
Kim Jones
When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply for a position in a company because there's no one already there like them. Every time someone says this to me, my answer is the same. How the hell is it going to get any better if you don't show up? Folks, being the first at anything is hard. Actually, it kind of sucks in most cases. But if no one steps up to be the first person, nothing ever changes. Worse, you provide individuals in that company the excuse to keep their hiring practices unchanged since they can't find underserved candidates to apply. The world doesn't change through complaining. It changes through direct action. That old story about everybody blaming someone when nobody did what anybody could have done is still true. Be the courageous hero. If there's no role model, become one. Show up.
Ethan Cook
And while you were referencing diversity in that conversation, I think that applies to just about everything in life, which is it's never easy to be the person to say, I'm going to solve a talent gap. Like, that's a huge. That's a massive problem. As we've talked about, that's not going to be something that is going to happen, but I think. Or that's going to happen easily, I think, or overnight. I think the better way in the thing is getting people together as CISOs, as industry leaders to come together and actually make progress and not do the same thing that we've already been doing for 10, 15 years. Don't say, okay, let's design another program. We've already done the designing another program and then it hasn't worked. Let's not say, oh, let's create a, you know, this, this training boot camp. Right. That we've already done those and it's not working. Let's develop this thing that we've already done, whatever this thing is instead coming together and saying, okay, what have we all tried and failed? So we don't repeat those mistakes and then say, okay, what have we not tried? And I'd rather us try something that we haven't done. And it's gonna mean someone's gonna have a lot of long nights.
Kim Jones
Yep.
Ethan Cook
Someone's going to mean. It's going to mean someone's taking a risk that may cause an issue that may involve taking someone who's not ready, quote, unquote, to be a SOC analyst. It may mean you having to work with someone and rely on someone who you would not have normally worked with. And that is scary and that is. Can be intimidating. And that can mean a lot of extra work that you may not be financially compensated for. Right. But if it matters, and if you're passionate about this, and from everyone that I have talked to throughout the season and from the people that I've heard over the years, cyber is one of those industries where people are nothing if not passionate about this industry.
Kim Jones
Amen.
Ethan Cook
Then if you're passionate about this and you're doing it for the right reasons, then yes, while it is exhausting and tiring, it is worthwhile and gives tangible value not just to yourself, not to just your organization, not to just the neighboring organization, but to the people who are coming in the next 10 years. The people who your customers, who you are guarding their information or who you are protecting their financials, etc, whatever your industry may be, there is value to this outside of just, oh, I gotten a paycheck raise or oh, my industry, my job is secure for another two months or whatever it may be and.
Kim Jones
We're going to have to leave it at that. Ethan, I really appreciate you taking the time to give us your perspective and your insight, and I look forward to working with you again for the next season.
Ethan Cook
Absolutely. I'm excited.
Kim Jones
Deeds, not words. I first ran across this phrase some 40 years ago while indulging in one of my longtime secret pastimes, watching B-grade action movies. While I remember the movie as being cheesy beyond belief, for some reason the phrase etched itself into my teenage psyche. The idea that what you do is more important than what you say, that your actions define who you are and what you're about. That resonated with me. I've taken this philosophy into my adult life, approaching the world with a show, don't tell attitude. Specifically, don't tell people who you are, show them, do what you say you're going to do, and above all else, be consistent in word and in deed. Ironically, I find that these three tenets appear to be what's lacking in today's cyber talent ecosystem, and that deficit seems to be one of the root causes of our challenge. It's clear from this season's explorations that there is no one correct path to enter into and progress along the path in cybersecurity, but there are certainly a number of wrong paths. All of those wrong paths have one thing in common: they are riddled with inconsistencies on the part of the profession. Common themes are: 1, the lack of agreed upon job descriptions; 2, the prominence of nonsensical job descriptions; 3, the seemingly endless complaining about a lack of skills without defining skill requirements; 4, the continued prominence of talent theft versus talent growth; and 5, the prominence of myopic tactical approaches to the talent problem, focusing on the immediate needs of an organization but ignoring long term operational goals. There continues to be a cacophony of loud discussions on these themes without any change taking place, which has left us with a lack of credibility both within and outside the cybersecurity profession. If we want to get serious, truly serious about the cyber talent challenge, there are a handful of things that we need to do.
1. Map the terrain. In response to our industry's complaints, as well as our misreading of the data, there are now a plethora of pathways for entry level candidates that are producing well in excess of the entry level opportunities that exist. The first step must be for us to delineate clearly what positions we consider to be entry level positions. SOC Analyst, for example, comes to mind, or InfoSec Security Specialist. Next, we need to reframe our message to talent creation organizations to focus on those entry level positions and the true quantity of opportunities available. This approach will most likely disappoint organizations and institutions who have invested time and resources in creating now bloated pipelines, but it remains disingenuous of us as a profession not to address this situation with candor. Lastly, we need to reset experience expectations for entry level candidates. As discussed in an earlier episode, we need to realize that entry level experience may be a combination of internships and other cyber related or IT work. If you're expecting new hires to have more than a year's experience though, you're not looking for entry level candidates, but rather looking to steal experienced assets.
2. Create internal pathways for cyber talent. Many organizations treat cyber talent like mercenaries who are there to perform a specific task. There are no clear pathways for promotion nor to expand one's capabilities by taking on other cyber roles within the security organization. Indeed, many companies, and sadly many so-called leaders within the cyber community, are afraid to educate, train and promote their personnel for fear of losing a resource that is performing a specific task right now. With this attitude, is it any wonder that talent tends to rotate out of organizations routinely? While promotions should never be automatic, they should always have a large merit component driving them. Holding resources back for fear of losing talent is a surefire way to, well, lose talent. Make sure your team understands all requirements for promotion, including skill levels, abilities and knowledge required, and that you are providing them opportunities to acquire the necessary tools to be considered for advancement.
3. Create consistency throughout your talent life cycle. This point has serious rant potential for me, so please bear with me. If I were to pick the one major source of our challenges, this would be it, folks. I genuinely do not care which of the myriad opinions you hold regarding creating and advancing talent. I do care that for the most part we are failing to walk the talk around our opinions. If you believe, for example, that we are more trade than profession, great. If that's the case, then stop recruiting for talent exclusively at colleges and universities and create interview processes that focus on knowledge and skill demonstration. If you believe that a good cyber professional needs solid IT experience before entering the field, also great.
If that's the case, then adjust your starting salaries for junior cyber professionals to account for the additional years of experience and start creating programs within your organization to migrate IT professionals into cyber. If you believe the best way to acquire cyber folks is to grow them organically from anywhere within the company, that's wonderful. Wonderful. If that's the case, then you need to create the organic pathways and training programs to allow this to occur. In one of my former organizations, I proposed creating a pathway for our customer care people to become entry level cyber professionals. These folks had already been vetted and hired as assets to the company. This initiative would give them a pathway to progress from holding a job to having a career. As an added bonus, since customer care staff tend to be more diversified than technology teams, it produced a mechanism to organically create more diverse organizations. If you believe that cybersecurity requires a degree, that's positively fantastic. If so, then you need to support the degree programs that are out there by providing meaningful internships, guest lecturing, or joining extended faculty in their degree programs and hiring graduates. Above all else, though, you need to stop nattering about how it should be without also fighting to create the ecosystem that can get you there. Stop complaining about it and act. Rant over. This season, we talked about the various pathways to entry into the cybersecurity arena and the advantages and disadvantages of each. We explored some of the misconceptions, prejudices and myopia cybersecurity leaders can cling to about these pathways. While there is no one right way to enter the field, we've shown this season that there are some wrong ways, and those all center around the inconsistencies that we as cyber leaders promulgate in the environment. 
If we want to restore our credibility and arete, we badly need to standardize our definitions and expectations of cyber candidates and stop being so afraid of having to backfill positions. We refuse to educate, train and mentor our people. It's time to stop talking and start doing, in other words, deeds, not words. My two cents. We'd love to hear what you think of this season of CISO Perspectives. There's a link to share your perspectives with us via the survey in our show notes. And that's a wrap for today's episode and for this season of CISO Perspectives. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one, and we couldn't do it without you. We're so grateful to have had you with us this season. From all of us here, thank you for listening. We look forward to bringing you more expert insights and meaningful discussions in the next season. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones. See you next season.
Host: Kim Jones (N2K Networks)
Guest: Ethan Cook (Producer, Researcher, Season Writer)
Date: February 10, 2026
In the season finale of CISO Perspectives, host Kim Jones reflects on the biggest themes and insights from the past season with Ethan Cook, the podcast's producer and key behind-the-scenes researcher. This deep-dive recap explores the intricacies and contradictions in the cybersecurity talent ecosystem, emphasizing key lessons learned, persistent challenges, and forward-looking calls for action.
“Everyone seems to find a stumble of a way into cyber.” (03:23)
[03:23–05:10]
Quote:
“First observation... is fear. The second observation... is opportunity. None of it ever felt like, oh, we just have to accept the fact that we are never ever going to get the budget we need or... the perfect talent pipeline.”
— Ethan Cook (03:23)
[05:10–07:39]
Quote:
“Most of these teaching hospitals are attached to a university... I took the same metaphor and said... would you be willing to allow early career professionals that opportunity to come in... and have consequence?”
— Ed Vasco (05:58)
[08:39–11:37]
“For every 100 entry-level jobs, we had 110 entry-level workers vying for that.” (10:19)
[11:37–15:32]
Quote:
“When you think about the entry level... it's not about certifications, it's about skills... akin to a trade.”
— Larry (12:54)
“I lean towards the idea... that we are a profession that has technical representation.”
— Ed Vasco (13:52)
Ethan Cook’s synthesis: Cybersecurity should be treated as a profession, but must acknowledge and reward technical skill pathways.
[15:32–22:45]
“You don't need to have a technical background to have a successful career in cybersecurity, full stop.” (16:22)
Quote:
“Each company would like us to teach these students to code the way they code... and not have to do any on the job training at all.”
— Dr. Laura Ferry (17:52)
[19:48–21:10]
Quote:
“Everyone wants the system done the way they do. They don't want to train people up.”
— Ethan Cook (19:48)
[22:45–25:55]
Quote:
“Being able to rely on a credential alone can't be indicative of someone's true competence to perform the job.”
— Simone (22:45)
[25:55–29:34]
Quote:
"It's not about checking off some box... I think the better way to view it is what I am bringing is different ways of thinking into my organization."
— Ethan Cook (26:22)
[31:08–36:27]
No single fix—problems span the entire talent lifecycle.
Ethan’s recommendations:
Cautions: Avoid exclusion of capable candidates without college degrees; requirements should be defined by demonstrable skills, not pedigree.
“We have sat back on our laurels in our ivory towers and said, just trust us.”
— Dr. Laura Ferry (35:56)
[36:49–41:17]
“How the hell is it going to get any better if you don't show up?... Be the courageous hero. If there's no role model, become one. Show up.”
— Kim Jones (37:47)
“There’s a lot of fear in the ecosystem right now... people are unwilling to take a risk.”
(03:23 – Ethan Cook)
“Entry level means no experience.”
(16:22 – Ed Adams, cited by Kim Jones)
“If you're expecting new hires to have more than a year's experience though, you're not looking for entry level candidates, but rather looking to steal experienced assets.”
(42:54 – Kim Jones summary)
“My team produces more than your team. My team is more effective in what we produce. They produce less errors, they account for more facts, they correct facts, they correct errors faster, etc.”
(28:31 – Ethan Cook)
“The world doesn't change through complaining. It changes through direct action.”
(38:13 – Kim Jones)
[41:40–45:32]
Kim’s closing monologue pulls together the season’s core frustrations:
Key Points:
Listen if:
You want a nuanced, honest, and solutions-oriented look at why cybersecurity hiring remains so difficult—and what leaders, educators, and aspiring professionals can actually do about it.