CyberWire Daily – "Bringing it all together. [CISOP]"
Host: Kim Jones
Guest: Ethan Cook
Date: March 31, 2026
Episode Overview
The season finale of CISO Perspectives reflects on the cyber talent ecosystem and how the cybersecurity industry can close the persistent talent gap. Host Kim Jones welcomes Ethan Cook—show researcher, writer, and so-called “outsider”—to share key insights drawn from a season's worth of deep conversations with industry experts. Together, they revisit major themes: the role of fear in hiring, the tension between skills vs. credentials, the profession vs. trade debate, entry pathways, the value of diversity, and actionable steps leaders can take to move the needle on sustainable cyber workforce development.
Key Discussion Points & Insights
The State of the Cyber Talent Ecosystem
- Fear Holds the Industry Back ([04:22]):
- Ethan Cook: Observes that “fear” is a prevailing theme—fear of hiring the “wrong” candidate, investing in the wrong training, or destabilizing existing teams.
- Quote: “There’s a lot of fear in the ecosystem right now where it feels that people are unwilling to take a risk, whether that be on developing training and development programs... bringing on someone who is maybe not the perfect employee... they may make a mistake and because of that you just choose to not do that and go for a very seasoned and probably more expensive person.”
- Opportunity Remains ([05:19]):
- Despite challenges, guests consistently voiced that the problems are solvable with collective industry effort and clearly defined approaches.
Practical Skills and Real-World Experience
- Training Healthcare Model for Cybersecurity ([06:57]):
- Ed Vasco draws a parallel with teaching hospitals: “Most of these teaching hospitals are attached to a university...They combine the academic program and the experiential learning program.”
- Highlights the need to allow early professionals into operational environments to gain real-world experience.
- Industry Paradoxes ([08:13]):
- Organizations claim to require experience but are reluctant to provide opportunities for talent to get it, leading to 'catch-22' situations.
Data Misuse and Entry-Level Myths
- Cyber Seek Data Misinterpretation ([09:38]):
- Will Markow: "What that number actually is is that’s how many unique job openings we saw over the past 12 months...” ([10:22])
- The widely cited “massive talent gap” is often a misunderstanding of rolling annual job posting data, not current open positions.
- Entry-Level Oversupply ([11:18]):
- Will Markow: “For every 100 entry level jobs, we had 110 entry level workers vying for that.” There is actually an overabundance of entry-level applicants compared to positions.
- Hiring “Mercenaries,” Not “Missionaries” ([12:05]):
- Will Markow: “You go after the mercenary who has the best resume...Problem is you want to hire them. So do all your 20 biggest competitors and you are going to be in a bloodbath for talent...”
Trade vs. Profession
- Is Cybersecurity a Trade or a Profession? ([13:11]):
- Larry: Cyber entry is “very trade adjacent” at the start, focusing on skills over credentials. ([13:53])
- Ed Vasco: Argues for “a profession that has technical representation...we have an opportunity to ensure that the pathways we create allow for people of not just diverse backgrounds, but diverse skills...” ([14:51])
- Ethan: Sums up, “We are a profession and we have to treat it as one. But that doesn’t mean we can ignore the technical aspects...” ([15:46])
Pathways Into Cyber: Degree, Certs, or Neither?
- Do You Need a Technical Background? ([17:21]):
- Ed Adams: “You don’t need to have a technical background to have a successful career in cybersecurity, full stop...entry-level means no experience.” ([17:21])
- What Do Employers Want from Degree Programs? ([18:44]):
- Dr. Laura Ferri: “Each company would like us to teach these students to code the way they code and to use the software they use and to be prepared to step into a job at their particular industry so that that company does not have to do any on the job training at all.” ([18:51])
- CISOs Want Teachability, Not Just Credentials ([19:28]):
- Ed Adams: “The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification or any experience. The ability to be taught. Like that was it.” ([19:28])
- Unrealistic Job Requirements – The Purple Unicorn Problem ([20:48]):
- Ethan: “You are really misallocating your approach and funds and time to find something that you’re probably not going to find or you’re going to find it and then they’re going to get poached almost instantly.”
- Over-Specialization and Vendor Sprawl ([21:53]):
- Dr. Laura Ferri: On the futility of building the “perfect” degree for every employer: “It is profoundly frustrating...I can’t place any in any interns at their industry.” ([21:53])
- Cultural Reluctance for On-the-Job Learning ([22:10]):
- Compared to other fields, cyber has zero tolerance for mistakes, making it hard for new talent to learn and grow.
- The Value of Skills-Based Hiring ([23:45]):
- “Being able to rely on a credential alone can’t be indicative of someone’s true competence to perform the job.” ([23:45])
- Ethan: Advocates for hiring on broad competencies, not niche requirements: “Rather than saying I want you to have four years of coding experience with this thing, say I want coding experience or a high level concept...” ([24:13])
- Work Role Analysis as a Ripple Effect ([25:56]):
- Jeff Wilkin: “The pebble for us starts with work role analysis. Really understanding the core expectations from skill sets perspective for any given job role at any given level, that’s like the step one and then the ripples out from there.” ([25:56])
Diversity in Cybersecurity
- Why It Truly Matters ([27:21]):
- Ethan (Asian American perspective): “What I am bringing is different ways of thinking into my organization...When you have one monolithic way of viewing the problem, sure, maybe that way works a couple times, but... it’s probably not sustainable...”
- Cites data showing more diverse teams are more effective, correct errors faster, and are more productive.
- Diversity is Not a Political Issue, But an Operational Need ([30:33]):
- Kim echoes: “It’s important for cyber. It’s not a political issue.”
Solutions and Recommendations
- There’s No Silver Bullet ([32:07]):
- Ethan: “You cannot have a monolithic approach. There is no one way that this gets solved because there is no one way to view this problem...Can’t say, ‘Oh, if we just fix the universities, this solves the problem.’”
- Tangible Steps Forward:
- State-Government Engagement and Real-World Experience Programs ([33:02]):
- Model after nursing/medical residencies, leveraging public sector involvement for practical training.
- Regional (State-Level) Professional Structures ([34:18]):
- Advocates for a bar-like professional system, regionally driven, to create consistency and standards.
- Multiple Entry Pathways, Not Just College ([35:23]):
- Use community colleges as affordable and accessible launch points—degree should not be a gatekeeper; demonstrable skills matter most.
- Cautions Against Exclusion ([36:55]):
- Dr. Laura Ferri: “We have sat back on our laurels in our ivory towers and said, just trust us...But we haven’t taken it upon ourselves to explain the value of a university degree and...adapt and change and meet modern demands.”
On Courage and Industry Responsibility
- Being the First ([38:47]):
- Kim Jones: “Every time someone says [they’re reluctant to apply because no one like them is there], my answer is the same. How the hell is it going to get any better if you don’t show up? Folks, being the first at anything is hard...But if no one steps up to be the first person, nothing ever changes...Be the courageous hero. If there’s no role model, become one. Show up.”
- Incremental Progress Requires Action Despite Fear ([41:00]):
- Ethan: “It’s going to mean someone’s taking a risk...having to work with someone you might not have worked with before...That is scary, and that can mean a lot of extra work...But if you’re passionate about this...then, yes, while it is exhausting and tiring, it is worthwhile and gives tangible value.”
Timestamps for Key Segments
- 04:22 – Fear and the risk-aversion culture in cybersecurity talent
- 06:57 – Need for practical, real-world experience; medical training analogies
- 09:38 – Misuse of Cyber Seek data and the “false” talent gap
- 11:18 – Entry-level supply gluts and hiring for “mercenaries”
- 13:11 – Are we a trade or a profession?
- 17:21 – Skills vs. credentials: “Entry level means no experience”
- 19:28 – Top trait for CISOs: teachability, not credentials
- 21:53 – Frustration with “the perfect fit” and employer expectations
- 23:45 – Skills-based hiring advocacy and work role analysis
- 27:21 – Value of diversity—beyond the token and towards real operational gain
- 32:07 – Why there is no single solution; suggestions for a multifaceted approach
- 35:23 – Community colleges, entry pathways, and preventing exclusion
- 38:47 – The responsibility to be “the first” and create change
- 41:00 – Making hard choices and the need to act, not just discuss
Notable Quotes
- Ethan Cook (04:22):
- “First observation I would say is fear...people are unwilling to take a risk.”
- Ed Vasco (06:57):
- “Most of these teaching hospitals are attached to a university...combine the academic program and experiential learning program. So I took that metaphor...”
- Will Markow (10:22):
- “So many people at very high levels...misuse the data.”
- Will Markow (11:18):
- “For every 100 entry level jobs, we had 110 entry level workers vying for that.”
- Larry (13:53):
- “I think we’re both...the entry level component...is very trade adjacent...”
- Ed Adams (17:21):
- “You don’t need to have a technical background to have a successful career in cybersecurity, full stop.”
- Dr. Laura Ferri (18:51):
- “Each company would like us to teach these students to code the way they code...so [their] company does not have to do any on the job training at all.”
- Ed Adams (19:28):
- “The ability to be taught. That was it.”
- Ethan Cook (27:21):
- “When you have one monolithic way of viewing the problem...it’s probably not sustainable...I think that right there is the value of diversity.”
- Kim Jones (38:47):
- “How the hell is it going to get any better if you don’t show up?...If there’s no role model, become one. Show up.”
Summary and Closing Reflection
At the season's close, Kim Jones gives a final call-to-action:
"It’s time to stop talking and start doing, in other words, deeds, not words...there is no one correct path to enter into and progress along the path in cybersecurity, but there are certainly a number of wrong paths. All of those wrong paths have one thing in common—they are riddled with inconsistencies on the part of the profession." ([Outro Essay, ~44:00])
The episode urges cybersecurity leaders to:
- Map realistic entry pathways
- Create internal development opportunities
- Act consistently with their stated beliefs
- Champion diversity as a practical imperative
- Reject fear-based gatekeeping
- Take courageous (sometimes uncomfortable) action for the sake of real change
For aspiring professionals, students, and industry leaders alike, the message is clear: Sustainable progress means everyone—especially leaders—needs to move from words to actionable commitment, fostering both diversity of thought and practical opportunity at every level of the talent pipeline.