Ethan Cook (4:22)

Ethan yeah, so taking a step back and looking at it from a zoomed out view, I would say the first thing of my observations is fear. There's a lot of fear in the ecosystem right now where it feels that people are unwilling to take a risk, whether that be on developing training and development programs because they're sunking a lot of money in that could go somewhere else. Whether it could be fear of upsetting C suite other C suite members and kind of rocking the ship to a degree. Whether it is fear of bringing on someone who is maybe not the perfect employee, maybe they're a fresh out of college or a year out of college, they don't have a ton of technical experience or the technical experience that you quote unquote need right away and they may make a mistake and because of that you just choose to not do that and go for a very seasoned and probably more expensive person. So first observation I would say is fear. The second observation that I would say is opportunity. While there was a lot of talk throughout the season of wow, this is a problem, that's a problem none of it ever came away with. This is an unsolvable problem or this is something we can't fix or we can't address or we can't do something about. It's more so we need to come together as a group, whether that be in a quote unquote system, like a medical system, or like the bar. We've always come up a couple times and have a consistent, defined way that we want to approach this or acknowledge that that's not going to happen and be content with the results of that. None of it ever felt like, oh, this is a we just have to accept the fact that we are never ever going to get the budget we need or we are never ever going to get the perfect talent pipeline or whatever it was. We have to take a step back and really assess what we actually want.

Kim Jones (6:09)

So yeah, you got to double click on a couple of those things. So let's start with the fear aspect and in terms of how it relates to talents. And you talked a little bit regarding a lack of desire to accept the possibility where a mistake could be made. So back in episode 11, you know, we brought in Ed Vasco, CEO serial entrepreneur, and he talked a lot about regarding that last component that seems to be missing as we're upskilling people and that is practical skills and real world experience within the environment.

Ed Vasco (6:57)

Just like in medical, in the medical space we have training hospitals, we have training programs that not all hospitals, not all doctor's offices accept residents except residencies. There are a select number and it's by that selection process that the industry within the medical program gets moved forward. There's this self selection. Most of these teaching hospitals are attached to a university. They are attached to. They combine the academic program and the experiential learning program. So I took the same kind of metaphor, same sort of alignment and said, well, the benefit I have here is that I'm attached into a university. They've given me the opportunity to build these kinds of platforms. Let's say in your experience as an operational cyber leader, you know, would you be willing to allow early career professionals that opportunity to come in into a commercial SoC or into an operational SoC like NewGround and have consequence?

Kim Jones (8:13)

But it's really interesting that I think one of the things that I also felt from the season is you're right, everybody wants that level of experience. But there's still that couple of things that still that reluctance to create the mechanisms that allow people that experience.

Ethan Cook (8:39)

Absolutely.

Kim Jones (8:39)

The reluctance to, okay, that's great, we need you to get experience somewhere. But you first, you hire the intern, you do X, you do Y. And know it seems like we're talking out of both sides of our mouth about those things, you know, within the environment. So let's, let's double click on the other piece that you said regarding the opportunity. And I'm, I see you're right in terms of the overall, in terms of that this is something that nobody has thrown up their hands and said it can't be done, which is great. But it seems to me that the nature of that opportunity is still ill defined. And where I'm going back to is Will Marco's episode where he talked about the data regarding what is the nature of the cyber opportunity out there and the openings that are out there. You want to talk to me a little bit about that one?

Ethan Cook (9:38)

Yeah. So, you know, for context, for those who hadn't heard that episode, Will Markow came on and talked about cyber seek data. He was one of the, one of the head people behind that. And one of the things that I thought was just super illuminating about that conversation was how people are misusing cyber seek data. Whereas people look on cyber seek data and they see there's 700,000, 600, whatever the number is, thousand of jobs that are open. And we say, oh my God, we look at this massive talent gap we have, we have nearly a million jobs unfilled. And he said that's not the case. Reality actually is that that's data collected over a period of time. I believe he mentioned one year. And instead that is not at a current moment. That is what we've seen over this year.

Will Markow (10:22)

I have heard so many people at very high levels of the federal government and other places misuse the data. What that number actually is is that's how many unique job openings we saw over the past 12 months, which were unique online. It also isn't just what we think of as core cybersecurity workers. We're also looking at the network administrators who are responsible for cyber within an SMB or other IT professionals, or even in some cases, maybe even non IT professionals who still have a significant security component to what they do.

Ethan Cook (11:03)

When I think back to Will's episode, something that really stuck out to me was the impression, and I think one of his best moments in that was his quote surrounding entry level jobs.

Will Markow (11:18)

When we looked at this, we found that for every 100 entry level jobs, we had 110 entry level workers vying for that. That means that we actually had about 35,000 more entry level individuals looking for cybersecurity jobs than we actually had entry level cybersecurity jobs that they could fill.

Kim Jones (11:43)

And I will take it a step further. There's another piece there regarding not just what he said about data, but in terms of how the world, the industry, the world, business, et cetera, is looking at and is hiring cyber professionals within the environment.

Will Markow (12:05)

I call it hiring for mercenaries, not missionaries. This has been the default in the industry for years. You go after the mercenary who has the best resume, they look the best on paper. Maybe they went to some fancy school, they got some fancy certifications, they look amazing on paper. Problem is you want to hire them. So do all of your 20 biggest competitors and you are going to be in a bloodbath for talent, if this

Ethan Cook (12:35)

is what you do.

Kim Jones (12:37)

So shifting gears again, I think part of some of the things we've heard centered around what makes a good cybersecurity professional. And you talked about putting structures like maybe legal around things, et cetera, within the environment. But one of the conversations that came up several times during our discussions and was the focus of episode two was are we a trade or are we a profession? You want to dig into that a little bit, Ethan?

Ethan Cook (13:11)

Yeah. So, you know, this is a conversation that came up not just in episode two. While that was the main focus of episode two, it came out routinely throughout the season. And it was something that I grappled with because, you know, when I first saw the statement, my first thought was that as an outsider was why does it matter? Right. You know, that was my first instinct. I then dug into the conversation and dove into it more and got into the nitty gritty, nitty gritty details and understood the cost and benefit of both. And I really liked both Larry's who was in episode two and Ed's characterization of the two with Larry arguing that it transforms midway through.

Larry (13:53)

I've actually given some thought to that simply because, and I'm going to say I think we're both. I think we're both because of a couple of factors. When you think about the entry level components, right? The entry level component of getting into cyber is very trade adjacent, right? It's not about certifications, it's not about degrees, it's about skills. Which is why we say you can come out of high school and do this.

Kim Jones (14:22)

Because if you, if you create. Right.

Larry (14:25)

Or foster certain skills on your own in high school, you can technically come into a cyber role and become proficient in the way that an organization needs you and go execute. So at that level, I see it akin to a trade.

Ethan Cook (14:43)

And then Ed arguing or stating that he believes that we're a profession with technical components.

Ed Vasco (14:51)

I lean towards the idea and I mean, I expect that we are a profession that has technical representation. We have an opportunity to ensure that the pathways we create allow for people of not just diverse background, but diverse skills to engage in this field and achieve certain kinds of milestones at a career level. If we don't treat ourselves as a profession that has technical orientation, then we'll ultimately be relegated into a position that doesn't have business orientation, that doesn't have. All the other things that we talked

Ethan Cook (15:46)

about for years between the two of them, and I think they bit the nail on the head, is that we are a profession, cyber is a profession and we have to treat it as one. But that doesn't mean we just ignore the technical aspects and just blindly tune those off and put our blinders on and pretend like those aren't there. Those are a reality that we should acknowledge and build in to our systems. Just similar to how, you know, if you look at other professions that are have a technical system, maybe not technical in terms of technology, but technical aspects of them, they have a defined pathway that goes through it and a in a logical progression system. But they still have professional elements guiding the whole process. Process.

Kim Jones (16:31)

And this is. You mentioned pathways. So this is a great opportunity to segue into some of the discussions we've had regarding the different pathways that you can take to get into cyber. One of the themes that we kept running into was is college the only way to go into a cyber? Do you need a technical background to get into cyber? And then of course there's the value of certifications and taking a certification path in cyber. So let's start with. And I'll tee up the first one in terms of the need for a technical background in some sort. And I'll actually go back to Ed Adams.

Ethan Cook (17:14)

I was thinking the same thing first

Kim Jones (17:16)

episode, you know, and one of the things his viewpoint is on that problem.

Ed Adams (17:21)

You don't need to have a technical background to have a successful career in cybersecurity, full stop. I think that's a very understated but incredibly important comment. Almost as important as the five words that I've heard come out of your mouth on many occasions, which is entry level means no experience. There are so many talented people that I have personally hired and worked with at other companies that don't have technical backgrounds that are fantastic in cybersecurity.

Kim Jones (17:57)

So let's shift from that approach to the viewpoint from college within the environment. And we actually had Dr. Laura Ferri, who is the VP of Research and development at Arizona State, who has been involved in building or helped me when I built the cyber program at ASU and some of the challenges she has from a college standpoint and the expectations of our partners and their viewpoints on college. So let's start with that expectation piece in terms of what industry partners seem to be looking for within the environment from college.

Dr. Laura Ferri (18:44)

When we talk to our industry partners, each one wants something different.

Kim Jones (18:49)

Shocked, I am.

Dr. Laura Ferri (18:51)

Each company would like us to teach these students to code the way they code and to use the software they use and to be prepared to step into a job at their particular industry so that that company does not have to do any on the job training at all.

Kim Jones (19:10)

And now let's take that back and reference an earlier comment from Ed Adams, back from the first episodes, in response to me saying, if you ask 50 CISOs what they're looking for in a cyber professional, you're going to get 436 different answers.

Ed Adams (19:28)

Well, I did ask 50 CISOs the exact same question and I took those 50 answers. And what I was able to determine is that there is a distinction pattern. The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification or any experience. The ability to be taught. Like that was it. And however, when I still read cybersecurity job descriptions, whether they're entry level or not, I do not see those words showing up. I see things like degrees and certifications and technical skills.

Kim Jones (20:21)

So as we look at pathways, Ethan is part of the problem in terms of defining what a reasonable pathway is still center around my peers and I not knowing what the hell we want within an environment, except perhaps the dreaded purple unicorn with pink butterfly wings that is out there. What are you, what, what, what, what was your takeaway from the dozen or so conversations we've had about this?

Ethan Cook (20:48)

So certainly there is that purple unicorn hunting, which is a problem and from everything. And to me, you know, as someone, as an outsider, it makes no like logical sense in my mind, right? Like I come in and I'm sure there's people who have done that and go, well, it helps me do X, Y and Z. This is blah, blah, blah and there's value for them, right? But as an outsider, I see it as you are really misallocating your approach and funds and time to find something that you're probably not going to find or you're going to find it and then they're going to get poached almost instantly because they're going to get a better offer and they're going to job on. Part of it is, I think there's almost like, and this is outside of this conversation, something that I've noticed among cyber this explosion of the number of vendors. And we talked about this in the vendor episode, which was episode 12, but there's, and I wrote about it how there is. Gartner found there's over 3,000 vendors. Each one of them do their own system, their own way, and people are contracting in a numerous ways and everyone has their own system and everyone wants the system done the way they do. They don't want to train people up. They want someone who comes in with Coding knowledge for that specific system to come in and be impactful. And Laura talked about that.

Dr. Laura Ferri (21:53)

It is profoundly frustrating when I've met with a group of 15 representatives from different industry to say now, have I built the degree you want? And finally they all said, yes, you've built a degree you want. And then I can't place any in any interns at their industry.

Ethan Cook (22:10)

So I think that this unwillingness to accept that humans are humans, that they're not going to be perfect, they are not going to have every training. I find it really weird how in this industry, every other industry that I've ever been a part of, I've ever had friends in, etcetera, Has a tolerance for allowing people to learn. The company, whether that's learning internal operating procedures, whether that's learning technological systems, whether that's training, whether it's anything, there is an allowance of, okay, come in. Yes, we expect you to be capable, we expect you to be able to do what you say you were going to do. But we expect bumps, we expect mistakes, we expect you to maybe you send a wrong email to a client, maybe you don't hit the right thing the right way or save a file, you lose some data, things happen. But within Cyber, that is unacceptable. It's one of the few industries that I have ever heard of like that there's zero tolerance there for new people, let alone older people who have been in it for years. And this to me feels like it's an impossible race. And I am really, it makes pathways. And I think the one thing that really stood out to me as I was trying to think of solutions from an outside perspective, the conversation we had with Simone about skills based hiring, and I know Jeff also talked about this and I obviously worked with him, so I've known this approach for a bit, but that to me struck as a very valuable tool to adjust.

Podcast Host (23:45)

We have seen in the last four years a push, not as big as a push, as I think either you or I would like, in the direction of skills based hiring. Being able to rely on a credential alone can't be indicative of someone's true competence to perform the job.

Ethan Cook (24:13)

Rather than saying I want you to have four years of coding experience with this thing, say I want coding experience or a high level concept and then instead of looking for very hyper specific things that are probably unrealistic, instead looking for general concepts that can be universally applied.

Kim Jones (24:32)

And one of the things you also mentioned is in terms of how we link that training to our actual needs within the environment. Not only From a what are the skills needed but what are the levels needed? And in episode three, our guest talked a little bit about that when we were talking about planning workforce and taking the time to plan workforce.

Podcast Host (24:57)

If you're looking to build your workforce, really sit down and try to think what would be the development, what would be the career track from your entry level person to your seat or to a seat that sits next to you at the executive table and how can you craft that within your organization because that is the way you can solve the problem.

Kim Jones (25:20)

And then shifting again, one of the things that you had mentioned, Ethan, when you were talking about Jeff Wilkin and his viewpoint in Skillrex, he had a very, very interesting viewpoint and perspective on, on the problem in terms of the data that we were looking at, the results of that data that we were looking at in the environment and whether or not we were utilizing that data to help us plan what we need and think about training and uplift and onboarding in a strategic level within the environment.

Jeff Wilkin (25:56)

We need to throw the pebble in the pond. You know when you throw a pebble in the pond it has a ripple effect.

Ethan Cook (26:03)

Right.

Jeff Wilkin (26:03)

And the pebble for us starts with work role analysis. Really understanding the core expectations from skill sets perspective for any given job role at any given level, that's like the step one and then the ripples out from there. So once you have that data, you want to understand like, well, now I know what I need. What am I going to do with that data? Well, I can go back to my job descriptions as you mentioned and update job descriptions based on an analysis of the expectations. But then two, you're going to want to understand where are my people compared to my expectations?

Kim Jones (26:54)

Before, before we head down any further, I want to take a step back and we spent some time or we spent an episode and you and I talked about it mid season as well, talking about whether or not diversity matters within cyber. Again, as an outsider, what are your thoughts?

Ethan Cook (27:21)

Yeah. So as someone who is an Asian American, diversity is very important to me. It's always been something that, you know, the reality is is America sometimes is not what I would like it to be, diversity wise. And right now it has become a contentious issue for whatever reason. And I think that that episode was to me, when I saw you list it, I my first reaction as an outsider was to say of course, why did, why would it matter? Like it brings tangible benefits because I didn't even consider for the fact that it wasn't a common thing within cyber. And then as I dove into the research and looked at the demographic reports and I want to note it's not just race, it's not just gender, but it's also in terms of background. And I can even say this from a perspective of myself coming in with a non cyber background. There have been conversations that I have had where we are talking and I have a bunch of cyber people around me and they are seeing it one specific way. It is A to B to C and it's not making sense or they're trying to make it take four extra steps longer or whatever the case is. And I kind of take a step back and say, well, why don't we do it this way? Why don't please explain to me the logic, right? And it's not to counter, it's more to understand. And when I get the explanation and respond back, I view I. It's the, it's like, wow, we didn't even consider that. And I think that right there is the value of diversity. It's not about checking off some box that oh, I've hired X amount of minorities or women or et cetera. Like that's. I think that's what it's been politicized into. I think the better way to view it is what I am bringing is different ways of thinking into my organization. Because when you have one mono, mono focused way, one monolithic way of viewing the problem, sure, maybe that way works a couple times, but it's probably not going to work every time and it's probably not sustainable because the system that we live in with cyber is constantly changing. There are new threats every single day and they think differently than you do. They are approaching the way they tackle you differently than you view defending yourself. So having multiple people come in with different lines of background, different ways of thinking, different ways of approaching problems, whether they are defense based, whether they are internal structure based, whether they are problem solving or acquisition based, et cetera, these mentalities are going to result in a more productive, more efficient and more sustainable line of business. And I think that as someone who is an Asian American and Kim, I thought the episode was very, very important to have. And I think people who are ignoring that and pretending like that's not real are people who don't really want to actually dive into the data. And the data is very, very overwhelmingly in support of the value that diversity brings. And I wrote about it in the blog. There have been numerous studies that talk about it's not just a oh, my team looks different than your team. My team produces more than Your team. My team is more effective in what we produce. They produce less errors, they account for more facts, they correct facts, they correct errors faster, et cetera.

Kim Jones (30:33)

Let's pull that all together. Ethan, I thought your answer was spot on. I get equally passionate about it. It's important for cyber. It's not a political issue. So let me begin. Try and pull things together. You've heard lots of perspectives, you've heard lots of challenges, you've heard lots of points of view from lots of subject matter experts regarding this topic. So I'm going to ask you a similar question that I've asked Ed Vasco when he was on and some others as well. How do you solve it? We've done a very, very good job of identifying the problems, plural, with the cyber talent ecosystem now. And we've hit it from about every conceivable angle we could think of for this season's arc. So we've done a good job of identifying the problem. I obviously am too close to the problem, having been in this profession for almost four decades. So I would welcome your perspective. As someone who has been handled this stack of stuff to fix, how would you solve the problem? If you could wave the magic wand and were supreme ruler and emperor cyber for a day, how would you solve it?

Ethan Cook (32:07)

Great question. I first, what I would say is you cannot have a monolithic approach. There is no one way that this gets solved because there is no one way to view this problem. As we have found throughout the season, there are issues with talent pipelines, there's issues with talent acquisition, there's issues with talent sustainability, talent development, et cetera. Name it, it's there. So the first thing I would say is we can't say, oh, if we just fix the universities, this solves the problem. If we just fix the way business leaders approach it, it solves the problem. That's not how it works. I would say the two things that I would really drill down on and think are the most impactful for short term fixes are. One would be Ed's engagement with state governments. It helped the state of Idaho and giving people tangible, real world experience for free. Right? And that was helping out. And that gives more technical experience and creates a system that's similar to what nurses go through and how the medical industry approaches training people up rather than just dropping you out of college and saying, okay, fend for yourselves. And that also removes the need to have as many internships or get private involvement and ensure private involvement is always going to be a factor. And there's always going to be that aspect. But if you can't motivate privately owned companies to get involved, this is a great way to still continue getting technical experience for younger talent coming in and still train them up while still ensuring that they hit their university requirements, et cetera and actively provide a service to the community and better cyber as a, as a whole. My next thing I would say is I'm a huge advocate for and it was talked about several times by both I believe Jeff, by Simone maybe I think Larry as well about the value of instituting a bar like association for Cyber. And I don't think that a nationwide approach can do that. I think that that would something that would have to be driven on the state level. But to me I'm a big systems guy. I'm a big you know, setting up organization and systems and what I see right now in the industry is a lot of people running around doing whatever they want and there's no consistency across the board. And I don't think you can ever have a nationwide. Okay. This is the mandate nationally that we're going to follow. But having a regional or state centered approach to drive up consistency I think would be a huge step to solving this problem.

Kim Jones (34:42)

So let me, let me stop you for half a second there. And what would you say to the folks who would say setting up some sort of system within the environment would potentially be exclusionary within I mean take the example you've used from the medical profession and the legal profession. Both of those require college degrees within the environment in order for them to be a profession. And what is there a. I mean there's always a possibility but could such a system be more exclusionary to talent that doesn't necessarily have the funds to get a four year degree first Community

Ethan Cook (35:23)

college engagement and that's a huge state driver right there. There are, we are. You've already talked about it before Kim, but I 100% agree there are and I think the value of community colleges are continuing to go up as people real that they're way more affordable and that they can be mapped to state requirements and that would be a natural benefit for state and local communities while at the same time such as like with that SOC program. Right. So I would say that that would be a great entry or launching off point.

Kim Jones (35:49)

So reflecting back the requirements can and more likely in your mind should be set such that a four year degree is not necessarily a mandate to meet the state requirements. We understand what the KSAEs are and we need to demonstrate those KSAEs. College is not a mandate for demonstrating them. The issue is demonstrating them. And there may be multiple pathways. If I'm reflecting back what I'm hearing. Yes, but let's also talk about some of. Let's talk about. Yes, it can be an advantage, but within cyber as well as a lot of other places, college is being seen as elitist, costly, and disadvantageous to an exclusionary. To a lot of folks with a lot of backgrounds, this is a great opportunity to drop the quote in about sitting on the laurels on the ivory towers and saying, trust us. That Laura made in episode seven.

Dr. Laura Ferri (36:55)

We have sat back on our laurels in our ivory towers and said, just trust us.

Ethan Cook (37:03)

Right.

Dr. Laura Ferri (37:03)

We're doing great things. We're helping the young people think. And that is true. I mean, I do. I'm very much in favor of helping young people to learn how to think. But we haven't taken it upon ourselves to explain the value of a university degree and to explain the ways in which we are trying to adapt and change and meet modern demands.

Kim Jones (37:26)

And so I will end this interview the same way I've ended all of my interviews to date. What is the one thing that we haven't talked about that you want to make sure that we talk about, that we mentioned, et cetera, before we close this off?

Ethan Cook (37:48)

Yeah. So as I look at this problem and problems, I mean, with a plural is probably the better description, the problems that are related to this system is this has been a issue that I have heard about since I've entered several years ago, and it doesn't seem like we're any closer to solving. It seems like we're, if anything, further away from solving. And I think as this season has progressed and as I look forward, what I would say is there needs to be, especially in the absence of. And the decline of certain things like scissors programs or some of these things that are happening right now, there needs to be more industry leaders. I think one of the best quotes that you had, Kim, was when you talked about the first person to do it. It's always hard.

Kim Jones (38:47)

When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply for a position in a company because there's no one already there like them. Every time someone says this to me, my answer is the same. How the hell is it going to get any better if you don't show up? Folks, being the first at anything is hard, actually. It kind of sucks in most cases. But if no one steps up to be the first person, nothing ever changes. Worse, you provide individuals in that company, the excuse to keep their hiring practices unchanged since they can't find underserved candidates to apply. The world doesn't change through complaining. It changes through direct action. That old story about everybody blaming someone when nobody did what anybody could have done is still true. Be the courageous hero. If there's no role model, become one. Show up.

Ethan Cook (39:48)

And while you were referencing diversity in that conversation, I think that applies to just about everything in life, which is. It's never easy to be the person to say, I'm going to solve a talent gap. Like, that's a huge. That's a massive problem. As we've talked about. That's not going to be something that is going to happen. But I think. Or that's going to happen easily, I think, or overnight. I think the better way. And the thing is getting people together as CISOs, as industry leaders to come together and actually make progress and not do the same thing that we've already been doing for 10, 15 years. Don't say, okay, let's design another program. We've already done the designing another program, and it hasn't worked. Let's not say, oh, let's create a, you know, this. This training boot camp. Right. That we've already done those and it's not working. Let's develop this thing that we've already done. Whatever this thing is instead coming together and saying, okay, what have we all tried and failed? So we don't repeat those mistakes and then say, okay, what have we not tried? And I'd rather us try something that we haven't done. And it's gonna mean someone's gonna have a lot of long nights.

Kim Jones (41:00)

Yep.

Ethan Cook (41:01)

Someone's going to mean. It's going to mean someone's taking a risk that may cause an issue that may involve taking someone who's not ready, quote, unquote, to be a SOC analyst. It may mean you having to work with someone and rely on someone who you would not have normally worked with. And that is scary, and that is. Can be intimidating. And that can mean a lot of extra work that you may not be financially compensated for.

Ed Adams (41:28)

Right.

Ethan Cook (41:29)

But if it matters, and if you're passionate about this, and from everyone that I have talked to throughout the season and from the people that I've heard over the years, cyber is one of those industries where people are nothing if not passionate about this industry.

Kim Jones (41:42)

Amen.

Ethan Cook (41:44)

Then if you're passionate about this and you're doing it for the right reasons, then, yes, while it is exhausting and tiring, it is worthwhile and gives tangible value. Not just yourself, not to just your organization, not to just the neighboring organization, but to the people who are coming in the next 10 years. The people who your customers, who you are guarding their information or who you're protecting their financials, Etc. Whatever your industry may be, there is value to this outside of just oh I gotten a paycheck raise or oh my industry, my job is secure for another two months or whatever it may be.

Kim Jones (42:15)

Oh no. And we're going to have to leave it at that. Ethan, I really appreciate you taking the time to give us your perspective and your insight, and I look forward to working with you again for the next season.

Ethan Cook (42:27)

Absolutely. I'm excited.

Kim Jones (42:41)

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack of zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys, and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn. Every layer is integrated, segmented, and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. Deeds, not Words I first ran across this phrase some 40 years ago while indulging in one of my longtime secret pastimes watching B grade action movies. While I remember the movie as being cheesy beyond belief, for some reason the phrase etched itself into my teenage psyche. The idea that what you do is more important than what you say, that your actions define who you are and what you're about. That resonated with me. I've taken this philosophy into my adult life, approaching the world with a show don't tell attitude. Specifically, don't tell people who you are. Show them, do what you say you're going to do, and above all else, be consistent in word. And indeed, ironically, I find that these three tenets appear to be what's lacking in today's cyber talent ecosystem, and that deficit seems to be one of the root causes of our challenge. It's clear from this season's explorations that there is no one correct path to enter into and progress along the path in cybersecurity, but there are certainly a number of wrong paths. All of those wrong paths have one thing in common they are riddled with inconsistencies on the part of the profession. Common themes are 1 the lack of agreed upon job descriptions 2 the prominence of nonsensical job descriptions 3 the seemingly endless complaining about a lack of skills without defining skill requirements 4 the continued prominence of talent theft versus talent growth and 5 the prominence of myopic tactical approaches to the talent problem, focusing on the immediate needs of an organization but ignoring long term operational goals. There continues to be a cacophony of loud discussions on these themes without any change taking place, which has left us with a lack of credibility both within and outside the cybersecurity profession. If we want to get serious, truly serious about the cyber talent challenge, there are a handful of things that we need to do. 1. Map the terrain in response to our industry's complaints, as well as our misreading of the data, there are now a plethora of pathways for entry level candidates that are producing well in excess of the entry level opportunities that exist. The first step must be for us to delineate clearly what positions we consider to be entry level positions. Soc analyst, for example, comes to mind, or infosec security Specialist. Next, we need to reframe our message to talent creation organizations to focus on those entry level positions and the true quantity of opportunities available. This approach will most likely disappoint organizations and institutions who have invested time and resources in creating now bloated pipelines, but it remains disingenuous of us as a profession not to address this situation with candor. Lastly, we need to reset experience expectations for entry level candidates. As discussed in an earlier episode, we need to realize that entry level experience may be a combination of internships and other cyber related or IT work. If you're expecting new hires to have more than a year's experience, though, you're not looking for entry level candidates, but rather looking to steal experienced assets. 2. Create internal pathways for Cyber Talent Many organizations treat cyber talent like mercenaries who are there to perform a specific task. There are no clear pathways for promotion nor to expand one's capabilities by taking on other cyber roles within the security organization. Indeed, many companies and sadly many so called leaders within the cyber community are afraid to educate, train and promote their personnel for fear of losing a resource that is performing a specific task right now with this attitude, is it any wonder that talent tends to rotate out of organizations routinely? While promotion should never be automatic, it should always have a large merit component driving them. Holding resources back for fear of losing talent is a surefire way to, well, lose talent. Make sure your team understands all requirements for promotion, including skill levels, abilities and knowledge required, and that you are providing them opportunities to acquire the necessary tools to be considered for advancement. 3. Create consistency throughout your talent lifecycle this point has serious rant potential for me, so please bear with me. If I were to pick the one major source of our challenges, this would be it folks. I genuinely do not care which of the myriad opinions you hold regarding creating and advancing talent. I do care that for the most part, we are failing to walk the talk around our opinions. If you believe, for example, that we are more trade than profession, great. If that's the case, then stop recruiting for talent exclusively at colleges and universities and create interview processes that focus on knowledge and skill demonstration. If you believe that a good cyber professional needs solid IT experience before entering the field, also great. If that's the case, then adjust your starting salaries for junior cyber professionals to account for the additional years of experience and start creating programs with each in your organization to migrate IT professionals into cyber. If you believe the best way to acquire cyber folks is to grow them organically from anywhere within the company, that's wonderful. If that's the case, then you need to create the organic pathways and training programs to allow this to occur. In one of my former organizations, I propose creating a pathway for our customer care people to become entry level cyber professionals. These folks had already been vetted and hired as assets to the company. This initiative would give them a pathway to progress from holding a job to having a career. As an added bonus, since customer care staff tend to be more diversified than technology teams, it produced a mechanism to organically create more diverse organizations. If you believe that cybersecurity requires a degree, that's positively fantastic. If so, then you need to support the degree programs that are out there by providing meaningful internships, guest lecturing, or joining extended faculty in their degree programs and hiring graduates. Above all else though, you need to stop nattering about how it should be without also fighting to create the ecosystem that can get you there. Stop complaining about it and act rant over this season, we talked about the various pathways to entry into the cybersecurity arena and the advantages and disadvantages of each. We explored some of the misconceptions, prejudices and myopia cybersecurity leaders can cling to about these pathways. While there is no one right way to enter the the field, we've shown this season that there are some wrong ways, and those all center around the inconsistencies that we as cyber leaders promulgate in the environment. If we want to restore our credibility and arete, we badly need to standardize our definitions and expectations of cyber candidates and stop being so afraid of having to backfill positions. We refuse to educate, train and mentor our people. It's time to stop talking and start doing, in other words, deeds, not words. My two cents.

Ethan Cook (53:11)

Foreign.

Kim Jones (53:16)

Love to hear what you think of this season of CISO Perspectives, there's a link to share your perspectives with us via the survey in our show Notes. And that's a wrap for today's episode and for this season of CISO Perspectives. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one, and we couldn't do it without you. We're so grateful to have had you with us this season. From all of us here, thank you for listening. We look forward to bringing you more expert insights and meaningful discussions in the next season. This episode was edited by Ethan Cook with content strategy provided by Mayan Plot produced by Liz Stokes, executive produced by Jennifer Iban, and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next season. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.