CyberWire Daily — CISO Perspectives
Episode: "But what do you really want?"
Host: Kim Jones
Guest: Ed Vasko, CEO, HighWire Networks
Date: March 24, 2026
Overview
This episode of CISO Perspectives explores a central question facing the cybersecurity industry: What do hiring executives truly want from prospective cyber talent? Host Kim Jones sits down with Ed Vasko, veteran CEO and cybersecurity leader, to unpack the persistent challenges in cyber talent pipelines, the disconnect between academia and industry, and the elusive qualities leaders seek in both entry-level and experienced hires. Together, they dissect the expectations, obstacles, and possible pathways toward building a stronger, more professional cyber workforce.
Key Discussion Points and Insights
1. The Cyber Talent Ecosystem: Gaps and Realities
- Challenge of Identifying True Needs:
- The profession struggles to articulate and codify what it actually wants in cyber talent. Industry leaders often give wildly divergent answers when asked about entry-level requirements.
- Kim Jones:
"You ask 15 CISOs what we need and you get 457 different answers." (11:06)
- Academic Disconnection:
- Universities historically lacked sufficient programs to prepare graduates for real-world cyber roles; consequently, businesses like Ed’s built their own internal training academies.
- Ed Vasko:
"We were constantly looking for new avenues, new pipelines, new pathways of entry level students or entry level workers... what we kept finding consistently was that these students... still lack critical experience, critical training, critical understanding of the what and how to be successful." (05:20)
2. The Three-Legged Stool: Knowledge, Skills, and Experience
- Degrees and Certifications Aren’t Enough:
- Possessing academic credentials and certifications does not guarantee operational readiness.
- Vasko points to the missing “third leg”: actual, consequential, real-world experience.
- Vasko:
"The one thing that's lacking in that process is the third leg of the stool... It's actual understanding and operational awareness of what needs to be done and how it needs to be done. Not lab. These aren't skills and knowledge and experience you gain in a lab because a lab is not real world." (13:25)
- Medical Model as an Analogy:
- Entry into cybersecurity should mirror the clinical rotation model in medical education, where “consequential” experience is gained under supervision but with real stakes.
- Vasko:
"We anticipate and expect our medical professionals to not only get lab... but their third year is basically all working practical application." (15:41)
3. Barriers to Experiential Learning in Cybersecurity
- Reluctance in Industry:
- Many enterprises resist granting real-world experience to early career professionals out of fear—of mistakes, liability, or operational risk.
- Vasko:
"I doubt you would. I realized, you know, you're the exception. But everybody else we've ever talked to... would typically say I'm not about to have entry level, not, not even level one animals. These are like level zero to level five animals. Into my SOC could drive consequence." (18:18)
- Building Academic-Industry Alliances:
- At Boise State, Vasko integrated live, operational SOC work as part of education, collaborating with students across institutions, as well as transitioning veterans and job changers.
- Vasko:
"We engaged not just Boise State students, but we engaged two year community college students, we engaged master's degree students, we engaged other institutions of higher learning... Service members that were transitioning... wanted to come in and volunteer so that they could put on their resume that they had experience working in this environment. We welcomed them with open arms." (25:35)
4. Pathways Beyond Academia
- Bootcamps, Spot-Training, and Lateral Entry:
- The profession has supported cyber boot camps and non-degree training, but there’s tension between being a technical field versus a true profession.
- Vasko’s stance: Cybersecurity is a profession that incorporates technical skills, and pathways must ensure high standards—not just open doors for accessibility.
- Vasko:
"If we don't treat ourselves as a profession that has technical orientation, then we'll ultimately be relegated into a position that doesn't have business orientation, that doesn't have all the other things that... we've talked about for years." (25:40)
- The Three Essential Pillars for a Cyber Candidate:
- Knowledge (classroom or degree-based learning)
- Skills (certifications, labs)
- Real-world experience (applied, consequential work)
- Vasko:
"The best possible worker... has to have the necessary knowledge from a classroom, has to have the necessary skills... and then ultimately the third leg... is experience." (27:47)
5. Breaking the 'Purple Unicorn' Syndrome
- Unreasonable Hiring Expectations:
- Many hiring managers wish for "purple unicorns"—candidates with niche, unattainable blends of skills, experience, and certifications.
- Jones:
"In other words, in other places where you have hiring managers who will bluntly come out and say, well, what we're really looking for is a purple unicorn." (29:12)
- Moving Academia Forward:
- Academia is slow to adopt experiential models, partially because current reward structures do not incentivize change, and because the industry often hires graduates regardless.
- Vasko:
"The model that exists in terms of reward and compensation in academia seems to differ from the one we're laying out. And... as a profession we're hiring these graduates without them doing anything differently." (30:00)
6. Path to Professionalization and Standardization
- Toward Codification:
- The cyber field is not yet codified or standardized like medicine or law.
- Vasko:
"We’ve yet to codify ourselves in a way that the medical program, medical degree and even... legal and accounting have." (32:34)
- Role of Accreditation Bodies:
- The NSA and other organizations are making encouraging progress toward embedding experiential learning in academic accreditation, but the process is nascent.
- Industry’s Responsibility:
- Vasko urges greater demand from industry for defined qualifications linked to real, consequential experience.
7. Is It Youth or Fear Holding Us Back?
- Why the Resistance to Standards?
- Jones challenges the notion that it’s industry “youth”; perhaps it’s also fear of locking out diverse talent by imposing standards too soon:
“...there is still a very loud human cry within our big air quotes profession that doesn't want to do that. Why?” (35:56)
- Vasko mostly attributes it to youth and lack of maturation, but acknowledges the self-perpetuating uniqueness narrative:
"Every single business is unique." (38:00)
Notable Quotes & Memorable Moments
- On Entry-Level Expectations:
"We went through the process of actually establishing an internal university of sorts. So we would take in fresh college grads... and still put them through a six month training cycle... that they simply just weren't getting in their college experience."
— Ed Vasko (06:35)
- On Industry-Academic Alignment:
"Ultimately what we're lacking in our academic structure throughout the country is a focus... on that experiential pathway, that experiential learning so that they can apply the practical experience that they've received in lab and the knowledge that they've received through classes in a real world situation."
— Ed Vasko (16:05)
- On Why the Profession Avoids Standardization:
"We’re still young. We've got to recognize the fact that even at 40 or 50 years old, we're still young in comparison to the medical field."
— Ed Vasko (36:11)
Key Timestamps
- 00:11–05:20 — Introduction & Ed Vasko’s career background
- 05:20–09:42 — The enduring skills & experience gap in entry-level hires
- 09:42–16:31 — Why academic programs struggle, and the “real world” experience problem
- 16:31–19:56 — Reluctance by industry to provide “consequential” experience
- 23:50–27:42 — Is cyber a technical field or a profession? Models for training the workforce
- 29:04–31:07 — Addressing the “purple unicorn” problem and academia’s slow adoption
- 31:07–38:34 — Codification, standardization, and why cyber repeats decades-old mistakes
- 38:34–End — Final thoughts: Building a modern cyber workforce via statewide experiential programs
Final Takeaways & Key Recommendations
- Cyber is a Profession in Need of Professionalization:
The pathway to robust cyber talent requires formal, codified standards and recognition as a profession—with technical orientation, not just technical skills.
- Experiential, Consequential Learning is Essential:
Degrees and certifications must be paired with hands-on, real-world, consequential experience. Modeled after medical training, entry-level cyber workers need supervised, impactful work exposure.
- Industry Must Lead in Demanding and Defining Standards:
Progress in academia and training will only accelerate if industry stops hiring on incomplete metrics and insists on the three-legged stool approach—knowledge, skills, and experience.
- Widespread, Multi-institutional Collaboration Is the Way Forward:
Vasko advocates for creating statewide experiential learning SOCs, inclusive of students, transitioning pros, and community groups, to model scalable workforce pipelines.
- We Must Overcome Our Own Excuses:
Whether the resistance is due to youth or fear, the time is now for the field to mature—standardizing expectations, aligning with academia, and ensuring everyone knows what’s truly wanted.
Closing Quote
“If I could wave a magic wand and have structural impact, it'd be to actually create a key baby step that we need at a national level... through these kinds of experiential learning opportunities. The creation of statewide all-of-state SOCs that can actually employ and engage interested learners and do so in a way that those learners gain experience, become solid workers and solid career practitioners. If we start there... we can start turning this tide eventually in the war that we're effectively losing and have been losing for decades.” — Ed Vasko (38:34)
For deeper resources and related discussion, see the CISO Perspectives blog linked in the episode show notes.