A

You're listening to the cyberwire network.

B

Powered by n2k.

A

This exclusive N2K Pro Subscriber only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter building full stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure by design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com CISOP today to learn more and book your demo. That's M-E T E R.com CISOP. Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. This past season we've pulled the deep conversations out of the conference bar to tackle these complex issues from every conceivable angle. And throughout the season we've examined many of the challenges surrounding the cyber talent ecosystem. Today we ask the question but what do you really want? Let's get into it. On today's episode. I'm excited to sit down with Ed Vasco. Ed is the CEO at highwire Networks and has been a serial entrepreneur and successful CEO in the cybersecurity space for years. Today's conversation centers around examining what business leaders want from prospective cyber talent. As someone who has both hired security professionals and advised leadership on how to address talent needs, Ed is uniquely positioned to help us answer the question of what do you really want?

B

Tim, it's a pleasure to be here. Looking forward to the conversation.

A

Likewise. So you know, you and I have known each other for over two decades now, but my audience hasn't had the privilege. So take a few moments and tell them about Ed Vasco, if you would, please.

B

Sure, sure. I'm the CEO of Five Wire OpenWatch. We are a nationally focused MSSP about 1000 customers around the country. I've spent for the past 33 years as both a practitioner and five time CEO of different cybersecurity companies. I've worked across 12 of the 14 critical infrastructure sectors or critical sectors of the US economy and and really have a wonderful career talking to and working with people such as yourself, Ken, throughout the country and finding ultimately, I like to describe it, to keep the bad guy to pay.

A

Amen. Amen. It's that CEO experience and you've done some other things that I will probably bring up as we just, you know, have a conversation. But it's that CEO experience, Ed, that I want to hone in on a little bit for this conversation. You know, we've been talking a lot about the cyber talent ecosystem this season. In fact, this entire season's about the cyber talent ecosystem. And we've been looking at it from various angles, from certification to do we need college or not? But the one group that we haven't talked to yet are hiring executives. And given what you have done, you have seen lots of resumes cross your desk from entry level to mid tier to even senior executive to work for you. And you've supported CISOs in various sectors as hiring managers in helping them, among other things, solve some of their talent issues, et cetera. So what I really want to get into is let's cut all the noise out. What do you really want or looking for in talent? And let's start that from the entry level position. A brand new person who this is their first job, or they've only been in cyber for a year and are coming over, et cetera, and they put a resume in front of you. What do you want to see? What do you want to know, you know, to consider even giving them half a minute of your day to take an interview? Talk to me.

B

Yeah, no, it's a great, great question and it's a great segue. And I purposely didn't talk about one avenue of my career track because I think it was going to be very useful as kind of a story. My last business that I exited, I sold to private equity in 2018. And you know, we, we were national NSSP, you know, one of the top in the top in the country. And you're constantly looking for new, fresh cyber talent. And this was back in 2018 when I sold the business. But as we were building the business from 2008 to 2018, we were constantly looking for new avenues, new pipelines, new pathways of entry level students or entry level workers. And we were challenged, especially in that decade. We were challenged because many of these colleges and universities at that time frame did not have what I would call robust cyber programs. And so we were headquartered in Arizona. And I took this, I took the initiative at that time to go reach out to universities and colleges throughout the state and try to enable both internship pathways, apprenticeship pathways, and really try to lend a hand as it relates to curriculum, industry focused curriculum, so that ultimately not only my business, but, you know, the ecosystem within Arizona at least, would be bolstering through that kind of outreach and that kind of relationship. And what we kept finding consistently was that we would bring in the the best and brightest, most passionate cyber related talent throughout the state and consistently found that these students who wanted to get into this career path at an entry level still lack critical experience, critical training, critical understanding of the what and how to be successful. And so like many of my competition, like many operational socks and service providers such as myself, such as my former business, we went through the process of actually establishing an internal university of sorts. So we would take in fresh college grads, fresh interns, convert them to workers category level workers, and still put them through a six month training cycle and enable them to get certifications, enable them to get the necessary baseline training that they simply just weren't getting in their college experience or even just normal non college experience. After the acquisition of my last business, that got me thinking and it kept running through my mind with a passion. For me it was like, how can we ever expect as a country to really fight the fight that we need to and defend the nation the way we need to? If we didn't and couldn't get the workers out of our key education partners or even key education pathways, we couldn't simply get those workers to come in ready to fight. And if I use a military analogy and Kim, you'll correct me because I didn't ever have a chance to serve, I chose not to serve and you did. So you're going to correct me here. But effectively this would be like if we, if we relied upon basic training to give infantry, infantry soldiers an understanding of how to shoot a gun, how to crawl through muck and how to do certain kinds of basic things. And basic training was failing to produce the type of infantry we needed in, you know, on the battlefield. And that's effectively what we have and had in 2018. And I would still kind of continue to have the nation I want to

A

inject here before I lose this point or to ask a question of you, that is an absolutely fabulous analogy and so well done on your military analogy. So let me take it to the next step. It seems to me though, and we've had guests Here, you know, Dr. Lara Ferri, who is one of my guests as well, that part of the challenge here for those institutions in terms of providing what we supposedly want, is an understanding of what we want. You know, I know that at basic training I need them to be able to shoot this standard array of weapons out here. And if they can do that and understand what a salute report is and what mouth training is, is, et cetera, the acronyms don't matter. That that will meet the needs. Part of the challenge that we seem to see now is you ask 15 CISOs what we need and you get 457 different answers. And it seems that if I don't meet the answer that exactly what this particular individual wants, then the value proposition is considered limited. And you and I have been in rooms where people have said that. And I've talked to, you know, senior executives in security consulting firms who have said, you know, they leave college and they don't know how to do anything right, and therefore we don't yet won't define what it is you want them to do other than to run your specific tool. And we all understand that universities can't focus on running your specific tool versus understanding both the theory and being able to have the grounding to do that.

B

Right.

A

So I love the analogy, but how do we solve that, you know, even in an academic setting when we don't seem to know what the hell we want?

B

Yeah, that's a great, it's a great question and great piece to kind of next half of the of the story and I think the outcomes that were achieved and please. So as I mentioned, you know, I had this thesis, how do we improve the type of worker we're getting into a career path and into an entry level pathway. And so had the opportunity to depart the business after the acquisition and take on a different thesis. And that was again, how can we improve the pipeline of cyber workers coming into this career with a partnership with academia, I had a chance to go work with Boise State University in Boise, Idaho. They traditionally been known for their blue football field. And I was brought in to run an institute that focused on working with faculty, working with industry, most importantly working with our students to build out experiential pathways. What do I mean by that? Well, what it comes down to, and my thesis is straightforward, I think, and that is at the entry level. We've seen a real strong focus on both the degree pathway and on embedded certifications. So a student comes out with say an associate's or a bachelor's degree and they've got three to five industry Certs, Security, netplus, eh, so forth and so on. They got this Alphabet soup after the name and they would come in and they would conduct interviews. They'd go through the process of interviewing with my team, with myself, with other my peers and your peers, Kim, across the country. And inevitably what's lacking, the one thing that's lacking in that process is the third leg of the stool and the third leg of the Stool is experience. It's actual understanding and operational awareness of what needs to be done and how it needs to be done. Not lab. These aren't skills and knowledge and experience you gain in a lab because a lab is not real world. A lab allows you to reset the button, you know, press the reset button and reset the lab and get it right. Real world consequential experience is what, what's been missing, I would contend, in our career pipeline.

A

So let's, let's, let's double click on that then. Real world consequential experience. So there are a couple of things that, that seems to indicate. Well one, we need to talk about the definition of consequential and how that can vary amongst folks because in some cases consequential tends to mean focused experience within the particular area of cyber that I'm hiring you for. But there's also the piece that says. It seems that what that is saying is since the idea behind an educational pathway is to get the job, to get the experience that. Are we saying that there is no such thing as an entry level position in cyber because we expect that everyone comes in with some level of experience and if we're saying that, you know, then that's fine. But.

B

Yeah, yeah, well, talk to me. The, the sector metaphor and the workforce metaphor that I have aligned to is the medical, medical program, medical pathways.

A

Okay.

B

You know, we, we anticipate and expect our medical professionals to not only get lab, you know, and skill development through classrooms, skill development through labs where they're able to press that reset button and get the procedure correct, but their third

A

year is basically all working practical application.

B

That's exactly it. That's exactly right. And so ultimately what we're lacking in our academic structure throughout the country is a focus, or have been lacking, let me say it that way, have been lacking is a focus on that experiential pathway, that experiential learning so that they can apply the practical experience that they've received in lab and the knowledge that they've received through classes in a real world situation.

A

Let's double click on that. Not just on the academic side, but it's also worth remembering that that works because it is an expectation of the profession such that the hospitals that are looking to receive these new doctors understand that part of this process is you're going to take on an individual and, and put them to work doing real work. I have seen a reluctance and I'm wondering if you've seen the same reluctance amongst our cyber brethren. We still have Fortune 500 companies who, it's too hard. We don't want to take on the liability. If they do something wrong, then we're going to take the blame, et cetera, and don't want to do that. So is it just the academic side or if what you're saying conforms to what we collectively believe, why the hell aren't we doing it as a profession?

B

Well, and that's a great, that's a great question. And that actually kind of was one of the challenges of bringing experiential learning into the programs at Boynton State. But the realization epiphany for me was that just like in medical, medical space, we have training hospitals, we have training programs that so not all medical, not all hospitals and not all doctors offices except residents, you know, except residencies. There is, you know, there are a select number and it's by that selection process that the industry within the medical program gets, gets moved forward. And so there's this self selection. Most of these teaching hospitals are attached to a university. They are attached to, to combine the academic program and the experiential learning program. So I took the same kind of metaphor, same sort of alignments and said, well, the benefit I have here is that I'm attached into a university. They've given me the opportunity to build these kinds of platforms. Let's say in your experience as an operational cyber leader, would you be willing to allow early career professionals that opportunity to come in into a commercial sock or into an operational sock like you've run and have consequence? You know, I doubt you would. I realized, you know, you're the exception. But everybody else we've ever talked to across the country would typically say I'm not about to have entry level, not, not even level one animals. These are like level zero to level five animals. Into my sock could drive consequence.

A

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless and integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack zero trust networks from the ground up, with security at the core, at the edge and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn. Every layer is integrated, segmented and continuously protected through a single unified platform. And because METER provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to to learn more about the future of secure networking and book your demo. That's M e t e r.com CISOP. You as a CEO are breaking on experience. Not just knowledge, not just circs, but just, you know, real world, tangible, hardcore, constructive experience experience. You've created a model and at least created one example of a model where academia can create an environment to provide that experience, a la the medical model or analogy that you used earlier. And do it in a way that serves underserved communities within cyber by creating real world socs, providing information to smaller communities within the environment that provides real defense with real consequence within the environment. So there are a handful of questions that come up from that model. The first question is it, you know, that model seems to indicate that the pathway for doing this is through some type, not even for you, but some type of academic, higher institute of higher learning within the environment, which can fly in the face of some of the things that our community has supported again starting back in the 2000 teens in terms of migrating out of other job families into cyber boot camps within the environment, spot training within the environment to gain the skills that you need. So let's set the academic piece in terms of this model aside. But I'm going to push on the point and say based upon your model, do you believe that these other things that the profession the industry has been pushing on in the early days of oh my God, we have a talent shortage, are viable methods to transition to cyber.

B

So you know that at the heart of your, at the heart of your question that leads to the are we a technical field or are we a professional? Oh yeah, and I'm going to, I'm going to make the CEO decision and not waffle. I lean towards the idea. I mean, I expect that we are a profession that has technical representation. We have an opportunity to ensure that the pathways we create allow for people of not just diverse background, but diverse skills to engage in this field and achieve certain kinds of milestones at a career level. Is that to say that anybody, everybody should have a degree? No, but in the same fashion that not every single baseball, basketball, volleyball pick, the sport player plays at a professional Level, you have to recognize those professional players that do play at the professional level. Where is it that a high school orientation is going to take you to the professional.

A

Okay.

B

And so if we, we kind of align both of those aspects and you know, and I will not just lean, I'll be solidly be in the camp that says we're a profession. If we don't treat ourselves as a profession that has technical orientation, then we'll ultimately be relegated into a position that doesn't have business orientation, that doesn't have all the other things that. Kim, you know, I know you've talked about in other podcasts. We talked about for years. The interesting thing that we had when we set up the experiential Soc at Boise State and throughout Idaho was it served all of Idaho was that we engaged not just Boise State students, but we engaged two year community college students, we engaged master's degree students, we engaged other institutions of higher learning. So it wasn't just Boise State, but our community colleges, our other four year institutions across the state were able to join into this program. And we ultimately then had non profits that aligned to different communities. Service members that were military, service members that were transitioning back into civilian, into the civilian sphere, that didn't necessarily have degrees, but they had experience, wanted to come in and volunteer so that they could put on their resume that they had experience working in this particular environment. We welcomed them with open arms.

A

Okay, fantastic.

B

Yeah.

A

And I think that gets to. You've answered one of my follow on questions which would be if I don't necessarily have the opportunity to go to an institute of higher learning, how do I get that meaningful experience? And reflecting back on what I think you're saying is you've created something that was beyond just supporting Boise State. And by creating this entity, it created opportunities for other entities, academic or otherwise, to bring people in to give them that level of experience. Am I reflecting that back correctly?

B

Yeah. I mean, again, if I forgive the simple CEO metaphor because I'm the thick headed CEO and if you think about Dilbert, I'm the pointy haired boss, I'm the pointy hair, pointy ears boss, boss. So not only do I have an Etch A Sketch, you know, I have a rock and a. I have a rock and a piece of chalk, you know, so with that mindset in mind, you know, I look at it and say the simple metaphor is the best possible worker that we can get to enjoying this career path. Has to have the necessary knowledge from a classroom, has to have the necessary skills and certifications. The classroom being a degree pathway, has to have the necessary skills achieved through different labs or different certifications or whatever the case may be. And then ultimately the third leg of that stool is experience. They have to be able to have a place where they can apply that, that, that knowledge and skill development in a way that help industry hiring managers, myself, yourself, you know, our listeners across the country gain the awareness that this person in front of them actually can do the work that they're asking them to do.

A

So let me shift tax a little bit and given the model that you have implemented around the thesis that you have proposed, I have two challenges that I would love for you to address. One is the purple unicorn theory. We still have a lot of hiring managers and I know you've run into this when you were at Boise, I ran into it at Arizona State. In other words, in other places where you have hiring managers who will bluntly come out and say, well, what we're really looking for is a purple unicorn. And those aren't exceptions within our environment. So how do we as the profession we are break purple unicorn theory? That's one question. The other question is academia is slowly operative term being slowly beginning to look at the model that you have laid out. And you know as well as I do there are only a handful of schools that have even begun to embrace the model that you've put forth. And your success in that model was after three tries in other institutions to implement same and me being one of them. How do we as a profession persuade academia to adopt this model? And the caveat being the, and we've both seen this Ed. The model that exists in terms of reward and compensation in academia seems to differ from the one we're laying out. And by the way, as a profession we're hiring these graduates without them doing anything differently.

B

Yeah, no, great. So I would say enabling collaboration on a multi statewide basis. Taking the, taking the banner into different academic programs like academic accreditation and programs like the NSA center for Academic Excellence program. The good part, the good news out of all that and all this effort is that there is change occurring within the academic accreditation programs that the NSA is putting forward. There is now a need for showing how degree program, you know, accredited degree programs from the NSA actually do have a, an experiential alignment that the work being done in the classroom can be shown to potential employers. That this is the work that's being done can apply to your job or your job needs in the following fashion. And more importantly, enabling our students to be able to Communicate that in an effective fashion. So there is this kind of change occurring. And that's great news for us as an industry. The functional challenge that we have is that industry and the hiring managers and hiring executives across the country tend to look for those purple unicorns, like you said. And the real unfortunate challenge we face as a result of that is that there's not enough communication. Because cyber, unlike medical, unlike the medical profession, cyber has yet to codify itself. I would contend, and I would argue that we've yet to codify ourselves in a way that of that the medical program, medical degree and even like legal and accounting have, and the scenario and the metaphor I would use, the question I'd ask is, you know, would would any solid hiring manager or C suite executive across the country that work their salt go and simply go out on the suite and fate of somebody passing by, hey, I've got this contract issue. Can you take a look at it for me and give me a professional legal opinion? And the answer I know collectively would be no, that they wouldn't do that. Subsequently, the next question I'd ask is, would you turn around and go walk along the street and say, hey person, I'm passing by at random. I have this bleeding head wound. Let's say, can you help me fix it? The answer is probably, maybe you get the right person in both cases. Maybe you get a trained attorney, maybe you get a paralegal that could look at that contract, Maybe you get a medical professional help you with the gaping head wound. But more likely than not, you're trying to engage somebody who doesn't have the necessary experience, training and complication of skills necessary to give you a render a professional qualified perspective. And therein lies the challenge because we don't have that codification and that professionalization. Again, this concept back and forth. Are we a technical field or are we a profession? That's why I lean so hard on the fact that we need to be and will be and have to be a profession first. That by doing that and knowing that in this profession there are efforts, there are structures, there are methods that are now being undertaken at a national level for accreditation that aligns to the type of professional that can be developed at an entry level and come into this field, into this career, tracking at entry level with the experience mapping that it's on us as an industry, it's on our hiring organizations to demand that there's qualification of the people being hired and that the people being hired have appropriate experience.

A

So why don't we want to. Because I would contend that. You know, I agree with you on this one.

B

Yes.

A

And I understand the history behind it because I'm an old fart. But I would contend that there is still a very loud human cry within our big air quotes profession that doesn't want to do that. Why?

B

We're still young. We've got to recognize the fact that even at 40 or 50 years old, we're still young in comparison to the medical field.

A

And I got to push back a bit. Is it youth or is it youth or fear? Because remember, from a historical standpoint, you and I have had this conversation. The fear is that if we put requirements on because we didn't know what we needed, we would close off potential avenues for access and talent. Now, yes, we are still young in comparison, but we're not making aggressive moves as a profession. Even amongst the 500 Fortune 500 CISOs out there to actually standardize within the environment and where standardization is created. Everyone wants to tell or talk about how what they're doing is so different and so special, despite the fact that we're still solving different variations of the same problem that you and I have been fighting for over three decades. So there's a point here where I have to push as the cantankerous old fart and say youth makes a great excuse. I'm not sure it's a full reason anymore. Talk to me.

B

Well, I would probably, as a cantankerous old part myself, I would probably say that youth is larger than 50% reason. And I mean youth of industry. When you do the comparative analysis to medical, legal, accounting, you know, we're talking 50 years versus multiple, in some cases multiple centuries. You know, going so far back is, you know, Hippocrates and so forth. So you could, you know, Millennia.

A

Yeah.

B

The reality is that we have and are embedded in this aspect of uniqueness. Every single business is unique.

A

The only issue is that the level of impact has begun to increase. And why haven't we solved this problem? So that's a fair. That's a fair observation, Ed. You get the last word. What's the one thing you want to double down on or the one thing that you want to make sure our listeners hear from you or discuss that we haven't discussed yet?

B

Well, first and foremost, Kim, I can't thank you and your team enough. It's been a real pleasure. I'm. I hope what. The conversation has been helpful to your audience. Hope it invigorates some conversation across the country. And just a huge, huge thank you for the chance to sit down and chat. If I could wave a wand, if I could truly wave a magic wand and have structural impact, it'd be to actually create a key baby step that we need at a national level to achieve that metaphor. I've talked about the three legged stool and it's a recognition at the state, across all 50 states and all US territories that at the statewide level there's a huge opportunity in front of us to start tackling the workforce needs that we have. And that is through these kinds of experiential learning opportunities. The creation of statewide all of state socks that can actually employ and engage interested learners and do so in a way that those learners gain experience, become solid workers and solid career practitioners. If we start there and we start creating success there, that our commercial and employer communities and commercial socks and commercial pathways and operational pathways will start to recognize that this, this has success and has value and we can start turning this tide eventually in the war that we're effectively losing and have been losing for decades.

A

Yep, Ed, I really appreciate you giving us the time and the opportunity and your wisdom. Always good to talk to you brother. And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making sure shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the Show Notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook with content strategy provided by Mayon Plot produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliot Pelsman. I'm Kim Jones and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity. Meter builds full stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's N-E-T-E-R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all CyberWire listeners SA.