Unknown Sponsor Voice (11:54)

And now a word from our sponsor, KnowBefore. It's all connected and we're not talking conspiracy theories. When it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBefore, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBefore's security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35 vendor integrations and Counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity or web security vendors. Then coach your users at the moment the risky behavior occurs with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbefore.com SecurityCoach that's knowbefore.com SecurityCoach and we thank KnowBefore for sponsoring our show.

Dave Buettner (13:27)

And now a message from Black Cloak what's the easiest way for threat actors to bypass your company's cyber defenses targeting your executives at home? According to the latest Poneman Research study, over 42% of CISOs have reported cyberattacks on their executives in their personal lives. And this becomes your problem because executives are easy targets at home for account takeover, credential theft and reputational harm. Close the at home security gap with Black Cloak's Digital Executive Protection Platform award winning 247365 protection for executives and their families. Learn more at BlackCloakIO John France is Chief Information Security Officer at ISC2. I recently caught up with him for insights from the ISC2 2024 workforce study.

John France (14:30)

It's broadly opinion and some data combined to provide a view of not only the workforce, the potential needs for the workforce coming up and we call it the gap I. E. What's needed to secure versus what's currently available and also to look at the skills in there. And this year it's a treasure trove of sort of AI data as well because we ask some very specific questions around AI.

Dave Buettner (14:56)

Well let's use that as a Starting point here. Obviously AI is an ongoing hot topic. How are cybersecurity teams utilizing generative AI when it comes to workforce issues?

John France (15:12)

What the report highlighted is a little bit of a double edged sword really, which is we know it's pushed into our environment. In fact, generative AI has been around for a little over two years now since it hit the public consciousness with ChatGPT. And what we've seen as a profession is not only the proliferation of personal use and business use, but also AI in pretty much everything, in all the tooling that we use and the general workforce uses. So I think the double edged sword is, you know, it promises a lot, but it also comes with some risks. Those risks are things that we as cyber pros have to understand and have to cope with. And what it's really showing is we probably don't know enough. Maybe that's generally speaking true of anyone that uses AI, which is we know a little bit to be dangerous, but we really do have to look at what this might mean for our profession. You know, 50, 51% of the respondents to the survey said cyber security skills may become obsolete because of some of the AI evolution. Actually, I think what we'll find is some of our jobs will change fairly significantly when we get used to using AI and the tooling that we provide in the situations we find ourselves. So yeah, it's, it's definitely in the public consciousness, definitely in cyber pros consciousness. And obviously businesses want to use it for competitive advantage.

Dave Buettner (16:41)

I saw someone recently on social media saying that there are folks now who are specializing in helping folks format their resumes as to make them present themselves in the best possible way to the AIs that are analyzing them.

John France (16:58)

Interesting, I hadn't seen that. But yes, of course AI is used in lots of things and it can be used in selection and sifting. Interestingly, in the eu that may not be a use case you're allowed to do anymore because of the AI act, which is automatic decision making around people. So there are some regulatory pressure coming in there as well that might curb some of the use cases that it could be put to. But it's not surprising. And of course being a hot topic that it is, and candidates wanting to be appealing, it's going to be on the cv. What we're actually starting to see is, and what the survey backs up is we don't actually know kind of what the core skills in AI are likely to be. So we're seeing some of them actually going back to things like problem solving, teamwork, and collaboration, communication as some of the key skills that are coming through. Non technical in nature, but where technology is new, emergent, unsure. You can actually use a little bit of a fallback on some of those, I'm going to call them more business orientated skill sets. And that's what we're seeing coming through on the survey data.

Dave Buettner (18:10)

Yeah, it's one of the things that caught my eye when I was reading through the survey was that it highlights this shift towards prioritizing non technical skills. Can you unpack that for us? What is this trend you're seeing?

John France (18:24)

Yeah, so I think that the survey has two broad components. One is the needs of the workforce to secure where we see business going. That's the workforce gap. And then there's a skills gaps which is the skills required to do that. And this year is actually a very pronounced difference between the two. Not only do we not have enough people in the industry to fill those, but the people we do have may not be skilled in the correct areas. So part of that move towards more problem solving, teamwork, collaboration and communication is something that naturally means you're probably going to be a really good learner and actually you can cope with change. And we live in a world of change. So I think that's where we're starting to see those things come through as desired traits. The rest can be kind of learned and picked up. And actually I think it's another affectation of cybersecurity getting a little bit closer to the business. And actually when you get closer to the business, you need some of those skills to communicate, to understand, not only to understand what you're protecting and how to protect it, but actually explain why you're doing what you're doing. So I think it's a little bit of a lot of technical and quite a lot of, I'm going to call them interoperation with other business departments and units where these will really come to the fore and pay dividends.

Dave Buettner (19:55)

Yeah. Another thing that drew my attention was the report outlines how there's a significant portion of the new folks entering cybersecurity who are older, they're age 39 to 49. What does this indicate?

John France (20:13)

It's an interesting stat actually. I probably picked up on the same as you did and I was a little surprised by that. Wow. Wow. And to bust a myth, new entrant doesn't have to mean young. And in case about the data is actually showing that. Right, right. And what we might be seeing is some career changes coming into the profession, which is great to Be brutally honest, we need not only new entrants in, I'm going to call it the bottom end, maybe at the younger side, but we also really value career changes that come in and they bring different viewpoints and different skills from what they've previously been doing. And maybe that's why we're starting to see that age demographic up in that end. And maybe it is some of those where we've been interoperating with other bits of the business, they've become really keen to find out what we do and actually are moving over into our professions.

Dave Buettner (21:13)

Well, let's talk about some practical stuff here. I mean, when we're looking at certifications and standards, where do we stand with that? What's the importance of the certifications these days and what are considered some of the most valuable?

John France (21:28)

You know, without trying to be slightly neutral, standards and certifications are a really good mark of competence. In fact, obviously IC2 certifications are competence based, not just knowledge. So there are, and we come back to that sifting problem, which is how do you qualify? On first glance, certifications is one of those elements. If you maintained a certification and actually I use the word maintenance really, really keenly because it not only shows that you've achieved it, but you've actually maintained it. We have ongoing professional development requirements in our certifications, as do many others. So I think they're a good way, a good mark of knowing that you're getting a certain competence. And you know, if we take standards as well, not just of the standards of the people, but things like the NIST cybersecurity framework, et cetera, those are ways of obviously operating good sets of controls, known, repeatable, with good outcomes. So they absolutely have their place. They're not the be all and end all. You know, you can't just go and get a certain have done and say, yeah, I've made it. It is part of being a rounded individual, not only for proof points, professional development, but. And that's where we see some of these other skill sets come in. You know, good communicator, you know, curiosity, propensity to learn.

Dave Buettner (22:56)

But when you look at the report as a whole, what are the take homes for you? What are the words of wisdom here?

John France (23:03)

I think economic pressures, budget constraints and layoffs continue to challenge our profession. That challenge impacts the workforce satisfaction. Slight dip in that satisfaction rating and technology adoption is still fairly aggressive. So economic pressures are driving probably that lack of budget which is driving staffing challenges. So in fact, lack of budget replaced lack of qualified talent as the top staffing barrier. So we are definitely seeing that as a pressure. 25% observed some layoffs. That's up 3% from 2023. And nearly a third have seen fewer promotions. So that goes to that little bit of stagnation. That's number one. Economic pressures leading to staffing challenges through budget constraints. I think gaps in skills. 67% reported staffing shortages with 90% mitigating skills gap on their teams. That's the difference between I know I need to get someone in or get a person in, but actually saying there's a really big skills gap out in the market that I'm not finding what I'm really looking for. 64% viewed those shortages as more serious than the personal shortages. So, you know, even if I can't get people in, the access to skills is the key issue that they're dealing with now. Training and development is part solution to that. So there is some upside. Doesn't have to be formal. We'd love it to be in certain cases, but it can be just opportunistic and giving people the experiential component. And then finally that threat landscape, the environment we swim in is challenging. We've seen obviously conflicts in a number of regions that have digital components. That's driving uncertainty, uncertainty in the wider market as well as new and emergent technology sort of giving you something new to look at, specifically AI, which is, you know, I think not only is our profession but also the businesses are trying to fill the edges of where AI can be leveraged for best.

Dave Buettner (25:07)

That's John France, Chief Information security officer at ISC2. We'll have a link to the ISC2 2024 workforce study in our show Notes. Do you know the status of your compliance controls right now? Like right now we know that real time visibility is critical for security, but when it comes to our GRC programs we rely on point in time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the VANTA brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber. That's vanta.com cyber for $1,000. And finally, have you ever felt like you're under the spotlight while choosing how much to tip? You're not alone. Digital tipping systems with handheld devices or countertop screens displaying your selection are making tipping feel like a high stakes social performance. Researchers from the University of Richmond, studying TIP Surveillance analyzed 36,000 transactions and ran experiments with over 1100 participants to uncover its impact. The findings Being watched While tipping is bad for business, customers scrutinized during tipping were less likely to return or recommend a business. While privacy often made customers feel more generous, the eyes on you approach led to resentment and reduced loyalty. Interestingly, people enjoy being observed while donating to charity, but tipping feels more like an obligation than a choice. Businesses hoping to cash in on pressure tactics might be disappointed. The research revealed no clear link between surveillance and higher tip amounts. In fact, when tipping privately, customers tipped similar amounts but felt more in control, fostering positive experiences. With tipping expectations, skyrocketing companies need to strike a balance. Training employees to respect tipping privacy while ensuring fair wages could enhance customer loyalty and build a better reputation. Ultimately, the debate about tipping's future isn't just about dollars. It's about creating systems that protect workers, ensure fair pay, and foster a sense of goodwill. After all, tipping should leave everybody smiling, not sweating under the payment panopticon. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@the cyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast apps. Please also fill out the survey in the show notes or send an email to cyberwire2k.com we're privileged that N2K Cyberwire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K makes it easy for companies to optimize your biggest investment your people. We make you smarter about your teams while making your team smarter. Learn how@n2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Iban. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilpie is our publisher and I'm Dave Buettner. Thanks for listening. We'll see you back here tomorrow. Hey everybody, Dave here. I want to talk about our sponsor LegalZoom. You know, I started my first business back in the early 90s and oh what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row, all of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it Official today@legalzoom.com you can use promo code CYBERTEN to get 10% off any LegalZoom business information product, excluding subscriptions and renewals, that expires at the end of this year. Get everything you need from setup to success@legalzoom.com and use promo code CYBERTEN. That's legalzoom.com and promo code CYBER10. Legalzoom provides access to independent attorneys and self service tools. Legalzoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm LZ Legal Services llc.