CyberWire Daily: Episode Summary
Title: How do you gain “experience” in cyber without a job in cyber? [CISO Perspectives]
Host/Author: N2K Networks
Release Date: May 1, 2025
Introduction
In the latest episode of CyberWire Daily, hosted by Kim Jones and featuring guest Kathleen Smith, Chief Outreach Officer at ClearedJobs.net and co-host of the podcast Security Cleared, the discussion delves deep into the perennial challenge within the cybersecurity industry: how aspiring professionals can gain relevant experience without already holding a cybersecurity position. This episode, the final installment of the season's arc on the cyber talent ecosystem, unpacks the complexities of entry-level barriers and explores potential pathways to bridge the experience gap.
Talent Shortage in Cybersecurity
Kathleen Smith opens the conversation by highlighting the persistent talent shortages in the cybersecurity field—a concern echoed by many industry professionals over the past decade. She draws a poignant parallel to a recruiting ad she recalls from her childhood, emphasizing the irony of the cyber profession struggling with the very problem many other industries have overcome: gaining initial experience.
Kathleen Smith [00:09]:
"As a child, I remember watching an Armed Forces recruiting ad... it’s ironic that my profession is struggling with the same problem."
She underscores that despite the proliferation of boot camps, certifications, training programs, and degree courses, candidates often face rejection from entry-level positions due to stringent experience requirements. This creates a catch-22 situation where gaining the necessary experience to secure a job becomes increasingly difficult.
Challenges with Entry-Level Positions
Both hosts delve into the issue of entry-level positions in cybersecurity being perceived as an oxymoron by many hiring managers. Kim Jones challenges the notion that entry-level positions are entirely ineffective, suggesting that a small percentage (10-15%) of such roles can serve as a crucial stepping stone without being the sole solution to the talent gap.
Kim Jones [18:51]:
"We have to have a certain percentage be entry level. I think that is a great place, but I don't think that we need to have this be the entire solution."
However, Kathleen Smith remains critical of the current state, arguing that lack of consistency in hiring requirements and unclear definitions of "experience" leave candidates confused and deter potential entrants from pursuing careers in cybersecurity.
Kathleen Smith [15:00]:
"We're not being consistent regarding what our requirements are and what we want for those jobs."
This inconsistency not only hampers job seekers but also contributes to disillusionment within the cybersecurity community, potentially exacerbating the talent shortage as qualified individuals become discouraged.
Proposed Solutions to Bridge the Experience Gap
The conversation shifts toward actionable solutions to mitigate the experience dilemma:
- Enhancing Educational Programs with Real-World Applications:
  - Kathleen highlights how certain academic institutions integrate practical experiences into their curricula, such as:
    - Security Operations Courses: Utilizing open-source tools to manage real incidents for local municipalities.
    - Governance, Risk, and Compliance Projects: Analyzing past breaches using frameworks like NIST and presenting findings to simulated boards.
    - Mandatory Internships: Requiring students to complete cybersecurity-related internships as part of their degree requirements.
Kathleen Smith [12:27]:
"These experiences add up even better. They help raise all boats by making some of the most vulnerable targets just slightly harder."
- Leveraging Volunteer Opportunities:
  - Encouraging participation in volunteer roles with organizations, such as:
    - Church Groups
    - Social Clubs
    - Small Businesses
  - Tasks may include updating antivirus software, reviewing firewall settings, or securing network routers.
- Transitioning Professionals from Other Industries:
  - Kim Jones emphasizes the value of transferring skills from other sectors into cybersecurity. By recruiting individuals with experience in fields like finance, healthcare, or energy, companies can utilize their domain knowledge while providing cybersecurity-specific training.
Kim Jones [24:50]:
"Why are we not asking people who really love healthcare... and then asking them, do they want to move into the tech world, do they want to take that knowledge, that passion of supporting these various different industries and then learn about the technology, the tech stack, for that?"
- Internal Career Development:
  - Promoting career development within organizations to retain and cultivate existing employees interested in transitioning to cybersecurity roles. This includes:
    - Mentorship Programs
    - Clear Career Tracks
    - Regular Skill Assessments and Training
Kim Jones [34:04]:
"If you're looking to build your workforce, really sit down and try to think within your own company. What would be the development? What would be the career track..."
Notable Quotes with Timestamps
- Kathleen Smith [00:09]:
  "...how do you gain experience in cyber without a job in cyber?"
- Kim Jones [15:49]:
  "Why are we not having that same thinking when we have people going in and looking at holistic security systems for our hospitals, for our government agencies forever?"
- Kathleen Smith [18:51]:
  "Is the ability for a mid-career transition for someone coming from X into cyber should be considered at best an anomaly, at worst a myth."
- Kim Jones [32:40]:
  "...career development."
Insights and Conclusions
The episode wraps up with both hosts acknowledging the complexity of the issue and the lack of a one-size-fits-all solution. Kathleen Smith and Kim Jones agree that while entry-level positions alone cannot resolve the cybersecurity talent shortage, they play a vital role when combined with other strategies such as educational reforms, volunteerism, and internal career development.
Kim Jones advocates for a multi-faceted approach, urging cybersecurity leaders to:
- Standardize Hiring Requirements: Creating clear and consistent criteria for what constitutes relevant experience.
- Foster Internal Talent Growth: Investing in current employees' professional development to naturally expand the cybersecurity workforce.
- Encourage Cross-Industry Transitions: Recognizing and validating skills from other sectors to enrich the cybersecurity domain.
Kim Jones [35:30]:
"...we're losing qualified, valuable candidates who have become disenchanted with the cyber profession... we need to come together as a profession to standardize hiring requirements and the sooner we do it, the better off we'll be."
Kathleen Smith echoes this sentiment, emphasizing the importance of portfolio management and practical demonstrations of skills as essential tools for job seekers to differentiate themselves in a competitive market.
Final Thoughts
This episode underscores the urgency of addressing the cyber talent ecosystem comprehensively. As cybersecurity remains a critical component of organizational security, the industry must evolve its hiring practices, educational pathways, and internal development programs to cultivate a robust and versatile workforce. By implementing the discussed strategies, the cybersecurity community can hope to not only alleviate the current talent shortage but also build a more inclusive and dynamic field for future professionals.
Notable Contributors:
- Kim Jones: Host and industry expert with over 22 years in cybersecurity staffing and community engagement.
- Kathleen Smith: Chief Outreach Officer at ClearedJobs.net, with extensive experience in recruiting and mentoring cybersecurity professionals.
This summary encapsulates the key discussions and insights from the CyberWire Daily episode on gaining cybersecurity experience without prior employment in the field. For a deeper dive and access to exclusive content, consider subscribing to CyberWire Pro.