Kim Jones
You're listening to the Cyberwire Network, powered by N2K.
Kim Jones
Welcome to CISO Perspectives. My name is Kim Jones and I am thrilled to be your host for this season's journey. Here we provide in-depth conversations and analysis of the complex issues and challenges, technological and otherwise, that the average CISO faces. We're bringing the deep conversations out of the conference, or more realistically, the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc. For our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. We've been complaining about talent issues for the better part of a decade, but our piecemeal solutions don't seem to be solving the problem.
Kim Jones
How do you gain experience in cyber without a job in cyber? As a reminder, this is the last episode of the season we're making available to everyone. Future CISO Perspectives episodes will be available only to CyberWire Pro subscribers. We're sharing insights, conversations and additional resources for every question we're exploring this season with our subscribers. If you haven't done so already, please head on over to thecyberwire.com/pro if you want to keep diving deep with us. And now on to the show. As a child, I remember watching an Armed Forces recruiting ad. A young man walked out of an office building after being rejected for a position at some company. When asked why he was turned down, he said, I didn't have any experience. His friend responded with the obvious question: how are you supposed to get experience when no one will give you a job? Over half a century later, it's ironic that my profession is struggling with the same problem, so stop me if you've heard this before. Many professionals acknowledge that there are shortages within the talent ecosystem. Some of the ways we address these shortages are to create multiple pathways for entry, such as boot camps, entry-level certifications, training programs, associate and bachelor's degree programs, et cetera. Candidates who graduate from these programs apply for entry-level positions within cybersecurity only to be rejected because they don't meet the experience requirements. Excuse me. I've spoken with dozens of hiring managers about this issue and the answers I've received are truly disheartening. It seems that hiring managers are more concerned about what you can do versus what you know, and the best way to prove the former is to have already done it. In their minds, the concept of a zero-experience entry-level role is an oxymoron. Adding insult to injury, there is no agreement on what type of experience and what duration is sufficient to make employers comfortable with new workers.
All of this leaves new candidates struggling to determine what is relevant or meaningful to employers. If they're lucky, they'll guess right and have an opportunity. If not, then they join the growing legions of folks who are disillusioned with the cyber profession. They believe us to be unfocused at best about what we are looking for, or disingenuous at worst. While I am a strong advocate for zero-experience entry-level positions, I also advocate embracing market realities, and the market is deciding based upon experience. Fair enough. Therefore, the professionals who have defined this market need to add clarity around (a) what types and quantity of experience are required and (b) what roles should be considered entry level. One approach would be to acknowledge that any entry-level cyber professional, regardless of role, must be extremely well versed in the technology stack. Even a governance and risk professional must understand this context to be effective in their role. One way to support this approach would be to require two to three years of demonstrated IT experience before moving into an entry-level security position. This would mean adjusting the hiring requirements and the associated pay scales. It would also situate cybersecurity to be placed back under the CIO, which might bring its own challenges and concerns. A second approach would involve eliminating the egoism about real-world experience. One example centers around collegiate experiences. There's so much rhetoric and debate around the role of academia that we've ignored how many institutions have implemented notable instances of realism into their curricula. Some examples: there are degree programs that offer courses on security operations where students use real-world open source tools to identify, respond to, and manage incidents for local municipalities. I teach governance, risk and compliance in another degree program.
The students' final project is to analyze a past breach using the NIST Cybersecurity Framework. Students must identify the control failures, map the control failings to the framework, recommend solutions, and, here's the fun part, brief their findings to a board of directors consisting of current and former CISOs. Lastly, many degree programs require at least one semester of real-world cybersecurity work, such as through an internship, to meet graduation requirements. How are these use cases less real than independently hacking? Who knows? In addition to those examples I mentioned, I remind folks that there are opportunities for volunteerism that can become additional experiences. Church groups, social clubs, volunteer organizations, and many small businesses would welcome someone who would be willing to do things like check and update the antivirus software on their machines, update and review firewall settings, or ensure their network routers are configured to be secure. These experiences add up. Even better, they help raise all boats by making some of the most vulnerable targets just slightly harder. Finally, we need to be realistic in our expectations around the amount of entry-level experience we should expect someone to have. If the probability of getting hired without experience is zero, then the experience obtained will be in somebody's free time as they are engaged in other activities. If in college, this may mean internships, but what about students working to put themselves through college? I once asked a hiring manager how they expected a 30-year-old career-transitioning woman with two kids to take eight weeks off for a non-paying internship. Needless to say, I didn't get an answer. I would suggest that requiring one or more years of experience is equally unreasonable. For a first gig, amassing a total of, say, three to six months of combined real-world experience seems like a fair approach. We can no longer afford our jury-rigged approach to hiring.
We're losing qualified, valuable candidates who have become disenchanted with the cyber profession and are making their displeasure known with disparate hiring requirements and unreasonable demands for experience for entry-level positions, or facing a potential shortfall within the next generation of cyber professionals. At a time when security has never been more critical, we need to come together as a profession to standardize hiring requirements, and the sooner we do it, the better off we'll be. My 2 cents.
Sponsor Voice
And now a word from our sponsor. SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users from breaches, malware and phishing to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.
This episode is brought to you by Chevy Silverado. When it's time for you to ditch the blacktop and head off road, do it in a truck that says no to nothing. In the Chevy Silverado Trail Boss, get the rugged capability of its Z71 suspension and 2-inch factory lift, plus impressive torque and towing capacity thanks to an available Duramax 3-liter turbo diesel engine. Where other trucks call it quits, you'll just be getting started. Visit chevy.com to learn more.
Kim Jones
On today's episode, I'm joined by Kathleen Smith, Chief Outreach Officer at ClearedJobs.net and co-host of the podcast Security Cleared, Who's Hiring and How. Kathleen's all about helping job seekers connect with opportunities. And today we're tackling a big question: how do you gain experience in cyber without a job in cyber? If you could tell my audience a bit about yourself, in terms of what you do, et cetera, I would love to hear it.
Kathleen Smith
Well, you know, it depends on which one of my backgrounds you want to hear about. So give them all to me. So, very excited to be invited to your table here to have a little discussion about one of my favorite topics. And so for the last, I'd say, 22 years, I have worked for a company called ClearedJobs.net. We are a job board and job fair company in the security cleared community. We are also veteran owned. Most of our staff are either veterans or military spouses, and we are very fortunate to have several who are both military spouses and veterans.
Kim Jones
As a West Point grad who spent over 10 years in and is married to a vet himself, I thank you and all of yours for all that you do.
Kathleen Smith
Well, thank you. I'm very honored to work among my colleagues, and in addition to running the events, the marketing, the content creation, the candidate engagement, the employer customer engagement, I always believe in giving back to the community. So I've done a variety of things in the community. One was, I'm one of the co-founders of an organization called RecruitDC. I then went on to help the DEFCON Career Village do something very similar. I spent about 5 years supporting 10 different BSides across the country doing their career tracks and career villages. I've been part of ISC2 running their career track for three years. So, excuse me, two years. So I might know a little bit about this topic. But as I said, I like to.
Kim Jones
Been around for about two days.
Kathleen Smith
Just a tad. Just a tad. So I really love that we believe we have a workforce challenge, and I really want to sort of push back on your white paper, please, by doing a little bit of background. So, you know, we talk about this being a really big gap, and when you look at all the numbers, and I just looked at CyberSeek about two minutes before we got on here, in the U.S. we supposedly have 450,000 open jobs in cybersecurity. How many jobs do you think we have open in health care in the U.S.? We have 2.1 million jobs open in health care. So I want to put that into perspective, because all we see in the media is all about this cybersecurity workforce challenge in security, which is very important. But there are the same challenges in any other industry, manufacturing.
Kim Jones
So I would push back on that a little bit. My cautionary tale, though I agree partially with what you're saying, is I get back to what Mark Twain says, three types of lies: lies, damn lies, and statistics. So in terms of raw number, I'm curious as to what is that as a percentage of all of the healthcare positions that are available, as compared to what the percentages are. Because at the end of the day, I don't know which percentage is higher, number lower. You're right, the raw numbers aren't as big. And then there's also a question as to whether those jobs are being repeated through CyberSeek because of how they pull the data. So I am prepared to agree that the talk track and the advertising track around the depth or breadth of the challenge within the talent ecosystem may be overblown. I would even go so far as to say it is probably overblown. My counterpoint tends to be, if it's 700,000 jobs or 70,000 jobs, the fact remains that we're not being consistent regarding what our requirements are and what we want for those jobs. So my challenge is less the how do I fill these numbers, but how do we create a level of consistency in terms of what we're communicating to people who want to get here, in terms of what we want and what we will accept in terms of getting it.
Kathleen Smith
So I'm going to take your same foundation there and push back on you in the sense that when we look at the Department of Labor Statistics, there is no category for cybersecurity in the Department of Labor Statistics. It includes pen testers, information system security managers, security architects, security analysts. So when you're asking me about what do we have as far as, you know, ground level, what is the experience? We don't even know which categories you're talking about. So that is what I'm just sort of saying, that we can't have a, you know, we have CyberSeek, we have the NICE framework. We have all of these frameworks, and they've been around for almost eight, nine years, and no one's using them, by the way.
Kim Jones
Yeah.
Kathleen Smith
So, you know, we know that there is experience needed. We, you know, to use the healthcare example again, we require people to have residencies. We have them be interns. We do a lot to make sure that someone who's gonna operate on a body has experience. Why are we not having that same thinking when we have people going in and looking at holistic security systems for our hospitals, for our government agencies, forever? I totally get, I totally get that people want to have entry-level positions. But this beating of the drum that we need to have them, and why hiring managers or program managers or companies are awful because they don't have entry-level positions. We have to remember program managers and hiring managers are responsible to their customers, their shareholders, their legal teams. They're responsible to all of that. If you can give them sort of a pass, like, hey, you can hire some entry-level people if you'll give us a pass on being able to maybe mess up every now and then.
Kim Jones
We talk about this beating of the drum. I'm going to paraphrase you with this beating of the drum regarding entry-level positions. My point is this. If we don't believe that entry-level positions are a thing, I can be absolutely okay with that. But we haven't said that collectively as a profession. In point of fact, we as a profession are the ones a decade ago who were kicking and screaming and railing that, looking at the projections, we don't have a path in, that we need to do this. If we've recognized that that is not the case, that's fine. Then, one, let's say so, and let's say so clearly, and let these other pathways that we helped create die on the vine. And then, two, say, okay, if we believe that, what is the pathway for someone interested in cyber to enter cyber? And if that pathway is go back under IT, if that pathway is like many of the cleared positions that I assume that you're looking for, that's fine. But our say-do, as we used to say in one of the companies I worked with, is disconnected. So if I'm unpacking your statement correctly, if your statement is that there shouldn't be entry-level positions or that there is no place for entry-level positions, I'm okay with that. But then we have to answer the other questions. So I guess my first question is, is that what you are saying? And if that is what you were saying, what are the pathways in the.
Kathleen Smith
Say-do quotient is very low, as you said, and I really love, and you're being generous. It's very low. It's very low. And I think that we came up with entry-level positions as a band-aid, and everyone sort of built their ship on that band-aid. And not only did organizations who created frameworks build their ship on that band-aid, many certifying organizations have built their ship on that band-aid. I believe we need to have a certain percentage be entry level. I think that that is a great place, but I don't think that we need to have this be the entire solution.
Kim Jones
Absolutely, yeah. What percentage, what positions, what industries?
Kathleen Smith
I think we should have about 10 to 15% be entry level, just like we do for many other industries. I think internships are great. I think that people going in and working at the military reserves is absolutely one of the best ways to go through. I think that there are a few solutions out there that are finally coming to the forefront, but I'm going to leave that for dessert rather than now. And I think that as far as entry-level positions are concerned, we don't have the right training within many companies on how to evaluate people's ability to fulfill those entry-level positions. Because when I flip this over to those candidates that I talk to going into those positions, they've been sold a bill of goods that they can make a six-figure salary if they got a cybersecurity job. And there are so many training programs and workshops out there that say, if you do my program, you'll be able to make six figures. I've gone to several collegiate programs asking people, so what do you want for your career? I want to go into cybersecurity. Okay. What part of cybersecurity are you passionate about? Cybersecurity.
Kim Jones
Okay. And first, I absolutely, positively, categorically agree, but I'm still going to press. You've restated the problem with the level of generica that we continue to do within cyber. As someone with your experience and knowledge base, I want your opinion. So what types of gigs for someone entering cyber should we be looking at as potential entry-level gigs, and then, understanding the nature of where we are right now, how would you solve it if you were king for a day? What things would we drop? What things would we do as sitting CISOs within the environment? Because again, one of the things I'm trying to bring to the forefront with this season is everything. Kathleen, everything you've said is absolutely correct. But I want to try and peel back on pieces of these to say, okay, let's frame solutions. So part of what you framed is, one, we are still talking to students and the public of cybersecurity as this monolithic thing. I agree with you, it's not. Two, we're talking to people that just want to get in cyber who don't understand what cyber is and haven't broken it down to those pieces. I have four of those conversations every single week with people coming in within the environment. Absolutely agree with it. So what I'm trying to get to is to say, okay, if you truly want to be entry level, what type of gigs are you looking at, where should those 10 to 15% sit? Is there truly a path for career transition within the environment, excluding the military path that's in the environment? And what should we be doing, to my fellow CISOs in the environment, in terms of figuring out, okay, what are we doing to exacerbate this problem, and what types of training, education, experience, other than sticking up your hand for Uncle Sam, should we be pointing them to?
Kathleen Smith
So I'm again going to reframe the question in a different way, because I saw some wonderful examples of what people were doing and I think that they should be replicated, which is, we were presenting, and I was presenting on entry-level jobs for cybersecurity, and someone in the back of the room said, I've been in the finance industry for 27 years. And I said, wonderful. I've reached the end of my career. My management came to me and asked me if I wanted to get involved in cybersecurity. And I wanted to get down and kiss his feet, because he knew finance, he knew the business, he knew the regulations, and they said, we will pay for your entire certification. So I'm not trying to say I don't want to talk about entry level. We can do it. And I'm just giving dessert before we've had salad. I'm just going to say, why are we not asking people who really love healthcare, who really love nuclear energy, who really love physical energy, who love any of these, and then asking them, do they want to move into the tech world, do they want to take that knowledge, that passion of supporting these various different industries, and then learn about the technology, the tech stack, for that?
Kim Jones
So unpacking that and reflecting that back, one of the solutions we should be looking for for creating cyber professionals, if we're talking about transition, is transitioning people who already understand the business or the profession that they are already in, and taking those resources and reframing them. Am I reading that correctly?
Kathleen Smith
Yes. The one thing, just to put the cherry on top on that one, if you're going to take a look at career development within the United States, within our industries, we have no definitive way of making someone move from one aspect of their career to the next, unless they move to another company, unless they move to another title, another salary, why are we not saying, let's keep our employees who love working for us right now and giving them career opportunities in tech and cybersecurity right now and provide the training for them? It's a much lower cost ratio than trying to find new people.
Kim Jones
So we started with pen testing as one potential entry-level pathway, and what we should be telling people to do if your son, daughter, someone came up and said, I want an entry-level cyber job, we suggest pen testing. And we suggest to them the attendance to some of the active events out there, the CTFs, the SANS training, et cetera, within the environment.
Kathleen Smith
Correct.
Kim Jones
Okay, fantastic. Many of those have a high cost to them and have a time commitment.
Kathleen Smith
I was about ready to say that. There are also several of them that are online. There are several of them that are virtual. There are over 1100 BSides worldwide, and they always have at least one kind of CTF or another. So those are things you can look at, and I just want to put a finer point on it. You know, we don't write that summer vacation report or that book report when we come back from a conference. I used to always do this whenever I would go to any strategic marketing conference. Before I got on the plane, when I was sitting in the airport lobby, I got my notebook out and I wrote down what I learned, what changed my mind, what really challenged my thoughts, who did I meet, how am I going to follow up with them? And I really think that doing that as, you know, a job seeker, as a professional, it is a really strong way to showcase to any future employer that you're really part of that experience, that you didn't just go there to go to the parties, that you went there to learn cutting-edge technology and that you went there to gain experience. And I would recommend that to any real-time worker. Now, if your employer is sending you to DEFCON or is sending you to RSA or one of the conferences, they're not going to ask for a report. But the next time that the budget comes through, they're going to look to cut that. So I would tell you to get that report out, walk in, say, you know what, I know you may not have time, but these are the five key things that I learned at this conference. And then you keep a copy of that for the next time you're up for your employee review. Because you say, I went to these six conferences, these are the things that I learned. And oh, by the way, I had four employee referrals from that.
Kim Jones
So yeah, I refer to what you're talking about, Kathleen, as portfolio management. We're saying the same thing in terms of I tell people who are in the profession as well as people coming into the profession that report becomes part of your portfolio, in addition to just what you put on the resume. It can, you know, that's the equivalent, I hate to use the terminology, but my wife is an artist and a writer so she's familiar with it, it's the equivalent of that artist or writer's portfolio to say this is the type of stuff that I have done, which is great. So again, how do we educate my peers to understand that? How do we fix that? And if that strays into companies need to train, again, let's just start in general from an okay, I've got this kid who can't afford to go to a four-year college yet is self-teaching, going to the CTFs, doing the volunteer work, building the portfolio, and comes in and says, I got all this stuff, I'm serious, and can't get an interview. How do we fix that?
Kathleen Smith
Well, you and I both know that you can tell 100 people the silver bullet and 99 of them will not take it.
Kim Jones
Amen.
Kathleen Smith
So I think we need to understand that we can. You know, I've been giving advice to employers and candidates for over 20 years. I can probably count on a few hands how many have really followed that. So I think we have to be really comfortable with the fact that not everyone's gonna listen. And they're probably going to go hire a consultant or, heaven forbid, hire one of those staffing firms that loves to beat up on recruiters, program managers and talent acquisition professionals. And that's their business model. That's what they sell. They sell fear, they sell anger, they sell revenge. So what do we do? I think that we find two or three people who are willing to do this hard work and change the thinking methodology. I think it's gonna be by example, it really is. And it's finding two or three people who are gonna do it. I mean, we can go on the conference circuit and tell everyone how to do this, and they're not gonna follow us.
Kim Jones
And I am going to ask for as close to a yes or no as you're comfortable giving. Given the scenario that you've set and given the things you've talked about, it almost sounds like what we're saying is other than within a particular company, the ability for a mid career transition for someone coming from X into cyber should be considered at best an anomaly, at worst a myth.
Kathleen Smith
I think it's a rarity, and I think once it becomes more acceptable by CISOs and by the C-suites that they can retrain their own professionals to be their cybersecurity workforce, that will grow exponentially. And as I said, I saw this one company do it six months ago within the cleared community, and now I know of at least three or four others. We have to realize that we're already doing this. I mean, you already know professionals who started as pen testers and then went on to other aspects of their career. And I go back to what is your passion? I mean, one thing that I love about cybersecurity is it's a passionate industry. It is not this boring. But, you know, everyone has a different passion. But if you have a passion for something and then you want to put another layer on it with cybersecurity, well, we are going to have one fulfilled, one happy workforce. But we need to facilitate that. And to facilitate that, it is a retraining not only on the professional side, but also on the management side. And we do realize you and I have many friends within the industry who have absolutely no problem hiring people. Yeah, we know tons of them. And so we need to look at that example. They've got charismatic teams. They've got teams that are out in the community. They're doing cool stuff. They're giving back by doing reports.
Kim Jones
The question that I would ask is, the companies that are not having a problem recruiting, are they growing or are they stealing?
Kathleen Smith
Oh, they're growing. They're growing. They're not stealing.
Kim Jones
They're growing their own cyber professionals internally. They're bringing in people who do not have past experience within the area and growing them accordingly. They're creating pipelines of talent that people can continue to grow and stay within the community. And they're below the size of Global 1000 or Defense, which, by the way, statistically most companies are.
Kathleen Smith
Right, right.
Kim Jones
Yeah.
Kathleen Smith
You and I both tripped over the growing. So you were using growing as my solution that I had stated for the cybersecurity workforce, and I was using growing that these are growing companies. Oh, okay.
Kim Jones
Yeah.
Kathleen Smith
Versus, were they stealing from other companies? And what I'm trying to clarify is that these are growing companies. They're not actively recruiting and stealing people from other companies. People are walking to them and saying, we would much rather work for you than work for our own company. As far as growing internally, yeah, it's just something that I've heard, and I know it's going to take off.
Kim Jones
What is the one thing that we haven't talked about that you would like to talk about relating to this topic?
Kathleen Smith
I think that the one thing that we touched on, but I would like to just reiterate, is career development. I think that, as I said, we've seen it across industries, you know, in the United States, because I know in Europe, they're very different as far as their career development strategies from the CISO suite. If you're looking to build your workforce, really sit down and try to think within your own company: what would be the development, what would be the career track from your entry-level person to your seat, or to a seat that sits next to you at the executive table? And how can you craft that within your organization? Because that is the way you can solve the problem. Put your own knowledge, your own experience, your own education, and then walk the floor. I bet you'll find at least two or three people who would be really interested in having a cup of coffee with you to say, hey, if you wanted to stay at this company for the next five to eight years, which is forever in American terminology as far as careers, ask them what they want to do next, help them to map it through, and then talk to their manager and talk to your recruiting team to make sure that those steps are put in place. And I'll bet you by the end of the year you will have 10 new people in your cybersecurity team.
Kim Jones
Been there, done that. Believe in it wholeheartedly. Kathleen, it has been a joy to get to know you. It has been a joy to have you here. Thank you for sharing your insights. I really appreciate it. Thank you so much.
Kathleen Smith
Thank you, Kim.
Kim Jones
And that concludes our episode for today. Thank you all for tuning in and joining me and Kathleen as we talked about gaining experience in our profession. Before signing off, a reminder that this is the final episode of the season available to everyone. The rest of the season will be available exclusively to our N2K Pro subscribers. If you'd like to continue following the conversation and access the full season as we continue to explore the cyber talent ecosystem, head on over to thecyberwire.com/pro to learn more about becoming a Pro subscriber. That's T-H-E-C-Y-B-E-R-W-I-R-E, all one word, dot com slash pro. There's a link in the show notes. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design and original music by Elliott Peltzman. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. Thanks for listening.
Sponsor Voice
Traditional pen testing is resource intensive, slow and expensive, providing only a point-in-time snapshot of your application's security, leaving it vulnerable between development cycles. Automated scanners alone are unreliable in detecting faults within application logic and critical vulnerabilities. Outpost24's continuous pen testing as a service solution offers year-round protection with recurring manual penetration testing conducted by CREST-certified pentesters, allowing you to stay ahead of threats and ensure your web applications are always secure.
CyberWire Daily: Episode Summary
Title: How do you gain “experience” in cyber without a job in cyber? [CISO Perspectives]
Host/Author: N2K Networks
Release Date: May 1, 2025
In the latest episode of CyberWire Daily, hosted by Kim Jones and featuring guest Kathleen Smith, Chief Outreach Officer at ClearedJobs.net and co-host of the podcast Security Cleared, the discussion delves deep into the perennial challenge within the cybersecurity industry: how aspiring professionals can gain relevant experience without already holding a cybersecurity position. This episode, the final installment of the season's arc on the cyber talent ecosystem, unpacks the complexities of entry-level barriers and explores potential pathways to bridge the experience gap.
Kim Jones opens the episode by recounting the persistent talent shortages in the cybersecurity field, a concern the profession has been voicing for the better part of a decade. He recalls an Armed Forces recruiting ad from his childhood about a young man who cannot get a job without experience and cannot get experience without a job, and notes the irony that, over half a century later, the cyber profession is stuck on the same question.
Kim Jones [00:09]:
"As a child, I remember watching an Armed Forces recruiting ad... it's ironic that my profession is struggling with the same problem."
He underscores that despite the proliferation of boot camps, certifications, training programs, and degree courses, candidates are routinely rejected from entry-level positions for not meeting experience requirements. The result is a catch-22: the experience needed to get the job can only be gained by holding one.
Host and guest then take up the perception among many hiring managers that an entry-level cybersecurity position is an oxymoron. Kim Jones pushes back on the idea that entry-level roles are useless, suggesting that a small share (10-15%) of roles can serve as a crucial on-ramp without being the sole solution to the talent gap.
Kim Jones [18:51]:
"We have to have a certain percentage be entry level. I think that is a great place, but I don't think that we need to have this be the entire solution."
However, Kathleen Smith remains critical of the current state, arguing that lack of consistency in hiring requirements and unclear definitions of "experience" leave candidates confused and deter potential entrants from pursuing careers in cybersecurity.
Kathleen Smith [15:00]:
"We're not being consistent regarding what our requirements are and what we want for those jobs."
This inconsistency not only hampers job seekers but also contributes to disillusionment within the cybersecurity community, potentially exacerbating the talent shortage as qualified individuals become discouraged.
The conversation shifts toward actionable solutions to mitigate the experience dilemma:
Enhancing Educational Programs with Real-World Applications:
Kathleen Smith [12:27]:
"These experiences add up even better. They help raise all boats by making some of the most vulnerable targets just slightly harder."
Leveraging Volunteer Opportunities:
Transitioning Professionals from Other Industries:
Kim Jones [24:50]:
"Why are we not asking people who really love healthcare... and then asking them, do they want to move into the tech world, do they want to take that knowledge, that passion of supporting these various different industries and then learn about the technology, the tech stack, for that?"
Internal Career Development:
Kathleen Smith [34:04]:
"If you're looking to build your workforce, really sit down and try to think within your own company. What would be the development? What would be the career track..."
Notable Quotes:
Kim Jones [00:09]:
"...how do you gain experience in cyber without a job in cyber?"
Kim Jones [15:49]:
"Why are we not having that same thinking when we have people going in and looking at holistic security systems for our hospitals, for our government agencies forever?"
Kathleen Smith [18:51]:
"Is the ability for a mid-career transition for someone coming from X into cyber should be considered at best an anomaly, at worst a myth."
Kathleen Smith [32:40]:
"...career development."
The episode wraps up with host and guest acknowledging the complexity of the issue and the absence of a one-size-fits-all solution. Kathleen Smith and Kim Jones agree that while entry-level positions alone cannot resolve the cybersecurity talent shortage, they play a vital role when combined with other strategies such as educational reforms, volunteerism, and internal career development.
Kim Jones advocates a multi-faceted approach and urges the profession to agree on what it is actually hiring for:
Kim Jones [35:30]:
"...we're losing qualified, valuable candidates who have become disenchanted with the cyber profession... we need to come together as a profession to standardize hiring requirements and the sooner we do it, the better off we'll be."
Kathleen Smith echoes this sentiment, emphasizing that building a portfolio of work and being able to demonstrate skills in practice are essential tools for job seekers who want to stand out in a competitive market.
The episode underscores the urgency of addressing the cyber talent ecosystem as a whole: the industry must evolve its hiring practices, educational pathways, and internal development programs to cultivate a robust and versatile workforce. Taken together, the strategies discussed offer a path to easing the current shortage while building a more inclusive and dynamic field for future professionals.
Notable Contributors:
Kim Jones (host, CISO Perspectives); Kathleen Smith (guest; Chief Outreach Officer at ClearedJobs.net and co-host of the Security Cleared podcast). Production credits as given in the episode: Ethan Cook (editing), Mayan Plout (content strategy), Liz Stokes (producer), Jennifer Ivan (executive producer), Elliot Peltzman (mixing, sound design and original music).
This summary captures the key discussions and insights from the CyberWire Daily episode on gaining cybersecurity experience without prior employment in the field. For a deeper dive and access to exclusive content, consider subscribing to CyberWire Pro.