Kim Jones
You're listening to the Cyberwire network. Powered by N2K.
Susan Ettlinger
The PC gave us computing power at home. The Internet connected us, and mobile let us do it pretty much anywhere. Now, generative AI lets us communicate with technology in our own language, using our own senses. But figuring it all out when you're living through it is a totally different story. Welcome to Leading the Shift, a new podcast for Microsoft Azure. I'm your host, Susan Ettlinger. In each episode, leaders will share what they're learning to help you navigate all this change with confidence. Please join us, listen and subscribe wherever you get your podcasts.
State Farm
This episode is brought to you by State Farm. You might say all kinds of stuff when things go wrong, but these are the words you really need to remember. Like a good neighbor, State Farm is there. They've got options to fit your unique insurance needs, meaning you can talk to your agent to choose the coverage you need, have coverage options to protect the things you value most, file a claim right on the State Farm mobile app, and even reach a real person when you need to talk to someone. Like a good neighbor, State Farm is there.
Kim Jones
So if I were asked to describe this podcast in one word, that word would be depth. There are more than a handful of complex issues and challenges, technological and otherwise, that plague the average CISO. In many cases, we only hear about these issues during brief sessions during a conference, or more often, around the bar after the conference is over. Speakers and podcasters try to address these problems with short sound bites and incomplete solutions that address only one facet of the issue. At CISO Perspectives, we take a different approach. We tackle a single, complex issue over a multi-episode arc, looking at the issue from every conceivable angle. We bring in subject matter experts to discuss and debate the aspects of the issues on every episode with concrete recommendations that, taken together, present a strategic approach to solutioning the problem. Welcome to CISO Perspectives. My name is Kim Jones and I am thrilled to be your host for this season's journey. For our inaugural season, we've chosen to address the challenges surrounding the cyber talent ecosystem. As a profession, we've been complaining about talent issues for the better part of a decade, but our piecemeal, unidimensional solutions don't seem to be solving the problem. To start the conversation, I'm going to ask the overarching question: why does the cyber talent ecosystem have indigestion? Enjoy the ride. About seven years ago, I had the privilege of sitting down with a number of current and former Fortune 500 CISOs. We discussed how to structure a new training program for people seeking to enter the cybersecurity field. I was working with an organization that had funding locked in, and they were given the freedom to structure a program any way they deemed appropriate. Naturally, they sought the input of industry professionals.
After several hours of back and forth around content, skills to be taught, and levels of rigor, I made the mistake of asking the obvious question: so folks who go through this program would meet your requirements and be eligible for entry-level positions, right? After a long, awkward silence, the collective response was, well, no, not really. After more gyrations around what would be needed to make these candidates eligible for entry-level positions, one of the CISOs finally said bluntly, I'm not dodging your question, Kim. I'm deliberately not answering. And the reason I'm deliberately not answering is because I honestly don't know. The other CISOs around the table nodded in agreement. The radical candor of the comment revealed to me more than the rest of these conversations combined. It was both mind-boggling and humbling to realize that we were designing a program to train people to enter the cybersecurity field that would be ultimately ineffective. The seasoned professionals whose needs we were attempting to meet had no idea what they wanted in a candidate. Us old security guys and gals, who I lovingly refer to as OSGs, we came up hardscrabble. We were either thrust into or volunteered for roles and positions that no one else wanted and that people barely understood. We earned our PhDs from the school of hard knocks as we tried again, failed again, and failed better. Thank you, Samuel Beckett. We developed the technologies, practices, and frameworks for our profession. We learned to balance governance and assurance with innovative technologies such as wireless and cloud. We taught ourselves to speak the language of the business so that we could make our concerns understood to business line leaders. For the most part, we succeeded in building this evolutionary path. Or did we?
While we have mostly stabilized the role of the security practitioner for the current generation, one of the areas where we continue to fail is in charting a successful and consistent pathway for people who wish to enter the cybersecurity profession. Further, rather than pooling our brain trust and rallying around collective solutions, we continue to bounce around terms like complexity and the need for grit, which flop around like fish gasping for breath as they cause indigestion within the cyber talent ecosystem. Those words are weak excuses for the indecision surrounding standardizing the knowledge, skills, abilities, and experience requirements, also known as KSAEs. KSAEs are necessary for entering and surviving the cyber arena. Our inability to standardize job requirements represents the biggest challenge to our industry. While we complain about this challenge almost incessantly, we don't seem motivated to rectify the problem anytime soon. This is a source of personal frustration for me, since a lot of what I do centers around mentoring both young and older professionals wanting to enter the cybersecurity field. Consider these real issues we face today. 1. We continue to allow the posting of job descriptions that in no way reflect the reality of positions. Asking, for example, for a CISSP certification from someone with only two years of experience is more common than we would like to admit. 2. We have complained for over a decade that university programs, even computer science programs, weren't teaching cyber. Universities responded by adding cyber curricula to their degree programs and even created cybersecurity degrees, and our response was to criticize the content as being too theoretical and not producing students with real experience, even when programs were constructed by seasoned cybersecurity professionals and included real-world experience as part of the requirements.
3. We say we want real-world experience, but in fact we want targeted real-world experience. When a candidate has specific experience in one area like SOC and the job posting is for an access management role, many companies will not hire the candidate because their real-world experience is not specific to the job. 4. We do not truly encourage internship and apprenticeship programs. We only encourage such programs when someone else is operating them, since we claim to be far too busy to take on an intern. And even if we do take on an intern, they are often relegated to a glorified gopher role versus real training and exposure to cybersecurity. And 5. We encourage alternative pathways for entry that focus on experience versus a four-year degree, yet our job descriptions still require a four-year degree. I can't tell you how many times I've talked to folks with relevant real-world experience trying to break into the cyber arena only to hit wall after wall and no after no. Meanwhile, cyber jobs are expected to grow by 32% by 2032 and there are estimates that as many as 500,000 cybersecurity jobs in the US remain unfilled. So why does the cyber talent ecosystem have indigestion? In the end, Walt Kelly said it best: we have met the enemy and he is us. Here are a couple of thoughts on how we can solve the problem. 1. End the unicorn hunts. I have a dear friend who runs a cyber talent creation program at a university, and they told me about a situation where a CISO tapped his student pool for a new position. After his students had been interviewed, the CISO declined to hire any of them. Naturally, my friend asked, is there something we should be teaching or training in that we're not? The CISO told him that in reality he was, and I quote, looking for purple unicorns. Here's the reality, folks. Purple unicorns do not exist. If you're just looking for purple unicorns, you are exacerbating the problem.
Instead, we need to work on nurturing and raising a cadre of solid thoroughbreds. And yes, that takes effort and time. 2. Get specific on KSAEs. I am truly tired of listening to OSGs complain about what is lacking in candidates without being able to specifically and concretely define what they are looking for in candidates. Much of our job is not prescriptive and is necessarily fluid, but there are foundational skills such as an understanding of protocols and services, knowledge of data structures, encryption, basic coding structures, and risk management that we should agree upon as being foundational skills. The NICE Cybersecurity Workforce Framework and the Cybersecurity Competency Model are great starting points. It would be incredibly useful for the profession to truly adopt these standards and mandate that all job descriptions conform to these requirements. If we don't believe these requirements are enough, then we need to create the standard versus continually complaining about the existing inadequacies. Folks, the challenges of our talent ecosystem are very real, but we cannot solve them via unfocused commitments to random programs addressing non-specific needs. If we are serious about solving the problem, let's start by clearly guiding organizations and candidates on our needs and then demonstrating our commitment by collectively showing up. My two cents. I first met Ed Adams about five years ago. I was working passionately on talent issues for my company and looking for collaborators who both saw the complexities of the issue and were eager to create and implement tangible, realistic solutions. Ed and I spent many an evening discussing the pitfalls with the current cyber talent paradigm, so it's only fitting that he be my first guest of a season devoted to this topic.
Ed Adams
So my career in cybersecurity started, like many of us, Kim, outside of cybersecurity, because when my career started, cybersecurity wasn't a thing. I came up as a software quality person working for the likes of Rational Software before it was acquired by IBM. But I was always into software and I loved software quality. But for the longest period of time I bemoaned the fact that despite everyone talking about different aspects of software quality like functionality and performance and reliability and scalability, nobody was talking about security as an aspect of software quality. So I started beating that drum and I got the attention of a nutty professor at Florida Tech who had recently written a book called How to Break Software, which I thought was great. His name was James A. Whittaker, and he was working on a sequel called How to Break Software Security with one of his PhD students. And when we got together and he told me that he was thinking about starting this company with a group of his graduate and PhD students to focus on software security, I said, I'm in. I came through the software quality angle through a university spinoff way back in 2002, when very, very few folks were talking about cybersecurity at all and virtually nobody was talking about software security.
Kim Jones
So talk to me. I mean, you and I got to know one another because of your interest in talent, and not only creating new talent, but uplifting talent. So talk to me about that. Talk to me about how your general involvement in cyber evolved into that, if you would.
Ed Adams
I've always been a fan of trying to recruit folks into the technical fields in general, whether it be volunteering for the Boston area middle school STEM projects with United Way (Science, Technology, Engineering and Math) or, later in my career, encouraging folks to get into the IT and cybersecurity space. And I kept on hearing recurring themes over and over and over again from two types of people who typically sit on opposite sides of the table. And they had a very common complaint.
Kim Jones
Shocked, I am, but keep going.
Ed Adams
I know, I know. So a lot of folks were trying to figure out how to get into cybersecurity and struggling to do it because they either couldn't get interviews or they felt like they weren't qualified for the jobs they were seeing available. And then the other side of the table is my colleagues like yourself who have cybersecurity teams or need to influence large technical teams and were bemoaning the fact that they couldn't find, they couldn't recruit talent, they couldn't retain talent, they couldn't develop talent. And I thought to myself, well, these two problems are not mutually exclusive. Let's see if we can start to dig in and solve it directly.
Kim Jones
Fantastic. So you've looked at this problem from a lot of perspectives. You and I have talked about a lot of those perspectives, and during the season we're going to deep dive into many more of them. But Ed, I asked you to be my first guest because, since you have looked at this problem more holistically, I think you're probably one of the best people I know to speak on the problem itself. So what do you see, in order of priority, as the top three problems (I won't sugarcoat them and call them challenges) with the cyber talent ecosystem as it exists today?
Ed Adams
So there continues to be a very large discrepancy between job descriptions that hiring managers want to hire for and the appropriate qualifications for that job.
Kim Jones
I'd like you to deep dive into that a little bit, and I'm going to tee up the follow-on to that, which is: but wait a second, haven't we built knowledge, skills, abilities and experience frameworks, et cetera? So why the hell do we still have this problem when we're the ones who are hiring? So talk to me.
Ed Adams
Absolutely. And we have built wonderful frameworks like the NICE Framework from NIST and the National Initiative for Cybersecurity Education, which does exactly what you specified. It calls out knowledge, skills, abilities and tasks for, I think it is now, 54 different job functions in cybersecurity. So yes, very well documented what those jobs should be doing. The other side of that coin: one, very few people acknowledge, know or even attempt to adopt the NICE framework as part of their hiring practices. It's a great first start. The NICE framework is not perfect. It generally omits one half of my cybersecurity color wheel, which I'm happy to talk about at any point in time, and a very important half, I might add. But it's a great framework, and if you were a hiring manager, why wouldn't you want to start there? Because it does give you a great head start. You know, when I talk to folks that are looking for cloud security architect positions and what they see in the job descriptions are things that are completely outside of what NICE and the NICE framework think should be a cloud security architecture, they get frustrated, they get confused, and more likely they just don't apply, especially if they happen to be a woman or an underrepresented minority.
Kim Jones
So that's one. What are the other two?
Ed Adams
The other two are that we as cybersecurity professionals, whether it's intentional or unintentional, many of us lack the ability to effectively communicate to the very much larger IT and development teams that are in our organizations about what they could be doing to up-level their cybersecurity acumen and, as a result, the overall cybersecurity hygiene of the organization, thus lifting all the boats by raising the tide as opposed to trying to go out and hire 40 new cybersecurity folks, which is going to be tough to find and very expensive. Yep, we in cybersecurity understand red teaming and blue teaming very well. One attacks, one defends; it comes from the military. You and I spent a lot of time doing that ourselves. Combine the two, you get purple teaming. Yay. Everyone's happy about purple teaming. My focus historically has been on the other half of that cybersecurity color wheel, focusing on the yellow teams, the IT teams, the development teams, the engineering teams that usually outnumber the cybersecurity teams by a factor of 5, 50, or 100 to 1.
Kim Jones
Yep. And let's, while we're here, since we've hit four of the six colors on the color wheel, which I'm a huge fan of, if, you know, you want to talk about the other two, orange and green, if I remember correctly. And let's round out that wheel.
Ed Adams
Absolutely, absolutely. So just like in cybersecurity, if you combine red teaming offense with blue teaming defense, you get purple teaming, which is essentially war gaming. The same thing happens on the second half of that color wheel if you focus on the yellow teams, which are basically the builders. They're not the breakers or the defenders, they're the builders. You teach that yellow team a little bit of red teaming, you turn them orange; you teach them a little bit of defensive tactics like secure coding, you turn them green. All of a sudden they're not just a yellow team building stuff. You turn them into a bit of a yellow jacket, you give them a little bit of a stinger, you give them a little bit of spice. And that spice is cybersecurity, but the spice is really security as an aspect of the product quality of what they're building.
Kim Jones
Yep. I've taken to using the term OSGs, old security guys and gals like myself. So I'll put it out there. Why do we continue to suck at this? I mean, seriously, you know, I believe, you know, you know, I'm a West Point grad. I've got 10 years in the military. I believe in force multiplication. Okay. It seems to me that if we were to do this effort, it's going to raise all boats and make my job easier.
Ed Adams
One, because we generally don't understand the process of building IT products as cybersecurity professionals. We just don't get it. We don't understand. And I can't tell you how many cybersecurity professionals, even CISOs, have come to me to say, Ed, I need to train my developers on security, and I will stop them right there. And I'll say, excuse me, Ms. CISO, can you please explain to me what you mean when you say developers? And that usually opens up a wonderfully productive conversation. And just to use an analogy of building a house, just like you're building any kind of IT system, you have to define what you want, you have to design it, you have to build it, you have to test it, you have to make sure that it's functional. Then once you produce it, you have to maintain it and update it. It doesn't matter if it's a house and your sink breaks and you have to fix some plumbing, or it's IT, a cloud-native application. You still have to follow all these processes. And guess what? Each one of those phases generally has different types of job titles, and job titles that do different kinds of things. Now we're talking about tasks and skills and abilities. Well, if you can't understand the fact that in a development team you have architects and product managers and database administrators and cloud engineers and automation engineers and test engineers, you've got none of them.
Kim Jones
Each of them has a priority, one of which is not your priority one. And each of our priority ones is equally important, not only to the success of the enterprise, but the success of the organization overall.
Ed Adams
No, no, no, you're right. So that misunderstanding of what the jobs are of our yellow teams and the fact that there are multiple job functions in there. But then the second part, Kim, is that we as cybersecurity professionals, cave too easily.
Kim Jones
Talk to me.
Ed Adams
So very often we'll get pushback. We'll hear from Mrs. CTO to say, what are you talking about? You want to train my developers? Forget it. You're not turning my developers into hackers. I need them to be developers. And all too easily we'll walk away, we'll back away, because the CTO, they're building the stuff that's making our money. I don't have as much leverage as she does. How can I push back so heavily? And this is where we cave too easily. Because it's our fault, Kim. We are not doing our job to understand what her primary motivations are. What does that CTO want to do? She wants to build damn good quality products in a really fast period of time. Right? Of course. Every CTO wants to do that. And what's the bane of good quality products on time? Bugs. And until we achieve that symbiosis, cybersecurity will be viewed as an outsider to those yellow teams. And we're not. We're on the same side. We're on the same team.
Kim Jones
Let me drill that a little bit more, because one of the things I've found and I've been preaching lately, and I'm curious as to your thought process on this, Ed. Have we built within cyber and within this ecosystem a culture that relishes the fact that we're that outsider? Oh yeah. Because I find myself knocking down folks to say it's not "we" and "they"; your paycheck is signed by the same person. If they fail, congratulations, so do you. Is that just me, or am I missing something?
Ed Adams
No, you're not at all. A lot of it comes out of the bravado hacker culture that personally I'm trying to help change in the cybersecurity industry. But it's very, very difficult. Oh yeah, almost impossible. And it all stems from the hey, if I can hack you, I'm better than you. If I can find a problem with your stuff, I'm better than you. So we almost set ourselves up to be outsiders right from the start.
Kim Jones
So getting back from a talent standpoint, you've talked a little bit about those relations, creating the ability to raise talent within the existing corporate ecosystem, if you will, by creating the yellow team, the orange team and the green team and arming them. From an intake standpoint, you talked earlier about how we've been complaining that there are challenges with the ways we're intaking. I'm going to shift a little bit in terms of those different mechanisms of intake, and I agree with you 1000% that not figuring out what the requirements are for specific jobs, and that disconnect, is causing chaos regarding our intake mechanisms. We've created different entry-level intake mechanisms I still see us running into, and in fact I think that's one of our upcoming episodes as well. You ask 15 different CISOs what they're looking for from an intake perspective and you get 417 different answers, and none of them agree. So you have been around, and more closely than I have (me as an operator, you as a person who has been trying to fix this problem), looking at the different mechanisms we've created for intake: between the certifications, between the two-year colleges, there are now these things called cyber degrees out there, and yet we still seem to be challenged with what are we looking for? Are you seeing that this plethora of intake mechanisms is making things better or worse, or can it not make things as better as they could be? Because there are different methods of intake that are trying to solve a problem that we haven't defined, since we haven't defined what the hell we're looking for.
Ed Adams
Like you said, if you ask 50 CISOs the same question, you'll get 400 and something answers. Well, I did ask 50 CISOs, including you, the exact same question as far as what are you looking for in an entry level...
Kim Jones
But I gave you an answer because I mapped my stuff to NICE.
Ed Adams
Yes, you did. You did. And I took those 50 answers and I wrote about them in the book. And what I was able to determine is that there is a distinct pattern which I found fascinating. I'll give you one simple highlight. The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification, or any experience.
Kim Jones
And that was, if you're willing, the...
Ed Adams
Ability to be taught.
Kim Jones
I love it.
Ed Adams
That's it. Like, that was it. And yet, when I still read cybersecurity job descriptions, whether they're entry level or not, I do not see those words showing up. I see things like degrees and certifications and technical skills, which didn't come out of the mouths of people I interviewed, but they're on the pieces of paper that show up as job requirements.
Kim Jones
Yeah, yeah. So what is the one thing we haven't discussed yet that you believe is essential to solving the talent ecosystem problem, and/or what is the one thing we haven't talked about that you would like to make sure gets mentioned?
Ed Adams
You don't need to have a technical background to have a successful career in cybersecurity. Full stop. I think that's a very understated but incredibly important comment. Almost as important as the five words that I've heard come out of your mouth on many occasions, which is: entry level means no experience. There are so many talented people that I have personally hired and worked with at other companies that don't have technical backgrounds that are fantastic in cybersecurity, and so many different jobs that are critically important to cybersecurity. Zero technical background. And one of my personal favorite CISOs, a lady named Sharon Burgess from BCD Travel, I know her well, and she's an absolute talisman of success, no matter how you measure it, personally and professionally. And as a female CISO of color, there's not a lot of those around. And she rose to that level with a degree in, wait for it, Spanish.
Kim Jones
Yep.
Ed Adams
And she's a remarkable CISO.
Kim Jones
So I am going to actually throw one more at you, because I'm beginning to see a lot of change in the wind right now, and I would love to get your perspective on this. You know, I'm seeing a handful of things in the past year-ish or so. One, the OSGs of the world are retiring. I consider myself semi-retired right now and I'm loving what I'm doing within that environment. But several of the OSGs, the old security guys and gals who are upper 30s of years of experience into early 40s of experience, have stepped away from operational roles. We've also seen a group of individuals who have come up during the timeframe where we were advertising all you need to do is hack in order to get into cyber, who are now coming of age in the role and beginning to struggle with those business focus and showing value and communication pieces that we're dealing with, all along the timeframe where we're beginning to see people finally understand that liability is the third leg of responsibility and accountability. You do need more than just to be able to hack to do this. So there's a lot of movement going on right now simultaneously, and at the same time, so to say, regarding the profession, I'm curious as to what you see as potentially the outcome of that in our talent ecosystem. Talk to me.
Ed Adams
There has been an absolute explosion of virtual CISO companies or virtual CISO offerings that have emerged and a lot of those OSGs are appearing as virtual CISOs. And there's reason for it. One, they don't have the liability that you talked about, and that's a big one. We as an industry are chasing talented people away from the C level cybersecurity roles because of that liability.
Kim Jones
Which is because, what we're also seeing with that is we're seeing young folk who come from consulting, have two years of experience and a PMP, say I'm a virtual CISO. No, you're a security consultant. No, I'm a virtual CISO, and stand on that. So we're also seeing a lot of folks, not just the OSGs, but a lot of folks abuse that title, in my opinion. So yeah, I'm seeing that trend as well.
Ed Adams
Completely. Completely. So, and you actually finished my point for me, which is some of these CISO services are completely legit and very valuable because you can get super talented folks for a fraction of the time and a fraction of the price, but there's a lot out there that are selling, overselling shall I say, so you've got to do a little bit of due diligence to find the needles in the haystack in that particular analogy. And the other trend that I'm seeing is the cybersecurity professionals that have come out of the technical ranks that are getting into leadership positions, as you mentioned, they are struggling on the business side, and they're struggling.
Kim Jones
And I would add to that, agreeing with what you're saying. There has been no need for them to have that exposure to be successful up until this point. And because of that, we're security, and the rest of you are just the business thing that we talked about earlier. There's also in many cases, been a lack of a desire, and those two things combined make the transition harder in their minds.
Ed Adams
And I'm oversimplifying this. When they walk into a boardroom and say things like, but, dude, we've got five priority one bugs and three zero days. Like, of course we've got to fix these. And they get blank stares, they get frustrated, and they walk away. And that's a shame because that's a great opportunity for them to develop as a person and as a professional and as a cybersecurity contributor to the board that they're working for.
Kim Jones
Yep. Yep. One of the presentations I have been giving to groups of CISOs, you know, what I usually do is I start the presentation with, you know, show of hands. How long have you been in cyber? And at 38 years, yes, I'm usually, at best, one of two who's been in over 35. Usually I'm the old guy. And the first question I ask is, how have I failed you?
Ed Adams
Ah, wish more people did that. We are part of the problem. But we also need to encourage folks that want to get into the profession and think that they can't, for whatever reason, they're not worthy. They don't have the technical chops. They don't have whatever it is. And in fact, the first three words that I wrote in my book, which is called See Yourself in Cyber, but the subtitle is Security Careers Beyond Hacking.
Kim Jones
Hacking, yeah.
Ed Adams
Yes. But the first three words I wrote in that book is I'm an imposter. And the reason I wrote I'm an imposter is because I don't have a single cybersecurity certification. I don't have a cybersecurity degree. I haven't even sat through one of your SANS courses and gotten a certification from that.
Kim Jones
Kim, why are we talking to this guy again? Never mind.
Ed Adams
And yet I was able to forge a successful career in cybersecurity. My background, just like Sharon, who has a degree in Spanish, I have a degree in English literature. What good is that when trying to sort out zero days or... Well, it's great because I learned how to communicate and articulate and summarize and empathize for a whole bunch of different reasons. Very, very useful to me. But a lot of folks would look at me as an imposter. In short, look at me as an imposter. I don't have all those credentials that you might think about today as a successful cybersecurity thought leader, quote unquote. Fine. But I am. And a lot of people out there can be cybersecurity professionals too. And they belong just like I belong.
Kim Jones
And that's a wrap for this episode of CISO Perspectives. I hope today's conversation gave you new insights and practical takeaways to navigate the ever-evolving world of cybersecurity. Leadership, strategy and shared knowledge are key to staying ahead, and we're glad to have you on this journey with us. To access the full season of the show and get exclusive content, head over to thecyberwire.com/pro. As a member of N2K Pro, you'll enjoy ad-free podcasts, access to resource-filled blog posts diving deeper into the CISO Perspectives research, and a wealth of additional content designed to keep you informed and at the front of cybersecurity developments. Visit TheCyberWire.com/pro to get the full experience and stay ahead in the fast-paced world of cybersecurity. We'd absolutely love to hear your thoughts. Your feedback helps us bring you the insights that matter most. If you enjoyed the show, please take a moment to leave a rating and review in your podcast app. This episode was edited by Ethan Cook with content strategy provided by Mayon Cloud, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones and thank you for listening.
Podcast Summary: "Is the Cyber Talent Ecosystem Broken? [CISO Perspectives]"
Introduction
In the April 17, 2025 episode of "CISO Perspectives," hosted by Kim Jones, the discussion centers around the persistent challenges within the cybersecurity talent ecosystem. The episode delves deeply into why the current approaches to recruiting and developing cybersecurity professionals are failing and explores actionable solutions to bridge the talent gap.
Understanding the Broken Cyber Talent Ecosystem
Kim Jones sets the stage by highlighting the multifaceted issues that Chief Information Security Officers (CISOs) face daily. Unlike superficial discussions often found at conferences or informal gatherings, this episode aims to dissect the problems comprehensively over multiple segments.
"There are more than a handful of complex issues and challenges, technological and otherwise, that plague the average CISO," [01:09].
Key Challenges Identified:
Misaligned Job Descriptions: Companies frequently post job requirements that don't align with actual job responsibilities. For instance, demanding a CISSP certification for entry-level positions with only two years of experience is more common than desired.
"Asking, for example, for a CISSP certification from someone with only two years of experience is more common than we would like to admit," [09:30].
Ineffective Educational Programs: Despite universities adding cybersecurity curricula, industry professionals criticize these programs for being too theoretical and not providing practical, real-world experience.
"We say we want real-world experience, but in fact, we want targeted real-world experience," [10:00].
Lack of Structured Internship and Apprenticeship Programs: There's a notable reluctance to develop and support internship programs, leading to insufficient hands-on training for newcomers.
Overemphasis on Traditional Degrees: Job postings often require four-year degrees, even as alternative pathways focusing on experience are encouraged.
Fragmented Hiring Criteria: With over 400 different responses from CISOs about entry-level requirements, there's a clear lack of standardization, causing confusion and inefficiency in the hiring process.
"If you ask 50 CISOs the same question, you'll get 400 and something answers," [27:14].
Impact of Talent Shortage: The cybersecurity field is projected to grow by 32% by 2032, yet up to 500,000 positions in the US may remain unfilled. This significant gap underscores the urgency of addressing the systemic issues within the talent ecosystem.
"We have met the enemy and he is us," [12:30] – quoting Walt Kelly to emphasize internal industry flaws as primary obstacles.
Proposed Solutions to Remedy the Talent Gap
Kim Jones offers two primary solutions to tackle the entrenched issues within the cybersecurity talent ecosystem:
End the Search for 'Unicorns': Companies should shift their focus from seeking the perfect candidate—a "purple unicorn"—to nurturing and developing a reliable and skilled workforce.
"Purple unicorns do not exist. If you're just looking for purple unicorns, you are exacerbating the problem," [13:00].
Standardize Knowledge, Skills, Abilities, and Experience (KSAEs): Adopting established frameworks like the NICE Cybersecurity Workforce Framework can create consistency in job descriptions and hiring criteria, making the recruitment process more efficient and transparent.
"It would be incredibly useful for the profession to truly adopt these standards and mandate that all job descriptions conform to these requirements," [14:15].
In-Depth Interview with Ed Adams
To further explore these challenges, Kim Jones interviews Ed Adams, a seasoned cybersecurity professional with extensive experience in talent development.
Ed Adams on Cyber Talent Challenges
Adams shares his journey into cybersecurity, emphasizing the historical neglect of security within software quality discussions. He critiques the industry's overreliance on certifications and technical backgrounds, advocating instead for valuing teachability and diverse educational paths.
"The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification, or any experience... the ability to be taught," [27:52].
Key Insights from Ed Adams:
Underutilization of Existing Frameworks: While frameworks like the NICE Cybersecurity Workforce Framework exist, few organizations implement them effectively, leading to mismatched job descriptions and candidate expectations.
"The NICE framework is not perfect... but it's a great framework and if you were a hiring manager, why wouldn't you want to start there?" [16:51].
Communication Barriers with IT Teams: Cybersecurity professionals often struggle to communicate and collaborate with larger IT and development teams, hindering overall cybersecurity hygiene.
"We as cybersecurity professionals... lack the ability to effectively communicate to the very much larger IT and development teams... thus lifting all the boats by raising the tide," [18:25].
Alternative Pathways and Diversity: Adams emphasizes that a technical background isn't mandatory for a successful career in cybersecurity. Highlighting examples like Sharon Burgess, a CISO with a degree in Spanish, he advocates for diverse educational backgrounds.
"You don't need to have a technical background to have a successful career in cybersecurity. Full stop," [28:46].
Emerging Trends: Virtual CISOs: The rise of virtual CISO services, driven by retiring cybersecurity veterans, offers a flexible and cost-effective alternative for organizations. However, Adams warns of the potential for misuse and advises due diligence in selecting such services.
"There's a lot out there that are selling overselling, shall I say... you've got to do a little bit of due diligence to find the needles in the haystack," [32:32].
Leadership Challenges Among New Cyber Professionals: Technically adept cybersecurity professionals transitioning into leadership roles often struggle with business acumen and effective communication, leading to friction in organizational settings.
"They walk into a boardroom... and get blank stares, they get frustrated, and they walk away," [34:18].
Personal Reflections and Encouragement: Adams shares his own experiences of feeling like an imposter despite lacking traditional cybersecurity credentials, underscoring the importance of diverse skill sets and continuous learning.
"The first three words I wrote in that book is I'm an imposter... Yet I was able to forge a successful career in cybersecurity," [35:36].
Conclusion and Takeaways
The episode highlights the critical need for a standardized, inclusive, and pragmatic approach to building the cybersecurity workforce. By moving away from unrealistic hiring standards and embracing diverse educational and experiential backgrounds, the industry can effectively address the talent shortage and strengthen its defenses.
Kim Jones and Ed Adams emphasize that fostering a culture of collaboration, continuous learning, and clear communication is essential for the sustainability and growth of the cybersecurity field.