A (3:24)

Oh, yeah, yeah. One of my favorites. So let me take a step back first and get to what you talked about, about the multifaceted aspect of this, Ethan. And this gets back to one of the things we've wanted to do with this podcast. You know, there's a lot of conversation everywhere I go and all my media feeds regarding some of the more complex issues, including this one regarding talent. Everyone seems to have an opinion, and everyone seems to give that opinion in the sound bite. I just came back from a conference out in Denver where I was talking and listening to people talk about talent issues and concerns and whether or not college is worthwhile or not, whether or not certifications are worthwhile or not, whether or not there is a cyber talent gap. And everyone is very quick to render a sound bite opinion that is firmly steeped in their own experience or just adamant, passionate belief. And when you start to get them to peel that onion away, no one seems to have time. No one seems to have time to do the work, to do the research, and nobody seems to, in some cases, maybe even have the desire because they're too busy fighting the fires that they have to fight today. So I'm not trying to disparage anyone who doesn't have the time to get down and dirty with things, but you miss some of the nuance and complexity. If you don't do that, then, as you've said, Ethan, we're seeing that. We're definitely seeing that as we go forth.

B (5:10)

I was going to say people have this unwillingness, whether it's maybe because of a lack of time or maybe because a lack of desire to really investigate this problem, dive into it, and instead are focusing on fighting the fight. That is incredibly important across the nation. And this is a theme that has come up not just in Will's episode, but across many of our episodes, about why do we have this misconception, why do we have these soundbite moments or people unwilling to. And Will stood out to me in his conversation. It would be a nice little transition to talk about that episode a little bit more. But he talked about how people are engaging in this almost bloodbath, I think, was the term he used to acquire top talent. And Will always kind of feast upon talent and engage in this sort of arms race almost to a degree, rather than nurturing and developing talent. And that was a theme that we found throughout many of the conversations So I think I would love you to dive a little deeper into that and talk about, is that because it's simpler? Is that because it's more cost effective? Why do you think that we have this bloodbath, so to speak?

A (6:16)

Several reasons. I genuinely believe it is not an issue of negligence or malfeasance. I think it's an issue of time more than anything else. On one end, you know, a lot of people don't have the time, given the firefight that they're in, to look at investing in a long term strategic approach. When the issue is tactically, I need someone who can do this. Now, the other end of that is fear. One of the things I said at the keynote I did at the conference is that we're living in a cycle that's being driven by fear as cyber professionals, which is really interesting since we talk about driving out fear, uncertainty and doubt. And here's where I'm coming from with that. As the job description gets larger, as the stakes potentially get larger in terms of fines, penalties, sanction by the sec, even potentially jail time by other organizations, the challenge here is nobody wants to make a mistake. We have created an environment in that ecosystem that says I have to be right 100% of the time, which by definition sets the profession up for failure. Yet we have set ourselves up and created an expectation that we can't fail, we can't get it wrong, and we perpetuate that with our constituents. So why am I going to take someone who has the potential for doing great and wonderful things and nurture them and grow them, etc. When I can steal? Someone who has the ability to do it now, has demonstrated they have the ability to do it now, and all I have to do is pay them 5 to 10% more than they were making over there and I can grab them and bring them here. So there's a lot of fear within our ecosystem that is perpetuating this problem, if that makes any sense.

B (8:40)

No, absolutely. I think there is a question that I kind of come back to then, which is, then how do we change this perspective? Is this something that we have to do internally? Is this something you mentioned, fines? That's something that comes from a government body. Is that something we have to change from an executive perspective? Where do we bridge this gap or how do we even begin to solve this? Because this was a reoccurring problem that we found throughout the season so far.

A (9:09)

Well, I think, and you know, the short, flippant, yet accurate answer is, listen to the season up to now. As well as the other four episodes that are coming because that's what we're trying to tee up within the environment. But that's the short, flippant, though accurate answer. What I would say the long answer is, is consistency. And the thing that I think the direction I think I'm heading in right now is, is there a perfect one size fits all answer out there? No. But you have to be consistent in your approach. And as an example, you can't tell me that college doesn't matter yet the only place you recruit from are people with college degrees and universities. You can't tell me that all that matters is skill sets and your ability and not define. And there's that dirty, nasty word I use every episode, knowledge, skills, abilities and experience. And can't define the KSAEs that you're looking for or you're not testing for those KSE when you go to interview people and you're not accurately putting them within your job descriptions. So what I'm beginning to get a sense of, just based upon me stepping back and talking to the thought leaders within this space for eight episodes and four more to come, is if I were to label our biggest headache, it's inconsistency. And whichever approach we choose to take, either as a profession or you as a CISO within your organization, I contend that the vast majority of us are being inconsistent in our approach, and that's what's shooting us in the foot. So again, I think the first solution is consistency, regardless of what opinion you have as to what the correct, big air quotes, correct approach to the problem is. And I feel comfortable saying, and again, I said this recently at a conference, we are nothing if not inconsistent regarding our approach to this problem, and we continue to be.

B (11:34)

No, I think that is a great starting point. You know, and I think a thing you noted in there, where, you know, how we assess and approach talent ties into another episode that we had. And this episode revolved around diversity and in assessing where we get talent, what is the value of talent and the different values that various people coming from different backgrounds bring to your organization. But this episode was a little different from the other ones that we did. This episode, we did not have a guest. You ran this one by yourself. So before we talk about the content of what you talked about in that episode, I would love for you to kind of shed some light for our audience about why you chose to take this one head on.

A (12:13)

Yeah. Diversity, equity, and inclusion have become a contentious rallying point within our nation right now. There are political ramifications and overtones that sit around that issue. And I gotta tell you, I've had almost 40 years of experience in intelligence and security and risk, about 25% of that in service to my nation. And I've done a lot of hard things. And to this day I have been in situations where people have question whether or not I've earned the right to be where I am, question whether or not I'm just a diversity hire, despite the fact that I tend to take the jobs that nobody else wants to take. In this environment, it's difficult to make statements regarding DEI that people don't assume are politically motivated. And the way I've chosen to approach DEI is look on one end, I don't want anyone to assume that I'm making a political statement. I tend to be very apolitical regarding things. I have opinions, I'm not averse to expressing my opinions. But I'm also not qualified to make statements regarding politics or economics within the environment. Where I am qualified more than most to be very direct is to talk about security and is to talk about the potential impact of diversity, or a lack thereof, on our ability to secure this great nation, on our ability to meet the needs of our constituents. So it's important to me, as an African American male who were members when There were only 27 CISOs in the entire US who looked like me and we all knew one another and several of us are still in the game, to make sure that I am communicating properly and factually where I can regarding the importance of diversity within cybersecurity. And I would contend that it's not a political issue, it's an issue regarding critical thinking. And given that our job is to make lemonade out of two apples of grapefruit and a kumquat and make it look easy and move from telling people no to trying to tell them how to do something in a more secure fashion than the idiotic method they may have approached us with. I need people who can think outside of the box and for me, outside of the box, and I think I said this during that episode, is just applying previous experience and knowledge in a different way to the problem that you have here now. And if we all have similar backgrounds, similar ethnicity, similar stories, et cetera, then we're all going to think about the problem in a similar fashion. That limits our creativity. It limits our ability as teams to think critically and therefore to come up with unique and innovative solutions to problems that work in this fast paced, data driven economy. So I fervently and staunchly believe that diversity is absolutely essential for a cyber professional and their team to succeed.

B (16:14)

Well, I think you're right. You know, outside of your episode where you talked about this issue, when I wrote the blog post that kind of echoed that. The evidence supports everything you say. There's studies that have supported it about the value it brings, not just from a business perspective in terms of returns and productivity, but also in terms of within a team, we're making less errors, accounting for errors, raising more facts, etc. And that extends beyond just race or gender. It extends to background, and I think

A (16:46)

that also economic status, the list goes on. You know, I'm not just talking race and gender. Those are definite factors. But I'm also talking, by any, any measure, I don't want people who think like me. You know, I know how I think, and I know how crazy I am. I want people who think differently. I want people who are going to challenge the way I look at problems. I tell this war story. And in terms of thinking critically about a problem, thinking differently about a problem. One of my last CISO gigs, I was a physical as well as information security officer. So I ran the Guns and the Geeks. And I used to walk our two buildings every day. So the first two hours of my day were nothing but going on walkabouts. This one morning, three of my best engineers were huddled around a desk trying to deal with Robin. And as I normally say, hey, do you need me? And they said, nope, okay, fine. You know, the boss doesn't need to stick his nose in. He's gonna keep going. I got back an hour and a half later, and they were still huddled around the desk. That's a lot of thought power. That's a lot of money sitting around. It's like, okay, you guys have been here for 90 minutes. What's going on? So what happened was we were putting in a new security tool. We owned our data centers, and the requirement for the tool was that we have high availability, preferably between two data centers. The problem is one of our data centers was tapped out for power. We could not put another box in that data center. So they were trying to figure out how we create a high availability situation, given the fact I couldn't put anything in two data centers. So I stopped for 30 seconds and said, okay, wait a second. Correct me if I'm wrong. Both of our data centers have power coming from two separate transformers, right? And the plugs are labeled regarding the two separate transformers they come from. So if I were to put two boxes in the Same data center plugged into power that comes from two separate transformers. It's not perfect, but I can create a high availability situation until we can get more power in the other data center. Right, and the person who has to approve that is the first senior vice president in the food chain, which, oh, by the way, happens to be me. So why can't we do that? I had three very, very smart technical people who I would trust my infrastructure to any given day, who had spent an hour and a half and admitted freely that had never occurred to them. They had never even thought that that was a possibility. That's the value of critical thinking. That's the value of making lemonade out of two apples of grapefruit and a kumquat. I came up differently than they had, you know, from my military background, etc. And I'm used to solving problems with duct tape, chewing gum and baling wire. And it allowed me to look at the problem a little differently than they had. There's only really two ways to develop better critical thinking skills. One is experience. The other is somebody else's experience. And unless you want to be old like I am, you know, and wait for four decades, I like to lean on other people's experience and learn from them and get better. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with the vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever expanding costs, and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full stack zero trust networks from the ground up. With security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens patching risks and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and vpn, every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com CISOP today to learn more about the future of secure networking and book your demo. That's me. T E R.com CISOP.

B (22:47)

So, jumping gears a little bit here, you mentioned a key word at the End of that phrase. And that was experience and the value of gaining experience. And this was a conversation in episode seven where you sat down with Lara and talked about education.

A (23:02)

Yeah.

B (23:02)

And you talked about how colleges structure their programs and some of the difficulties that people have had getting experience to their, their students. And my favorite sign. And all this came from a different episode, but I think it applies very much so to Laura's episode was there are no such thing as purple unicorns.

A (23:24)

Yeah.

B (23:25)

And I, I love that. And it has stuck with me since the very beginning of the season. And I felt like it came full circle with that episode. So I would love for you to talk about, you know, what it means to get experience the challenges associated a little bit more and dive into why you tapped Laura for that episode and why her perspective on that really shed some light.

A (23:47)

So let's answer the last question first. Dr. Laura Ferry is now the Vice president of research at Arizona State. I met Laura because she had the dubious distinction of being my boss when I was building a cyber degree program at asu. So she got some direct exposure to some of the challenges associated with cybersecurity in general, combined with me learning how to maneuver within a university setting, which if you've never done it, you don't fully understand some of the real challenges that exist in terms of trying to make certain that we're meeting the mission of the university, the needs of the university and academia while they continue to figure out how to meet the needs of the business they support. And one of the things that I tapped Laura for was because they're in the midst of the cyber talent argument, there is this, I'll go so far as to say, there is this staunch misperception that college is worthless and that there is no need for you to have a college degree to get into cyber. Well, yes, there are jobs that do not require a college degree, but there's a 1. There's some value proposition. Part of that is critical thinking, because it forces you to do and think about things that are outside of your realm of expertise, if you do it properly. But there are also a lot of good programs out there that are attempting to make certain that students come out with some real world, hands on experience so that they understand not only the tool sets, but the realities associated with operating cyber in any sort of environment to go forth. And I would contend that that that bias against academia and that very, very staunch. It's almost like a civil war within cybersecurity is truly hurting our ability to solve the talent problem. Despite the fact that while we're biased against it, we are still recruiting from colleges and universities in many organizations as we go forth. So. Well, that's why I asked Laura and that's why I wanted to talk about the value of college. But the experience piece, which has come up a couple of times to include the purple unicorn first episode that we did, gets to the. We're stealing talent. We're not creating talent, we're stealing talent and we're breaking our talent decisions on experience. I want you to have already done what I am looking for you to do and have done that specifically for me to hire you. So we're stealing people and there's a great line and I'm going to steal it from. I told Will Mark I was going to steal this. We're hiring mercenaries, not missionaries. We're hiring people who can come in and say, hey, for 10% more money, we'll come in and do this thing for you. I know you don't care about training or growing me, et cetera, so that when somebody offers me 10% more than you've offered me, I'll go somewhere else. And then we're complaining that we can't find the talent or resources and we don't want to spend the time to build it. So we're looking for that purple unicorn with the rainbow butterfly wings sitting out there right now who has three years of experience in exactly the tools I'm looking for, has all the certifications I'm looking for and, and wants to work for $50,000 a year. And then we complain when we can't find him or her.

B (27:44)

Yeah. And I think it goes to the point that Laura brought up, which was when we designed these programs or when she was designing these programs and working with industry leaders, there was this huge expectation, well, I want you to code the way I code. I want you to use the tools that I use. I. It's not that I don't want just to your point, I just want you to have experience. I want you to have hyper specific experience which is antithetical to what a

A (28:10)

college can or should be doing. Because, and again, I'm probably going to paraphrase Laura in the episode, we now create an individual who is absolutely positively perfect for your job requirement but may not be hireable anywhere else or promotable anywhere else in the environment. Neither of which is we should want any university or hell, even any trade school to be. I mean, that's a problem.

B (28:41)

And I found it to be a funny, you know, conversation because, you know, I Graduated from college a couple years ago for my undergrad. But there was a point where I was sitting during the episode and writing the blog post where I sat to myself and asked this question. It sounds like businesses or organizations are trying to offload training costs onto the individual, so. Or the college. The college will train them to get exactly what they want. They get the person right out the gate who they want or the experience whatever they want without having to put in any of the work. And kind of feeds into this mercenary mindset where it's, I don't really want to develop or nurture any talent. I want the solution now. And if the person can do it on their own time, all the better.

A (29:25)

Yeah. And it also harkens back to episode two that I did with Larry Whiteside, which is are we a trade versus a profession? And there's a lot of truth to say that we may be both and that there's a pivot point for both, but we still haven't been consistent regarding what the requirements are during that trade. So if we're going to be a trade, then, and we say that we need these technical things, we need to create. There's that nasty C word again, consistency regarding what those things. Things are. And if we were willing to say that if you knew these things, then I can take you and drop you into any of my environments to do any of the things that I need to, then I would buy the fact that, yeah, you know, it's okay for us to expect that a university or an individual or a two year college or, you know, insert method here, should be training that individual so that when they get out, they can do this thing, then that thing can go anywhere. That's not what we want. We want to do this specific thing pivoted about 5 degrees that I've done customized here. And I want you to prove it by doing it somewhere else. So in that respect, yes, we are inappropriately, unfairly and unrealistically attempting to shirk the responsibilities of any good profession and any good trade to make sure that we create a virtuous cycle that allows for training and growth.

B (31:06)

This relates to another really good conversation that you had with my former boss, Simone. You all talked about and one of the things that she stood out and mentioned was you brought up her law background and the value of implementing a bar like association for Cyber and this, you know, universal certification system that's accepted across the board within lawyers and the legal profession. And akinning that to some of the. Because with her background in certifications and how muddy I guess that sector has become, so to speak.

A (31:41)

Yeah, I mentioned at the time, I think, and I know you pull the reference to the blog post, that there were like over 450 separate certs that you could get within cyber and what's required and what's not. But the challenge that we have here is when somebody asked me, and this was another question I answered at the conference I was at last week, actually, no, this wasn't the conference. One of the other things I do is I'm a lecturer in UC Berkeley's Master's in Information and Cybersecurity program. And I was talking to a group of incoming students, and they normally have one of the professors talk to the students with some of the people in the program and some of the grads so that the new students can figure out what like. So I. I was supposed to talk for five or 10 minutes and then we were going to open up to questions. And I answered questions for 45 minutes and one, because these are. Some of them are straight from bachelor's into master's degree, but a lot of them are working professionals, either working professionals in IT who want to go cyber or career transitioning, etc. Within the environment. And I was talking to a network engineer who was passionate about going to cyber in addition to getting his master's program, asking what certifications he should get that would be recognized by industry as something that is valuable that will help him or him get his next job or break into the profession. So the challenge that we've had is as we've begun to narrow in on certain skill sets and certain capabilities, et cetera, and we're looking for certain specific things within the environment. It's getting to the point that there are specific certifications for specific technologies or specific functions. And if you don't know what specific function that you wish to deal with or what specific technology the company you wish to go with is using, it gets very difficult to say which certification should you get, A or B. Well, yes. And then conversely, there are more generic certifications out there that tend to be more holistic, such as, I'll pick on the cissp, Right, wrong or indifferent. The CISSP does give you a good holistic viewpoint of the various aspects and the common bodies of knowledge that need to be looked at, you know, within cyber. But to get the cissp, you have to have five years of experience. So where do you start? What do you get? And remember, all of these things cost money and time. So I'm sitting, where do I tell someone who knows that they want to get into cybersecurity, but doesn't necessarily know all of the potential jobs and opportunities that exist in cybersecurity. What certification should they take and how many should they have? The network engineer I was talking to said at one point I had 15 different sets of letters after my name and at one point early in my career I had 22. So, you know, figuring out what makes sense and what's useful and what's not useful, etc. Is hard. Yet we sit there and in some cases we use certifications as screen outs. There are folks who, because of the automated tool sets, etc. Are looking for the CISSP. They're looking for, okay, if you don't have a CISSP, we're going to flush you and not even take you to the next step where a human being looks at your resume. Which gets very interesting because they're looking for this for entry level positions with two years of experience and you can't get the CISP until you have five and then you get others that if I don't have the right certification, then I don't think you know enough about your particular, you know, the job that I'm looking for yet. Conversely, I know, and I think I mentioned this in the episode, I know some great cyber professionals who genuinely suck at test taking. So, you know, certification has become more of an industry or business to include the continuing professional education credits associated with maintaining them has become more of an industry or a business in many cases than something that proves out your ability to do the gig. Now let me take a half step back. I do believe, and I talk about this in detail with Simone, that there are some value propositions to certifications and there's a right way to do it. So I am not denigrating dissing pooh poohing certifications, you know, in any blanket statement. And if you still don't believe me, please take a moment and go listen to the episode. When we talk about some of the pros and cons that are there. But it's important to remember that just as there are pros there for certifications, and I still maintain several of them, there are also some cons and challenges to, you know, what they are, how we get them and how we are using them, you know, in terms of seeking talent and maintaining talent in the

B (37:00)

environment, well, I think it harkens back to the point you made earlier. Consistency. Consistency from both.

A (37:06)

C word's going to be there for a long time.

B (37:09)

Consistency from both a organizational perspective. Consistency from A CISO perspective, shout out to the show name consistency from a employee perspective or prospective talent and being consistent in how you approach it. How we approach it as an organization, how we approach it as an industry, I think will be critical. And I look forward to the conversations that are to come and the conversations that we have yet to have over the next three episodes and eventually the season finale where we break down this conversation even further and look at it from a few other angles. So, Kim, I appreciate you taking the time to sit down and take this brief moment to reflect on how far we've come through this season and take a step back and give some perspective on both what you think about the season as well as share that with the audience who may not have had the chance to see some of these episodes. And if you have not, I highly Recommend Becoming an N2K pro subscriber. So thank you for your time.

A (38:07)

Yeah, I appreciate that. So, for those who are interested, we've teased that there are more episodes coming and there are more episodes coming this season. I would echo what you said, subscribe if you're interested, because I think you will enjoy the depth and breadth of the conversation we're having. So with that, Ethan, I appreciate you allowing us to flip the mic for a change.

B (38:31)

Yeah, it was fun.

A (38:32)

I hope it's been useful.

B (38:33)

It's been incredibly useful and it's been incredibly enlightening. Thank you for coming on, Kim.

A (38:37)

Thanks for having me. Today was a moment for reflection, an opportunity to look back at the journey we've taken this season and revisit the powerful insights shared by the guests who joined us. From tackling the cyber talent crunch to reimagining what strong security leadership looks like in a shifting threat landscape, we've covered a lot of ground. If you've been with us all season as priority a pro subscriber, thank you. We hope these conversations sparked new ideas, challenged your thinking, and offered actionable takeaways to bring back to your organizations. And if you've only caught the first few episodes, now's the perfect time to subscribe. There's more ahead and you won't want to miss it. Speaking of what's ahead, our season finale is just around the corner. I'll be sitting down with with Ethan Cook, who's been closely tracking each episode and authoring the companion blog posts all season long. Today he interviewed me. Next, I get to turn the tables and interview him. We'll bring it all together in one final conversation, weaving together the themes from across the season to explore where the role of the CISO is headed next, so make sure you're subscribed and we'll see you back here for for the finale. That's a wrap for today's episode. Your continued support enables us to keep making shows like this one. Tune in next week for more expert insights and meaningful discussions from the CISO perspectives. This episode was edited by Ethan Cook with content strategy provided by Mayon, plot produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliot Pelzman. I'm Kim Jones and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardw, or managing endless complexity. Meter builds full stack zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security and VPN is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo@meter.com CISOP that's M E T E R.com CISOP and we thank Meter for their support in unlocking this N2K Pro episode. For all Cyberwire listeners.