Bridging the Cyber Skills Gap
Perry Carpenter: Hi, I'm Perry Carpenter, and you're listening to "8th Layer Insights." Have you ever had a time when you've had something break down and you've said to yourself, huh, I wonder if I can fix that? I've done that maybe more times than I'd like to admit. YouTube sometimes helps, but there have also been times when finding YouTube videos or how-to guides only helped me have a false sense of bravery. And the result - rather than fixing my washing machine, I wasted time, injured myself and made the whole situation worse. The whole thing cost more, took longer, caused pain, and I'm pretty sure that the repairman got a good laugh at my incompetence. Then there are the other times, the times when you do the research and you realize immediately you are completely out of your depth. Maybe that's when something goes wrong with your car or your air conditioner or your plumbing, and you just know that you're going to have to call in a professional, someone who specializes in just this specific thing.
Perry Carpenter: Now, imagine what would happen if you go to call that specialist, and you find out that nobody in your city can help. And then you widen your search, only to find out that there's nobody in your region who can help. And then you find out that there are maybe only a handful of people in your entire country who can help. But those people are so busy that you're going to have to get on a waiting list, and your wait is going to be several months for them to get to you.
Perry Carpenter: That's a skills gap problem. It's a problem of supply and demand. And fixing it isn't as easy as you might think. And that's a bit scary because one of the most pressing skills gap issues that we're facing today is in the area of cybersecurity. You've probably heard people talk about the cybersecurity skills gap. Yeah, it's a big deal, and it has implications across business, critical infrastructure, national security, the economy and even civilization as we know it. So on today's show, we're going to take on the cybersecurity skills gap from a couple different directions - organizations needing to staff up and from the direction of people looking to enter the workforce. And to help us think through all this, I've invited four guests. Today, we'll hear from Heath Adams, Karla Carter, Sam Curry and Lola Obamehinti. Let's dive in.
Heath Adams: Defense is really big right now, and there's not enough people.
Karla Carter: There's a commitment that a four-year degree implies. Whether people agree with that or not, that tends to be a societal standard.
Sam Curry: There's the value of diversity, but there's also diversity as a value.
Lola Obamehinti: I think it's good to recognize generational diversity.
Heath Adams: SOC analyst jobs - going in and being able to respond to alerts and incidents and track down things, I think, is very important.
Karla Carter: I do fear that there are going to be far too many places that are traditional. They - they're not looking for a reason to keep your resume. They're looking for a reason to get rid of your resume.
Heath Adams: Incident response type work, especially with so much ransomware that's going around right now.
Sam Curry: Within an organization, having diversity means new ideas come out that you wouldn't otherwise think of.
Heath Adams: As well as forensics.
Lola Obamehinti: The technology industry overall still has a representation problem. The industry is still not diverse.
Karla Carter: And if someone has said, well, we need to have some sort of tech, STEM-related degree, they're going to see English on there. They're not going to look anymore, and they're going to get away.
Heath Adams: But on the other side of it, there's offensive need, as well - ethical hacking, any sort of exploit development and research.
Sam Curry: What we think of as pathology may not, in fact, be. May just be different ways of thinking as people and important to our communities.
Lola Obamehinti: Maybe taking a chance on them would be best because they're coming in with a fresh perspective.
Karla Carter: If somebody wants to hire more people who are going to be passionate, devoted workers, change how you write the job ads.
Heath Adams: Cloud-based security, cloud-based hacking, cloud-based auditing - that's going to keep growing as the years go on, as well.
Sam Curry: What matters more is the attitude that they have.
Karla Carter: You don't even need the degree, right?
Perry Carpenter: Today, Bridging the Cybersecurity Skills Gap - what those of us in the industry can do, what job seekers can do and how to identify long-term fixes. Welcome to "8th Layer Insights." This podcast is a multidisciplinary exploration into the complexities of human nature and how those complexities impact everything, from why we think the things that we think to why we do the things that we do, and how we can all make better decisions every day. This is "8th Layer Insights," Season 2, Episode 4. I'm Perry Carpenter. We'll be right back after this message.
Perry Carpenter: OK, Carl. Let's go ahead and try that intro you had in mind. Let's hear what you got.
Carl: You're traveling to another dimension, a dimension of struggles, hardships and unfulfilled needs, a dimension of being overburdened and understaffed, a journey of education, training, exploration and barriers surrounded by an intricate web of conflicting ideas and opinions. Along the path, weary travelers will be met by pundits, trolls, influencers and, if they're lucky, mentors. There's a signpost up ahead. Your next stop - The Cyber Zone, or The Cyber Skills Gap Zone. Or maybe something like, there's a warning up ahead. It says, mind the skills gap. Yeah, I'm not sure this is going to work.
Perry Carpenter: Oh, that's OK. Let's go ahead and roll with what we already had planned. Thanks. OK, so by now, I think that most everyone in the cybersecurity field has been hearing about the skills gap for a few years now. It's been a topic of conversation and has received a lot of media attention. And there's also been no shortage of opinions on how we got here and what we should be doing to fix it. But before we dive into some ideas for addressing the problem, let's start with an analogy to help understand how bad things can get if we don't begin making significant progress.
Perry Carpenter: Think for a minute about the human body. Our bodies are this amazing collection of organs and organ systems, each serving a function. And when you're healthy, everything is great. We feel great. We can perform all sorts of amazing feats. But now think about what happens when your body is under stress, when you're overly tired or when you haven't eaten. Things aren't quite as good. Now, let's take that a step further. Think about when sickness or disease is present. Our bodies are trying their best. Our immune systems are kicking in, but it's hard. Some systems overreact, and some systems underreact or underperform. We suffer. And in cases when we have organ failure, entire organ systems begin to suffer, causing systematic issues, cascading failures or even, eventually, death.
Perry Carpenter: That's a lot like a skill shortage or skills gap. We have various systems that do great when all the other systems are fully operational. But if one area is understaffed or if the people in critical positions don't have the right training or experience level, people then become overworked. They're trying to cover too many bases and sometimes not doing any of that well. There can be all sorts of problems from a pile-up of small errors all the way up to systemic issues leading to catastrophic collapses.
Perry Carpenter: It's not that we don't have excellence in our industry. We do. We have a lot of excellence. But what we have is inconsistent excellence. Having skills gaps means that we have safety, security and protection gaps, and those gaps open up vulnerabilities and weaknesses. And we as an industry have been in this weakened state for a long time.
Perry Carpenter: So what does the road to recovery look like? To help us find out, let's introduce our first guest, Heath Adams. He's known as the Cyber Mentor, and he's the CEO of TCM Security.
Heath Adams: So, yeah, we're a two-part organization. One side is cybersecurity consulting, and the other side is cybersecurity training. The consulting side is basically anything that you want broken into is - really, we'll try to break into it from networks, web applications, devices, buildings even. And on the training side of that, we teach a lot of what we do on the consulting side. So a lot of it revolves around ethical hacking, around different types of pen testing and even stuff like phishing, malware analysis, etc., and starting to add in some of the basics as well. So our platform is meant to be affordable, meant to be engaging and meant to cater to a wide array of audiences and be, in our view, one of the best trainings that you can get for the price point.
Perry Carpenter: One of the things that we've heard people talk about for a few years now is the, you know, quote, unquote, "skills gap." From your perspective, what is the skills gap? Is that a real thing? And are we - do we have a strategy to deal with it?
Heath Adams: It is, and it isn't. I think that there's one side of the group that is trying to break into security because it either pays really well or it sounds really cool. And I think that they don't understand, maybe, the technical work that goes into it and the amount of effort that it takes to get into cybersecurity. Just because it sounds sexy doesn't mean that it's easy. And there's a reason that the salaries are as high as they are, it's because it's hard to find qualified people that do the work. So on that side of it, yeah, I think that there's a lot of people wanting to get in but not realizing the effort that it takes.
Heath Adams: On the other side of it, I do think that there's definitely gatekeeping. There's a lot of mentality of, you have to have this certification path or this working path. Or you have to do X, Y, Z and have this many years in this job or whatever it might be - or education, or anything - because I did that, or because I came up through that path. And we have a lot of, I think, management-type that - you know, I did this, so you got to do this, or HR that doesn't maybe understand because somebody set the requirements a long time ago. And the requirements have changed in the industry. But HR doesn't know that because they'll be supporting them otherwise. So I think that there's gaps on both sides and meeting in the middle is somewhere that we're still struggling to get to.
Perry Carpenter: Heath just identified one of the key problems behind the skills gap, the problem of perception and expectation. Two words, but they're really two sides of the same coin. On one side, you have perception. That's what people see, what they are currently seeing and what they've seen in the past. New people just beginning to look at cybersecurity as a career option have probably had their minds saturated by seeing cool hacker movies and news all about cyber incidents. And so their perception often revolves simply around the battle and the excitement. What they don't see and what they may not even think about is the potentially boring aspects of the job. Their perception has been tainted. And some people may not even know that there are several distinct roles or domains and competencies within the cybersecurity umbrella.
Perry Carpenter: And then people within the cybersecurity field or HR professionals or recruiters may have the perception that only people with certain types of backgrounds or personalities will be a good fit for a specific job role. In this way, perception leads to cognitive bias. And that bias shows its ugly face on the other side of this coin. Turning the coin over, we're presented with the second word, expectations - the expectation that things will always be exciting, or the expectation that someone who doesn't look, think or hasn't followed the same career path as us won't be suited for a specific job. And the list goes on and on, and on.
Perry Carpenter: If we want to begin to close the skills gap, we need to constantly question our perceptions and our expectations to see where they might be leading us astray. At the same time, we also need to realize and remember that there is value in some of the traditional ways of approaching the field. So there's a bit of a balancing act that we need to do. For example, let's think about a traditional four-year college degree. Many job descriptions list specific college degrees as a necessary qualification. But should that be necessary? Does a university degree really help? And what are the main benefits and drawbacks to help us tackle that? Let's bring on our next guest.
Karla Carter: Hi. I'm Karla Carter.
Perry Carpenter: Karla is an associate professor of cybersecurity in the College of Science and Technology at Bellevue University.
Karla Carter: Which is in Bellevue, Neb.
Perry Carpenter: From your perspective, where does having a traditional college education fit in when it comes to setting someone up for success?
Karla Carter: One of the benefits of having a formal education, such as a four-year degree, is that it's something that a lot of employers are still looking for to validate that the person they're hiring has gone through the various hoops that they would need to jump through to prove that they're interested in learning something. There's a commitment that a four-year degree implies. Whether people agree with that or not, that tends to be a societal standard. So if someone does go the route of going through the degree program, then that's a signal that they're sending to an employer that, hey, I at least cared enough to have gotten this particular degree. There are also degrees that can have particular designations associated with them that can signal a certain type of expertise that has been applied to them, such as being in NSA Center of Academic Excellence, for instance. There are certain standards that have to be met to be called a center of academic excellence. So that someone looking at your transcript - and it does show up on the transcript - would be able to see, OK, this is a program. And this person, I know, had to learn certain knowledge units in order to be granted a degree from this institution. So it has a lot of value as a signaling thing, first of all.
Karla Carter: The other thing is that if you can find the right sources, the internet would be able to teach you anything you needed to know. A lot of people - self-study is just not what they're good at. They prefer to have someone sort of structure the learning for them, tell them, if you show up at this time and this place and do these particular steps, you're going to learn the material. And so a university or college education is certainly going to provide that. We do sort of enforce the structure. Now, that's different if you take a face-to-face class versus taking something online. And that's not to say that online classes are lesser. It's just that to take an online class and be successful, a person really has to have a good reason for why they're there and to really want to succeed and put in the extra effort. They also have to like to read and write because there's more of that in an online class.
Perry Carpenter: I think one of the other strengths that comes from a traditional four-year college education is the broadness of the experience, the exposure to different subjects that you wouldn't really expose yourself to if you were just to take specific skills-based training.
Karla Carter: If you're perceived as being a well-rounded, interesting person, you can have any sort of conversation. And if you have an idea, they're more likely to want to listen to it. Another reason for having a well-rounded education is - this is not to denigrate my master's in cybersecurity. My most useful degree is that bachelor's in psychology. I use that every single day. And it's invaluable, obviously, in the classes that I teach because when I'm teaching what we call operational security, which is really security operations, it's a very human-focused class. And when I'm teaching the human factors of cybersecurity - that's the security awareness and social engineering class - obviously, psychology is an entirely huge part of that. So you have to have a mix of understanding what the human condition is because cybersecurity, until we have Skynet, is still a human problem.
Perry Carpenter: One of the most encouraging things to remember is that our past experience is never wasted. Cybersecurity has so many moving parts. There are almost always applications for any previous education you've done. And, of course, there are applications for programs like math and engineering and computer science. But there are also areas within cybersecurity where previous experience in psychology, English, philosophy or even something like accounting come into play. And those are just examples. The takeaway here is that we shouldn't let the term cybersecurity become something that puts people into a box where certain skills are immediately seen as desirable and necessary and other skills are minimized, neglected or forgotten entirely.
Heath Adams: I come from a nontraditional background. I think a lot of people do, honestly.
Perry Carpenter: Heath Adams.
Heath Adams: I was an accountant, and I'd been in accounting for a few years - absolutely hated it, just chose it because it was a safe field to get into and ended up dropping everything, going and working a helpdesk job. And one of my co-workers told me that you could get paid to hack into things. And before then, I just thought that a hacker was somebody that was a bad person. I didn't know that there was ethical hacking and companies paid for this.
Perry Carpenter: When it comes to the hacking piece of this - the ethical hacking piece, there are the things that everybody's seen in movies, and they have all these high expectations about what that's going to be like. And then there's also the really boring part where you're just working through things, hoping that you find something that works, or you're doing the report writing. You have to have a very methodical thought process. Do you think that your accounting background helped prepare you to just be able to slog through all of the fine-grained details that you need to be successful with those more mundane tasks?
Heath Adams: A thousand percent. I think my accounting background was incredibly beneficial to my hacking background. From a consulting side - because I was a consultant before. I was in public accounting, so I was working with C-level executives. I was working on reporting and documentation and going through fine-tooth comb on stuff because I was an auditor. So I had to look at everything in heavy detail. And then I had to report that back to people who maybe didn't understand accounting or financial numbers and make sure that they can understand it in a way that is presentable.
Heath Adams: So going through that - and then even from being a business owner, having the accounting background has been incredibly beneficial. But I think there's a lot of correlations that overlap there with accounting and hacking, especially in the report writing, presentation skills, communication skills, being able to talk to a technical or non-technical audience.
Perry Carpenter: Yeah. Do you think if somebody comes into pen testing from a background - let's say an English major or a philosophy major or something else like that. Do you think there's always going to be something from their previous life and experience that carries over and provides real substantial value to this new thing that they want to do?
Heath Adams: Sure. I think you can draw from a lot of that. Just, like - an English major is probably going to be really good at writing reports. It may come easy for them where some - you know, some people just dread the report writing. But, you know, an English major might say, oh, I love this, and it could be something where they excel. Everybody has their own traits and their pros and cons of things they love and hate. You can use your backgrounds to accelerate in certain areas of this field, for sure.
Perry Carpenter: We've talked about the value of a traditional university education, but let's be realistic. That's not for everybody. And even for people who already have a degree, there will always be the need to learn new skills. So let's spend just a few minutes talking about the value of online training and other ways of doing skills development.
Karla Carter: Try and take advantage of as many of the free courses or some of the ones that might only have a minimum monthly charge so that you're not laying out a huge investment. Sometimes paying even $5 a month gives you enough skin in the game that it's like, well, I'm paying for this, I guess I better go ahead and start using it. And then from that, you can get a sense of what are some of the things I'm interested in, kind of get their feet wet with it and see, OK, do I like network security or am I more of a programming person and work my way up to knowing how to reverse engineer malware or something like that? Once you're talking about the major paid classes, like the SANS classes, you want to wait until after you're employed somewhere and then you can convince that as part of your professional development, get someone else to pay for it.
Karla Carter: But I do think that once you're in a job, the way that you advance is to show that you are interested in continuing to learn. And if you stop learning for even a month in this profession, you're going to feel so far behind that it can be overwhelming. Maybe that's something to keep in mind when you're out there looking for employers because, right now, employers need people. Folks who are looking for jobs can actually afford to do some shopping. Find out if your employer is willing to pay for extra training, and they should be excited that you want to do extra training.
Perry Carpenter: So we talked a little bit about traditional college and the path there. For somebody just getting into this, regardless of their background, they've probably got a lot of things in their head and a lot of advice that's being given to them, like, you know, go get a CISSP, go get a security+. What are the pros for certification in your mind?
Heath Adams: Yeah, I think the pros are that it can be something that you can set a goal towards and then affirm knowledge in a sense, some certifications more so than others. So for me, when I was coming up, when I was doing certifications, it was, hey, I'm going to use this to study, but I'm also going to buy the certification because I don't have a lot of money as it is and I'm going to make sure that that motivates me in order to study and learn this topic and make sure that I can get to where I want to be. So I took that approach, used it to motivate, study, then go get the certification to prove that I had the knowledge, you know, to do what I was doing. But at the same time, if you have certifications that are multiple choice or they don't go into a lot of depth, it's very easy to get into learning the test, taking the test, passing the test, getting a certification, forgetting all about it. So there's definite pros and cons to it. But the big pros are being able to set goals for yourself, study and then affirm the knowledge that you did get through that process. I think doing your own due diligence when it comes to researching certifications and what value they actually hold from a training perspective versus what value they hold because, you know, they ended up on job descriptions or whatever it might be, doing your research is definitely going to be beneficial.
Karla Carter: If somebody wants to work in a government job, they do need to at least minimally get the security+ certification. That's something that's required for the defense contractors as part of their compliance. And so I would say getting the security+ certification shows people that you are interested. It is obviously very network security focused, but it's a very fair test, very doable. Other certifications kind of depend on the space you're in. If you're a generalist, if you want to be a CISO - CISO, however people are saying that - then you might want to look at the CISSP. But that's a long and involved process. You have to get references. You also have had to have worked in the industry for a little while in order to, after you pass the test, to get the certification. There's continuing education that's required with that. They have a very strong ethics board. I mean, it's a great certification for somebody who wants to be considered a generalist. If you want to go into the auditing space, ISACA's CISA certification would be the gold standard there.
Perry Carpenter: We'll be right back after the break.
Perry Carpenter: Welcome back. We've talked about some of the root issues of the skills gap and some of the issues of perception and expectation that impact the way newcomers may view the industry and the way that current industry professionals may view newcomers. We also touched on the ins and outs of traditional educational paths, online training and certifications. These are ways of upleveling the skills of people currently in the profession, as well as people that we want to train up so that they can enter the profession someday. We also mentioned that many non-cybersecurity-related degrees and backgrounds can actually be really useful in a cybersecurity context. And that's really important to remember because it brings up another critical area to discuss, specifically that there are large populations of untapped talent out there who can, at least in part, help to address our skills and staffing gaps.
Sam Curry: Diversity, in general, is a competitive advantage. It's the right thing to do.
Perry Carpenter: That's Sam Curry. He's the chief security officer for Cybereason. He's also a frequent public speaker and is passionate about finding non-traditional ways to solve some of the cybersecurity staffing issues we face today.
Sam Curry: And it's - it is good for society as a whole and for people who have been disenfranchised or on the wrong end of it for a long time. But it - it's also - it also makes our companies stronger. It makes our organizations stronger. I'm in a cyber organization, which means the enemy is diverse. They're not sitting around, you know, hiring only one type of person - men, women, ethnicity, you know, gender, orientation or religion or anything like that. So you - first of all, you've got to understand the opponents, that they could be from any walk of life. And secondly, within an organization, having diversity means new ideas come out that you wouldn't otherwise think of as a group collectively. I also prefer to be part of diverse groups.
Perry Carpenter: One of the areas you're passionate about is bringing awareness to neurodiversity and the value that neurodiverse people bring to the workforce. Can you speak a little bit about that?
Sam Curry: What we sometimes forget is - and maybe it is a legacy of psychology to some degree - what we think of as pathology may not in fact be, may just be different ways of thinking as people and important to our communities. So I'm talking about things like autism and Tourette's. I'm talking about things like OCD, people who don't necessarily, you know, relate socially the same way that we think of, quote, "us," unquote. And I want to work in a place where somebody doesn't necessarily think that A leads to B leads to C. They jump around - A is attached to J to 42 or to whatever - and figure out ways to work with them. And I think that that makes us better, especially if you're in a problem-solving organization, especially in an organization where, you know, the highly valuable jobs are those that lead to creativity and new ways of thinking. So why would we limit ourselves to only clinically perfect people?
Perry Carpenter: Yeah. So you see a lot of value in engaging a diverse population.
Sam Curry: There's the value of diversity, but there's also diversity as a value. Both are important. And what I mean by that is the value of diversity is the value to us collectively of having a diverse representation. But diversity as a value means it's something that we believe in, like believing in doing the right thing. Those are two different, related and very important things here. So I believe that neurodiversity, like other forms of diversity, is both valuable to us and it is a value that we should treasure at some degree. I'm not a psychologist. But a lot of the thinking now is that the pathologies that have been identified in the past are really just statistical differences as opposed to something necessarily bad or to be corrected. I think neurodiversity is a step behind some of the other ways that people have been discriminated against or disenfranchised, either consciously or unconsciously. And it's going to take time.
Perry Carpenter: I think that diversity and inclusion and this whole area is one of the most important topics that we need to be taking on as an industry and in the individual organizations that we work in. But it's also one of the most difficult to do with the right amount of care. There's a lot of missteps that we can make. So how do our organizations start to embrace this in a way that affects the change that we want, but also alleviate some of the fears of these missteps? Because there are hard conversations to be had, and do those happen at the HR level, the executive level, all throughout the organization, or where does that start?
Sam Curry: Yeah. So I'm going to say I don't think it's on HR to do it. It's a cultural thing. And by that, I don't mean the culture that we wear on our sleeves and make logos about, you know, five key words we put out on an elevator. I mean, we have to actually talk about it. We - at my own Cybereason, we had an initiative called UBU. And yeah, we made T-shirts about it and things. But we had conversations on all-hands meetings, tough ones, because, you know, it's really hard to ask somebody who identifies as gay or transgender or who is an African American in our case to come up and talk to the company about it. And I think it evolves because you - first you state what you want to be, and then you find that you're really not that yet. And you have to work at it. And I don't think it's on HR to do that.
Sam Curry: I think it's on the leadership of a company to begin the dialogue, and it's up to the company to step up and do it. It's not their thing because HR's job isn't to necessarily chart the course or try to shift the culture. You can't shift the culture. Like, it has to - it takes a lot of energy for it to change and it's got to want to go through that. And what you'll find is if you start to sponsor things in your community and you start to, you know, you start to have initiatives and you start to hire the right way and you really think about this correctly, the company starts to move. But culture is the hardest thing to move. And it can't be done from, oh, it's the HR department on Floor Whatever because that will fail. I think it has to start at the top, but it has to come from the whole body politic, from the whole group. The difficulty is in having the conversation in a way that is sensitive and not insulting or cultural appropriation or, you know, looking for a quick fix. In our own company, when Juneteenth was being discussed early in 2021, we had an African American woman come and talk to us about what it meant for her family. Not easy to ask her to do it. Not easy for her to do it. But we all got better by that dialogue.
Perry Carpenter: This is a really important topic and one that we can't afford to neglect or run away from. So I want to explore it just a little bit more. To do that, let's bring in another guest.
Lola Obamehinti: Hi. My name is Lola Obamehinti. I am a keynote speaker, a cybersecurity professional and a technology leader based in Silicon Valley.
Perry Carpenter: I know that you're an advocate for diversity across a whole range of areas, not just the things that many organizations have started to make popular, like gender diversity or racial diversity or ethnic diversity or diversity across sexuality, where a lot of work still needs to be done. But there's attention being paid to those. You are also a big advocate for diversity in some of these areas that people may not immediately consider, like diversity of educational background and diversity of age groups. Can you give us a little bit of your perspective on where the industry is right now when it comes to diversity and maybe some of the things that we are accidentally overlooking?
Lola Obamehinti: The technology industry overall still has a representation problem. The industry is still not diverse. And then if you drill down to cybersecurity, the statistics are a little bit better but by not that much. So I think it still goes back to evaluating the power structures and the hiring structures that be within the organizations and really taking chances on nontraditional employees. So whether that be on a Gen Z individual who has a YouTube channel or TikTok that has really blown up, but they don't have the traditional on-paper experience with security - maybe taking a chance on them would be best because, one, they're coming in with a fresh perspective. They, you know, obviously know how to educate and reach a large audience.
Perry Carpenter: Do you think that hiring managers and recruiters are potentially missing out on great candidates because there needs to be some work to make the job descriptions more inclusive or more inviting?
Lola Obamehinti: I see, especially on social media channels, whether it be LinkedIn or Instagram or even TikTok, where a lot of younger individuals are expressing frustration because they're not being given a chance to even get into the industry or get an entry-level role. Some have degrees. Some don't. Some have a lot of certifications. Some don't. But they all, quote-unquote, have been doing what they supposedly have been told would get them a role, and they're still being passed over for these jobs. What I feel for security, since a lot of us have already been working in tech and then transitioned into security, the hiring management philosophy is, OK, you need to already come and, Day 1, be providing value and already know everything. But for the younger generation, we still need to give them opportunity to learn and train on the job. So I think that's really important.
Perry Carpenter: So then if we were to think about this skills gap, do you think that that is a real skills gap, or is it a skills gap of our own making because the people that are doing the hiring have strange expectations and filtering that they're putting on a lot of the different resumes that are coming through, or is there some kind of combination of factors there?
Lola Obamehinti: Nothing is ever, you know, black or white. So I think it could be - it's a combination of both, first and foremost. But it's also the hiring managers, but maybe more so the recruiting teams need to be better educated and write better JDs. And I say that because I see a lot of job postings and requisitions where - for example, I saw an intern posting for a security team, and they were asking for a CISSP and a CISM, and this is for an intern position on the security team. So it's like, who wrote this?
Perry Carpenter: Yeah, 'cause you get an intern position to cultivate the things that's going to help you get a CISSP later on.
Lola Obamehinti: Right. And, like, everyone in the industry knows you need at least five years of experience.
Perry Carpenter: Yeah.
Lola Obamehinti: How is someone working on their bachelor's degree going to have that?
Perry Carpenter: Yeah.
Lola Obamehinti: So when I see postings like that - and that isn't the only one - it's like, OK, you're deterring people from actually applying, and you clearly don't understand the industry or what is actually needed for this particular role.
Perry Carpenter: Yeah. Well, and that even - it could be - and I hate to use this word 'cause that's assuming motive or some other, you know, factor there, but it could just be basic sloppiness from a hiring manager, copying requirements from an old JD into something new and not looking at the detail. It's just that, you know, everybody's in a rush. And they go, oh, I've already done this. Let me just copy that over. But, you know, the systems that we have as we increase and we automate more - I do think as hiring managers, we have to be aware of the fact that all these automated systems that are using those keywords as filters. And if somebody doesn't have those, then they're potentially getting out of a pool that they should definitely be in because they can contribute, you know, massively, which goes back to networking.
Lola Obamehinti: You know, millennials like myself and Gen Z really go above and beyond and make an effort to network because that's really where you will get a lot of opportunities and jobs and security - is through networking. I remember a previous role was, like - the CSO - he moved to another large organization and took people with him. And some of the people that managers and directors are now CSOs. So nurturing relationships within this industry is really important and then also showing your passion for security. For my current role, I had tech experience, but they really liked that I had a blog. They liked that I had done interviews with executives about security and I had done all this, quote, unquote, "extracurricular activities" outside of my professional experience to show what I could bring to a security organization.
Perry Carpenter: Well, it looks like we're about out of time for today's show. I'm going to give Karla Carter the last word, and then I'll be back to wrap up with a few closing thoughts.
Karla Carter: The biggest thing I have to say is you can't ever stop learning. You always have to learn new things. Most people are flattered to be asked to be a mentor. If they don't have time, then they will tell you, or maybe they can recommend someone else. And it doesn't always have to be someone at the company. Social media, for all that it can be a large dumpster fire, is really, really useful for meeting good people. You just have to spend the time finding where the good people are.
Perry Carpenter: Let's face it. There is no easy single solution that will magically fix the skills gap. This is a complex problem that can't be solved overnight. But we can make both short-term and long-term progress if we approach this in a multifaceted way and if we are willing to move away from outdated modes of thinking and preconceptions. Cybersecurity is all about solving a wide and diverse set of problems, and that means that we should be recruiting from a wide and diverse applicant pool. We need to see the value in people who think, look and believe differently than we do. The rate of technological innovation doesn't seem like it's going to slow down any time soon. And that means that we're going to need to build a cybersecurity workforce that is sustainable for the long term.
Perry Carpenter: Luckily, there's some really good work being done to prepare the next generation of cybersecurity professionals. We didn't have time to cover that on today's show. But the Girl Scout cybersecurity badge program, the GenCyber program and camps that have been sponsored by the National Security Agency and the National Science Foundation - these are good things investing in the next generation. And we need to be ready to welcome them among us. Oh, and because this is such a complex issue, I'm currently working on a second episode related to cybersecurity careers. I'll release that episode in a couple months, so stay tuned.
Perry Carpenter: And with that, thank you so much for listening and thank you to my guests. Heath Adams, Karla Carter, Sam Curry and Lola Obamehinti. I've loaded up the show notes with more information about our guests and all the relevant links and references for the information that we covered today, so be sure to check those out.
Perry Carpenter: If you've been enjoying "8th Layer Insights" and you want to know how to help make the show successful, there are two big ways that you can do that, and both are super-important. First, if you haven't yet, go ahead and take just a couple seconds to give us five stars and to leave a short review on Apple Podcasts, Spotify or any other platform that allows you to do so. That helps others who find the show have the confidence that this show is worth their most valuable resource - their time. The second big way that you can help is by telling someone about the show. Word-of-mouth referrals are priceless. If you haven't yet, please go ahead and subscribe or follow wherever you like to get your podcasts. And if you want to connect with me, feel free to reach out on any of the social networks where you can find me. I've also put my contact information in the show notes for you.
Perry Carpenter: This show was written, recorded, sound designed and edited by me, Perry Carpenter, with additional research by Nyla Gennaoui. Today's show also featured the voice talent of Rich Daigle, aka Mouth Almighty. Artwork for "8th Layer Insights" is designed by Chris Machowski at ransomwear.net - that's W-E-A-R - and Mia Rune at miarune.com. The "8th Layer Insights" theme song was composed and performed by Marcos Moscat. Until next time, I'm Perry Carpenter signing off.