Afternoon Cyber Tea with Ann Johnson 10.18.22
Ep 61 | 10.18.22

Breaking into the Cybersecurity Industry
Ann Johnson: Welcome to "Afternoon Cyber Tea," where we talk with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-suite and other key security decision makers. I'm Ann Johnson, and today we are going to discuss what it really takes and what is really necessary to break into the cybersecurity industry. I am joined today by AJ Yawn, who is co-founder and CEO at ByteChek, a security program and assessment platform. He is also a founding board member of the National Association of Black Compliance and Risk Management Professionals. And AJ has over a decade of cybersecurity experience, including six years as a U.S. Army communications and cyber officer. He earned the rank of captain before joining a national cybersecurity firm where he led a SOC 2, ISO and health care practice.

Ann Johnson: Welcome to "Afternoon Cyber Tea," AJ. 

A.J. Yawn: Thanks a lot, Ann. I'm excited to be here and excited for the conversation today. 

Ann Johnson: So I am really thrilled to be having the discussion with you. I follow you a bit on social media. I've watched the work you do, and as you know, cyber is - been a really small, hard and insular group and industry to break into for folks. Folks tend to be a little bit intimidated. We have some challenges that are similar to STEM career paths when it comes to attracting and also retaining people. But in my opinion, there's also some artificial barriers in the cyber industry that are pretty unique. Employers rarely, if ever, have true entry-level cyber roles is one example, and the list of qualifications and job descriptions and preferred certifications keeps getting longer and longer. And they are not within the realm of even reality of what our folks in the industry are doing. 

Ann Johnson: So there's this massive need. I think we all recognize there's this massive need to bring talent into the industry, and we are starting to see some employers shift their thinking on cyber talent to be more inclusive of different backgrounds. But I do think we need to move faster, and we need to be super expansive if we're going to fill all the cyber roles that are open. So as we talk today, I want to cover this from both the employer and the employee or individual perspective. So can we start with a little bit of historical context? Why do you think employers have had such a high bar of entry into their cyber programs? And what was the thinking from cyber leaders on the skill sets they needed in the past? 

A.J. Yawn: Yeah, it's a great question. And I think the - there's a few reasons why. I think with the importance of cybersecurity and how cybersecurity has become so important to companies at the highest levels, where you're talking about cybersecurity at the board level, the SEC has recently mandated that companies of a certain size have cyber representation on the board. I think because we're seeing that cyber is so important, companies reacted to that with, oh, we need to hire unicorns. We need to hire people that are the perfect fit, that have all of these skill sets to build our cybersecurity programs because if we don't, we're going to fail since there's so many eyes on this. And I think that fear seeped into the hiring process and created these really high bars of entry for folks getting into the cyberspace because of that. 

A.J. Yawn: I think also, you know, there's a ton of gatekeeping because of the challenges that people that, you know, kind of started this whole cybersecurity thing and sector - they had to go through a lot to get into the field. And now with the advancement of certifications and the boot camps and just the many different ways that people can get into the field, I think the folks that are in position to hire people into cybersecurity are looking for folks that went down the same exact paths as them - the same exact schooling, the same exact background. And that's just not going to be effective, which I know we'll get into. But I think a lot of it came from being reactionary, which I think cybersecurity in general is way too reactionary. We need to be more proactive. And then I think there is some gatekeeping going on with folks that are in the industry wanting people to have gone through the same exact paths that they went through to hire them into the field. And they're not finding the people to do that because folks are not educating themselves on cybersecurity stuff in the same manner that they were 10, 15 years ago.

Ann Johnson: Yeah. I think that makes sense, actually. When you think about the risks to a cyber program, if something breaks - right? - there's a reputational risk. There's a risk of customer data. There's a risk of their critical systems going down. They don't want to necessarily take that risk with employees - right? - that they're hiring and bringing into the cyber program. So as we talk to employers about the need for change, it's not always clear how we can help them change, that we can mitigate the risks and then have them bring in people in the industry that - and think differently about it. 

Ann Johnson: They've spent so much time trying to find these people with a laundry list of credentials, so they have this level of comfort. And focusing on the larger group of qualified individuals, I think they've missed folks - right? - that don't necessarily have the certifications. So today, what do you think business leaders should be looking for, for balancing that need for mitigating the risk but also being more expansive and also not necessarily looking for this huge list of credentials? How do you think we can help business leaders balance that? And what skills really are important? 

A.J. Yawn: Yeah. I think one thing with cyber that I think is super important to look for if you're going to have a successful career in this field is you have to care. You have to actually care about this industry because it's hard. It's challenging. There's going to be things that you don't know, and you're going to have to be very comfortable being uncomfortable. So really making sure that folks care about the job, they care about the mission that you all have from a company perspective in protecting the data that's there, I think, is really critical. And I think, oftentimes, you can find that person with the perfect resume, but they don't necessarily care about what they're doing, where you find the person that has taken a nontraditional path that has put in years of work to even get to the interview, they really care about what they're doing. They really have that deep passion for what they're doing, which I think is super important. 

A.J. Yawn: I think finding folks that are - have experienced just problem-solving at a really high level are some of the - a quality or a mindset that I think leads to a successful career in cyber because most of what we do is problem-solving. And it doesn't really matter if you're a pen tester or a compliance person or a help desk or whatever it may be. Across the cyber world, if you're even at the CISO level, you are solving problems on a regular basis. That's what we're doing. And there's a certain level of technical problems that you can be solving, and there's a certain number of interpersonal and human problems that you can be solving, but we're solving problems. So I think finding folks that, regardless of it was in cybersecurity or another adjacent field, have experience and are very comfortable solving, you know, really challenging problems, I think, is a great mindset or quality for folks to have a successful career. 

A.J. Yawn: And I think as well, you know, we often forget about the soft skills necessary to be really good in this field. In order to build secure companies, you have to have a strong security culture. In order to have a strong security culture, you have to talk to people that are not cyber professionals, and you have to tell them why cyber's important. So being able to have those good communication skills, being able to build consensus, to show empathy in conversations are super, super critical to be successful in cyber. And I think business leaders should focus more on finding folks that have really strong soft skills, that have, you know, the want to really be in this field and be successful, that have been able to solve problems in their past because chances are, even if you find this perfect person with all of the certifications and all of the degrees, they still have to go through some training when they get to your organization. You're still going to have to teach them the tools that you have in place, the way that you do things, your policies, your procedures.

A.J. Yawn: So there's still going to be things they have to learn at your particular organization. I'd want somebody that I'd know has all of these other skills, and I can teach them how we do things at the company versus someone that is just a perfect fit on paper. And I think a lot of the things, you know, soft skills, problem-solving, having that true want and desire to be successful in this field are super important. 

Ann Johnson: You know, I think that culture - you know, Bret Arsenault talks about the culture of security all the time - right? - throughout Microsoft and building a company that has that culture. And I think it's something that gets overlooked. I love the way you just framed that and saying you have to talk to noncyber people. And the other piece, right? When you were talking about the fact that you have to actually teach people - even with all the skills and background certifications, when they come into your environment, you're still teaching them. So there is - actually, if there's a willingness to train those folks, and there's an opportunity to train folks that don't necessarily have all those certifications, but they can learn your tools. And the other thing is having folks in cyber, you - as, you know, you were a communications officer, right? Having folks in cyber that can understand how to communicate to everyone else in the company and can drive best cyber practices down to the individual level is really underlooked at times and truly underrepresented. So I love your framing there. 

Ann Johnson: The other thing we talk a lot about - and I know you'll have an appreciation for it - is that, you know, cyber has traditionally not had a lot of women and not had a lot of underrepresented minorities. And I've heard you talk about this before. And for me, there's two things. One, from a pragmatic standpoint, we're never going to fill all the openings we have if we don't actually recruit from a broader pool of folks. And it's also the right thing to do. It also will bring in people that think about problems differently, so you avoid that groupthink, right? You have folks that come in that have different perspectives and different backgrounds that can help you solve hard problems. I know you talk about this a lot. I would love to understand why you think it's so important. 

A.J. Yawn: Yeah, I think a lot of it is some of the reasons you just mentioned there, Ann, that we can't have all of the same people from the same backgrounds in the room and think we're going to be able to solve problems at a high level and with everyone else in mind. So I think that's really important. And pragmatically as well, you know, we have this job shortage in cybersecurity that is well publicized. We're just not going to fill that by just continuing to hire white men (laughter). You're going to have to hire other people from other backgrounds to fill this job shortage. Just the math doesn't work out if we just continue to go about it. 

A.J. Yawn: For me, specifically, there's a few reasons. One, I think, being in this field can change people's lives, financially, professionally, from a quality-of-life perspective. And I'm really passionate about folks that come from a long generation of being kind of in one tax bracket or one socioeconomic status, and that one person that finally breaks into this industry - and I've seen it over and over again - has dramatically changed the trajectory of that entire family. The people that come after them, the people that have come before them, they've been able to shift, you know, where their families are going and have been since they've been here in this country. It's powerful. And I think the - one of the ways that we can solve a really big problem in this country, which is the wealth gap between underrepresented groups and the majority, is by getting more of us into cybersecurity and into tech in general, to be able to have folks in there, you know, that are making really good money, have a strong quality of life, can start to find other things in their life that they're passionate about and other things in their life that they can do, which is really tough to do when you're just struggling to make ends meet or don't have a career like we have in this field. 

A.J. Yawn: And the other aspect of why I'm really passionate about getting women and more underrepresented minorities in this field is because there's a lot of women and underrepresented minorities out there that are qualified, that are talented, that have the skills that are necessary, that are just not getting the right opportunities, that are not being afforded the chance to even interview. And I think that that's just - one, it's not right. And again, pragmatically, we have the folks out there that are trained and ready and can do really great things in this field that are constantly being overlooked. And I've just seen it time and time and again. When you give folks from these backgrounds a chance, you realize I was missing out on somebody that, you know, changed the trajectory of our company or changed the trajectory of a department or whatever it may be. 

A.J. Yawn: So my goal of speaking about it is to encourage others to go look and see are we - is there a pipeline problem? No, there's not. We're just looking in the wrong places. And encourage them to go look in the right places for these people because they're talented. It's not - I'm not asking companies or leaders out there to do charity. I think there are extremely talented women and underrepresented minorities out here that are just not given the opportunity. And I want companies to realize and kind of put - hold the mirror up and ask themselves, are we doing everything necessary to hire folks into this field that don't look like everyone else in the company today, that don't go through the same exact recruiting pipelines from referrals that we do today is a big reason why I talk about it and why it's so important. 

Ann Johnson: Yeah, I agree with everything you said. I mean, you're missing out on talent if you're only looking for really narrow recruiting and if you're only recruiting people who look, sound and act like you and have the same educational or demographic or geo background, right? You're just missing out on talent. 

Ann Johnson: So let's talk a little about education and also about how people can break into the industry, right? For someone who's early in their professional career or maybe at the start of their career or maybe thinking about job change, we've started to see more and more programs in high school and in colleges, community colleges related to cyber. But what programs or communities do you think that people who are trying to break into the industry should be leveraging? How can someone who's early in career market themselves to employers, and how can they get the attention of employers? 

A.J. Yawn: Yeah, such a great, great question. I think there's a few kind of tactical things that people can do to break in. The first and foremost, the LinkedIn platform is probably the most underutilized social platform out there when it comes to networking and building a brand that can help you not only break into this field but have a very long career and kind of make yourself bullet Teflon to market dynamics, layoffs, et cetera, because you're - you as a human and you as a person will stand alone from your company. So I think folks that are trying to break into cyber need to go and get active on LinkedIn. And getting active on LinkedIn can mean many different things. It can mean posting regularly. It can mean commenting regularly. It could mean, just at the start, that you're connecting with people in the industry, which I highly recommend, is to build your network of folks that are in the roles that you think you want to get into. 

A.J. Yawn: And then the other thing that I would suggest from a tactical perspective on LinkedIn is to really reach out and try to get folks on calls, people that are in roles that you would think you want to be in. If you want to be a pen tester, find a pen tester to talk to about what they do. Read their resume, and read their background, and just learn from folks that have been there and done that, and don't try to figure this out on your own. And LinkedIn is a powerful platform that you don't have to physically be located next to someone to meet them, especially with the advancement of Zoom and all these video conferencing tools. It's very easy to talk to folks, and I would encourage folks to do that. 

A.J. Yawn: I think another underutilized aspect for people breaking into cyber are joining local chapters for, you know, some of these groups out there, like ISC-squared or ISACA or CSA STAR. A lot of these different organizations are cybersecurity organizations that have chapters in most, you know, metropolitan cities across the country. I'm sure most folks can probably find a chapter that is involved in somewhere in their region around them. And the reason I suggest people do that is because it's another great way to network. It's a great way to get involved in the cyber industry, hear from leaders in the industry. And it's a great way to volunteer and get in front of people and show them some of those soft skills that we talked about before. 

A.J. Yawn: You may just be trying to break into cyber, but you can go to a local chapter and say, hey, I'd love to volunteer and help you all run your next event. And during that event, you're meeting, you know, the president of the chapter, who is the CISO at X and the vice president who runs security operations at other company. And they're seeing that this person is professional. This person has great work ethic. They can communicate well. They are interested in this field. And they show up on time and do what they say they're going to do. All of those are really good qualities for somebody trying to break into cyber and is a great way for you to get in front of potential employers in a truly meaningful way. 

A.J. Yawn: And then lastly, one of the things that I always tell people is that it's very difficult for you to find a job in cyber that doesn't involve the cloud somehow. So it's important to start that cloud journey, start learning about the cloud. And I encourage anyone I mentor to learn in public, share what you're learning, share the things you're confused about. You can do that through writing on LinkedIn, posting, writing blogs, whatever it may be. But people that just show up with a bunch of certifications, it's not as impactful as someone that I've watched and been able to see their journey from Day 1 of studying for a certification all the way up into earning that cert and ultimately getting into the field. Seeing that path, seeing the perseverance, seeing how you were confused and seeing the vulnerability that you can express via post of learning in public, I think, is a huge way to get in front of folks in a meaningful way.

Ann Johnson: I think those are all wonderful suggestions. And people need to learn how to network, right? Networking is probably the most important thing they can do. So if their comfort level starts with social media, actually networking via LinkedIn and then evolves to, you know, that more networking in-person or via teams or something like that, that's important, but they actually have to meet people. To break into the industry, you need to meet people who know people. And I love what you said about how folks, you know, it changes the trajectory of their family life. That is so meaningful and so powerful and a great reason to look for that talent. Again, you can change someone's - completely change someone's life. It's amazing to me. 

Ann Johnson: OK, back to something a little more tactical. I know you talk a lot - I've seen you talk a lot about courses and certifications and different things. So what do you think a real baseline is? If someone's looking at the - all the different courses that are available and all the different certifications are available, what would you recommend to them they actually focus on? 

A.J. Yawn: Yeah, if I'm talking to someone that is starting from scratch and just, you know, going from another industry into cybersecurity, I usually say the same thing. First, I think the Security+ certification is a great cert, not for what it means for your resume but more so for you to have the baseline security knowledge to just speak the language. And that's, for folks out there listening, CompTIA Security+ certification is what I'm referring to. And the good thing about that cert is that it really teaches you the language of cybersecurity. You're not going to be a seasoned cybersecurity professional by getting this cert by any stretch of the imagination, but you will understand what the CIA triad is. You will understand what multifactor authentication is and why it's important. You'll understand the difference between data encryption at rest and data encryption in transit. All of these things that are important for you to just have baseline knowledge on, you'll get that in that certification, and it helps you really frame up what areas of cybersecurity you're interested in. 

A.J. Yawn: The other thing that I would say is pick a cloud provider, whether that's Microsoft, whether that's AWS, whether that's Google Cloud, whether - whichever cloud provider is your cloud provider of choice, pick one of those cloud providers, and start down their certification path to learn the cloud. And this is another suggestion just to get to speak the language. If you have the baseline language that you understand from the Security+ cert and you go out and get Microsoft Azure fundamentals and understand the basics of what Microsoft calls in the cloud, you are opening up yourself to so many different opportunities, as well as you can start to see in the career where you want to go. And I think it's critical for any person breaking into cyber today, you got to know the cloud. It's probably impossible, I think, to really grow a strong career in this field without understanding what the cloud is. 

A.J. Yawn: And then if you're going to be in security, you should have that baseline knowledge of what all of these terms mean. I think the only industry that's harder to understand from an acronym perspective is probably the military than the cybersecurity field. So it's good for you to get those terminologies and terms down. And those are - that's the advice I give to folks all the time. You know, Security+ is a great place to start. And then pick a cloud provider and learn as much as you can about that cloud provider as fast as you can because the cloud will play a huge role in your career. 

Ann Johnson: Exactly. And I can't emphasize that enough. And we were talking about this recently, internally at Microsoft, that we need people who have cloud security skills. And the skills that you may have developed from being an on-premises security person, maybe a network person or something like that, they're not actually transferable. You can learn the new skills, right? And you can get yourself up to speed, but we need you to do that, which means that there's more opportunities for people who are coming in from the outside because we need skills that the - some of the folks in the industry just don't have, and they haven't been able to change their skill set because they're so embedded in the projects they're working on, right? It's not like - you don't rip and replace tech overnight. So we need all kinds of skills, and a lot of those skills don't even exist now, which just creates opportunity for new people. 

Ann Johnson: I also want to remind people that not every cyber career is technical, right? Yes, we need developers and pen testers and people who do forensics and reverse engineers, incident response, all those people. But we also need marketeers. We need storytellers. We need folks that do HR. We need folks that do legal. We need folks to do privacy. We need folks to talk to regulators and policymakers. It is a, actually, really broad industry. It's truly an industry. So what surprising cyber roles have you witnessed in your career, and how do you think about driving awareness of all of the breadth of roles that are available in the industry? 

A.J. Yawn: Yeah, great question. And I think it's important for folks to understand that not every single role in cyber is a technical role. There's a lot of ways that you can be very - do very well in this field without writing a line of code and have a very long career. I think for me, the compliant - the GRC space has been the most surprising and exciting I've - Governance, Risk and Compliance, for folks out there that this is the first time they're hearing GRC. When I left the Army, I thought I was going to have to work in a really technical role because of a lot of the technical stuff I did in the military, but I ended up as a security consultant doing SOC 2 audits at a large cybersecurity compliance consulting firm and was able to just accelerate my career to becoming a principal consultant there, leading a team of, you know, well over 130 people. And that industry is one where you don't have to be technical, where the most important thing you can do as a compliance professional is understand how to communicate, understand how to talk to others outside of cyber and translate cyber stuff to those folks, but then also be able to interact with and have good conversations with technical people. You really get to sit in the middle of the security and business side of the company, which is awesome. 

A.J. Yawn: I think as people think about security, security is often seen as a blocker. It's often seen as something that stops the business from doing something. But compliance in security is actually a revenue driver. It's actually something that helps companies earn more revenue because they earn a compliance certification or an audit, go through an audit and now they can go sell into a certain industry, or they can keep a big customer. So compliance becomes a really important business activity. And I think that's a role that I would encourage people, especially career pivoters, to switch into because it takes a lot of soft skills to be good in it. 

A.J. Yawn: And I think we just need to drive more awareness there, to answer your second part of the question. We need more people that are in these type of roles, compliant roles or some of the other roles that, you know, are nontechnical to be public. I think we have a responsibility to be public about these roles and share them. And then there's organizations like the one that I'm on the board of, the National Association of Black Compliance and Risk Management Professionals, that tries to expose, you know, college students and other diverse folks to roles and opportunities in the compliance space. And I think there's roles out - there's companies out there or associations out there that are doing similar things. So for me, it's compliance. I'm the compliance guy. So there's probably only one way I was going to answer that question, but I think it's a great field in cyber that I think oftentimes gets a bad rap. But it's a great way to interact with a lot of the business, which is cool. 

Ann Johnson: Yeah. And I agree, by the way. And I think compliance is a great way, privacy is a great way, all of those things are a great way to come into the industry. And then if you want, you can move from there once you kind of learn the underpinnings of the industry and some of the lingo you talked about - right? - the vernacular we use. I know you have a lot going on. You always have a lot going on. Can you share a little bit with our listeners about what you're working on today? 

A.J. Yawn: Yeah. You know, I'm the founder and CEO of a cybersecurity software company, so my days are absolutely insane most days. But we built a really cool product to help companies with SOC 2, ISO and HIPAA certifications. And most of my time is spent just making sure that we're serving our customers well, building the team and continuing to build ByteChek into a really big business. And that includes, you know, talking with investors and trying to get us, you know, more venture capital in here to continue growing the business, doing stuff on the product. But it all comes back to solving a really important problem for our customers, which - our tagline is to make compliance suck less, and that's what we try to do with our product. And the way we work with others is just make the compliance process super easy for companies of all sizes. So that's what I'm up to today. 

A.J. Yawn: You know, ByteChek has taken up, I would say, you know, 150% of my time, even though my most important job that I have is being a dad. I'm the father of a 6-year-old and a 4-year-old. And it's - the most important thing that I do every day is spend time with my little ones, which I love doing. And it's a great way to break away from the madness of running a company. 

Ann Johnson: I - that is our most important job. Whenever I ask someone that question, you know, our most - I have a 21-year-old daughter, and it is our most important job - is our children. But you, as a founder and CEO of a startup, particularly in this macroeconomic climate, it's a tough, tough job. And I know because I meet with many of you - your peers. I know how much time and personal dedication you have, so congratulations for your continued success. Last thing, we like to leave folks with some key takeaways about how you can overcome challenges the industry is facing. But also, why are you optimistic about the future of cyber? So if you were to leave one or two messages with folks today, what would it be? 

A.J. Yawn: Yeah. So for me, I'm - whenever I get this question towards the end of an interview like this, the thing I like to always talk about is just folks protecting their mental health and making sure that they're doing everything in their power to be right internally before thinking of doing anything else. And I think that's what gets me excited about the future of cybersecurity - is because we've seen cyber be this field where people constantly are burnt out, people are constantly stressed. But I'm seeing more and more cyber leaders and cyber professionals talking about mindfulness, talking about mental health, talking about balance, talking about taking breaks, which I think that's going to be the way that we actually succeed in this industry of protecting the most important asset that exists out there, which is data. 

A.J. Yawn: And I think just seeing that continued push gets me so excited about the future of this industry because we're going to have a future cybersecurity industry full of leaders who were brought up in this era where they understand that the work's important. They understand that the things that they're doing are really important for their companies, for others that are in the industry. But more importantly, they're going to understand that they can't be good at their job unless they take care of themselves, unless they protect their mental health, unless they're doing all the things necessary to be good for their family and for themselves. And I think that's exciting. That's going to be an amazing future here that we have. 

A.J. Yawn: So if you are listening to this and you are not doing all the things necessary to take care of yourself, and you're not doing all the things necessary to protect your mental health, I encourage you to do those things. You know, meditate, go to therapy, take breaks, whatever it may - you need to do. Do those things because if you're trying to break into this field, don't burn out before you get in. Don't run yourself - you know, burn the candle from both ends before you get into the industry. You're not going to show up the best version of yourself. And you're also not going to have the success that you think you're going to have breaking in if you're not OK internally. So I would always like to leave with telling folks, you know, protect your mental health. There is nothing more important than yourself. There is no amount of success, there's no amount of money that is more important than your mental health. And it's cool to see the cybersecurity industry continue to trend in that direction of promoting that balance and a healthy culture in our industry. 

Ann Johnson: I couldn't reiterate that more, everything you said. And I know we have a guest coming up in this season that's going to talk specifically about mental health because it's a really, really tough time, and it's always a tough time for cyber folks, especially those on the front line. And I love all of the advice you gave. Do whatever you need to do to take care of your mental health and make that a priority, so you don't burn out. And you're there for your family and also for your career. AJ, thank you again for taking the time to meet with me today. I know you're incredibly busy. 

A.J. Yawn: Absolutely. No problem. I enjoyed the conversation. Thank you so much, Ann. 

Ann Johnson: And to our audience, thank you for listening. Join us next time on "Afternoon Cyber Tea." 

Ann Johnson: I invited AJ on "Afternoon Cyber Tea" because he's just this big voice in the industry about driving talent into the industry and thinking about talent from different dimensions but also thinking about what the baseline of talent needs to be and how as employers we can think about individuals differently, and we can help fill those cyber talent gaps by looking at people that we bring in and thinking about bringing different people in. It was a great conversation, and I hope you all enjoy it.