
Is the cyber talent ecosystem broken?
Kim Jones: Welcome to CSO Perspectives. My name is Kim Jones and I am thrilled to be your host for this season's journey. So if I were asked to describe this podcast in one word, that word would be depth. There are more than a handful of complex issues and challenges, technological and otherwise, that plague the average CISO. In many cases, we only hear about these issues during brief sessions during a conference, or more often around the bar. After the conference is over, speakers and podcasters try to address these problems with short soundbites and incomplete solutions that address only one facet of the issue. At CSO Perspectives, we take a different approach.
We tackle a single complex issue over a multi-episode arc, looking at the issue from every conceivable angle. We bring in subject matter experts to discuss and debate the aspects of the issues on every episode, and conclude each episode with concrete recommendations that taken together present a strategic approach to solutioning the problem.
For our inaugural season, we've chosen to address the challenges surrounding the cyber talent ecosystem as a profession. We've been complaining about talent issues for the better part of a decade, but our piecemeal, unidimensional solutions don't seem to be solving the problem. To start the conversation, I'm going to ask the overarching question: why does the cyber talent ecosystem have indigestion? Enjoy the ride.
Kim Jones: About seven years ago, I had the privilege of sitting down with a number of current and former Fortune 500 CISOs. We discussed how to structure a new training program for people seeking to enter the cybersecurity field.
I was working with an organization that had funding locked in, and they were given the freedom to structure a program any way they deemed appropriate. Naturally, they sought the input of industry professionals. After several hours of back and forth around content, skills to be taught, and level of rigor, I made the mistake of asking the obvious question: so folks who go through this program would meet your requirements and be eligible for entry-level positions, right?
After a long, awkward silence, the collective response was, well, no, not really. After more gyrations around what would be needed to make these candidates eligible for entry-level positions, one of the CISOs finally said, bluntly, I'm not dodging your question, Kim. I'm deliberately not answering, and the reason I'm deliberately not answering is because I honestly don't know. The other CISOs around the table nodded in agreement.
The radical candor of the comment revealed to me more than the rest of these conversations combined. It was both mind boggling and humbling to realize that we were designing a program to train people to enter the cybersecurity field that would be ultimately ineffective. The seasoned professionals whose needs we were attempting to meet had no idea what they wanted in a candidate.
Us old security guys and gals, who I lovingly refer to as OSGs, we came up hardscrabble. We were either thrust into or volunteered for roles and positions that no one else wanted, and that people barely understood.
We earned our PhDs from the school of hard knocks as we tried again, failed again, and failed better. Thank you, Samuel Beckett. We developed the technologies, practices, and frameworks for our profession. We learned to balance governance and assurance with innovative technology such as wireless and cloud.
We taught ourselves to speak the language of the business so that we could make our concerns understood to the business line leaders. For the most part, we succeeded in building this evolutionary path. Or did we? While we have mostly stabilized the role of the security practitioner for the current generation, one of the areas where we continue to fail is in charting a successful and consistent pathway for people who wish to enter the cybersecurity profession. Further, rather than pooling our brain trust and rallying around collective solutions, we continue to bounce around terms like complexity and the need for grit, which flop around like fish gasping for breath as they cause indigestion within the cyber talent ecosystem.
Those words are weak excuses for the indecision surrounding standardizing the knowledge, skills, abilities, and experience requirements, also known as KSAEs, necessary for entering and surviving the cyber arena. Our inability to standardize job requirements represents the biggest challenge to our industry.
While we complain about this challenge almost incessantly, we don't seem motivated to rectify the problem anytime soon. This is a source of personal frustration for me, since a lot of what I do centers around mentoring both young and older professionals wanting to enter the cybersecurity field. Consider these real issues we face today.
One, we continue to allow the posting of job descriptions that in no way reflect reality. Positions asking, for example, for a CISSP certification from someone with only two years of experience are more common than we would like to admit. Two, we have complained for over a decade that university programs, even computer science programs, weren't teaching cyber. Universities responded by adding cyber curricula to their degree programs and even created cybersecurity degrees. Our response was to criticize the content as being too theoretical and not producing students with real experience, even when programs were constructed by seasoned cybersecurity professionals and included real-world experience as part of the requirements.
Three, we say we want real-world experience, but in fact, we want targeted real-world experience. When a candidate has specific experience in one area like SOC, and the job posting is for an access management role, many companies will not hire the candidate because their real-world experience is not specific to the job.
Four, we do not truly encourage internship and apprenticeship programs. We only encourage those programs when someone else is operating them, since we claim to be far too busy to take on an intern. And even if we do take on an intern, they are often relegated to a glorified gopher role versus real training and exposure to cybersecurity.
And five, we encourage alternative pathways for entry that focus on experience versus a four-year degree. Yet our job descriptions still require a four-year degree. I can't tell you how many times I've talked to folks with relevant real-world experience trying to break into the cyber arena, only to hit wall after wall and no after no. Meanwhile, cyber jobs are expected to grow by 32% by 2032, and there are estimates that as many as 500,000 cybersecurity jobs in the US remain unfilled.
So why does the cyber talent ecosystem have indigestion? In the end, Walt Kelly said it best: we have met the enemy and he is us. Here are a couple of thoughts on how we can solve the problem. One, end the unicorn hunts. I have a dear friend who runs a cyber talent creation program at a university, and they told me about a situation where a CISO tapped his student pool for a new position. After his students had been interviewed, the CISO declined to hire any of them. Naturally, when my friend asked, is there something we should be teaching or training in that we're not? The CISO told him that in reality he was, and I quote, looking for purple unicorns. Here's the reality, folks.
Purple unicorns do not exist. If you're just looking for purple unicorns, you are exacerbating the problem. Instead, we need to work on nurturing and raising a cadre of solid thoroughbreds. And yes, that takes effort and time. Two, get specific on KSAs. I am truly tired of listening to OSGs complain about what is lacking in candidates without being able to specifically and concretely define what they are looking for in candidates.
Much of our job is not prescriptive and is necessarily fluid. There are foundational skills such as an understanding of protocols and services, knowledge of data structures, encryption, basic coding structures and risk management that we should agree upon as being foundational skills. The NICE cybersecurity workforce framework and the cybersecurity competency model are great starting points.
It would be incredibly useful for the profession to truly adopt these standards and mandate that all job descriptions conform to these requirements. If we don't believe these requirements are enough, then we need to create the standard versus continually complaining about the existing inadequacies.
Folks, the challenges of our talent ecosystem are very real, but we cannot solve them via unfocused commitments to random programs addressing non-specific needs. If we are serious about solving the problem, let's start by clearly guiding organizations and candidates on our needs, and then demonstrating our commitment by collectively showing up. My 2 cents.
Kim Jones: I first met Ed Adams about five years ago. I was working passionately on talent issues for my company and looking for collaborators who both saw the complexities of the issue and were eager to create and implement tangible, realistic solutions. Ed and I spent many an evening discussing the pitfalls with the current cyber talent paradigm.
So it's only fitting that he be my first guest of a season devoted to this topic.
Kim Jones: I want to give you first an opportunity. I mean, I've known you for several years now, but our audience probably does not. So you wanna take a couple of minutes and tell us about yourself please, sir.
Ed Adams: My career in cybersecurity started like many of us, Kim, outside of cybersecurity, because when my career started, cybersecurity wasn't a thing. I came up as a software quality person, working for the likes of Rational Software before it was acquired by IBM, but I was always into software and I loved software quality.
But for the longest period of time, I bemoaned the fact that despite everyone talking about different aspects of software quality, like functionality and performance and reliability and scalability, nobody was talking about security as an aspect of software quality. So I started beating that drum.
I got the attention of a nutty professor at Florida Tech, who had recently written a book called How to Break Software, which I thought was great. His name was James A. Whittaker, and he was working on a sequel called How to Break Software Security with one of his PhD students. And when we got together and he told me that he was thinking about starting this company with a group of his graduate PhD students to focus on software security, I said, I'm in. I came through the software quality angle, through a university spinoff, when very, very few folks were talking about cybersecurity at all and virtually nobody was talking about software security.
Kim Jones: So talk to me. I mean, you and I got to know one another because of your interest in talent, and not only creating new talent, but uplifting talent. So talk to me about that. Talk to me about how your general getting involved in cyber evolved to that, if you would.
Ed Adams: I've always been a fan of trying to recruit folks into the technical fields in general, whether it be volunteering for the Boston-area middle school STEM (science, technology, engineering, and math) projects with United Way, or later in my career, encouraging folks to get into the IT and cybersecurity space.
I kept on hearing recurring themes over and over and over again from two types of people who typically sit on opposite sides of the table. And they had a very common complaint.
Kim Jones: Shocked I am, but keep going.
Ed Adams: I know, I know. So a lot of folks were trying to figure out how to get into cybersecurity and struggling to do it because they either couldn't get interviews or they felt like they weren't qualified for the jobs they were seeing available.
Then the other side of the table is my colleagues, like yourself, who have cybersecurity teams or need to influence large technical teams, and were bemoaning the fact that they couldn't find talent. They couldn't recruit talent, they couldn't retain talent, they couldn't develop talent.
And I thought to myself, well, these two problems are not mutually exclusive. Let's see if we can start to dig in and solve it directly.
Kim Jones: Fantastic. So you've looked at this problem from a lot of perspectives. You and I have talked about a lot of those perspectives, and during the season we're gonna deep dive into many more of them. But Ed, I asked you to be my first guest because since you have looked at this problem more holistically, I think you're probably one of the best people I know to speak on the problem itself.
What do you see, in order of priority, as the top three problems? I won't sugarcoat them and call them challenges. Problems with the cyber talent ecosystem as it exists today.
Ed Adams: So there continues to be a very large discrepancy between job descriptions that hiring managers wanna hire for and the appropriate qualifications for that job.
Kim Jones: I'd like you to deep dive in that a little bit, and I'm gonna tee up the follow-on to that, which is, but wait a second. Haven't we built knowledge, skills, abilities, and experience frameworks, et cetera?
So why the hell do we still have this problem when we're the ones who are hiring? So, talk to me.
Ed Adams: We have built wonderful frameworks like the NICE Framework from NIST and the National Initiative for Cybersecurity Education, which does exactly what you specified. It calls out knowledge, skills, abilities, and tasks for, I think it's now 54 different job functions in cybersecurity.
So yes, very well documented what those jobs should be doing. The other side of that coin is that very few people acknowledge, know, or even attempt to adopt the NICE framework as part of their hiring practices. It's a great first start. The NICE framework is not perfect. It generally omits one half of my cybersecurity color wheel, which I'm happy to talk about at any point in time, and a very important half, I might add. But it's a great framework, and if you were a hiring manager, why wouldn't you wanna start there? Because it does give you a great head start.
When I talk with folks that are looking for cloud security architect positions and what they see in the job descriptions are things that are completely outside of what NICE and the NICE framework think should be a cloud security architect, they get frustrated, they get confused, and more likely they just don't apply, especially if they happen to be a woman or an underrepresented minority.
Kim Jones: So that's one. What are the other two?
Ed Adams: The other two is that we as cybersecurity professionals, whether it's intentional or unintentional, many of us lack the ability to effectively communicate to the very much larger IT and development teams that are in our organizations about what they could be doing to uplevel their cybersecurity acumen, and as a result, the overall cybersecurity hygiene of the organization.
Thus lifting all the boats by raising the tide, as opposed to trying to go out and hire 40 new cybersecurity folks, which is gonna be tough to find and very expensive. We in cybersecurity understand red teaming and blue teaming very well.
Red attacks, blue defends. It comes from the military. You and I spend a lot of time doing that ourselves. Combine the two, you get purple teaming. Yay. Everyone's happy about purple teaming. My focus historically has been on the other half of that cybersecurity color wheel, focusing on the yellow teams.
IT teams, the development teams, the engineering teams that usually outnumber the cybersecurity teams by a factor of five, 50, or a hundred to one.
Ed Adams: Absolutely. Absolutely.
Ed Adams: So just like in cybersecurity, if you combine red teaming offense with blue teaming defense, you get purple teaming, which is essentially war gaming. The same thing happens on the second half of that color wheel. If you focus on the yellow teams, which are basically the builders, they're not the breakers or the defenders, they're the builders.
You teach that yellow team a little bit of red teaming, you turn them orange. You teach them a little bit of defensive tactics, like secure coding, you turn them green. All of a sudden they're not just a yellow team building stuff. You turn them into a bit of a yellow jacket. You give them a little bit of a stinger, you give them a little bit of spice.
And that spice is cybersecurity, but the spice is really security as an aspect of the product quality of what they're building.
Kim Jones: I've taken to using the term OSG, old security guys and gals like myself, so I'll put it up there. Why do we continue to suck at this? I mean, seriously, you know, I'm a West Point grad. I've got 10 years in the military. I believe in force multiplication.
Okay. It seems to me that if we were to do this effort, it's going to raise all boats and make my job easier.
Ed Adams: One, because we generally don't understand the process of building IT products as cybersecurity professionals. We just don't get it. We don't understand, and I can't tell you how many cybersecurity professionals, even CISOs, have come to me to say, Ed, I need to train my developers on security, and I'll stop them right there.
And I'll say, excuse me, Ms. CISO, Mr. CISO, can you please explain to me what you mean when you say developers? That usually opens up a wonderfully productive conversation. And just to use an analogy of, you know, building a house, just like you're building any kind of IT system, you have to define what you want.
You have to design it, you have to build it, you have to test it. You have to make sure that it's functional. Then once you produce it, you have to maintain it and update it. It doesn't matter if it's a house and your sink breaks and you have to fix some plumbing or it's an IT system, a cloud native application.
You still have to follow all these processes. And guess what? Each one of those phases generally has different types of job titles, and job titles that do different kinds of things. Now we're talking about tasks and skills and abilities. Well, if you can't understand the fact that in a development team you have architects and product managers and database administrators, and cloud engineers, and automation engineers and test engineers, you've...
Kim Jones: And each of them has a priority one, which is not your priority one. And each of our priority ones is equally important, not only to the success of the enterprise, but the success of the organization overall.
Ed Adams: You are right. So that misunderstanding of what the jobs are of our yellow teams and the fact that there are multiple job functions in there, and this is where NICE falls down. But then the second part, Kim, is that we as cybersecurity professionals cave too easily when we get pushback.
So very often we'll get pushback. We'll hear from, you know, Ms. CTO to say, what are you talking about? You want to train my developers? Forget it. You're not turning my developers into hackers. I need them to be developers. And all too eagerly we'll walk away, we'll back away, because the CTO, they're building the stuff that's making our money.
I don't have as much leverage as she does. How can I push back so heavily? And this is where we cave too easily, because it's our fault, Kim. We are not doing our job to understand what her primary motivations are. What does that CTO want to do? She wants to build damn good quality products in a really fast period of time, right?
Of course, every CTO wants to do that. And what's the bane of good quality products on time? Bugs.
Ed Adams: And until we achieve that symbiosis, cybersecurity will be viewed as an outsider to those yellow teams. And we're not. We're on the same side. We're on the same team.
Kim Jones: Let me drill that a little bit more because one of the things I've found, and I've been preaching lately, and I'm curious as to your thought process on this, Ed. Have we built within cyber and within this ecosystem a culture that relishes the fact that we're that outsider? Because I find myself knocking down folks to say, it's not we, they. Your paycheck is signed by the same person.
If they fail, congratulations, so do you. Is that just me or am I missing something?
Ed Adams: No, you're not at all. And, you know, a lot of it comes out of the bravado hacker culture that, personally, I'm trying to help change in the cybersecurity industry, but it's very, very difficult, if possible at all. And it all stems from the, hey, if I can hack you, I'm better than you. If I can find a problem with your stuff, I'm better than you.
So we almost set ourselves up to be outsiders right from the start.
Kim Jones: So, getting back, from a talent standpoint, you've talked a little bit about those relations, creating the ability to raise talent within the existing corporate ecosystem, if you will, by, you know, creating the yellow team, the orange team, and the green team, and arming them from an intake standpoint.
You talked earlier regarding, we've been complaining regarding there are challenges with intake. We've been complaining regarding there are challenges with the ways we're intaking. I'm going to shift a little bit in terms of those different mechanisms of intake, and I agree with you a thousand percent that not figuring out what the requirements are for specific jobs and that disconnect is causing chaos.
Regarding our intake mechanisms, we've created different entry-level intake mechanisms. I still see us running into, and in fact, I think that's one of our upcoming episodes as well, you ask 50 different CISOs what they're looking for from an intake perspective, and you get 417 different answers and none of them are great. So you have been around this more closely than I have. Me as an operator, you as a person who has been trying to fix this problem, looking at the different mechanisms we've created for intake between the certifications, between the college, you know, the two-year colleges. There are now these things called cyber degrees out there, and yet we still seem to be challenged with, what are we looking for? Are you seeing that this plethora of intake mechanisms is making things better or worse? Or can it not make things as better as they could be? Because there are different methods of intake that are trying to solve a problem that we haven't defined, since we haven't defined what the hell we're looking for.
So what do you think?
Ed Adams: Like you said, if you ask 50 CISOs the same question, you'll get 400 and something answers. Well, I did ask 50 CISOs, including you, the exact same question as far as what are you looking for in someone, an entry-level...
Kim Jones: Yeah, but I gave you an answer 'cause I mapped my stuff to NICE.
Ed Adams: Yes, you did. You did. And I took those 50 answers and I wrote about them in the book. What I was able to determine is that there is a distinct pattern, which I found fascinating.
Ed Adams: I'll give you one simple highlight. The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification, or any experience.
Ed Adams: The ability to be taught.
Kim Jones: I love it.
Ed Adams: That's it. Like, that was it. And however, when I still read cybersecurity job descriptions, whether they're entry-level or not, I do not see those words showing up. I see things like degrees and certifications and technical skills, which didn't come outta the mouths of people I interviewed, but they're on the pieces of paper that show up as job requirements.
Kim Jones: So I'm going to ask you one more question as we begin to bring this to a head. Maybe two, because maybe something will come up about this. What is the one thing we haven't discussed yet that you believe is essential to solving, you know, the talent ecosystem problem, and/or what is the one thing we haven't talked about that you would like to make sure gets mentioned?
Ed Adams: You don't need to have a technical background to have a successful career in cybersecurity. Full stop. I think that's a very understated but incredibly important comment. Almost as important as the five words that I've heard come out of your mouth on many occasions, which is entry level means no experience.
There are so many talented people that I have personally hired and worked with at other companies that don't have technical backgrounds that are fantastic in cybersecurity, and so many different jobs that are critically important to cybersecurity. Zero. Zero technical background. And one of my personal favorite CISOs, a lady named Sharon Burgess from BCD Travel,
Kim Jones: I know her well.
Ed Adams: and she's an absolute talisman of success no matter how you measure it, personally, professionally, and as a female CISO of color, there's not a lot of those around. She rose to that level with a degree in, wait for it, Spanish,
Kim Jones: Yep.
Ed Adams: and she's a remarkable CISO.
Kim Jones: I am gonna actually throw one more at you because I'm beginning to see a lot of change in the wind right now, and I would love to get your perspective on this. You know, I'm seeing a handful of things in the past year-ish or so. One, the OSGs of the world are retiring. I'm quote unquote semi-retired.
Right now I'm working my butt off.
Kim Jones: I consider myself semi-retired right now, and, you know, I'm loving what I'm doing within that environment. But several of the OSGs, the old security guys and gals with upper thirties to early forties of years of experience, have stepped away from operational roles. We've also seen a group of individuals who have come up during the timeframe where we were advertising, all you need to do is hack in order to get into cyber, who are now coming of age in the role and beginning to struggle with those business-focus and showing-value and communication pieces that we're dealing with. All along the timeframe where we're beginning to see people finally understand that liability is the third leg of responsibility and accountability, you do need more than just to be able to hack to do this. So there's a lot of movement going on right now simultaneously, and at the same time, as I was about to say, regarding the profession. I'm curious as to what you see as potentially the outcome of that in our talent ecosystem. Talk to me.
Ed Adams: There has been an absolute explosion of virtual CISO companies or virtual CISO offerings that have emerged, and a lot of those OSGs are appearing as virtual CISOs, and there's reason for it. One, they don't have the liability that you talked about, and that's a big one. We as an industry are chasing talented people away from the C-level cybersecurity roles because of that liability, which is...
Kim Jones: What we're also seeing with that is we're seeing young folk who come from consulting, have two years of experience and a PMP, say, I'm a virtual CISO. No, you're a security consultant. No, I'm a virtual CISO, and stand on that. So we're also seeing a lot of folks, not just the OSGs, but a lot of folks abuse that title, in my opinion. So yeah, I'm seeing that trend as well. Go on.
Ed Adams: Completely, completely. And you actually finished my point for me, which is some of these CISO services are completely legit and very valuable 'cause you can get super talented folks for a fraction of the time and fraction of the price. But there's a lot out there that are overselling, shall I say. So you've gotta do a little bit of due diligence to find, you know, the needles in the haystack in that particular analogy. And the other trend that I'm seeing is the cybersecurity professionals that have come out of the technical ranks that are getting into leadership positions, as you mentioned, they're struggling on the business side.
Kim Jones: And I would add to that, agreeing with what you're saying, there has been no need for them to have that exposure to be successful up until this point. And because of that, with the security-versus-the-rest-of-the-business thing that we talked about earlier, there has also, in many cases, been a lack of a desire.
Ed Adams: Yes.
Kim Jones: And those two things combined make the transition harder.
Ed Adams: In their minds, and I'm oversimplifying this, when they walk into a boardroom and say things like, but dude, we've got five priority one bugs and three zero-days. Like, of course we've gotta fix these. And they get blank stares, they get frustrated and they walk away. And that's a shame, because that's a great opportunity for them to develop as a person and as a professional and as a cybersecurity contributor to the board that they're working for.
Kim Jones: Yep. And one of the things, one of the presentations I have been giving to groups of CISOs, you know, what I usually do is I start the presentation with, you know, show of hands, how long have you been in cyber? And at 38 years, yes, I'm usually at best one of two who's been in over 35. Usually I'm the old guy, and the first question I ask is, how have I failed you? And it's that.
Ed Adams: did that.
Ed Adams: Yes. We are part of the problem, but we also need to encourage folks that want to get into the profession and think that they can't, for whatever reason, they're not worthy. They don't have the technical chops, they don't have, you know, whatever it is. And in fact, the first three words that I wrote in my book, which is called See Yourself in Cyber, but the subtitle is Security Careers
Kim Jones: Beyond hacking. Yeah.
Ed Adams: Yes. But the first three words I wrote in that book is, I'm an Imposter. And the reason I wrote I'm an Imposter is because I don't have a single cybersecurity certification. I don't have a cybersecurity degree. I haven't even sat through one of your SANS courses and gotten a certification from that, Kim.
Kim Jones: Why are we talking to this guy again? Nevermind.
Ed Adams: And yet I was able to forge a successful career in cybersecurity. My background, just like Sharon, who has a degree in Spanish, I have a degree in English literature. What good is that when trying to, you know, sort out zero-days, sir? Well, it's great, because I learned how to communicate and articulate and summarize and empathize, for a whole bunch of different reasons. Very, very useful to me. But a lot of folks would look at me as an imposter. In short, look at me as an imposter. I don't have all those credentials that you might think about today as a successful cybersecurity thought leader, quote unquote. Fine. But I am, and a lot of people out there can be cybersecurity professionals too, and they belong just like I belong.
Kim Jones: And I think we will leave it at that. Ed, I greatly appreciate you making the time for this. Thank you for being willing to be my first guest in the new season and on this new venture for me.
Kim Jones: And that's a wrap for this, the very first episode of CSO Perspectives for this season. I hope today's conversation gave you new insights and practical takeaways to navigate the ever-evolving world of cybersecurity. Leadership, strategy and shared knowledge are key to staying ahead, and we're glad to have you with us on this journey. We'd love to know what you think. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cyber. Visit thecyberwire.com for exclusive resources accompanying each episode of CSO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by myON Plow, produced by Liz Stokes and executive produced by Jennifer Ivan. Mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones, and thanks so much for listening.