
How do you gain “experience” in cyber without a job in cyber?
Welcome to CSO Perspectives. My name is Kim Jones and I am thrilled to be your host for the season's journey. Here we provide in-depth conversations and analysis of the complex issues and challenges, technological and otherwise, that the average CISO faces. We're bringing the deep conversations out of the conference, or more realistically the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc.
For our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. We've been complaining about talent issues for the better part of a decade, but our piecemeal solutions don't seem to be solving the problem. Today we explore the question: how do you gain experience in cyber without a job in cyber?
As a reminder, this is the last episode of the season we're making available to everyone. Future CSO Perspectives episodes will be available only to CyberWire Pro subscribers. We're sharing insights, conversations, and additional resources for every question we're exploring this season with our subscribers.
If you haven't done so already, please head on over to thecyberwire.com/pro if you want to keep diving deep with us. And now, onto the show.
As a child, I remember watching an Armed Forces recruiting ad. A young man walked out of an office building after being rejected for a position at some company. When asked why he was turned down, he said, "I didn't have any experience." His friend responded with the obvious question: how are you supposed to get experience when no one will give you a job?
Over half a century later, it's ironic that my profession is struggling with the same problem, so stop me if you've heard this before. Many professionals acknowledge that there are shortages within the talent ecosystem. Some of the ways we address these shortages are to create multiple pathways for entry, such as boot camps, entry-level certifications, training programs, associate and bachelor's degree programs, et cetera.
Candidates who graduate from these programs apply for entry-level positions within cybersecurity only to be rejected because they don't meet the "experience" requirements. I've spoken with dozens of hiring managers about this issue, and the answers I've received are truly disheartening. It seems that hiring managers are more concerned about what you can do versus what you know, and in their minds the best way to prove the former is to have already done it.
The concept of a zero-experience entry-level role is an oxymoron. Adding insult to injury, there is no agreement on what type of experience and what duration is sufficient to make employers comfortable with new workers.
All of this leaves new candidates struggling to determine what is relevant or meaningful to employers. If they're lucky, they'll guess right and have an opportunity. If not, then they join the growing legions of folks who are disillusioned with the cyber profession. They believe us to be unfocused at best about what we are looking for, or disingenuous at worst.
While I am a strong advocate for zero-experience entry-level positions, I also advocate embracing market realities, and the market is deciding based upon experience. Fair enough. Therefore, the professionals who have defined this market need to add clarity around, A, what types and quantity of experience are required, and, B, what roles should be considered entry level.
One approach would be to acknowledge that any entry-level cyber professional, regardless of role, must be extremely well-versed in the technology stack. Even a governance and risk professional must understand this context to be effective in their role. One way to support this approach would be to require two to three years of demonstrated IT experience before moving into an entry-level security position.
This would mean adjusting the hiring requirements and the associated pay scales. It would also situate cybersecurity to be placed back under the CIO, which might bring its own challenges and concerns. A second approach would involve eliminating the egoism about real-world experience. One example centers around collegiate experiences.
There is so much rhetoric and debate around the role of academia that we've ignored how many institutions have implemented notable instances of realism into their curricula. Some examples: there are degree programs that offer courses on security operations where students use real-world open source tools to identify, respond to, and manage incidents for local municipalities.
I teach governance, risk and compliance in another degree program. The students' final project is to analyze a past breach using the NIST Cybersecurity Framework. Students must identify the control failures, map the control failings to the framework, recommend solutions, and, here's the fun part, brief their findings to a board of directors consisting of current and former CISOs.
Lastly, many degree programs require at least one semester of real-world cybersecurity work, such as through an internship, to meet graduation requirements. How are these use cases less real than independently hacking who knows what? In addition to those examples I mentioned, I remind folks that there are opportunities for volunteerism that can become additional experiences. Church groups, social clubs, volunteer organizations, and many small businesses would welcome someone who would be willing to do things like check on and update the antivirus software on their machines, update and review firewall settings, or ensure their network routers are configured to be secure.
These experiences add up. Even better, they help raise all boats by making some of the most vulnerable targets just slightly harder. Finally, we need to be realistic in our expectations around the amount of entry-level experience we should expect someone to have.
If the probability of getting hired without experience is zero, then the experience obtained will be in somebody's free time as they are engaged in other activities. If in college, this may mean internships, but what about students working to put themselves through college? I once asked a hiring manager how they expected a 30-year-old career-transitioning woman with two kids to take eight weeks off for a non-paying internship.
Needless to say, I didn't get an answer. I would suggest that having one or more years of experience is equally unreasonable for a first gig. Amassing a total of, say, three to six months of combined real-world experience seems like a fair approach. We can no longer afford our jury-rigged approach to hiring.
We're losing qualified, valuable candidates who have become disenchanted with the cyber profession and are making their displeasure known with disparate hiring requirements and unreasonable demands for experience for entry-level positions. We're facing a potential shortfall within the next generation of cyber professionals at a time when security has never been more critical.
We need to come together as a profession to standardize hiring requirements, and the sooner we do it, the better off we'll be. My two cents.
On today's episode, I'm joined by Kathleen Smith, Chief Outreach Officer at ClearedJobs.net and co-host of the podcast Security Cleared Jobs: Who's Hiring and How. Kathleen's all about helping job seekers connect with opportunities.
And today we're tackling a big question: how do you gain experience in cyber without a job in cyber? Let's get into it.
Kim: I'd just like you to tell my audience a bit about yourself, in terms of what you do, et cetera. I would love to hear it.
Kathleen: Well, you know, it depends on which one of my backgrounds you wanna hear about. So,
Kim: give 'em all to me.
Kathleen: So, very excited to be invited to your table here to have a little discussion about one of my favorite topics. So for the last, I'd say, 22 years, I have worked for a company called ClearedJobs.net.
We are a job board and job fair company in the security-cleared community. We are also veteran-owned. Most of our staff are either veterans or military spouses, and we are very fortunate to have several who are both military spouses and veterans.
Kim: As a West Point grad who spent over 10 years in, married to Yvette himself, I thank you and all of yours for all that you do.
Kathleen: Well, thank you. I'm very honored to work among my colleagues. In addition to running the events, the marketing, the content creation, the candidate engagement, the employer and customer engagement, I always believe in giving back to the community. So I've done a variety of things in the community. One was, I am one of the co-founders of an organization called RecruitDC. I then went on to help the DEF CON Career Village do something very similar.
I spent about five years supporting 10 different BSides across the country doing their career tracks and career villages. I've been part of ISC2 running their career track for three years, so, excuse me, two years. So I might know a little bit about this topic, but as I said, I like
Kim: Been around for about two days. I get it.
Kathleen: Just a tad. Just a tad. So I really love that we, I believe we have a workforce challenge, and I really wanna sort of push back on your white paper by doing a little bit of background. So, you know, we talk about this being a really big gap, and when you look at all the numbers, and I just looked at CyberSeek about two minutes before we got on here, in the US we supposedly have 450,000 open jobs in cybersecurity.
How many jobs do you think we have open in healthcare? In the US we have 2.1 million jobs open in healthcare. So I wanna put that into perspective, because all we see in the media is all about this cybersecurity workforce challenge in security, which is very important. But there are the same challenges in any other industry: manufacturing.
Kim: I would push back on that a little bit. My cautionary tale, though I agree partially with what you're saying, is, you know, I get back to what Mark Twain says: three types of lies, lies, damn lies and statistics.
So in terms of raw numbers, I'm curious as to what percentage that is of all of the healthcare positions that are available, as compared to what the percentages are. Because at the end of the day, I don't know which is higher or lower. You're right, the raw numbers aren't as big. And then there's also the question as to whether those jobs are being repeated through CyberSeek because of how they pull the data.
I am prepared to agree that the talk track and the advertising track around the depth or breadth of the challenge within the talent ecosystem may be overblown.
I would even go so far as to say it is probably overblown. My counterpoint tends to be, if it's 700,000 jobs or 70,000 jobs, the fact remains that we're not being consistent regarding what our requirements are, what we want for those jobs. So my challenge is less how do I fill these numbers, but how do we create a level of consistency in terms of what we're communicating to people who want to get here, in terms of what we want and what we will accept in terms of getting it.
Kathleen: So I'm gonna take your same foundation there and push back on you, in the sense that when we look at the Department of Labor statistics, there is no category for cybersecurity in the Department of Labor statistics. It includes pen testers, information system security managers, security architects, security analysts.
So when you're asking me about what we have as far as, you know, ground level, what is the experience? We don't even know which categories you're talking about. So that is what I'm just sort of saying, that we can't have a, you know, we have CyberSeek, we have the NICE framework, we have
all of these frameworks, and they've been around for almost eight, nine years, and no one's using them, by the way. So, you know, we know that there are experiences needed. To use the healthcare example again, we require people to have residencies, we have them be interns. We do a lot to make sure that someone who's gonna operate on a body has experience.
Why are we not having that same thinking when we have people going in and looking at holistic security systems for our hospitals, for our government agencies, forever? I totally get that people wanna have entry-level positions. But this beating of the drum that we need to have them, and why hiring managers or program managers or companies are awful because they don't have entry-level positions.
We have to remember program managers and hiring managers are responsible to their customers, their shareholders, their legal teams; they're responsible to all of that. If you can give them sort of a pass, like, hey, you can hire some entry-level people if you'll give us a pass on being able to maybe mess up every now and then.
Kim: I'm gonna paraphrase you with this beating of the drum regarding entry-level positions. My point is this.
If we don't believe that entry-level positions are a thing, I can be absolutely okay with that. But we haven't said that collectively as a profession.
In point of fact, we as a profession are the ones who a decade ago were kicking and screaming and railing that, looking at the projections, we don't have a path in, that we need to do this.
If we've recognized that that is not the case, that's fine. Then, one, let's say so, and let's say so clearly. Let these other pathways that we helped create die on the vine. And then, two, say, okay, if we believe that, what is the pathway for someone interested in cyber to enter cyber? And if that pathway is "go back under IT," fine.
If that pathway is like many of the cleared positions that I assume that you're looking for, that's fine. But our say-do, as we used to say in one of the companies I worked with, is disconnected.
So if I'm unpacking your statement correctly, if your statement is that there shouldn't be entry-level positions, or that there is no place for entry-level positions, I'm okay with that, but then we have to answer the other questions. So I guess my first question is, is that what you are saying?
And if that is what you were saying, what are the pathways in?
Kathleen: The say-do quotient is very low, as you said, and I really
Kim: And you're being generous.
Kathleen: It's very low. It's very low, and I think that we came up with entry-level positions as a band-aid, and everyone sort of built their ship on that band-aid. And not only did organizations who created frameworks build their ship on that band-aid, many certifying organizations have built their ship on that band-aid.
I believe we need to have a certain percentage be entry level. I think that that is a great place, but I don't think that we need to have this be the entire solution.
Kim: Absolutely.
What percentage, what positions, what industries?
Kathleen: I think we have about 10 to 15% entry level, just like we do for many other industries. I think internships are great. I think that people going in and working at the military reserves is absolutely one of the best ways to go through. I think that there are a few solutions out there that are finally coming to the forefront, but I'm gonna leave that for dessert rather than now.
And I think that, as far as entry-level positions are concerned, we don't have the right training within many companies on how to evaluate people's ability to fulfill those entry-level positions. 'Cause when I flip this over to those candidates that I talk to, going into those positions, they've been sold a bill of goods that they can make a six-figure salary if they got a cybersecurity job.
And there are so many training programs and workshops out there that say, if you do my program, you'll be able to make six figures. I've gone to several collegiate programs asking people, so what do you want for your career? I wanna go into cybersecurity. Okay. What part of cybersecurity are you passionate about?
Cybersecurity.
Kim: First, I absolutely, positively, categorically agree, but I'm still going to press. You've restated the problem with the level of generica that we continue to do within cyber. As someone with your experience and knowledge base, I want your opinion: so what types of gigs for someone entering cyber should we be looking at as potential entry-level gigs?
And then, understanding the nature of where we are right now, how would you solve it if you were king for a day? What things would we drop? What things would we do as sitting CISOs within the environment? Because again, one of the things I'm trying to bring to the forefront with this season is everything, Kathleen, everything you've said is absolutely correct, but I want to try and peel back on pieces of these to say, okay, let's frame solutions. So part of what you framed is: one, we are still talking to students and the public about cybersecurity as this monolithic thing.
I agree with you. It's not. Two, we're talking to people that just want to get into cyber who don't understand what cyber is, and, having broken it down to those pieces, I have four of those conversations every single week with people coming in within the environment. Absolutely agree with it. So what I'm trying to get to is to say, okay, if you truly wanna be entry level, what type of gigs are you looking at?
Where should those 10% to 15% sit? Is there truly a path for career transition within the environment, you know, excluding the military path that's in the environment? And what should we be doing, my fellow CISOs in the environment, in terms of figuring out, okay, what are we doing to exacerbate this problem?
And what types of training, education, experience, other than sticking up your hand for Uncle Sam, should we be pointing them to?
Kathleen: So I'm again going to reframe the question in a different way, because I saw some wonderful examples of what people were doing, and I think that they should be replicated, which is: I was presenting on entry-level jobs for cybersecurity, and someone in the back of the room said, I've been in the finance industry for 27 years, and I said, wonderful.
I've reached the end of my career. My management came to me and asked me if I wanted to get involved in cybersecurity, and I wanted to get down and kiss his feet because he knew finance, he knew the business, he knew the regulations, and they said, we will pay for your entire certification. So I'm not trying to say I don't wanna talk about entry level.
We can do it. Why are we not asking people who really love healthcare, who really love nuclear energy, who really love physical energy, who love any of these? And then asking them, do they wanna move into the tech world? Do they wanna take that knowledge, that passion
of supporting these various different industries, and then learn about the technology, the tech stack for that?
Kim: So, unpacking that and reflecting that back.
One of the solutions we should be looking for, for creating cyber professionals, if we're talking about transition, is transitioning people who already understand the business or the profession that they are already in, and taking those resources and reframing them. Am I reading that correctly?
Kathleen: The one thing, just to put the cherry on top on that one: if you're going to take a look at career development within the United States, within our industries, we have no definitive way of making someone move from one aspect of their career to the next, unless they move to another company, unless they move to another title, another salary.
Why are we not saying, let's keep our employees who love working for us right now and give them career opportunities in tech and cybersecurity right now and provide the training for them? It's a much lower cost ratio than trying to find new people.
Kim: So we started with pen testing as one potential entry-level pathway, and what we should be telling people to do, if your son, daughter, someone came up and said, I want to enter cyber at entry level, is to suggest pen testing.
And we suggest to them attendance at some of the active events out there, the CTFs, the SANS training, et cetera, within the environment.
Kathleen: Correct.
Kim: Okay, fantastic. Many of those have a high cost to them, and a time commitment.
Kathleen: I was about ready to say that. There are also several of them that are online. There are several of them that are virtual. There are over 1100 BSides worldwide, and they always have at least one kind of CTF or another. So those are things you can look at. And I just wanna put a finer point on it.
You know, we don't write that summer vacation report or that book report when we come back from a conference. I used to always do this whenever I would go to any strategic marketing conference before I got on the plane, when I was sitting in the airport lobby. I got my notebook out and I wrote down what I learned, what changed my mind, what really challenged my thought, who did I meet?
How am I gonna follow up with them? And I really think that doing that, as a job seeker, as a professional, is a really strong way to showcase to any future employer that you're really part of that experience, that you didn't just go there to go to the parties, that you went there to learn cutting-edge technology, and that you went there to gain experience.
And I would recommend that to any worker right now: if your employer is sending you to DEF CON, or is sending you to RSA or one of the conferences, they're not gonna ask for a report, but the next time that the budget comes through, they're gonna look to cut that. So I would tell you to get that report out, walk in, say, you know what?
I know you may not have time, but these are the five key things that I learned at this conference. And then you keep a copy of that for the next time you're up for your employee review, because you say, I went to these six conferences, these are the things that I learned, and oh, by the way, I had four employee referrals from that.
Kim: Yeah, I refer to what you're talking about, Kathleen, as portfolio management. We're saying the same thing. I tell people who are in the profession, as well as people coming into the profession, that report becomes part of your portfolio, in addition to just what you put on the resume.
I hate to use the terminology, but my wife is an artist and a writer, so she's familiar with it: it's the equivalent of that artist's or writer's portfolio, to say, this is the type of stuff that I have done, which is great. So again, how do we educate my peers to understand that?
How do we fix that? And if that strays into companies needing to train again, let's just start in general from: okay, I've got this kid who can't afford to go to a four-year college, yet is self-teaching, going to the CTFs, doing the volunteer work, building the portfolio, and comes in and says, I got all this stuff.
I'm serious, and I can't get an interview. How do we fix that?
Kathleen: Well, you and I both know that you can tell a hundred people the silver bullet, and 99 of them will not take it. So I think we need to understand that, you know, I've been giving advice to employers and candidates for over 20 years. I can probably count on a few hands how many have really followed that.
So I think we have to be really comfortable with the fact that not everyone's gonna listen, and they're probably gonna go hire a consultant or, heaven forbid, hire one of those staffing firms that loves to beat up on recruiters, program managers and talent acquisition professionals. That's their business model. That's what they sell. They sell fear, they sell anger, they sell revenge.
So what do we do? I think that we find two or three people who are willing to do this hard work and change the thinking methodology. I think it's gonna be by example. It really is. And it's finding two or three people who are gonna do it. I mean, we can go on the conference circuit and tell everyone how to do this, and they're not gonna follow us.
Kim: So, I am going to ask for as close to a yes or no as you're comfortable giving. Given the scenario that you've set, and given the things you've talked about, it almost sounds like what we're saying is, other than within a particular company, the ability for a mid-career transition for someone coming from X into cyber should be considered, at best, an anomaly; at worst, a myth.
Kathleen: I think it's a rarity, and I think once it becomes more acceptable by CISOs and by the C-suites that they can retrain their own professionals to be their cybersecurity workforce, that will grow exponentially. And as I said, I saw this one company do it six months ago within the cleared community, and now I know of at least three or four others.
We have to realize that we're already doing this. I mean, you already know professionals who started as pen testers and then went on to other aspects of their career. And I go back to, what is your passion? I mean, one thing that I love about cybersecurity is it's a passionate industry. It is not boring. But, you know, everyone has a different passion.
But if you have a passion for something and then you wanna put another layer on it with cybersecurity, well, we are gonna have one fulfilled, one happy workforce. But we need to facilitate that, and to facilitate that, it is a retraining not only on the professional side, but also on the management side. And we do realize, you and I have many friends within the industry who have absolutely no problem hiring people. We know tons of them.
And so we need to look at that example. They've got charismatic teams. They've got teams that are out in the community. They're doing cool stuff. They're giving back by doing reports.
Kim: The question that I would ask is, the companies that are not having a problem recruiting, are they growing or are they stealing? Because part of the
Kathleen: They're growing. They're
Kim: So they're growing their own cyber professionals internally. They're bringing in people who do not have past experience within the area and growing them accordingly. They're creating pipelines of talent that people can continue to grow and stay within the community, and they're below the size of Global 1000 or defense, which, by the way, statistically most companies are.
Kathleen: Right. Yeah. You and I both tripped over "growing." You were using growing as the solution that I had stated for the cybersecurity workforce, and I was using growing as in, these are growing companies
Kim: Oh, okay. Yeah.
Kathleen: versus were they stealing from other companies. And what I'm trying to clarify is that these are growing companies.
They're not actively recruiting and stealing people from other companies. People are walking to them and saying, we'd much rather work for you than work for our own company. As far as growing internally, yeah, it's just something that I've heard, and I know it's gonna take off.
Kim: What is the one thing that we haven't talked about that you would like to talk about relating to this topic?
Kathleen: I think that the one thing that we touched on, but I would like to just reiterate
Kim: Please.
Kathleen: is career development. I think that, as I said, we've seen it across industries, you know, in the United States, 'cause I know in Europe they're very different as far as their career development strategies. From the CSO suite, if you're looking to build your workforce, really sit down and try to think within your own company what would be the development, what would be the career track from your entry-level person to your seat, or to a seat
that sits next to you at the executive table, and how can you craft that within your organization, because that is the way you can solve the problem. Put in your own knowledge, your own experience, your own education, and then walk the floor. I bet you'll find at least two or three people who would be really interested in having a cup of coffee with you to say, hey, if you wanted to stay at this company for the next five to eight years, which is forever in, you know, American terminology as far as careers. Ask them what they wanna do next. Help them to map it through, and then talk to their manager and talk to your recruiting team to make sure that those steps are put in place. And I'll bet you, by the end of the year, you will have 10 new people in your cybersecurity team.
Kim: Been there. Done that. Believe in it wholeheartedly. Kathleen, it has been a joy to get to know you. It has been a joy to have you here. Thank you for sharing your insights. I really appreciate it. Thank you so much.
And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic.
There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. Thanks for listening.
Kim Jones: This episode was edited by Ethan Cook, with content strategy provided by Mayan Lau, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones, and thank you for listening.