
What’s the “correct” path for entering cyber?
Kim Jones: Welcome to CSO Perspectives. I'm Kim Jones and I'm thrilled that you're here for the season's journey. We're bringing the deep conversations out of the conference, or more realistically, the conference bar and tackling a single complex issue from every conceivable angle across a multi-episode arc.
As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. Today we explore the question, what's the correct path for entering cyber? Let's get into it.
Kim Jones: In previous episodes, I've mentioned how the cyber community has created multiple pathways to enter the field. In this episode, I'm going to explore the feasibility of taking a non-traditional path into cybersecurity. And to start that discussion, I'm gonna tell you a story. CC is a colleague who worked for the same company in a non-technology role for more than 25 years.
While she was [00:01:00] successful in her chosen profession, she became intrigued by and enamored with cybersecurity. And after careful research decided to make the change. For three years, she joined professional security organizations, interviewed security professionals about career pathing, had her resume redone, and looked for opportunities to learn. CC applied for and won a scholarship to take two entry-level certifications, both of which she passed with flying colors. She also took on an unpaid internship in her not so copious free time to get some experience under her belt.
Despite this Herculean effort, no company, including her own company of 25 plus years, would bother to return her calls or even to send a standardized rejection letter. The silence was deafening. I met CC for the first time at a conference focused on hiring people who were taking [00:02:00] non-traditional pathways into cybersecurity.
After hearing her story, I went into the hiring hall where various companies were advertising for talent. Imagine my surprise when I saw CC's own company there, actively recruiting for new hires. I wandered over and eavesdropped on an exchange between a cyber director in the company and a hopeful candidate. As the director was extolling the virtues of her company, I found myself unable to stay silent.
So out of curiosity, how many people have you hired from non-traditional pathways before? We hire out of the military regularly, was her quick reply. So you hire folks who have already been trained and have two to four years experience. Great. But what about the pure play non-traditional folks who don't have the benefit of Uncle Sam's training?
We're open to that. Absolutely. It's why we're here. I raised a skeptical eyebrow. [00:03:00] Seriously, or of course, does that include members of your own company who express a desire to join your team? Absolutely. Great. Wait right there. I then found CC and introduced her to the director. CC's 14 queries to your team this year have somehow gone unanswered, I said. This is a perfect opportunity to rectify what I'm certain was an innocent clerical error. I walked away certain I had helped a talented, eager hopeful who was exactly the type of person these companies claimed they were looking for. The good news is that the, call it public shaming if you must, did result in CC's resume being reviewed by the security team.
She was eventually passed on to another security director on the operation side of the house who regularly hired entry-level employees. [00:04:00] This director coached CC on areas that he felt would make her more hireable. After six months, he extended an offer to CC for their lowest level entry position on the team.
CC has always been a hard worker, so she dug into her new role and responsibilities with zeal. She devoured the process manuals, took every available training, learned the technologies, and responded to queries at any hour of the day. Her job was measured among other things by ticket closures, so CC regularly made sure she led the pack in closure volume for folks at her level and at the level above her.
Given this, CC was surprised to hear that her performance was considered merely average for her level. When she asked for specifics and what she could do to improve, the response from her supervisor stunned her. The truth is, he said, you're just not qualified for this role. [00:05:00] After all her diligent effort and hard work, CC was understandably disappointed.
When she pressed to find out why he felt this way and what she could do to improve, to become qualified in her supervisor's eyes, the man responded: nothing. You just didn't come up the right way to be in cyber. Undaunted, CC doubled down. She took every training course offered by the company, enrolled in college classes, sought out advanced training from organizations like SANS, all of which she passed with flying colors, all the while maintaining her day job and outpacing her peers in productivity.
A year later, CC found herself in the same position. She was still considered average for her level and was again told that she was unqualified for the role without being given a why. In the end, while she is still sticking with the job, CC has been left with a foul taste in her [00:06:00] mouth. The cyber profession lies, she has said to me on several occasions. They tell us they want and need non-traditional thinkers, yet they treat us like dirt because we didn't come up the same way they did, and they consider it a waste of their time to tell us what we need to succeed.
This situation would bother me on the best of days. In the past two years, I've heard variations of the same story over and over again. I've heard over a dozen tales like CC's from folks of every race and in every single age bracket. The only commonality seems to be that these folks all attempted to enter cybersecurity via a non-university path, excluding prior military individuals.
It remains exceedingly difficult to find people who have been successful in taking a non-traditional path into cyber. Our collective bias against non-traditional entrants remains strong and [00:07:00] seems to be unyielding. Worse, it seems to have little or no basis in fact. I've met more than my share of non-university-educated folks who know the technology intimately.
I've reviewed six-month cyber bootcamp courses that other technologists have referred to as just ATMs for private companies and have found the curricula to be robust and challenging. And still we give lip service to hiring non-traditionally. Folks, it's time for us to own our decisions. If we don't believe that non-traditional paths provide value, then let's stop being disingenuous to prospective hires and own the results of that decision.
Those results are: one, an increase in cost points for cyber talent, as entry-level professionals will all require either a college degree or three to four years of IT experience; and two, a further loss of diversity within the [00:08:00] ranks leading to a loss of innovative solutions due to groupthink. Now, I'm not advocating one position or another.
Yet, what I am stressing is that the cyber community needs to stop waffling about this issue and then complaining about the results. If companies do not want to consider non-traditional pathways into cybersecurity, stop lying to folks that they have a shot at being hired. Stop offering supposedly viable paths into entry-level cybersecurity jobs like cyber bootcamps, technology certifications, technical skills gained from non-cyber jobs, online courses, open source projects or internships. Be honest and tell them they need a degree in computer science. Period. And then track and analyze the result in aftermath over the next 15 to 20 years to see whether that yields desirable results or if the cybersecurity profession becomes bogged down in groupthink. [00:09:00] My 2 cents.
Kim Jones: On today's episode, I'm joined by Will Markow, founder and CEO of FourOne Insights and a leading voice on the intersection of cybersecurity and the workforce. Will spends his time digging into the data behind cyber jobs. And today we're asking a question that's on a lot of minds. What's the correct path for entering cyber? So let's get into it.
First off, Kim, thank you so much for having me on.
I, I've been looking forward to this one for a while. I think this conversation will be on a lot of topics that are near and dear to my heart, so really appreciate the invitation, but I have really taken a, what I call a backdoor into the cybersecurity world. My background isn't as a practitioner; you don't want me protecting any digital networks whatsoever, but I've been analyzing the cybersecurity workforce now for over 12 years.
Most of that time was spent with a company called Lightcast. Used to be called Burning Glass. And when I was there, I led our research and [00:10:00] consulting team, and we did a lot of work using non-traditional data sets, trying to look at just what's happening in cybersecurity, right? Because if you take a step back to 10, 15 years ago.
Nobody had any good data on the cybersecurity workforce. Nobody knew what was going on. There was a, my, my viewers have had me do this before, but I'm gonna do it again here. Remember, your tax law trained me how to do this. Really shocking. Shocking. Anyway, please continue. Oh, I know, I know. It's if, if you can't believe that, you know, the government isn't collecting granular data on pen testers, who would've thought, but you know, they, there was just nothing.
And you can't prepare people for jobs you know nothing about. So we looked at that back over 12 years ago and said, well, let, let's see if we can at least get a little more fidelity and better quantify what's actually happening in the cybersecurity workforce and not just track information security analysts like everybody was doing back at the time.
'cause that's all you could get from government data. Mm-hmm. And said, well, what if we actually [00:11:00] looked at where cybersecurity skills were showing up in different corners of the market, regardless of what you called someone, because everybody knows there are network admins out there, or software developers or other IT workers who in many companies, they're also the security person and really that work culminated in a few reports on the cybersecurity workforce that we released over the years.
But I think the, the biggest contribution we made was a tool called CyberSeek.org. Yep. And this was a tool that was funded by federal government. And the idea behind CyberSeek was, let's put all of that data in the hands of everyone across the country who wants to know something about the cybersecurity workforce. I would just say the most rewarding work I've done over the years has been looking at the cybersecurity workforce and just trying to help people better understand what's really happening so we can more effectively get people into better jobs in the field.
I wanna focus a bit on CyberSeek, because CyberSeek has both been hailed and vilified [00:12:00] within the cyber community. As you know, there are indications or not indications, there are accusations that many of the, we're showing this many jobs.
Well, you're collecting jobs from, you know, the same job from 17 different sites, so that's 17 jobs, et cetera. So I would love for you to take this opportunity to talk about what you did, some of which you and I have already talked about in the past, to normalize that data so that the community can, if you believe we can, can have confidence with the data we're looking at in CyberSeek.
Can you talk to me about that a little bit? I, I would love to and I would love to just clear up, I think, a lot of misconceptions on this as well, because that's why I asked the question, brother. I will be, I will be one of the first people to actually vilify how CyberSeek data is used. Okay. Even though I'm the one behind it.
Okay. To me, I'll, I'll tell you why in a second, but to your question, we aren't just going to 17 different sites, finding the same job, posting at the same company, and [00:13:00] counting it 17 different times. We always controlled for that. We always de-duplicated so that if you see that same job at that same company and that same location across 17 different sites,
we're only counting it once, not 17 times. So all of the data in CyberSeek are deduplicated. Now I'll, will we miss a few? I'm never gonna say we get a hundred percent right. There are, let's say 85,000 cyber jobs open in Arizona.
That these are 85,000 unique opportunities here versus 15 opportunities are duplicated several thousand times within the environment. That's what I think I, reflecting back, that's what I'm hearing. Would you agree with that statement? Yeah, so, so I, I will take a second to explain. I think this might be helpful.
Please. What the data are actually telling us in CyberSeek, because I, I've heard so many people at very high levels of the federal government and other places misuse the data. And it's like nails [00:14:00] on a chalkboard every time I hear it. But what am I gonna do? Go correct a senator? Whenever I hear people citing CyberSeek, they love to take the big high level number that usually says somewhere between 450, it's even been as high as 750,000 job openings, and say, that's how many unfilled positions we have in the country right now.
We need 750,000 more cybersecurity workers. And if you say that you are blatantly wrong, that is not what the data is saying. So talk to me. So what that number actually is, is that's how many unique job openings we saw over the past 12 months, not at a point in time. That's over the last 12 months, how many job postings or job openings were there, which were unique online.
Now, in some cases, those jobs got filled. Frankly, in the vast majority of those, I'm pretty sure they got filled. That's not how many jobs are open. Those are just the number of times, uh, [00:15:00] an employer posted a job over the past 12 months that had a cybersecurity component to it. It also isn't just what we think of as core cybersecurity workers.
Most people in this industry, I think they think, oh, you're talking about either InfoSec analyst, security analyst, pen, pen tester, engineers. Pen tester. Exactly. Not what? Not the only thing we're looking at. We're also looking at, uh, the network administrators who are responsible for cyber within an SMB or other IT professionals, or even some cases, maybe even non-IT professionals who still have a significant security component to what they do.
And so I break that into, there's the core cyber workforce. We're capturing those and there's also the cyber-enabled workforce who need to have significant security components to what they do. But that's not the only thing that they do, and I think that doesn't fit the mental model a lot of people have.
This has been very helpful, by the way, because I admit I have been guilty of misreading that site in the past. So first, thank you for that. So here's the next [00:16:00] question.
Is there a way for me to extract, if I look at CyberSeek as it sits right now, how many jobs are open now that have a cyber component in them versus the three quarters of a million jobs you've looked at in the past year? How do I extract that data from the site? So the honest answer is, as it stands today, there isn't a clean way to just say how many job openings are there today.
That is something we've wanted to add over the years for various reasons. It never got incorporated the way that, to be perfectly honest, I would've liked it to be incorporated. Um, it, sometimes it's a funding issue, sometimes it's a, you know, timing issue, data issue, whatever it may be. But, uh, I would love to just have that number right up front.
Yeah. Now, a few years ago, uh, during the previous White House administration, we'd done a lot of work with ONCD also trying to provide [00:17:00] a cleaner data point that just said, what's, what's the actual gap? How many people do we actually need? And we actually did do that, and we wanted to incorporate it into CyberSeek.
It's lived in a few different places. We've actually put it in CyberSeek releases. But the basic idea is that for that data point, we look at not just how many job postings there were over the past 12 months, but we look at a point in time when we pull the data. What is the gap between how many cybersecurity jobs employers are hoping to fill and how many people do we actually have in our country with the skills necessary to fill those jobs. The last time you did that analysis, rough order of magnitude, what's that delta look like? If it's not a, if it's not three quarters of a million, what is it? What do you say it is? It is not three quarters of a million. It was about a quarter of a million, so it was about 250,000, which is still a big number.
But yeah, there's a big caveat to this, which, which I wish this got more [00:18:00] play because this, Hey, you're here, brother, and I'm very glad to be here to clear this up because this is what needs to be told. One thing we did was we went a step beyond just saying, okay, 250,000 people. That's the gap. We all know that if we just produce 250,000 graduates from cybersecurity programs or bootcamps or whatever it is.
They're not all going to be filling those jobs immediately. We've all heard the stories of someone who graduates, has a hard time finding a job for six, 12, however many months you had, uh, you know, have, have talked about this at length as well. And what we did was we said, well, out of those jobs and out of that gap, how much of that gap is actually for entry-level jobs versus more experienced jobs? Yeah, and you see a very different picture when you look at that. But let's, let's unpack that a little bit again. You know, and I, I'm just making sure, not [00:19:00] looking for exacts, but you are, have been closer to those realities than any of my previous guests or myself.
So I, you know, rough order of magnitudes or as we used to say, SWAG, scientific wild-ass guesses, you know, your rough order, your SWAG is gonna be better than mine. So when you unpack that from an entry level position standpoint, collectively, what does that look like? What does that really look like? I'll, I'll, I'll do you one better than, than just SWAG.
I'll give you some specific numbers. We're all specific numbers. I love data. When, when we looked at this, we found that for every 100 entry-level jobs employers were demanding, we had 110 entry-level workers vying for that. And when you translate that into an absolute number, that means that we actually had about 35,000 more entry-level individuals looking for cybersecurity jobs than we actually had entry-level cybersecurity jobs that they could fill.
[00:20:00] So mathematically, they're not all gonna get a job. Yeah. Yeah. So we're saying that most of those other jobs that are out there are not entry level of the, let's, you know, you used quarter million figure of the quarter million figure that you looked at the last time that you looked at it.
The vast preponderance of those jobs weren't entry level jobs. Would that be a fair statement? I don't wanna misquote you. Yeah, no spot on. No. The, the vast majority, not entry level usually require a minimum three to five years prior work experience. Okay. Uh, so you gave me a statistic in terms of number of jobs per number of applicants, et cetera.
I would be curious, would you be willing to venture another statistic to say, what is the percentage of that quarter million that were considered entry level? 5%, 10%, 1%? You know, uh, in terms of just the number of, um, workers or the number of [00:21:00] jobs that were being demanded. Jobs, number of jobs. So this one, I also have some stats for you.
Okay. Uh, over the years when we first started looking at this. About 12 years ago, there were about 15% of all cybersecurity job openings that were open to someone with less than two years of prior work experience. You could roughly say as an entry level job. Okay. Um. That number has pretty much not changed at all over the past 12 years.
The whole time we looked at the cybersecurity workforce while I was at Lightcast, and while I'm still looking at the data, I still work with Lightcast in my current role. Um, we see basically the same thing. About 10 to 15% of those job openings are asking for somebody with fewer than two years of prior work experience.
So, you know, there are jobs out there. There aren't a whole lot, so let me take it down. So first, you know, doing some rough math in my head, not being the data scientist that you are [00:22:00] of, if the number is a quarter million, that's 37,500. You know, jobs sitting out there collectively across the country, give or take for which, if we've got 110 people looking, you know, for those entry level positions, that's roughly four to 500,000 people trying to fill 37,000 jobs, give or take.
Or did I miss a zero somewhere? Uh, so it'd be a little bit different than that. So I think you're right, right about the, you know, right order of magnitude when we're, you know, looking at, some of these numbers. So actually the, the 200 taking one step ag, the 250, um, thousand gap number, that, that's just the gap between.
Demand versus supply. Uh, the actual demand in terms of that, which includes people who are currently employed, doesn't just include open jobs, things like that. that fair, fair? And that helps, that total number is were about 1.25 million employed cybersecurity professionals.
Okay. When you [00:23:00] said 1.25 million cyber professionals as CyberSeek classified folks, they were looking at anyone who had a preponderance of cyber or a significant portion of cyber within their job description, regardless of if they came up the way that I did and have been cyber for, you know, you know, forever. Um, is that, when you look at that 1.25 million, are you including that same workforce set or are you narrowing that set to people who are, who, uh, who are predominantly cyber professionals?
Are you looking at the same? Uh, base set. So that that number is looking at both the, the core cyber folks who came up the, you know, if there is a traditional way to come up in cyber banging head against the wall a few times, that's usually involved. Sounds about that. Keep going. I'm sorry. No, no, it is, but it also includes the en cyber enabled folks.
So those, you know, that's the network admin who's responsible for security at a small, you know, company. Um. Okay. [00:24:00] And those, uh, so that's the 1.25 figure. Okay. If, if you're just talking about the core cyber workforce, I don't know the exact number off the top of my head, but I would say it's, you know, a few hundred thousand, something like that.
Uh, usually it was roughly in that range. Um, I, you know, the, the majority of those jobs actually that 1.25 figure. Those are folks who are in that cyber, cyber-enabled category. Um, so the vast majority of people who are doing cyber work and require cyber skills are not in what we typically consider the quote unquote traditional cyber jobs.
Excellent, excellent. A few other things I wanna dig into ancillary to this or, you know, to dive off of when you talked about entry level positions, you use the cutoff of less than two years. So zero to two years as an entry-level position.
I am, you know, one of my big [00:25:00] concerns out here, and I talked about it in an earlier podcast, is how, you know, that no experience, no job thing. So you want someone with zero to two years. I am fresh out. I have done the training. I have maybe an entry level cert or two, but I haven't had a quote unquote real, you know, big air quotes around that.
Mm-hmm. Job involving cybersecurity, so I have zero level experience. And yet there are folks advertising entry level positions who want someone who has one year or two years. In other words, we want entry level provided somebody else gave you the opportunity to learn, et cetera. I am curious as to if you are seeing that trend as you look at entry level positions and are there true positions out there?
I'll even consider this like zero to six months because you know, I can do an internship here, I could do a little work here, and I could probably get six months worth of stuff in [00:26:00] my portfolio, even if I'm doing this part-time from, you know, in other things. Are you truly seeing true entry-level positions at zero to six months experience, or are you truly seeing people who want a year or two's experience, meaning that somebody else gave you that opportunity?
What are you seeing or what did you see out there? Yeah. And, and this is, you know, the proverbial chicken and egg problem, right? The reality is yes, we do see some jobs, not a whole lot.
You know, as I mentioned, about 15% of job openings in cyber are actually looking for someone with, you know, less than two years of work experience. Um, of those, I don't have the exact numbers, but when I've looked in the past, uh, it was roughly, cleanly broken out between how many were in the zero to six month, how many were in the roughly one year range, how many were in the, you know, one to two year range.
So they're out there, but yeah, are they few and far between? Yeah, they kind of are. There aren't a whole lot. [00:27:00] And so this is, you know, a, a little bit of, one of my biggest concerns about, frankly, the work I've done in the past, because I, I think that.
Yeah. A lot of what I've put out into the world has advocated for we need more cyber workers and I'm not the only one. A lot of other people have done this too. Um, and the problem was people actually listened. Yes. They listened a little too well, and now we have a flood of pipelines mm-hmm. Of people coming in and not enough opportunities for them.
Yep. Yep. And so I, I think that that, you know, is, is one of my biggest regrets, I think, frankly in, in the research that I did earlier on, was not making it clear that these job opportunities, they're, they're not evenly distributed between entry level and more experienced. And, you know, they're, they're very heavily upweighted in that more experience.
So I gotta, I gotta tell you, you're, you're, and again, this is where I get to be the old security guy. [00:28:00] Uh, you're taking blame for stuff that is maybe 10% on your shoulders and 90% on my peers because we dove into it, we supported it, we advocated for these things, and then created these pipelines, and then we started shutting doors.
Yeah. And then, and you know, this, this was a case that you listened to us. And you provided what we asked for. Let me, let me shift gears again. So 85% of those jobs are looking for experienced personnel from.
And we're not creating entry-level opportunities. So my perspective tends to be we're trying to steal from one another and we're not necessarily training one another, and we're trying to say, can I pay you X percent more to come do the same thing here? Versus train and educate, et cetera. I'm curious as to your perspective on it as someone who sees [00:29:00] the data. So, uh, this is something I've looked at a lot.
I call it hiring for mercenaries, not missionaries. This has been the default in the industry for years. You go after the mercenary, who has the best resume?
They look the best on paper. Maybe they went to some fancy school. They got some fancy certifications. They look amazing on paper. Problem is you wanna hire them. So do all of your 20 biggest competitors and you are going to be in a bloodbath for talent. If this is what you do, you're just gonna have to throw money hand over fist for a small number of highly qualified, or maybe they aren't even that qualified, they just look qualified on paper, folks who everybody else is trying to get to.
Yeah, and they're not gonna stick around that long. You think it's gonna be what, five years until someone gives 'em a better offer? No, it's gonna be five months. And actually one point I want to, I wanna double down on this as well, is that, please, we, we also have done some work, which [00:30:00] again, I, I wish we were trumpeting more in the past than we did, where we, we said, well, what happens when the very small number of companies who don't just hire those mercenaries, hire somebody else who maybe comes from a non-traditional background, doesn't look as good on paper, is more entry level.
Do we actually see different employment outcomes? The answer is, oh yeah, we do. When you hire somebody who doesn't come with even a bachelor's degree, when you hire somebody who comes with a non-traditional background, whatever you call it, they stick around longer 'cause you invested in them and they're not, you know, going to be the one who just tries to look good on paper and then hops around.
They're gonna say like, Hey, nobody else was giving me a chance, but this company did. I'm gonna be more loyal to them. If we look at. Workers without a bachelor's degree in cybersecurity, for example, they are far more likely to stick around. Somebody with a bachelor's degree who is hired for a cybersecurity role is [00:31:00] 64% more likely to leave within a year.
Wow. Than somebody who does not have a bachelor's degree. We see similar things for women in cybersecurity. They, on average, actually stay longer, which is maybe counterintuitive. But yeah, um, there's a lot of work we've done, especially in cyber, other fields as well, but especially in cyber where we see when folks are given the opportunity that they weren't being given elsewhere, they are going to appreciate it and they are gonna stick around.
Now, let's talk about that because that's a great segue into, um, the, the next aspect of the data and seeing what you're seeing, Will. I was talking about non-traditional pathways into cyber. Mm-hmm. And I was talking about we don't, you know, with the exclusion of the military, because you have a lot of employers who understand the other components that, uh, a soldier or sailor, airman, marine, uh, or space or Guardian, which is the term for the Space Force, [00:32:00] bring to the equation, particularly if they are coming up within these cyber realms of those organizations.
Excluding the military, there are a lot of pathways, boot camps, certs, et cetera, for non-traditional entry into cyber. What I typically see is a lot of folks, um, poo-pooing those non-traditional pathways. I once had a very senior engineer say, yeah, boot camps are just ATMs for the colleges. So I asked are there really opportunities for not only non-traditional pathways, but for career transition into the cyber through those non-traditional pathways? So this is, this is definitely an interesting question and we have looked at where people are actually coming from into cyber. The majority come from some kind of IT field. Uh, last time I looked the current, uh, [00:33:00] cyber workforce, about 55% came from either a previous cyber job or a previous IT job.
That actually leaves a fair number of folks though, who did come from other fields. Now, to be fair, a lot of those folks, they maybe came from a non-IT field, but they had IT experience, so maybe they worked in IT, maybe then they, you know, worked in, I don't know, marketing for a little while or something else, and then decided, I wanna go back to, to IT or cybersecurity.
So sometimes it's, it's not a linear path and it almost never is a linear path. Oh God. Yeah. But then there's also, um, a very small portion of folks who came directly out of school. Actually, and I'll give you some stats on this, uh, only 7% of the existing workforce in cybersecurity came directly from a degree program.
Wow, that's really, really interesting. Considering, you know, as a result of [00:34:00] the misinterpretation of data that we have all done, we pushed a lot of colleges and universities to create cyber degree programs. Yeah. In fact, I created one for the university many years ago. So what we're saying is we're not seeing folks come from, you know, straight from school into cyber, they're going straight from school, if anywhere into IT and then into cyber. Is that what I'm hearing that that's more common. Okay. That is a more common path. And, and one other additional nuance to this is that a lot of people for a long time also said that cyber is a great opportunity for someone who doesn't have a bachelor's degree.
Mm-hmm. And historically, yeah, about a third of the cybersecurity workforce didn't have a bachelor's degree. So you, you see that data from the Bureau of Labor Statistics. That's usually where that came from. And you say, oh, well, okay. Wow. We should definitely be producing more, [00:35:00] uh, undergrad or uh, uh, sub baccalaureate folks from community colleges in cyber programs so that they can get good high paying jobs in cyber.
Um, out of that universe of cyber workers that we looked at, the percentage who came directly from a sub bachelor's program, like a community college program, like a bootcamp of the entire cyber workforce, only 1% came from one of those programs. Now, that doesn't mean only one of the cyber workforce has less than a bachelor's degree, but those people who are in the field who don't have a bachelor's degree, they didn't come straight out of school. They cut their teeth somewhere else in IT usually, or in other fields. There was not a direct path from, I get a degree and I go into cyber. Now we can debate whether or not that is what employers should be doing, whether they should be cutting [00:36:00] out anybody who doesn't have a bachelor's degree from all those entry level jobs, and maybe not all of them, but the ones that do exist.
Um, that's a different discussion. But the reality is right now there have not been many entry-level hires who don't have a bachelor's degree directly into cyber roles. That's good to know. And again, it contradicts the typical talk tracks from old security guys like myself to people who wish to enter cybersecurity.
So and I get asked this question two to three times a week from various people from the high school kid who says, I want to go into cyber. And when you ask them what that means, they say cyber and don't necessarily know what it means.
But I want to get into cyber. What should I do to the college kid who is, has a technical degree, be it in cybersecurity, comi, or any or IT? There are some schools that offer IT degrees. I really wanna focus on cyber [00:37:00] to the individual who is looking at career transition, to say, look, I see where my career is going.
Cybersecurity is up and coming. I want an opportunity to see if this makes sense for me. What should I do? What should I, you know, study? What should I look at? Should I go back to school? And the list goes on. So you've got those three general use cases, all of which are saying, you know, what do I need to do to get into cyber?
So you can either answer it blanketly, Will, if you were the person being asked or take it use case by use case, what would you tell those people? Yeah, so one thing I would say for anybody who wants to get into cyber, regardless of which of those buckets they fall into, is that your passion is going to be infectious.
If you have passion for it, you need to demonstrate that. You need that to be seen. You need passion for cyber oozing out of your pores.
Make sure you're okay [00:38:00] with the things that are not sexy in this world and make sure you actually, that well not chewed up and spit out if you love it. This profession will nurture and take care of you if you don't love it and you're here just trying to make a dollar, you will get chewed up and spit out And yeah, there are whole lots of what we do that ain't sexy.
Yeah. You know, to include fighting bad guys at 1:30 in the morning after getting off shift at nine. So yeah, that's not sexy. Yeah. And you know, to maybe put it another way, you know, you'll be put through the wringer, be okay being put through the wringer and fair. And, and, and you know, I I, I think that really comes through too, like people who've been in the industry as long as, I mean, there are, I'm sure there are bad hire hiring managers out there.
Every industry has them. But the, I think most hiring managers are, they're, they're going to notice your passion for the field.
Yeah. That's fantastic. So the last question I'll ask is the same last question that I ask every guest. What is the one thing that we haven't talked about that [00:39:00] you would want all of our listeners to know about, hear about?
What's the one thing you would put on the table that we haven't discussed, be it a different take on something maybe we've already discussed or something we just haven't brought up yet. Floor is yours. I, I think a lot of our discussion right now has been around the data and demystifying a lot of the things we see in the data.
Yep. And, and, and I think that taken a certain way, some of the things that, that we've been saying, that I've been saying, it could be interpreted as, man, we really shouldn't be preparing so many people for cyber. Man, we really shouldn't be selling this story that there should be entry level opportunities.
I think you can also frame it as we need to fix this expectations gap between what employers are asking for and what people think they should be asking for. Mm-hmm. And what people are actually preparing folks for. I'm a big believer that you can find more opportunities to [00:40:00] expand the entry level pipeline into cyber.
Now are, are we going to hire somebody fresh outta school to protect our most valuable digital assets? Obviously not they, they gotta cut their teeth somehow. You're not gonna ask a kid fresh outta med school to replace a spleen. You, you want them to go to residency. You want them to learn from a seasoned hand.
But, and the cyber is the same way, but that doesn't mean that we can't still find opportunities to build out intentional career pathways for folks to enter into this field. Whether that is in a core cyber role or whether it's in a cyber adjacent role, such as another IT role, I mentioned earlier. If you hire those non-traditional workers, you're rewarded with more loyalty. You're rewarded with less turnover and better retention.
It also saves a lot of money when you are investing in growing your workforce. We find that if, for an example, if you hire somebody without a bachelor's degree for cyber [00:41:00] versus somebody who does for some of those few entry level roles that are out there, on average, the hiring costs you save are over $15,000.
It's not just salary costs, it's also just shorter time to fill and other things like that. Um, and you also expand your entry level candidate pipeline by over 60%, and there can be many other spillover benefits as well to investing in your people. So I, I, I don't want people to think that I'm advocating for people to only go into cyber if they have a higher level degree or if they come with five to 10 years of prior experience in similar roles. I think that we still also need to put the onus on employers to be intentional about building out those entry level opportunities so we can grow the next generation of cyber workers.
And I think that's a great place to leave it. Well, again, thank you so much. I have been looking forward to having this conversation. Learned a few things about the data myself. So thank you so much for [00:42:00] participating and, uh, being here and, uh, educating us all on this.
And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic.
There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. Thanks for listening.
Kim Jones: This episode was edited by Ethan Cook, with content strategy provided by Mayan Lau, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing, sound design, and original music by Elliot Peltzman. I'm Kim Jones and thank you for listening.