Do certifications matter?
Welcome to CSO Perspectives. I'm Kim Jones and I'm thrilled that you're here for the season's journey. We've been taking the deep conversations out of the conference, or more realistically the conference bar and have begun tackling complex issues from every conceivable angle across a multi-episode arc.
As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. Today we explore the question, do certifications matter? Let's get into it. at least twice a week, I'm contacted by people who are either trying to enter cybersecurity or advance their careers. And the question I am most often asked is, what certification should I get, if any? Like most things surrounding the cyber talent ecosystem, the profession seems split as to the value of certifications, which is pretty amazing considering that one sourced lists over 450 cyber related certifications that you can pursue.
As with most things we've discussed this season, there are valid arguments on both sides on the pro certification side. One. Certifications can provide some validation of skills. They represent a potential note, the caveat benchmark that employers can use as a preliminary screening point for candidates, ensuring that the candidate has or should have the knowledge and skills needed to be effective in a given role.
Two certain certifications can help individuals stand out from other candidates. Making them more attractive to employers and potentially leading to more advanced roles. Three, depending upon your industry, vertical regulators may expect, if not require certifications to demonstrate a level of proficiency and expertise within the security functions.
And four. For companies and industries that are forward leaning enough to market security as part of their value proposition, certifications can be a way to add and or enhance that differentiation. Unfortunately, there is also a valid downside to focusing two intensely on certifications one, many of the so-called premier certifications such as the C-I-S-S-P and CISM.
Or multiple choice exams. This can lead to people learning the theory behind solving a problem and recognizing the right answer if given several options. But this doesn't necessarily mean that they know what the correct answer is. When presented with a singular situation and are tasked with devising a solution, two certification exams are well exams.
Some people, even highly capable and knowledgeable people do not test well. One of my best technologists in a past role struggled to pass a certification exam despite it being well within his field of demonstrated expertise. I choke on exams. He would say it took him three times to finally certify.
Three technical exams may only be slightly better. Knowing how to apply a technical solution is only half the answer at certain levels or in some roles. Knowing when and under what circumstances that solution is warranted versus other equally viable alternatives requires a degree of critical thinking, situational awareness, and an overall understanding of the theory behind the solution that many technical exams do not provide.
Four. Certifications are expensive between the exams themselves and the quality study materials. This is one of the biggest criticisms of certs. Many of the better known and respected certifications can cost several thousand dollars. Even entry level certifications. That is certifications that don't require an expert component.
Can cost $500 or more between the cost of the exam and the cost to join the professional organization offering the certification. This can be prohibitive for individuals who are trying to enter the field on their own time in their own dime. And five, we also need to acknowledge the business impact of offering certifications.
I remember taking the C-I-S-S-P in 1998. I studied for months. Note that this was in the ancient days before a robust internet or YouTube. I left the 400 question exam with a headache and no idea if I had passed. Turns out I did. Three years later, I found myself retaking the exam because my consulting career left no opportunity to earn the required continuing professional education credits, also known as CPEs to maintain my certification.
I power skimmed the reference book and walked into the exam on a Saturday morning. It was only 250 questions long. I finished in under two hours and left confident that I had passed while three more years of experience may have made things easier. I've always wondered if the exam had gotten easier in order to increase the number of people who would take it and pass.
So what's my take on certifications? Here's the answer that I give people to the question, what certification should I get if any, one, for people entering the field, I suggest taking certifications that A, demonstrate an overarching understanding of technology in the field, as well as B, focus on specific skills that employers might find useful.
My specific recommendations usually include the Compt certifications up to and including the security plus certification. And any of the major cloud provider certifications moving beyond the entry level certification and up to their security certification these days. I also recommend some type of artificial intelligence or AI familiarization training, which includes modules outlining the associated security challenges and risks.
Two, if you have an idea which specific field of cybersecurity you wish to pursue. Let me run that again with a slight change in three, two, and one. Two, if you have an idea which specific field in cybersecurity you wish to pursue research, which certifications are most recognized within that field, and pur and pursue those, for example.
OFFENSIVE Securities certified professional, or OSCP certification is currently considered the gold standard for penetration testers three at the intermediate and higher levels. Particularly as you take on leadership roles, I tend to favor certifications that look at the holistic ecosystem. I tell people that, regardless of how you feel about it, the C-I-S-S-P serves a purpose.
A reminds us as practitioners that security is multifaceted. Something we tend to forget when we operate with laser-like focus within a specific discipline. And B, more importantly, it helps us see how the pieces fit together, which allows us the opportunity to think just a little more holistically and critically about vexing problems.
To employers and hiring managers who ask me about certifications, I urge them not to make them the deciding factor when hiring a candidate. When you require a certification to the point of including it in a job description, ask yourself the question, what is it I'm hoping this certification will bring to the role and to the team?
If you don't have good answers, then the search should be listed as preferred or optional versus a requirement for hire. This way you can avoid having good candidates unfairly screened out of a hiring process because they lack certain letters after their names.
The questions of whether in which certifications to get, let me run that again. 'cause I heard my dog in the background in three to two and one. The questions of whether and which certifications to get, depend upon your goals and objectives. A good rule of thumb is to do your research and talk to industry experts, but even cyber professionals, disagree on the topic.
At the end of the day, pick the certifications that most closely align with your career objectives. Quantity doesn't be quality in the certification game. My 2 cents.
On today's episode, I'm excited to welcome Simone Petrella to the conversation. Simone is an industry leader who has been working for the better part of a decade to solve the skills gap issues we see across the cybersecurity workforce. Today's conversation revolves around a somewhat controversial topic in cybersecurity. Do certifications matter? Let's get into it. Interview Simone, first, I really appreciate you taking the time to do this more than you know. Thank you so much. Kim is always a pleasure.
That's the lie. But I appreciate it. You know, you and I clearly have known each other for a little bit now, but I don't think my audience knows who you are or understands your background. So let's take a few minutes and let them know who Simone is. Talk to me.
Yeah, sure. Um, so I have been in cybersecurity for the last 20 years. Um, you know, DOD background and then private sector, um, over the last decade or so, and I'd say most notably to this conversation, um, have spent the last 10 years of my life really in the cybersecurity. Workforce space. Looking at the, the people and the process challenges that we have in making sure that our nation, our organizations, our companies have the right skills and talent they need to actually address our cybersecurity challenges is,
Fantastic. It, it, it's funny, you and I, I think, crossed paths the first time over a decade ago in my backyard, in Scottsdale, mm-hmm. you know, having this same conversation, one form or fashion. I know, I know. It's like both, it's, it's both warming and yet infuriating.
Uh, I, yes, both descriptors are absolutely correct. So, wanna deep dive a little bit on certifications? And I'm gonna start with the basic question that forms the title of this episode. Do certifications matter? Yes. No. And why or why not?
Yeah. Um, well, I think that. You know, the best analogy I can say is they matter in the sense that if you want a passport to go to another country, you need one, but it's not gonna be the plane ticket to get you there. Um, and so I don't think they guarantee you, they certainly don't guarantee you the job, but they do open the doors.
And for those reasons, I will always say that certifications have value. Um, but that being said, I cannot make that statement without acknowledging the. Kind of di dichotomy that we have in the industry right now in the profession where we have people who are going out and they're spending time and money and resources to earn these credentials.
And it might open a few doors, but it's certainly not getting them through the door or at least enough into the door so that they can actually get that job at the end. So we have some major issues I think that we can kind of chat about it, but I don't think I'm willing to throw.
The utility of certification is like totally out the window.
Okay, so let, let, let's begin to dig. I love the passport versus plane ticket analogy. They open the door but won't necessarily get you there or get you the gig. And you know, that seems to indicate a limited value associated with the cert. Why is it that certifications are considered door openers?
I think, and I'm curious if you have different thoughts on this. I think they're considered door openers because of some of the intangibles that they represent to hiring managers for the job It in. It indicates you've spent time and energy to focus on the. Fundamentals and foundations of the field. So you have some baseline level of knowledge coming in.
You've put in the work, you have shown enough ambition and diligence that you have gone through the exercise of not only studying for it, but sitting for it and taking it. And I think those are all qualities that we value in the profession. Very rarely, with some exception, there are some credentials that will say you're working on a certain tool or a certain system and we want someone who is credentialed or certified on this thing, but that's not the majority of cybersecurity jobs and what they're looking for in those credentials.
So I kind of put them more in the like, it tells us that you're kind of like in the ballpark, but it's, you know, like you're qualified to get on this flight, but it's doesn't put you at the boarding gate, I guess, you know, like to keep my analogy going.
Yeah, I think I said something, you know, in the opening, like they're like 450 different certifications out there, and I, I, I guess my concern is. When you talk about certifications, I get a sense that you are referring to maybe being what I would call the professional certs that are out there, and I'll pick on the cis b and the cism and the ci a and you know, the, the, the list goes on of those professional certs that require a certain level of.
Experience within the field, uh, before you can even begin to sit for them. So I, I, and I told this story at the beginning of the episode where, okay, my original C-I-S-S-P number is four digits long. Okay. I then went into consulting and I remember it was a 400 question exam. I studied for it for months. I left there and my brain hurt, and I had no idea as to whether I would pass or not.
Yeah. I. Cut two, three years later. Okay. I was short CPEs 'cause I was on the road consulting constantly, so I'm going to lose my C-I-S-S-P. So I need to, if I wanna maintain it, I need to reset the exam. I literally grabbed the reference book and power skimmed it on the plane ride back from Portland, Oregon to the east coast where I Walked in 250, question exam, same number of hours. I left out after about an hour and a half, two hours, and passed it easily, you know, I said, oh yeah, this is, this is cake, and walked in. So what I, a lot of the criticisms that these professionals sorts get is as they have become more important passports to continue urology. Uh, there's a question as to whether or not these certifying bodies have made it easier to jump through that wicked gate to get it. Yeah.
I had three more years of experience, but that was a damnably different, you know, I wasn't coming in on experience when I took it the first time. It was a shorter exam.
I felt it was easier. And I don't think it's because I had three more years experience as opposed to the 13 that I had when I sat the exam was really making that difference. So I am wondering if the, the utility of utilizing the certs as an entry doorway has created. A business of certification that is weakening the original intent of the exam.
When I first, um. Founded, um, cyber Vista, which we had focused on training and cybersecurity certifications.
And we had a period of time where we were really focused on the certification bodies, the professional memberships, and therefore those exams. So think security plus think, C-I-S-S-P, think anything that kind of falls into that broad professional certification category. And the example I wanna give you is we had, and I had brought on a chief product officer, which in our world was more like.
You know, learning and training. Like this is the person who knows how to train and pass exams. His background was in finance and had been in education and training for the entirety of his career, and he took, you know, a book and a bunch of research materials, zero experience in Cyber Zero, and I think it took him about a month and he passed the C-I-S-S-P.
Uh, you can't see my head hitting the desk or, uh, you know, but my head has hit the desk.
Right. And you know, and this is someone who, you know, knows there's, there is a science to creating an exam that tests someone's knowledge. And so if you know that's science, I'll give him the, you can kind of hack the, the psychometrics behind that and kind of give yourself an edge,
Yeah. And conversely, you know, on the same boat, I know great technologists and great cyber people who genuinely suck at test taking. I, I, I have a use case of someone who I would trust my network with. You know, in a heartbeat has failed the spy three times running because they suck at exam taking.
And one of the things that the always struck me is, you know, I started my career in the DODI ended up in cybersecurity, not too many years into that Department of Defense experience. And so when I was first exposed to CSP and Security plus, I did not. I knew the exams, I knew the content of them. I knew like where they went.
I actually did not have a strong sense of the. Professional associations that ran them. And one of the most illuminating things for me personally, when I kind of came out the other side, 'cause you asked the question like, has this become essentially a business? And I was dumbfounded by like the cottage industry that is, you know, you have an exam that's supposed to be a professional. Barrier in some ways, right? And Or Wicked Gate. So a, yeah, you can call it something that's maybe a little less, um, you know, defensive in nature. But then the same organization that issues it is the one that is also offering you the course materials in order to prepare for it. And I look at any other professional body, like pick an industry, Well, let's pick, well, let's pick yours because one of the things you glossed over is that you are an attorney by training. I don't like to tell people that. 'cause then people don't like me anymore,
Well, well, well, well, well, well, that's okay. You know, I, I don't like most attorneys and I have several in my family, barring them. And you, it's a small circle, but you're in the circle, so keep
Okay. Well, all right then, we'll, we'll keep this analogy going. So, yeah, think about, you know, a, a law practitioner, a lawyer. The bar exam is. Created, maintain and run by a completely separate body that is separate from the Bar Association. It is separate from the, um, anyone that you might pay as a third party to actually help you cram to take that, you know, bohemoth of a test.
And so there is a. True firewall between the interests, meaning who, like how Like that organization and that nonprofit makes money on the exam is different than the dues that you have to pay that state's bar to be an attorney. But in cybersecurity, the lines are completely blurred. And this is not, I, I'm gonna point fingers at everyone 'cause I don't think it's anyone's fault and it's everyone's fault at the same time.
Um, we've misaligned the incentives and this, this profession has grown. I mean, we're still kind of in our like. Pre-teen years, if you think about how long it takes for professions to mature and you know, we have like these exams, but then the very exam is actually also the same body that's making money off of you being a member, you getting the certification, you maintaining the certification, and then all the other components that are going to allow them to make money at the same time, like it's a really confusing patchwork of a system.
yeah. So let's go back then to where we started, given that patchwork. I mean, is it still appropriate for this to be the Wicked Gate? Because I now have individuals who, if I'm good at passing an exam and can afford to take the exam, are qualified to be me. And is that really what we want? Whether we, and we've had the trade versus profession conversation back a couple episodes ago, but is that really what we want as a barrier or a, um. A wicked gate to entry wi within the environment. You know, one, one of my previous guests had talked about, you know, do you really want the junior individual to do your heart surgery and protect your, your, your best assets? Well, at least that junior individual has gone through med school, whereas in this case, the wicked gate is, you know, again.
I can take a good exam is, is that really appropriate within the environment?
I think that's fair. Um, but you know, what I will say is, I think one of the reasons that we have seen in the last four years, a push not as big as a push as I think either you or I would like in the. Direction of skills-based hiring has started to at least gain a little bit of traction is for this very reason.
Being able to rely on a credential alone can't be indicative of someone's true competence to perform the job, and that's not the fault of. Uh, actually I don't think it's a fault of any of the associations that have kind of created these exams,
I had agree.
I think a huge part of the problem lays on, we have now an industry that like loves putting labels on things and creates these jobs that don't match the packaging for the labels that they've created.
You know, and so. We, we kind of have fallen on this like lazy, like we need someone with A-C-I-S-S-P for this role. And it's like, okay, well they're doing governance risk and compliance as the job role. Let's say for an example, GRC is absolutely a component of the C-I-S-S-P. You know what else is like six other areas that have nothing to do with anyone that Cryptography and other things. Yeah.
Physical security. I mean, you know, you, you kind of name it. And so I think that. It's really hard to sort of say we are. We should create this kind of gold standard of what it means to be a cyber profession professional. And we haven't actually defined what any of those jobs require. You know, and, and I just wanna even say, like you say, you don't want a junior doctor performing surgery, but we have created a medical system where you don't just go to medical school, you have to go through this much of rotations, you have to do this much residency, you have to take these board exams at the end.
And so by the time that person is operating on you, they've done more in person like. Surgery hours, then you would, you know, I don't think that you would feel uncomfortable. And by the way, someone's always gotta start somewhere. Like baby attorneys come out and they've passed the bar exam and they can get there.
It doesn't mean that they're, you know, they haven't had thousands of hours in a courtroom.
Yeah. Fair enough, fair enough. And I, I like, I, I, I like what you're saying about labels. I, I, I would be more critical. I, I, I genuinely think the industry and the profession have gotten lazy because, and, and it's, I. A laziness born of two things. It's one. Most of us came up hard scrape. Now we're trying to put. Order out of that chaos to say what are the paths that we want? Everyone is trying to duplicate the path they're familiar with while we're still playing whack-a-mole with the bad guys.
Right, and then we've, and what we're left with are, you know, the credentials and certifications that. Because they have to be all things to all people. They become so general, they're not really useful
Or conversely, when they're specific, they're so specific that I've gotten three certifications to do X. I want to learn to do Y and I'm considered unqualified to do Y because I don't have this certification here. And it's just, just created a, uh, a, a huge landscape issue in terms of people looking to, you know, to looking to enter the field.
So, so the question here then becomes. And how do we fix it? I mean, Kim, if we had the answer to that question, we would not be having this conversation five years later. 10 years later. I you were Supreme, ruler and I know, environment, uh, I there, I know. What would you do?
Supreme, empty. You know, I think that the industry, like, you know, I don't, I don't know the history of how every professional association or like group has kind of come together and made.
Common standards for itself, but I think it really comes down to like what does the profession think are the common standards for itself? And in some cases that may not be just a skill. I think it's around like what are the ethics that we have to adhere to? What are the people doing these jobs as they've evolved, and then what's the deal and what's happening in. Corporate or organizational environments where, you know, it's always, you're always lagging to define the role after it's already kind of evolved onto something else.
I was on some, I was on some panel and I got a really tough question from someone. 'cause I made the comment about, um, advanced, um, threat hunting and how like, you know, um, a TP and persistent threat hunting was. You know, a role that didn't exist. And I think at the time I was like, this role didn't exist five years ago, and I got challenged on it.
It was like, I have been doing that for my whole career. Like absolutely that existed as a role. And I was like, no, I hear you. Like people were doing those tasks and you were doing those things, but no one had come out and defined it as an actual job.
And you're right by the way, you.
thank you. Yes. I feel validated, but like I understand the challenge where, you know, we have this like di dichotomy between, hey, we've been doing it and we're kind of evolving to meet this new threat landscape that's constantly changing, but it's really hard to keep up because you know, at least now we say a cardiac surgeon, like we know they work on the heart and.
The human anatomy evolves not as fast as the cyber threat landscape.
Yeah, also true. So let, let me, let me take it back a sec. You, you've been talking in a lot of cases regarding professional certifications, you know, and some of the challenges with that. You, you, you have a background that also deals with what I would refer to holistically as entry level certifications in terms of security plus, et cetera, which I call those that required No.
Formalized experience like the five-year mark Spy has. In order for you to take the cert, you have to demonstrate the knowledge and then make sure you test well. So let's go back a little bit and talk entry level certs and come at it a blankly.
I want to get into cyber, or I'm just getting into cyber. And while there are different areas of emphasis, depending upon role, do you believe that there's a core set of knowledge that I would want anybody entering the profession in any form or fashion to have. Yes or no? And if yes, what are two or three of the things that you would want anyone who purports to want to get into cyber to know and or understand in either theory or practice?So knowledge or ability, or knowledge or skill. I think there is a baseline core set of knowledge that you need to do this job. Um, I think it's more than two or three, but if I had to Gimme your top five.
I would say networking and computing, anything on the OSI layer model, just so that you understand how it all OSI layer because there are a lot of places not teaching it anymore. Yeah, like so, you know, understanding the basics of computing and, and how all of those layers work and communicate with each other, I'd say is paramount. And then from there it's like, I'd say the next layer, and I'm biased because I have an Intel background and a threat intel background, is understanding adversarial like threats.
And what are the primary ways that then those types of. Human holes we've created in our computing systems could be exploited by people with bad intent. Um, and I'd say like the, the third one that I would just sort of like throw in there because I think that it is overlooked and I'd love to see it in there, is again that like contextual. Now why does this matter for the organization that I am in and in charge of protecting?
So, you know, let, let's talk a little bit regarding. a, and we've talked about both the trade versus the profession standpoint. We've talked about the need for training and growing. Um, are people using certifications to use that as an excuse, not just to differentiate, but to either A, be lazy for hiring and or b, to preclude the need for understanding that you still need to train within your environments.
Like my, my gut reaction was I was gonna say yes, but then I also was like, is it that we're just so lazy that I don't even think it's intentional? I think, you know, I don't know if it's, I
On thread for me. well, I just think about how many times for any position, you know, hiring manager goes, you know, I have. These thousand fires that we have to actually put out day to day, and we're chasing down, you know, this many things happening on the network and we're instituting these new controls that we have to do on our security strategy.
And now we have all these open positions and so like the easiest thing you do is you're like, I have to have this job filled. Here's the closest thing I had X amount of months ago that was sort of like it, like let's modify it. Those types of terms are already in the job description from. Whether it was intentional then or not.
Like they're just in there. So you just kind of keep 'em in and you riff off that old job description. And I think it just kind of perpetuates it. Like, I don't know if it's a, I don't know how many, I've had so many conversations with hiring managers and like. Cyber executives who will say, certifications give me this indication of someone, but I don't, like, it's not a requirement for me.
Or they can get it on the job, and yet their job descriptions
Yet they're screening on them because of that.right. So like I'm sitting there going, either you're lying or you have it in there and you just haven't thought to remove it. Like it's, you know.
or disingenuous. Um, I want to talk in terms of certifications, and I'm going to go down a path that.
Um, I, I do go down in some depth in one episode, but I'm gonna go down a path that may make some of our listeners feel uncomfortable, and I'm gonna talk about diversity and the role that certifications potentially play in either helping or in some cases hindering diversity. Within the environment, you know, because one of the things, and again, it gets into some of the entry that we talk about, certifications, cost certifications, cost dollars for the study material.
If you can afford it, you know, dollars for the exam. As well as if it's one that required CPS to maintain dollars associated with that. So it does not only become a Wicked Gate, but there's an economic component to it that gets in the way, even for entry level certifications of people who know getting that check mark that they need to be considered.
And then we add to that the fact that. I cannot remember the name of the study, but you and I have talked about it before. If a job description goes out. And, and I'll start with just male and female. A male says, Hey, I meet 30% of the requirements. They're gonna throw their resume in. You know, you as a woman say, I only meet 75% of the requirements.
I'm not qualified and I'm not gonna throw in. So are these wickets that we're establishing, creating? Um. And Unin, hopefully unintended yet very real discriminatory, um, situation within our profession. I, I would welcome your opinion.
I mean, I think some of the just like time and service requirements in order to get them kind of perpetuates what has already been a really unbalanced representation in the field. So once you just play out those numbers, if you're saying, well, you need the five years of experience and you have to pass this exam to get it, well, you know, we've been making some progress.
But if you look at the numbers now, you know it's still.
The workforce only looks 20% like you,
Like, I was gonna say, like 20, I was gonna say generous. Right? And, and that's like a generous interpretation. And then if you add in, you know, African Americans or Hispanics or anything else of any total. Still.
So it's, um, so I think it's impossible for that to just not perpetuate if you don't make a conscious change to the system because all of a sudden you're like, that's just, you're just keeping that pipeline going and you're continuing to set up this.
Almost impossible barrier to those who wanna get into the field, who, you know, especially now, like we've talked about this, I know in previous conversations, and it's been reported in a lot of just the past year and a half in like workforce studies, whether it's ISE twos or I saw Frost and Sullivan had one, like, there have been multiple versions that have shown, um, we do not have a shortage of entry level roles right now Really. market.
We, no, we have a surplus. We have like, we have more qualified entry level candidates than actual available jobs. If you go on cyber seek.org and you look at like that supply demand, we actually have more supply and less demand for that, that role yeah, I, I, I thought I missed, I, I thought I'd interpret what you said in the reverse. So let, let me reflect back. We have a surplus of entry level professionals and not enough entry level roles out there. Okay.
Right, but like, but like carry that thought through. So now you have this surplus of candidates who can't get jobs 'cause there aren't enough roles for them at that entry level. But then in order to get the certification, that's kind of in demand for the next level. They have to have the five years.
Well, how do you get there? If you have, you have, you've just. Given them a, you know, you've closed the door on their face and walked away. And so that's, and that's where we see the most diversity coming into the field is in entry level. I think we've made the most progress in attracting more diversity and more candidates from different walks of life and different perspectives and different angles into the field.
But like then we close the door on them before they even get there.
Let me ask you the question I ask all my guests. Um. is the one thing that you, you would tell the audience to be aware of or to do differently? And I'll modify that to also say, what is the one thing we haven't discussed regarding the certification topic that you want the audience to hear? Answer, either or both of them as you wish.
I think the biggest takeaway I. That I would want anyone listening to, to really absorb and, and take some time to put it to heart is cybersecurity is a long-term game, but we're playing it with short-term incentives. And if we're gonna play this long-term game, which is actually getting better at security, then we're gonna have to focus on the things that are frankly hard, the hardest things, which are how do we have the right people with the right skills, doing the right things? And. All of the obsession that we often take with, you know, new tools, new technology, whether AI is integrated, those are all great and they're making our lives easier, but it's not helping us solve that long-term problem.
Yep.
Um, and so I think, well, and I say I, I'd say to sort of tie that into. The certification conversation that we're having. I think that certifications have to, I think that there's an opportunity to say, how does cer, how do certifications help this kind of long-termism as opposed to short-termism, like, let's go for long-term capital gains here with human capital, and what does that actually look like if we said.
What's that common core of knowledge? How do we get people there? And then how do we maybe work with industry, meaning employers so that there is actually an alignment between what we need and what we have. And I think that would be kind of like where you start to bridge that gap between the certs we have and then the needs we have in the market.
Simone, thank you as always. You know, I, I, I've missed you. I, I know. This is great. Thanks for having fun. We haven't was a lot of fun.
and that's a wrap for today's episode. Thanks so much for tuning in and for your support as N 2K Pro subscribers. Your continued support enables us to keep making shows like this one.
If you enjoyed today's conversation and are interested in learning more. Please visit the CSO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CSO Perspectives.
This episode was edited by Ethan Cook, with content strategy provided by myON Plot, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones, and thank you for listening.
