Podcasts
CISO Perspectives (Pro)
Ep 137
CISO Perspectives (Pro) 6.17.25
Ep 137 | 6.17.25

Strategic approaches to talent: A practical guide.

Show Notes
Transcript

Kim Jones: Welcome back to "CISO Perspectives." I'm Kim Jones and I'm thrilled that you're here for this season's journey. This past season we've pulled the deep conversations out of the conference bar to tackle these conflicts and issues from every conceivable angle. Throughout this season we've examined many of the challenges surrounding the cyber talent ecosystem. Today we explore the question how do we address talent strategically. Let's get in to it. [ Music ] In one of my last corporate gigs I was tasked with standardizing how we hired security talent. Specifically I needed to answer the question how do we attract, integrate, train, and retain top tier cyber talent in the company. Despite being in business for over four decades, this was the first time the company had undertaken a truly strategic approach to its cyber talent needs. As this is a passion point of mine, shocking I know, I dug in to the challenge with zeal. My first thought was our job descriptions. We had recently done an overhaul of the security job family and associated descriptions, but I was concerned that we had not normalized the knowledge, skill, ability, and experience or KSAE requirements against any of the standard frameworks out there such as the NICE framework. For the better part of two months I worked with an external firm to dissect the job description levels and requirements and mapped them to the NICE framework. I came away with some interesting conclusions. Turns out that less than 70% of our brand new job descriptions were mapped to existing NICE KSAEs. In at least one case over 80% of the requirements for the position were skills and abilities not found within the technical cyber KSAEs. As I said to my peers, I'm not advocating that you change the job descriptions again, but we as a corporation needed to understand the impact of having non standard job descriptions on our ability to recruit new talent and retain existing talent. In the latter case we would be advancing individuals along a growth path the would make them viable for work only within our corporate ecosystem which for those savvy enough to realize this would impede their ability to be hired in to other organizations should their positions be eliminated here. My next target was our marketing efforts, specifically evangelizing within the cybersecurity community as subject matter experts. This meant not only blogging and publishing white papers, but also speaking at conferences and industry events. While the company had mechanisms for accomplishing this for its technology and development teams, it struggled to figure out how to support these activities for its security personnel in any organized fashion. Marketing the efforts of key security engineers and other individuals seemed anathema to the organization. Further getting approval to speak at conferences was usually a months long effort with the legal and communications teams that would result in delays beyond the point of conference submission and/or acceptance dates. Several of our team's senior personnel, myself included, found ourselves either leaving the speaking circuit altogether or speaking as non affiliated experts working for our own LLCs. It took another three months of pushing molasses up hill to get approval streamlined so we could actually showcase our talent without making the legal team apoplectic. Our last hurdle was training. Surprisingly the budget regarding training was the easy conversation at this time. The executive for whom I work recognized that we needed to spend on training if we wanted to grow and improve our capabilities. The challenge of course was how much to spend and what to spend our budget on. To me this felt fairly straightforward. I first needed to find a training provider that all of my peers agreed provided quality training and education. Next I approached that provider with my job descriptions and the KSAEs for them and told the provider that they needed to map our KSAEs to their courses so I could see which courses would allow our existing talent to grow their skills. A month later the detailed mapping was complete. I then negotiated a bulk discount for the training that was most relevant to our needs and put an enterprise contract in place. Lastly I distributed the course to KSAE map to my peers so they could plan their training for their respective teams accordingly. The end result of this six month labor of love was a focused strategic approach to security talent. Everything I had done was simply a repeat of approaches I had taken as a CISO in previous companies. Yet at every turn from my peers to my boss to the marketing teams to the training provider I heard the same refrain. No one has ever asked us to do this before. Most security organizations have a somewhat bipolar relationship with skills and training. On the one hand security leaders readily recognize the importance of a well trained resource. On the other hand training is often viewed merely as a perk to reward individuals. Training budgets are often the first thing sacrificed in times of fiscal belt tightening. Leaders often do not understand what training is best suited to advance an employee's skills either in their current function or to prepare them for a future role. And many leaders fear training and developing their team members past a certain point out of concern that they'll become more valuable targets for another corporation or organization to steal away. Remember that the current cybersecurity paradigm is to steal talent rather than to grow it internally. Benjamin Franklin said failing to plan is planning to fail. This truism also applies to talent and training. As security professionals we need to start linking the pieces of the talent chain together if we ever wish to break out of the non virtuous talent theft cycle we are currently in. This means one getting serious about KSAE based job descriptions, two making training a necessity, not just a perk, three mapping training to planned advancement in skills and abilities, four holding your teams accountable for demonstrating and executing upon these heightened skills and abilities after training, and five expending the resources starting with our time to plan to turn our teams in to talent creation engines. My 2 cents. [ Music ] On today's episode I'm excited to sit down with Jeff Welgan. Jeff is the CEO and founder of SkillRex and has been working for years to address how the industry evaluates both prospective and existing talent. Today's conversation revolves around examining how we as an industry evaluated talent and ask the question how do we address talent strategically. Let's get in to it. Jeff, thanks for taking the time and welcome. It's great to see you again, man.

Jeff Welgan: It's an absolute pleasure to be talking with you again, Kim. So thank you so much for having me on.

 

Kim Jones: I appreciate that. I appreciate that. So let's take a few moments and tell my audience about Jeff as well as tell us a little bit about SkillRex and what you're doing.

 

Jeff Welgan: Awesome. Yeah. Appreciate the opportunity. So my name is Jeff Welgan. I'm chief strategist and CEO at SkillRex. We are a cyber workforce intelligence consulting firm and fun fact. I used to work with N2K Networks. We used to do this at N2K Networks and I spun the capability out last fall. So before spinning this out I was the chief learning officer at N2K for several years from when we launched that as originally CyberVista. So I know you've had a couple of N2K folks on here including Ethan and the reversal interview the other day and my former boss Simone Petrella so it's an honor to be kind of among giants in this space.

 

Kim Jones: When you talk about, you know, talent and intelligence within understanding the talent pool, etcetera, one would make an argument that this is kind of a unique niche out there with the market space. So how the hell did you get involved in this, man?

 

Jeff Welgan: Yeah. Well, I think, you know, the evolution kind of came naturally over time. Right? So my background in cybersecurity -- actually the predecessor to my jump in to cybersecurity I was an intel analyst. I was in the navy for a number of years. I was an intelligence specialist during the time of 9/11. So 2000/2004. I was on the USS George Washington aircraft carrier. And I was also search and rescue so [inaudible 00:10:18] a little fun fact. So my trade at the core is analyzing information and putting the pieces of puzzles together and creating that picture. So fast forward. Moving out of counter terrorism work and operational intelligence that you'd kind of do in any military environment, I had an opportunity in 2010 to join Booz Allen Hamilton doing some contracting work for the DIA helping them out with their cyber threat intelligence capability. So that was really my entry in to it. And really my focus was really looking at national doctrines and strategic capabilities of nation states, particularly some in the Middle East, to look at capabilities. So over time that was really the core foundation of an analytic mindset around problems and solving complex issues for decision makers. Then I joined CyberVista which became N2K and I was pulling together -- I originally started as a -- pulling together the cyber risk program for boards and executives. And that's actually the first time I met you, Kim, because we -- we were out there in Camelback and you came to one of our sessions there. So that was a great opportunity to meet you and kind of, you know, put some of our content out there. But across that time my roll evolved and changed so I ultimately became responsible for looking at cyber talent using data analytics to start making more informed or smarter decisions about what to do for your workforce in this particular space with the idea that the data can actually point us to reasonable solutions or reasonable paths forward.

 

Kim Jones: So let's double click on that a little bit within the environment. Given that focus and given your history, I would love for you to take a half step back and tell me what are you seeing out there in the market space. What are my peers as CISOs doing? What are organizations doing? What are we not doing? What is the data showing you?

 

Jeff Welgan: The talent component is one segment like the -- when we think about talent component like talent management, the training, and all that, that is just one sliver of this entire ecosystem that spans from a number of activities on the talent acquisition side with recruiting through that talent management which means, you know, understanding job roles, understanding skills, positioning, training, up skilling people, all the way through retention. And there are a number of different stakeholders in that ecosystem that expand beyond just the cybersecurity professionals who are kind of looking at this ecosystem. Right? Or our component of it. So I think my view is kind of zoomed out a little bit because I work closely with cybersecurity teams. It's usually a CISO who's bringing us in to help them because the types of CISOs who really take a lot of value in this type of work are being very strategic about their workforce and how they're thinking about their workforce in two years. So they're not really thinking about them exactly at this moment today, but really planning for that strategic arc of positioning them for the future of the business. But that said, you know, I think once we kind of start working with clients the aperture expands kind of pretty drastically and quickly. Right? To see not just where the skills are in the workforce today or where some of the challenges or opportunities are to, you know, empower professionals, but what else is kind of broken in the process? Or what else can be improved across that ecosystem to make improvements for the business?

 

Kim Jones: So let's also drill down in terms of looking at talent strategically, Jeff. I'm going to bash my profession just a little bit. And when I do it hopefully from more of a data driven way based upon your experience in the market space what -- and I know this is a total swag. What percentage of CISOs are truly beginning to embrace the concept that you have to think strategically about your talent?

 

Jeff Welgan: Yeah. I can't give you a percentage, but I can say not enough. Not enough.

 

Kim Jones: Would it be fair to say that it's a significant minority?

 

Jeff Welgan: I don't know if I'd say it's a significant minority or even if maybe that's an unfair judgment to say not enough because sometimes I think there are a lot of CISOs who are thinking about --

 

Kim Jones: Actually I think you're being generous.

 

Jeff Welgan: But you know sometimes your hands are tied. And I think sometimes, you know, hands are tied by budget. Right? Or, you know, looking at your talent and what you're able to provide that talent from a training or --

 

Kim Jones: So I've got to push -- so I've got to push back just a little bit. You know, there's a -- if we're truly looking at a problem strategically and we're talking about linking in to the business and showing value, then we should be able to and we all understand that, you know, none of us prints money so that budgets are always a consideration, but what we end up is in a situation to say if I want more budget I need to show the value proposition associated with the training. And the end result associated with the business in terms of spending this money training saves me dollars in recruitment, saves me having to find a new body, creates a level of loyalty within the organization, increases morale, allows me to automate other things, all of the human capital model that's out there. You know, tons of things we can do. So when I hear that "My hands are tied," you know, my counterpoint is my hands are tied because you really aren't thinking about the problem strategically because you want the training, but you're not articulating the value of training which therefore means you're really looking at it at best operationally instead of strategically.

 

Jeff Welgan: Yeah.

 

Kim Jones: So are we just tying our own hands because we are failing to truly look at this from a value proposition standpoint or are there other factors out there and I'm -- and I'm the one being unfair to my colleagues who set the chair?

 

Jeff Welgan: No. I think you're right. I think you're right. And I think it's a value prop issue mostly. Right? You know, I think it's hard to communicate up to the executive suite and to the board why that investment has dividends. Right? And you say training, but -- and it is training. That's a component of it. But it's also other areas too. And I think that's, you know, one of our --

 

Kim Jones: Such as?

 

Jeff Welgan: So one of our goals at SkillRex is really to broaden the scope of this problem set so people see beyond just the training component because that is --

 

Kim Jones: And fair. And that tends to be the most visible one and the most budget heavy one, but when we talk other areas and components such as?

 

Jeff Welgan: Yeah. So let me -- let me kind of go on a story here. Your predecessor Rick Howard of CSO perspectives, you know, we used to be colleagues at N2K and Simone as well. And when Simone and I were kind of pulling together a lot of this like cyber talent insights component around how do we baseline skills and compare that to job role expectations to identify skill gaps it was really around to position training. Right? Maximize return on investment by focusing on the training areas where there's the most skill gap in relation to the job role expectations for where the team's at today. So when we brought that up and Simone had a conversation with Rick, you know, he made this really, you know, brilliant analogy of like, "Oh. It's the money ball approach to cybersecurity talent." And he was right about that. Right? So I think when -- what I'm looking at is kind of this combination of that concept of money ball, but expanded beyond just the individual and the team to look more at the department, the business units, and the industry or company at whole. So I'm positioning that we really need a sabermetrics, like a cyber metrics, for workforce across the board which includes, you know, talent and training information. Right? Like when -- when Bill James kind of created cyber -- or I'm sorry. Sabermetrics. They were really looking at different kinds of metrics for, you know, on base percentages and things beyond just batting averages. Right? And I think cyber as a profession or cyber workforce as a profession more broadly speaking needs to kind of take a different statistical approach to the entire ecosystem, not just on skill gap data. Although that's kind of the easiest place to start. But you said such as so like we can take data and metrics from, you know, applicant tracking systems. Time to hire. And weave all that stuff in. How well are your recruitings pulling in the right talent? All the way down to retention and culture issues. So there is data sets across that entire ecosystem that if we start to correlate with your talent itself and skill gap data then we can start to identify hot spots across that ecosystem that need repairing. Sometimes that's going to be training. Sometimes that's going to be on the talent acquisition side. Sometimes it's going to be a culture issue. And I think if we can get the data in front of decision makers so we can have powerful conversations about how do we be smart about the budget we have and focus our energy and time and investment in the most needed areas across that ecosystem then I think we'll start making some real progress against our cyber workforce challenges.

 

Kim Jones: Fair enough. Well, I'm going to push a little bit and I'll caveat this mainly for our audience versus you because you and I have been down this path and you know that much of what you're saying you'd have a lot of agreement with me because of some of the work we've done in the past and the conversations we've had in the past. But let me play devil's advocate out there. We're not the only technology field that's out there in the environment. We're not the only group of folks that have hard skills that may be perishable that require training within the environment. What makes us so unique that we have to go down this path when -- I'll pick on my IT brethren. I'm not aware of my IT brethren having this problem or this challenge. So what is it about us other than, you know, being prima donnas? You know and you know that forces us in to this situation when the vast majority of the folks out there in IT, and there are a lot more of them than us, aren't needing to do this. What makes us so unique that we have to go down this path?

 

Jeff Welgan: I think - well, first I would say I think every profession should take an approach like this, what I'm suggesting. I think it would only make us better. Right? And they did it with baseball players for crying out loud so, you know, if they can do it with baseball players they can do it with any other profession using that data to understand where to make improvements across that entire ecosystem. But I think what's a little bit unique about cybersecurity as a profession is we're still young. We're still a newer profession in the context of professions, especially if you like compare it to like the medical field. So we are I think still earning our sea legs a little bit of like how do we do this and do it well, especially in a profession that technology changes really, really fast. And, as such, we need to kind of evolve with those rapid changes on our skill sets to keep up with those technological advancements. So I think that's kind of a key part.

 

Kim Jones: Yeah. And again this is devil's advocate push back here. You know, I've been -- I've been hearing about how young we are for the 38 years that I've been doing this in the environment. And while statistically it is accurate compared to doctors, etcetera, it may not be as accurate in terms of just in general IT within the environment. They are older, I understand, but not much older than we are. And there's also an argument that says that an IT professional has the same rate of change that they have to deal with as we have to deal with in the environment. And while, you know -- while what you are describing would be useful there, there's a difference between utility and necessity. Given the shortages that we're dealing with here, given the lack of understanding as to what it takes to make a good cyber professional, we are in a situation where what you're describing feels like a necessity for us. And I'm not sure we can blame that all on the youth of our almost four decade profession within the environment. What's making us so unique here before I shift gears and talk about strategic planning for talent a little bit? You know, what's wrong with us?

 

Jeff Welgan: So I think what's different about us though is that, you know, I think with other professions and corporate environments you have the corporate structures to support those professions. Like and it's a little bit different with cybersecurity. Like and I'm really kind of driving at HR here. You know? HR, L&D, specific --

 

Kim Jones: That's where I was going next.

 

Jeff Welgan: Right. Great. We're going to segue in to it nicely. You know, I think the lack of understanding of those supporting components of an enterprise, the HR components and the learning and development team, around what the needs are for cybersecurity has kind of put the onus on cyber teams to figure this out by themselves. Sometimes that is out of necessity. Sometimes that's out of maybe just our own prima donna nature and, you know, alpha, you know, nature as well, just kind of being in control of some of that. But there has been for quite some time now this distance between L&D, cyber, and HR. And when we're working with customers it's 9 and a half times out of 10 we're being brought in by the cyber team. Not an HR team. And when we have conversations with the HR team they believe they've kind of got their hands around this. But if you talk to the cyber team they're like nope they don't because we're doing 95% of it. Right? So I think there's some despair or maybe despair's not a great word, but also just like some overload. Right? Overload of responsibility. You have to do your day job, but then you have to figure out this workforce problem on your own too. And, you know, I think that creates a sense of urgency around the problem set combined with, you know, the open positions, the supply and demand issues, and all the other things that we're seeing across this entire ecosystem and some of the pipeline opportunities to come in to this field which you've talked about in some of your other episodes already. [ Music ]

 

Kim Jones: So let's -- let's poke at that a little bit because when we talk about thinking about talent strategically collectively across the board and this great segue as you began to mention, HR, there's an argument that says business has been thinking about talent holistically strategically because your human resources or chief people officer person is usually in most organizations a senior executive position directly reporting to the chief executive officer within the environment. That indicates a business understanding the need to think about the problem strategically. I love what you said, Jeff, in terms of that sense of HR feels it has a handle on it yet cyber feels it doesn't have a handle on it indicates that level of disconnect between the two entities. So I've got a group of people whose job it is to think strategically about talent. And I have a profession that is at least as old if not older than mine that has been doing this thinking strategically about talent. Yet for some reason there remains a disconnect as they think about this new talent base here. One has to argue or consider that that's not an HR problem as much as it is a security problem in terms of us deciding and then communicating what's important to us and how we go get those important skills or abilities within the environment. You know, it gets back to the conversation that I've had in previous podcasts and with you. We've come up with these great KSAE frameworks that nobody seems to want to use within the environment because every CISO thinks he or she is a special snowflake in terms of their needs for the job and the environment. So are we perpetuating the problem regarding thinking about cyber talent strategically because we won't converge on what good cyber talent looks like, feels like, and how it comes to be? I'm curious as to your opinions on that.

 

Jeff Welgan: I think that's spot on. That convergence is the problem. You know, we do have different opinions, strong opinions in some cases, around, you know, how or what kind of talent we need or what we're looking for in the talent. You know and like I'm thankful for that [inaudible 00:28:35] you've had so far where you're talking about, you know, to cert or not to cert. Right? Like those are -- that's a one little tiny component of an opinion piece that, you know, thousands of CISOs share. Right? Like where do they fall on that? Are they kind of on the hybrid side or are they kind of like, "I don't really care about certs." Or do I really put a lot of value in those? Or are they forced to care about certs because they need to follow like 81-40 or something like that? The convergence is a problem and we're seeing that right now too in the space around workforce frameworks. You know, I know you are familiar with the NICE workforce framework.

 

Kim Jones: Oh yeah.

 

Jeff Welgan: But there are more and more skill frameworks popping up. And right now, you know, and coming fresh out of a NICE conference, you know, and as a team here at SkillRex, we want to be able to pivot, you know, across any number of frameworks. We want to be a Rosetta stone across them so that if you're using the European cybersecurity skills framework or the Australian one or the Saudi Arabian version of the NICE framework like we can make sense of it all. Right? So that is another problem set too is kind of like well what skills are important. How do you -- what taxonomy are you using to articulate the skills needed for these particular job roles? Do they align with the rest of the job family classifications and pay banding? So, you know, that's why I say like this problem set is a bigger ecosystem issue because it's connected to all these things. And if we don't have the data to kind of help us zone in and, you know, converge, as you mentioned, on an approach that makes sense for this particular profession or set of professions then I think we will continue to spiral and spin wheels, you know, in our own opinions on how to manage it on our own.

 

Kim Jones: I guess my next question would be -- and it again gets back to articulating the value. So can we look at other industries, other talent mapping efforts, etcetera, outside of cyber that can say, "If you do this, value proposition is you'll save in time to recruit." You'll save in, you know, cost and overhead for X. You'll increase turnover for Y. So while I can believe that doing these things will show that value, putting in a couple of bodies, the more senior ones being paid probably in the low six figures, to focus just on this problem requires a level of commitment in terms of business value that many organizations would be struggling with. And asking, "Why do I need that since I got this group here called HR within the environment?" So how would you go about articulating that business value to support, you know, your proposition to say that what you need is you need one to three people doing this full time for a certain amount of time, if not forever?

 

Jeff Welgan: Yeah. I think it's -- forgive the analogy here. So we need to throw the pebble in the pond. You know, when you throw a pebble in a pond it has a ripple effect. Right? And the pebble for us starts with work role analysis, really understanding the core expectations from skill sets perspective for any given job role at any given level. That's like the step one. And then there are ripples out from there. So once you have that data you want to understand well like now I know what I need. What am I going to do with that data? Well, I can go back to my job descriptions, as you mentioned, and update job descriptions based on an analysis of the expectations. But then two you're going to want to understand where are my people compared to my expectations. So you're going to want to go through some sort of measurement whether that is a self evaluation or through a diagnostic or using data from labs. Whatever the data is that you have to start getting baseline metrics of people's current skill sets in those roles. Then you have that. You can overlay that to the skill expectations and find skill gaps. Now we're starting to get to a spot where you have value prop return on investment. You look at your training ecosystem. You say, "Well, who in my training ecosystem can fill these critical gaps that I have on these teams or for these individuals on these teams?" Right? Now you're positioning a better value for the organization by using your training dollars, you know especially if it's by like being spent per head, right, if you're looking at like a sans [assumed spelling] model, you're going to send somebody through a sans training, you're spending per person on that training and that voucher. So who actually needs what kind of training? Now we're, you know, improving our actual capital expenses towards, you know, how do you utilize the training, but also you're making improvements on the overhead costs by focusing on training that matters most to the individuals or to the teams. Right? You don't want to put them through a bunch of training if they're already proficient in those areas. Let's focus on what most matters to the business where there are critical gaps. So we're spending less time in training or I should say we're spending that valuable time on the training that matters most while not spending time on training that doesn't matter which means they're doing more of their job that they've been hired to do. And then the ripple continue. Right? Now you can start to start looking at data saying, "Well, let's start bringing in KPI data for the business."

 

Kim Jones: Makes perfect sense. So I'm going to give you the last word. What is the one thing you would either like to double down on or the one thing we haven't talked about that you would want the audience to hear?

 

Jeff Welgan: Yeah. I think I -- it's kind of two things. I would like to double down and add. So, you know, mentioned the money ball approach. I think, you know, what I'm positioning is that we need a new model, a data model, for cyber workforce. We're trying to figure that out right now. That expands beyond just skill gap data and training. It goes in to these different areas of the workforce ecosystem including ATS, you know applicant tracking system, data, business APIs. Bring all of that stuff in to one. So a model. Right? And that's where money ball comes in. But I really, really have been latching on to big ag, big farming, and how they take approaches to create better yields for their agriculture. So I love the concept that big farmers use when they're using data driven data science approaches to make their farms more sustainable. So I've been using a lot of lexicon around the agricultural field of like sensors, treatments, yields, and sustainability and translating that back in to the cyber context. You know, so if we're thinking about big ag and sensors they have a lot of sensors that they use to improve crop harvest. Right? And yields. Like soil sensors, pH levels, humidity, environmental sensors. All this data that they kind of look at we have that in cyber too. The ATSs, labor market data, HRIS systems, LMS systems. There are a whole bunch of sensors we have at our disposal that we haven't leveraged yet. If we're looking at treatments in the farming concept that could be like targeted fertilization or precision irrigation, pesticide application. Same is true on the cyber side. There are lots of treatments that we can do including job architecture standardization or skills assessments, learning paths, career progressions, mentorship programs, etcetera. So we have a lot of different treatments that we use in cyber to make improvements to our harvest, our harvest being our people. Right? And then the ultimate goal is to have better yields. You know, you want -- you know, in farming they're looking at crop yield per acre or input efficiency harvest quality, etcetera. For us in the cyber profession it could be internal mobility rates, skill proficiency increases, role readiness, retention rates. The list goes on and on. So I like that construct that agriculture uses when they're thinking about their yields and their farms and applying that in the same way to the cyber profession because I think it's pretty straightforward when we think about it in these, you know, sensors, treatments, yields, and what do you do sustainability wise across the program year over year to make your cyber workforce programs as efficient and effective as possible.

 

Kim Jones: And Jeff we're going to leave it at that. Thank you so much for coming. We appreciate your time and talking to our audience about this topic. We appreciate you.

 

Jeff Welgan: Absolute pleasure, Kim. Thanks for having me on. [ Music ]

 

Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the "CISO Perspectives" page to read our accompanying blog post which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from "CISO Perspectives." This episode was edited by Ethan Cook with content strategy provided by [inaudible 00:38:28] produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing sound design and original music by Elliott Peltzman. I'm Kim Jones and thank you for listening. [ Music ]

CISO Perspectives (Pro)
Podcast Info
HOST(S):
Kim Jones
Kim Jones is an intelligence, security, and risk management expert with nearly 40 years of experience in information security strategy, governance and compliance, and security operations. He has built, operated, and led security programs across industries, and is the principal architect of one of Arizona State University's cybersecurity education programs. Kim also teaches in SANS' leadership curriculum and UC Berkeley's MICS program. He holds a B.S. in Computer Science from West Point, an M.S. in Information Assurance from Norwich University, and CISM and CISSP certifications.
Schedule: Tuesdays (in season)
Creator: N2K CyberWire