
But what do you really want?
Kim Jones: Welcome back to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. This past season, we've pulled the deep conversations out of the conference bar; tackled these complex issues from every conceivable angle. [ Music ] And throughout the season, we've examined many of the challenges surrounding the cybertalent ecosystem. Today we ask the question, but what do you really want? Let's get into it. [ Music ] On today's episode I'm excited to sit down with Ed Vasko. Ed is the CEO at Highwire Networks and has been a serial entrepreneur and successful CEO in the cybersecurity space for years. Today's conversation centers around examining what business leaders want from prospective cyber talent. As someone who has both hired security professionals and advised leadership on how to address talent needs, Ed is uniquely positioned to help us answer the question of what do you really want?
Ed Vasko: Kim, it's a pleasure to be here; looking forward to the conversation.
Kim Jones: Likewise. So, you know, you and I have known each other for over two decades now, but my audience hasn't had the privilege. So take a few moments and tell them about Ed Vasko if you would please.
Ed Vasko: Sure. I mean, I'm CEO of Highwire Overwatch. We are a nationally-focused MFSP, about a thousand customers around the country. I've spent for the last 33 years as both a practitioner and five times CEO of different cybersecurity companies. I've worked across 12 of the 14 critical infrastructure sectors -- or critical sectors of the US economy. And really have had a wonderful career talking to and working people such as yourself, Kim, throughout the country. I'm kind of, ultimately, if I can describe it, I'm just the bad guy [inaudible 00:02:31].
Kim Jones: [Chuckles] Amen. Amen. It's that CEO experience, and you've done some other things that I will probably bring up as we just, you know, have a conversation, but it's that CEO experience, Ed, that I want to hone in on a little bit for this conversation. You know, we've been talking a lot about the cybertalent ecosystem this season. In fact, this entire season's about the cybertalent ecosystem. And we've been looking at it from various angles, from certification, to do we need college or not? But the one group that we haven't talked to yet are hiring executives. And given what you have done, you have seen lots of resumes cross your desk from entry level to mid-tier to even senior executive to work for you. And you've supported CISOs in various sectors as hiring managers in helping them, among other things, solve some of their talent issues, etcetera. So, what I really want to get into is let's cut all the noise out. What do you really want or looking for in talent? And let's start that from the entry level position. A brand new person who this is their first job, or they've only been in cyber for a year and are coming over, etcetera. And they put a resume in front of you. What do you want to see? What do you want to know, you know, to consider even giving them half a minute of your day to take an interview. Talk to me.
Ed Vasko: Yeah. I know. It's a great -- great question and it's a great segue. It's -- and I purposely didn't talk about one avenue of my career track; except I think it's going to be very useful as a kind of story. My last business that I exhibited, I sold to private equity in 2018. And, you know, we were a national NSSP, you know, we were top in the country, and you know, constantly looking for new, fresh, cybertalent. And this was back in 2018 when I sold the business.
But as we were actually building the business from about 2008 to 2018, you know, we were constantly looking for new avenues, new pipelines, new pathways of entry-level students, or entry-level workers. And it's a weird challenge. You know, especially in that -- in that decade, a weird challenge, because many of these colleges and universities that that timeframe did not have what I would call robust cyber programs. And so we were headquartered in Arizona, and I took the -- I took the initiative at that time to go reach out to universities and colleges throughout the [inaudible 00:05:26] and tried to enable both internship pathways, apprenticeship pathways, and really tried to lend a hand as it relates to curriculum, industry-focused curriculum, so that ultimately not only my business, but you know, the ecosystem within Arizona at least could be bolstering through that kind of outreach and that kind of, we got kind of, I think, relationship. And what we kept finding consistently was that we would bring in the best and brightest, most passionate cyber-related talent throughout the state, and consistently found that these students who wanted to get into this career path at an entry level, still lacked critical experience, critical training, critical understanding of the what and how of being successful. And so like many of my competition, like many, you know, operational stocks and service providers, such as my -- such as my call of business, we went through the process of us actually establishing an internal university of sorts. That we would take in fresh college grads, fresh interns, convert them to workers -- to entry-level workers, and still put them through a six-month training cycle and enable them to get certifications, and enable them to get the necessary baseline training that they simply just weren't getting in their -- in their college, in their college experience, or even, you know, just normal, you know, non-college experience. 
After the acquisition of my last business, that got me thinking. And that kept -- that kept kind of running through my mind. It was a passion for me. It was like, how could we ever expect as a country to really fight the fight that we need to, and defend the nation the way we need to if we didn't, and couldn't get the workers out of our key education partners, or even key education pathways? We couldn't simply get those workers to come in ready to fight. And, you know, if I -- if I use a military analogy and you'll correct me because I -- I didn't ever have a chance to serve, I chose not to serve, and you did, so you're going to correct me here. But effectively, this would be, like, if we -- if we relied upon basic training to give infantry -- infantry soldiers an understanding of how to shoot a gun, how to crawl through muck, and how to do certain kinds of basic things, and basic training was failing to produce the type of infantry we needed in -- in, you know, on the battlefield. And that's effectively what we have and had, in 2018. And I would contend, still kind of continue to have of the nation.
Kim Jones: I -- I want to inject here before I lose this point, or to ask a question of you. That -- that is an absolutely fabulous analogy, and so well done on your military analogy. So let me take it to the next step. It seems to me though, and we've had guests here, and you know, Dr. Laura Ferri [phonetic] who is one of my guests as well, that part of the challenge here, for those institutions, in terms of providing what we supposedly want, is an understanding of what we want. You know, I know that at basic training, I need them to be able to shoot this standard array of weapons out here. And if they can do that, they're -- and -- and understand what a salute report is and what [inaudible 00:09:20] training is, etcetera -- the acronyms don't matter, that that will meet the needs.
Ed Vasko: Yeah.
Kim Jones: You know, part of the challenge that, you know, we seem to see now is you ask 15 CISOs what we need, and you get 457 different answers. And it seems that if I don't meet the answer that exactly what this particular individual wants, then the value proposition is considered limited. And you and I have been in rooms where people have said that -- and I've talked to, you know, senior executives in security consulting firms who have said, you know, they leave college, and they don't know how to do anything.
Ed Vasko: Right. Right.
Kim Jones: -- and therefore, we don't -- you know, yet won't define what it is you want them to do other than to run your specific tool. And we all understand that universities can't focus on running your specific tool versus understanding both the theory and being able to have the grounding to do that.
Ed Vasko: Right.
Kim Jones: So I -- I love the analogy, but how do we solve that? You know, even in an academic setting, when we don't seem to know what the hell we want?
Ed Vasko: Yeah. It's a great -- it's a great question, and -- and great piece to kind of next half of the story, and I think the outcomes that were achieved and --
Kim Jones: At least.
Ed Vasko: So as I mentioned, you know, I -- I had this thesis, how do we improve the type of -- of worker we're getting into a career path and into -- into an entry-level pathway. And so I had the opportunity to -- to depart the business after the acquisition and take on a different thesis, and that was again, how can we improve the pipeline of cyber workers coming into this career with a -- with a partnership with academia? And so I had a chance to go work with Boise State University in Boise, Idaho. You know, they've traditionally been known for their blue football field. And I was brought in to run an institute that focused on working with faculty and working with industry, most importantly, working with our students to build out experiential pathways. What do I mean by that? Well, what it comes down to, and my thesis is -- is straightforward, I think, and that is at the entry level, we've seen a -- a real strong focus on both the degree pathway and on embedded certifications. You know, so a -- a student comes out with let's say, an associates or a bachelor's degree, and they've got, you know, three to five industry certs, you know, security plus, net plus EPH, so forth and so on, and they've got this, you know, alphabet soup acronym name. And they would come in and they would conduct interviews, they'd go through the process of interviewing with my team, with myself, with other -- my peers and, you know, your peers, Kim, across the country.
Kim Jones: Yeah.
Ed Vasko: And inevitably, what's lacking? The one thing that's lacking in that process is the third leg of the stool. And the third leg of the stool is experience. It's actual understanding and operational awareness of what needs to be done and how it needs to be done. Not lab. Not -- these aren't -- these aren't skills and knowledge and experience you gain in a lab, because a lab is not real world. A lab doesn't all- a lab allows you to reset the button, you know, to press the reset button and reset the lab and get it right. Real world consequential experience is what's been missing, I would contend, in our career pipeline and our [inaudible 00:13:13] --
Kim Jones: So let's -- let's -- let's double click on that then. Real world consequential experience. So there are a couple of things that that seems to indicate. Well one, we -- we need to talk about the definition of consequential and how that can vary amongst folks, because in some cases, consequential tends to mean focused experience within the particular area of cyber that I'm hiring you for. But there's also the piece that says it seems that what that is saying is since the idea behind an educational pathway is to get the job to get the experience, that are we saying that there is no such thing as an entry-level position and cyber, because we expect that everyone comes in with some level of experience? And if we're saying that, you know, then that's fine. But --
Ed Vasko: Yeah. Yeah. Yeah.
Kim Jones: Well, talk to me.
Ed Vasko: The -- the sector metaphor, and the workforce metaphor that I have aligned to is the medical -- medical program; medical pathways.
Kim Jones: Okay.
Ed Vasko: You know, we anticipate and expect our medical professionals to not only get lab, you know, and skill development through classrooms; skill development through labs, where they're able to press that reset button --
Kim Jones: Yeah.
Ed Vasko: -- and get the procedure correct. But --
Kim Jones: But their third year is basically all working practical applications.
Ed Vasko: That's exactly it. That's exactly right.
Kim Jones: Okay.
Ed Vasko: And so ultimately what we're lacking in our academic structure throughout the country is a focus -- or have been lacking, let me say it that way -- have been lacking, is a focus on that experiential pathway, that experiential learning so that they can apply the practical experience that they've received in lab and the knowledge that they've received through classes in a real world situation.
Kim Jones: Let's double click on that, not just on the academic side, but it's also worth remembering that that works because it is an expectation of the profession such that the hospitals that are looking to receive these new doctors understand that part of this process is you're going to take on an individual and put them to work doing real work. I have seen a reluctance. I'm wondering if you've seen the same reluctance amongst our cyber brethren. We still have Fortune 500 companies who it's too hard. We don't want to take on the liability. If they do something wrong, then we're going to take the blame, etcetera, and don't want to do that. So is it just the academic side, or if what you're saying conforms to what we collectively believe, why the hell aren't we doing it as a profession?
Ed Vasko: Well, and that's a great -- that's a great question and that's actually kind of was one of the challenges of bringing experiential learning into --
Kim Jones: Yeah.
Ed Vasko: -- the programs at Boise State. Yeah. But the realization, the epiphany for me was that just like in medical -- in medical space, we have training hospitals. We have training programs that are not all medical -- I mean not all hospitals -- not all doctors' offices, except residents, you know, except residences. There is, you know, there are a select number and it's -- it's by that selection process that the industry within the medical program gets -- gets moved forward. And so there's this self-selection. And most of these teaching hospitals are attached to a university.
Kim Jones: Yep.
Ed Vasko: They are attached to a, you know, they combine the academic program and the experiential learning program. So I took the same kind of metaphor, you know, the same kind of alignment and said, well, the benefit I have here is that I'm attaching to a university. They've given me the opportunity to build these kinds of platforms. Let's say, you know, in your experience as operational cyber leader, you know, would -- would you be willing to allow early career professionals that opportunity to come in into a commercial SOC or into an operational SOC, like you run, and has [inaudible 00:17:53]. You know, I doubt you would. And I -- I realized you know, you're the exception. But everybody else we've ever talked to across the country would typically say, I'm not about to have entry-level --
Kim Jones: Right.
Ed Vasko: -- you know, not -- not even level one analysts, these are like level zero to the level point five analysts in my SOC to drive consequence. [ Music ]
Kim Jones: You, as a CEO, are breaking on experience. Not just knowledge, not just certs, but just, you know, real world, you know, tangible, hardcore, constructive experience -- experience. You've created a model, and at least created one example of a model where academia can create an environment to provide that experience a la the medical model or analogy that you used earlier, and do it in a way that serves underserved communities within cyber by creating real world SOCs, providing information to smaller communities within the environment in a -- you know, that provides real defense with real consequence within the environment. So there are a handful of questions that come up from that model. The first question is, if you know, that model seems to indicate that the pathway for doing this is through some type -- not even four-year -- but some type of acade- a higher -- institute of higher learning within the environment, which can fly in the face of some of the things that our community has supported, again, starting back in the 20-teens in terms of migrating out of other job families into cyber boot camps within the environment, spot-training within the environment to gain the skills that you need. So let's put the academic piece in terms of this model aside. But I'm -- I'm going to push on the point and say, you know, based upon your model, do you believe that these other things that the profession, the industry, has been pushing on in the early days of oh my god, we have a talent shortage, are viable methods to transition to cyber?
Ed Vasko: So, you know, that -- at the heart of your, at the heart of your question that leads to the are we a techni- are we a technical field or are we a profession? And --
Kim Jones: Oh yeah.
Ed Vasko: And -- and I'm going to -- I'm going to make the CEO decision and not waffle. I lean towards the idea, and I -- not even lean, I -- I expect that we are a profession that has --
Kim Jones: Okay.
Ed Vasko: -- a technical representation. We have an opportunity to ensure that the pathways we create allow for people of not just diverse background, but diverse skills to engage in this field and achieve certain kinds of milestones at a career level. Is that to say that anybody -- that everybody should have a degree? No. But in the same fashion that not every single baseball, basketball, volleyball, pick this sport, player plays at a professional level. You have to recognize that those professional players that do play at the professional level, where is it that a high school orientation is going to take you to the professions?
Kim Jones: Okay. Okay.
Ed Vasko: And so if we -- we kind of align both of those aspects and, you know, I -- I will not just lean, I'm the -- I'll solidly be in the camp that says we are a profession. If we don't treat ourselves as a profession that has technical orientation, then we're ultimately redelegated into a position that's -- that doesn't have business orientation, that doesn't have all the other things that, Kim, you know, we -- I'm sure -- I know you've talked about in other -- others podcasts --
Kim Jones: Yeah.
Ed Vasko: -- we talked about for years. The interesting thing that we had when we set up the experiential SOC in Boise State, and throughout Idaho was it served all of Idaho, was that we engaged not just Boise State students, but we engaged two-year community college students, we engaged master's degree students, we engaged other institutions of higher learning. So it wasn't just Boise State, but our community colleges, our other four-year institutions across the state, were able to join into this program. And we ultimately then had, you know, non-profits that align to different -- different communities. Service members that were -- military service members that were transitioning back into civilian -- into the civilian sphere that didn't necessarily have degrees, but they had experience, wanted to come in and volunteer so that they could put on their resume that they had experience working in this particular environment. We welcomed them with open arms.
Kim Jones: Okay. Fantastic.
Ed Vasko: So -- yeah.
Kim Jones: That -- and I -- and I think that gets to you -- you've answered one of my follow-on questions, which would be if I don't necessarily have the opportunity to go to an institute of higher learning, how do I get that meaningful experience? And reflecting back on what I think you're saying is, you've created something that was beyond just supporting Boise State. By creating this entity, it created opportunities for other entities, academic or otherwise, to bring people in to give them that level of experience. Am I reflecting that back correctly?
Ed Vasko: Yeah. I mean, again, the -- if I -- forgive the simple CEO metaphor, because I'm -- I'm the -- the kid at CEO, you -- my -- and if you think about Dilbert, [background laughter] I'm the pointy haired boss that -- I'm the pointy hairs bo- I'm the pointy haired boss [background laughter]. So not only do I have an etch-a-sketch, you know, I have a rock and a -- I have a rock and a piece of chalk, you know? So with that mindset in mind, you know, I look at it and say the simple metaphor is the best possible worker that we can get to and join this career path has to have the necessary knowledge from classroom. Has to have the necessary skills and certifications, the classroom being, you know, a degree pathway. Has to have the necessary skills for -- achieved through different labs or different certifications, or whatever the case may be. And then ultimately the third leg of that stool is experience. They have to be able to have a place where they could apply that knowledge and skill development in a way that helps industry hiring managers. Myself, yourself, you know, our -- our listeners across the country, gain the awareness that this person in front of them actually can do the work that they're asking them to do.
Kim Jones: So let me shift tack a little bit, and given the model that you have implemented around the thesis that you have proposed, I have two challenges that I -- I would love for you to address. One is the purple unicorn theory. We -- we still have a lot of -- of hiring managers. And I know you've run into this when you were at Boise; I ran into it at Arizona State. In other words, that -- and -- and other places, where you have hiring managers who will bluntly come out and say, well what we're really looking for is a purple unicorn and those aren't exceptions within our environment. So how do we as the profession, we are a bright purple unicorn theory? That's one question. The other question is academia is slowly -- operative term being slowly -- beginning to look at the model that you have laid out. And you know as well as I do, there are only a handful of schools that have even begun to embrace the model that you've put forth. And your success in that model was after three tries in other institutions to implement same [Inaudible background comment], and me being one of them.
Ed Vasko: Yeah.
Kim Jones: How do we as a profession persuade academia to adopt this model? And, you know, the caveat being the -- and we -- we've both seen this said, the model that exists in terms of reward and compensation in academia seems to differ from the one we're laying out, and by the way, as a profession, we're hiring these graduates without them doing anything differently.
Ed Vasko: Yeah. No. Great. So I would say, you know, enabling collaboration on a multi-state-wide basis. Taking the banner into different academic programs like the academic accreditation, programs like the NSA's Center for Academic Excellence program. The good part, the good news out of all that there is change occurring within the academic accreditation programs that the NSA is putting forward. There is now a need for showing how degree programs, you know, accredited degree programs from the NSA actually do have a -- an experiential alignment so that the work being done in the classroom can be shown to potential employers that this is the wor- the work that's being done, can apply to your job, or your job means in the following fashion. And more importantly, enabling these -- our students to be able to communicate that in an effective fashion. So there is this kind of -- of change occurring, and that's great news for us as an industry. The functional challenge that we have is that industry and the hiring managers and, you know, hiring executives across the country tend to look for those purple unicorns, like you said. And the real unfortunate challenge we face as a result of that is -- is that there's not a communication because cyber, unlike medical, unlike the medical profession, cyber has yet to codify itself. I would contend, and I would argue that we've yet to codify ourselves in a way that a -- that the medical program, medical degree, and even like legal and accounting have. And the scenario and the metaphor I would use, or the -- the question I'd ask is, you know, would -- would any solid hiring [inaudible 00:30:23] or [inaudible 00:30:24] executive across the country that's worth their salt go and simply -- go out on the sweep, have faith in somebody passing by, hey, I've got this contract issue. Can you take a look at it for me and give me a professional legal opinion? And the answer, I know collectively, they'd be no, that they wouldn't do that.
Consequently, the next question I'd ask would -- would you turn around and go walk along the street and say, hey, person I'm passing by at random, you know, I have this -- I have this bleeding head wound, let's say. Can you help me fix it? And -- and the answer's probably, you know, maybe you'd get the right person, you know, in both cases? Maybe you'd get a trained attorney, maybe you'd get a paralegal that could look at that contract. Maybe you'd get a medical professional help you with the gaping head wound. But more likely than not, you know, you're trying to engage somebody who doesn't have the necessary experience bringing in codification skills necessary to give you and render a professional, qualified perspective. And therein lies the challenge. Because we don't have that codification and that professionalization. Again, this concept back and forth, are we a technical field or are we a profession? That's why I lean so hard on the fact that we need to be, and will be, and have to be a profession first. That by doing that and knowing that in this profession there are efforts. There are structures. There are methods that are now being undertaken at a national level for ac- accreditation that aligns to the type of professional that can be developed at an entry level and come into this field and through his career track in an entry level with the experience mapping. That it's on -- it's on us as an industry, it's on -- it's on our hiring organizations to demand that there's qualification of the people being hired, and that the people being hired have appropriate experience.
Kim Jones: So why don't we want to? Because I would contend that I -- you know I agree with you on this one.
Ed Vasko: Yes. Yeah.
Kim Jones: And I understand the history behind it because I'm an old fart, but I -- I would contend that there is still a very loud hue and cry within our big air "profession" that doesn't want to do that. Why?
Ed Vasko: We're still young. We've got to recognize the fact that even at--
Kim Jones: Oh I --
Ed Vasko: -- 40 -- 40 or 50 years old we're still young in comparison to the medical field or the legal field.
Kim Jones: Is it? Ed, I've got to push back a bit. Is it youth or -- is it youth or fear? Because remember, from a historical standpoint, you and I've had this conversation. The fear is that if we put requirements on because we didn't know what we needed, we would close off potential avenues for access and talent. Now, yes. We are still young in comparison, but we're not making aggressive moves as a profession. Even amongst the 500 -- Fortune 500 CISOs out there, to actually standardize within the environment. And where standardization is created, everyone wants to tell, or -- or talk about how what they're doing is so different and so special, despite the fact that we're still solving different variations of the same problem that you and I have been fighting for over three decades. So, there's a point here where I have to push as the cantankerous old fart and say, youth makes a great excuse. I'm not sure it's a full reason anymore. Talk to me.
Ed Vasko: Well -- well I would probably, as a cantankerous old fart myself, I would probably say that youth is a larger than 50 percent reason, and I mean youth of industry. You know, when you do the comparative analysis to medical, legal, accounting, you know, we're talking 50 years versus multiple -- in some cases, multiple centuries. You know, going so far back as, you know, Hippocrates and so forth, so you could, you know -- a millennia.
Kim Jones: Yeah.
Ed Vasko: The reality is that we have and are embedded in this aspect of uniqueness. Every single business is unique.
Kim Jones: The only issue is that the level of impact has begun to increase, and why haven't we solved this problem? So, it's a fair -- it's a fair observation. Ed, you get the last word. What's the one thing you want to double-down on, or the one thing that you want to make sure our listeners hear from you or discuss that we haven't discussed yet?
Ed Vasko: Well I -- first and foremost, Kim, I can't thank you and your team enough. It's been a real pleasure. I hope that the conversation's been helpful to your audience. I hope it invigorates some conversation across the country and just a huge, huge thank you for the chance to sit down and chat. If I could wave a wand -- if I could truly wave a magic wand and have a structural impact, it'd be to actually create a key baby step that we need at a national level to achieve what I've -- I've -- that metaphor I've talked about, about three-legged stool. And it's a recognition at the state -- across all 50 states and all US territories, that at the state-wide level, there is a huge opportunity in front of us to start tackling the workforce needs that we have, and that is through these kinds of experiential learning opportunities. The creation of state-wise, whole of state SOCs. That connection employ and engage interested learners and do so in a way that those learners, they experience become solid workers and solid career pract- practitioners. If we start there and we start creating success there, that our -- our commercial and employer communities, and you know, the commercial SOCs and commercial pathways and operational pathways, we'll start to recognize that this has success and has value, [ Music ] and can start turning this tide eventually of -- in the war that we're effectively losing, and have been losing for decades.
Kim Jones: Yep. Ed, I really appreciate you giving us the time and the opportunity and your wisdom. Always good to talk to you brother. [ Music ] And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cooke, with content strategy provided by Myon Plot [phonetic], produced by Liz Stokes [phonetic], executive produced by Jennifer Ivan, and mixing sound design and original music by Eliot Pelzman [phonetic]. I'm Kim Jones, and thank you for listening. [ Music ]
