CISO Perspectives (Pro) 7.8.25
Ep 140 | 7.8.25

Bringing it all together.

Transcript

Kim Jones: Welcome to the season finale of "CISO Perspectives". I'm Kim Jones, and I want to start by thanking you for joining us throughout this incredible journey. Over the past season, we've taken the deep conversations out of the conference, or more realistically, the conference bar, and brought them to the forefront. We've unpacked the complexities of the cyber talent ecosystem, heard from a range of thoughtful voices, and challenged conventional thinking from every angle. Today, we're closing out the season with a special twist. I'll be turning the mic on our very own Ethan Cook. Ethan is the writer, researcher, and the sharp mind behind many of the conversations you've heard this season. He's been with us behind the scenes, and now he's stepping into the spotlight again to share his reflections on the season's biggest insights. Let's get into it. [ Music ] The last time you and I did this, Ethan, the roles were reversed. Got to tell you, I'm much more comfortable on this side of the mic, so -- [ Laughter ] So welcome, and how are you doing?

Ethan Cook: I'm doing well, Kim. It is a beautiful day in the DMV area, so I can't complain.

Kim Jones: All right. All right. So, you know, you and I came together and met as you were doing the production work and the uplift work and the editorial work on this podcast. What was your exposure to cybersecurity prior to taking on this role?

Ethan Cook: Yeah, great question. So traditionally, little to none. I, you know, I graduated from college and had literally nothing to do with cyber, and, you know, as we've kind of found throughout the show, everyone seems to find, stumble their way into cyber, and so I would say I have an understanding. Not a technical understanding, but an understanding.

Kim Jones: Cool. Cool. And that's one of the reasons I wanted my audience to understand and one of the reasons I wanted you to do the season wrap up with me, because you will be as close to having a non-biased tabula rasa view on the topic and the things you've heard, et cetera. So I'm hoping we can turn this episode into a, for lack of a better term, a highlight reel as to some of the guests, some of the themes, et cetera, from someone who is taking a big, air quotes, "outsider's view looking in", versus the biased, cantankerous old fart who's actually hosting [laughs] within the environment. So let's take a larger step back first, and take a look regarding the theme of the cyber talent ecosystem as a whole. Given what you have heard, read, researched, because you run my blog, what are your thoughts regarding the ecosystem as a whole, before we start deep diving on different portions of it, Ethan?

Ethan Cook: Yeah. So taking a step back and looking at it from a zoomed out view, I would say the first thing of my observations is fear. There's a lot of fear in the ecosystem right now, where it feels that people are unwilling to take a risk, whether that be on developing training and development programs, because they are sinking a lot of money in that could go somewhere else, whether it could be fear of upsetting other C-suite members and kind of rocking the ship to a degree, whether it is fear of bringing on someone who is maybe not the perfect employee. Maybe they're fresh out of college or a year out of college, they don't have a ton of technical experience, or the technical experience that you, quote-unquote, "need right away", and they may make a mistake. And because of that, you just choose to not do that and go for a very seasoned and probably more expensive person. So first observation I would say is fear. The second observation that I would say, is opportunity. While there was a lot of, you know, talk throughout the season of, wow, you know, this is a problem, that's a problem, none of it ever came away with, this is an unsolvable problem, or this is something we can't fix or we can't address or we can't do something about. It's more so, we need to come together as a group, whether that be in a quote-unquote "system", like a medical system, or like the bar, that was coming up a couple of times, and have a consistent defined way that we want to approach this, or acknowledge that that's not going to happen and be content with the results of that. None of it ever felt like, oh, this is a, we just have to accept the fact that we are never ever going to get the budget we need, or we are never ever going to get the perfect talent pipeline or whatever. It was, we have to take a step back and really assess what we actually want.

Kim Jones: So, yeah, you -- we're going to double click on a couple of those things. So let's start with the fear aspect and in terms of how it relates to talent, and you talked a little bit regarding a lack of desire to accept the possibility where a mistake could be made. So back in episode, you know, 11, you know, we brought in Ed Vasko, CEO, serial entrepreneur, and he talked a lot about regarding that last component that seems to be missing as we're upskilling people, and that is practical skills and real world experience within the environment.

Ed Vasko: Just like in medical, in medical space, we have training hospitals. We have training programs that are not all possible, not all doctors offices accept residents, you know, accept residencies. There are a select number, and it's by that selection process that the industry within the medical program gets moved forward. And so there's a self-selection. Most of these teaching hospitals are attached to a university. They are attached to -- you know, they combine the academic program and the experiential learning program. So I took the same kind of metaphor, you know, same sort of alignments and said, well, the benefit I have here is that I'm attached into a university, they've given me the opportunity to build these kinds of platforms. Let's say, you know, in your experience as an operational cyber leader, you know, would you be willing to allow early career professionals that opportunity to come into a commercial SOC or into an operational SOC like [inaudible 00:07:02] and has consequence.

Kim Jones: But it's really interesting that I think one of the things that I also felt from the season is, you're right, everybody wants that level of experience, but there are still a couple of things, there's still that reluctance to create the mechanisms that allow people that experience.

Ethan Cook: Absolutely.

Kim Jones: There's the reluctance to, okay, that's great, we need you to get experience somewhere, but you first, you hire the intern, you do X, you do Y. And, you know, it seems like we're talking out of both sides of our mouth about those things, you know, within the environment. So let's double click on the other piece that you said regarding the opportunity. And I'm -- I see you're right in terms of the overall, in terms of this is something that nobody has thrown up their hands and said it can't be done, which is great, but it seems to me that the nature of that opportunity is still ill-defined. And where I'm going back to is Will Markow's episode where he talked about the data regarding what is the nature of the cyber opportunity out there and the openings that are out there. You want to talk to me a little bit about that one?

Ethan Cook: Yeah. So, you know, for context, for those who hadn't heard that episode, Will Markow came on and talked about CyberSeek data. He was one of the head people behind that. And one of the things that I thought was just super illuminating about that conversation was how people are misusing CyberSeek data. Whereas people look at CyberSeek data and they see there's 700,000, 600, whatever-the-number-is-thousand of jobs that are open, and we say, oh my God, we look at this massive talent gap we have. We have nearly a million jobs in the field. And he said, that's not the case, reality actually is that that's data collected over a period of time. I believe he mentioned one year. And instead, that is not at a current moment, that is what we've seen over this year.

Will Markow: I have heard so many people, at very high levels of the federal government and other places, misuse the data. What that number actually is, is that's how many unique job openings we saw over the past 12 months, which were unique online. It also isn't just what we think of as core cybersecurity workers. We're also looking at the network administrators, who are responsible for cyber within an SMB, or other IT professionals, and even some cases, maybe even non-IT professionals who still have a significant security component to what they do.

Ethan Cook: When I think back to Will's episode, something that really stuck out to me was the impression, I think, one of his best moments in that, was his quote surrounding entry-level jobs.

Will Markow: When we looked at this, we found that for every 100 entry-level jobs, we had 110 entry-level workers vying for that. That means that we actually had about 35,000 more entry-level individuals looking for cybersecurity jobs than we actually had entry-level cybersecurity jobs that they could fill.

Kim Jones: And I will tell you the step further. There's another piece there regarding, not just what he said about data, but in terms of how the world, the industry, the world, business, et cetera, is looking at and is hiring cyber professionals within the environment.

Will Markow: I call it hiring for mercenaries, not missionaries. This has been the default in the industry for years. You go after the mercenary, who has the best resume. They look the best on paper. Maybe they went to some fancy school. They got some fancy certifications. They look amazing on paper. The problem is, you want to hire them? So do all of your 20 biggest competitors. And you are going to be in a bloodbath for talent if this is what you do.

Kim Jones: So, shifting gears again, I think part of some of the things we've heard centered around what makes a good cybersecurity professional. You talked about putting structures like maybe legal around things, et cetera, within the environment. But one of the conversations that came up several times, you know, during, you know, our discussions and was the focus of episode two was, are we a trade or are we a profession? You want to dig into that a little bit, Ethan?

Ethan Cook: Yeah. So, you know, it's -- this is a conversation that came up, not just in episode two. While that was the main focus of episode two, it came out routinely throughout the season.

Kim Jones: Yep.

Ethan Cook: And it was something that I grappled with, because when I first saw the statement, my first thought was, as an outsider was, why does it matter? Right? You know, that was my first instinct. I then dug into the conversation and dove into it more and got into the nitty gritty details and understood the cost and benefit of both. And I really liked both Larry's, who was in episode two, and Ed's characterization of the two, with Larry arguing that it transforms midway through.

Larry Whiteside: I've actually given some thought to that simply because -- and I'm going to say, I think we're both. I think we're both, because of a couple of factors. When you think about the entry-level components, right? The entry-level component of getting into cyber is very trade adjacent, right? It's not about certification. It's not about degrees. It's about skills. Which is why we say you can come out of high school and do this, because if you create, right, or foster certain skills on your own in high school, you can technically come into a cyber role and become proficient in the way that an organization needs you and go execute. So, at that level, I see it akin to a trade.

Ethan Cook: And then Ed arguing, or stating, that he believes that we're a profession with technical components.

Ed Vasko: I lean towards the idea that -- I lean, I expect, that we are a profession that has technical representation. We have an opportunity to ensure that the pathways we create allow for people of, not just diverse background, but diverse skills, to engage in this field and achieve certain kinds of milestones at a career level. If we don't treat ourselves as a profession that has technical orientation, then we'll ultimately be relegated into a position that's, that doesn't have business orientation, that doesn't have all the other things that we talked about for years.

Ethan Cook: Between the two of them, I think they hit the nail on the head, is that we are a profession. Cyber is a profession and we have to treat it as one. But that doesn't mean we just ignore the technical aspects and just blindly tune those off and put our blinders on and pretend like those aren't there. Those are a reality that we should acknowledge and build into our systems. Similar to how, you know, if you look at other professions that are -- have a technical system, maybe not technical in terms of technology, but technical aspects of them, they have a defined pathway that goes through it in a logical progression system, but they still have professional elements guiding the whole process.

Kim Jones: And this is a -- you mentioned pathways, so this is a great opportunity to segue into some of the discussions we've had regarding the different pathways that you can take to get into cyber. One of the themes that we kept running into was, is college the only way to go into cyber, do you need a technical background to get into cyber? And then of course, there's the value of certifications and taking a certification path in cyber. So let's start with, and I'll tee up the first one, in terms of the need for a technical background of some sort. And I'll actually go back to Ed Adams --

Ethan Cook: I was thinking the same thing.

Kim Jones: -- who was in the first episode, you know, and one of the things is his viewpoint on that problem.

Ed Adams: You don't need to have a technical background to have a successful career in cybersecurity. Full stop. I think that's a very understated but incredibly important comment. Almost as important as the five words that I've heard come out of your mouth on many occasions, which is entry-level means no experience. There are so many talented people that I have personally hired and worked with at other companies that don't have technical backgrounds that are fantastic in cybersecurity.

Kim Jones: So let's shift from that approach to the viewpoint from college within the environment. And we actually had Dr. Lara Ferry, who is the VP of research and development at Arizona State, who has been involved in, you know, building or helped me when I built the cyber program at ASU, and some of the challenges she has from a college standpoint and the expectations of our partners and their viewpoints on college. So let's start with that expectation piece, in terms of what industry partners seem to be looking for within the environment from college.

Lara Ferry: When we talk to our industry partners, each one wants something different.

Kim Jones: Shocked, I am. [laughs]

Lara Ferry: Each company would like us to teach these students to code the way they code and to use the software they use and to be prepared to step into a job at their particular industry so that that company does not have to do any on the job training at all.

Kim Jones: And now let's take that back and reference an earlier comment from Ed Adams back in the first episodes in response to me saying, if you ask 50 CISOs what they're looking for in a cyber professional, you're going to get 436 different answers.

Ed Adams: Well, I did ask 50 CISOs the exact same question, and I took those 50 answers and what I was able to determine is that there is a distinct pattern. The most common trait or characteristic that CISOs are looking for had nothing to do with any degree, any certification, or any experience. The ability to be taught. Like, that was it. And, however, when I still read cybersecurity job descriptions, whether they're entry level or not, I do not see those words showing up. I see things like degrees and certifications and technical skills.

Kim Jones: So as we look at pathways, Ethan, is part of the problem in terms of defining what a reasonable pathway is still set around my peers and I not knowing what the hell we want within an environment, except perhaps the dreaded purple unicorn with pink butterfly wings that is out there? What was your takeaway from the dozen or so conversations we've had about this?

Ethan Cook: So certainly there is that purple unicorn hunting, which is a problem, and from everything -- and to me, you know, as someone as an outsider, it makes no like logical sense in my mind. Right? Like, I come in and I'm sure there's people who have done that and go, well, it helps me do X, Y and Z, this blah, blah, blah, and there's value for that. Right? But as an outsider, I see it as you are really misallocating your approach and funds and time to find something that you're probably not going to find, or you're going to find it and then they're going to get poached almost instantly, because they're going to get a better offer and they're going to job hunt. Part of it is, I think there's almost like, and this is, outside of this conversation, something that I've noticed amongst cyber, this explosion of the number of vendors, and we talked about this in the vendor episode, which was episode 12. But there is, and I wrote about it, how there is -- Gartner found there's over 3000 vendors. Each one of them does their own system, their own way, and people are contracting in numerous ways, and everyone has their own system and everyone wants the system done the way they do. They don't want to train people up. They want someone who comes in with coding knowledge for that specific system to come in and be impactful. And Lara talked about that.

Lara Ferry: It is profoundly frustrating, when I've met with a group of 15 representatives from different industry to say, now have I built the degree you want, and finally they all said, yes, you've built a degree you want, and then I can't place any interns at their industry.

Ethan Cook: So I think that this unwillingness to accept that humans are humans, that they're not going to be perfect. They are not going to have every training. I find it really weird how, in this industry, every other industry that I've ever been a part of, I've ever had friends in, et cetera, has a tolerance for allowing people to learn the company, whether that's learning internal operating procedures, whether that's learning technological systems, whether that's training, whether it's anything. There's an allowance of, okay, come in. Yes, we expect you to be capable, we expect you to be able to do what you say you were going to do, but we expect bumps. We expect mistakes. We expect you to, maybe you send the wrong email to a client. Maybe you don't hit the right thing the right way or save a file, you lose some data. Things happen. But within cyber, that is unacceptable. It's one of the few industries that I have ever heard of like that, that there's zero tolerance for new people, let alone older people who have been in it for years. And this, to me, feels like it's an impossible race. And I am really -- it makes pathways -- and I think the one thing that really stood out to me as I was trying to think of solutions from an outside perspective, the conversation we had with Simone about skills-based hiring, and I know Jeff also talked about this, and I've actually worked with him so I've known this approach for a bit. But that, to me, struck me as a very valuable tool to adjust.

Simone Petrella: We have seen in the last four years a push, not as big as a push, as I think either you or I would like, in the direction of skills-based hiring. Being able to rely on a credential alone can't be indicative of someone's true competence to perform the job.

Ethan Cook: Rather than saying, I want you to have four years of coding experience with this thing, say I want coding experience, or a high-level concept, and then instead of looking for very hyper-specific things that are probably unrealistic, instead looking for general concepts that can be universally applied.

Kim Jones: And one of the things you also mentioned is in terms of how we link that training to our actual needs within the environment, not only from a, what are the skills needed, but what are the levels needed. And in episode three, our guest talked a little bit about that when we were talking about planning workforce and taking the time to plan workforce.

Simone Petrella: If you're looking to build your workforce, really sit down and try to think what would be the development, what would be the career track from your entry-level person to your seat, or to a seat that sits next to you at the executive table. And how can you craft that within your organization? Because that is the way you can solve the problem.

Kim Jones: And then, shifting again, one of the things that you had mentioned, Ethan, when you were talking about Jeff Welgan and his viewpoint in skill recs, he had a very, very interesting viewpoint and perspective on the problem in terms of the data that we were looking at, the results of that data that we were looking at in the environment, and whether or not we were utilizing that data to help us plan what we need and think about training and uplift and onboarding at a strategic level within the environment.

Jeff Welgan: We need to throw the pebble in the pond. You know, when you throw a pebble in the pond, it has a ripple effect. Right? And the pebble, for us, starts with work role analyses, really understanding the core expectations from skill sets perspective for any given job role at any given level. That's like the step one. And then the ripples out from there. So once you have that data, you want to understand, well, now I know what I need, what am I going to do with that data? Well, I can go back to my job descriptions, as you mentioned, and update job descriptions based on an analysis of the expectations. But then, two, you're going to want to understand where are my people compared to my expectations. [ Music ]

Kim Jones: Before we head down any further, I want to take a step back. And we spent some time, or we spent an episode, and you and I talked about it midseason as well, talking about whether or not diversity matters within cyber. Again, as an outsider, what are your thoughts?

Ethan Cook: Yeah. So, as someone who is an Asian American, diversity is very important to me. It's always been something that, you know, the reality is, is America sometimes is not what I would like it to be, diversity-wise. And right now it has become a contentious issue for whatever reason. And I think that that episode was, to me, when I saw you list it, I -- my first reaction as an outsider was to say, of course. Why wouldn't it matter? Like, it brings tangible benefits, because I didn't even consider the fact that it wasn't a common thing within cyber. And then as I dove into the research and looked at the demographic reports, and I want to note it's not just race, it's not just gender, but it's also in terms of background. And I can even say this from a perspective of myself coming in with a non-cyber background. There have been conversations that I have had where we are talking, and I have a bunch of cyber people around me, and they are seeing it one specific way. It is A to B to C and it's not making sense. Or they're trying to make it take four extra steps longer or whatever the case is. And I kind of take a step back and say, well, why don't we do it this way? Why don't -- please explain to me the logic, right? And it's not to counter, it's more to understand. And when I get the explanation and respond back, I view it -- it's like, wow, we didn't even consider that. And I think that right there is the value of diversity. It's not about checking off some box that, oh, I've hired X amount of minorities, or women, or et cetera. Like that's, I think that's what it's been politicized into. I think the better way to view it is, what I am bringing is different ways of thinking into my organization, because when you have one mono-focused way, one monolithic way of viewing the problem, sure, maybe that way works a couple of times, but it's probably not going to work every time.
And it's probably not sustainable, because the system that we live in with cyber is constantly changing. There are new threats every single day and they think differently than you do. They are approaching the way they approach, tackle you, differently than you view defending yourself. So having multiple people come in with different lines of background, different ways of thinking, different ways of approaching problems, whether they are defense based, whether they are internal structure based, whether they are problem solving or acquisition based, et cetera, these mentalities are going to result in a more productive, more efficient, and more sustainable line of business. And I think that, as someone who is an Asian American, and Kim, I thought the episode was very, very important to have. And I think people who are ignoring that and pretending like that's not real are people who don't really want to actually delve into the data, and the data is very, very overwhelmingly in support of the value that diversity brings. And I wrote about it in the blog. There have been numerous studies that talk about it's not just a, oh, my team looks different than your team. If my team produces more than your team, my team is more effective in what we produce. They produce fewer errors. They account for more facts. They correct fact issues, they correct errors faster, et cetera.

Kim Jones: Well, let's pull that all together. Ethan, I thought your answer was spot on. I get equally passionate about it. It's important for cyber. It's not a political issue. So, let me begin, try and pull things together. You've heard lots of perspectives. You've heard lots of challenges. You've heard lots of points of view from lots of subject matter experts regarding this topic. So I'm going to ask you a similar question that I asked Ed Vasko when he was on and some others as well: How do you solve it? And we've done a very, very good job of identifying the problems, plural, with the cyber talent ecosystem now, and we've hit it from about every conceivable angle we could think of, you know, for this season's arc. So we've done a good job of identifying the problem. I obviously am too close to the problem, having been in this profession for almost four decades, so I would welcome your perspective, as someone who has been handed this stack of stuff to fix. How would you solve the problem, if you could wave the magic wand and were supreme ruling emperor of cyber for a day? How would you solve it?

Ethan Cook: Great question. I, first, what I would say is you cannot have a monolithic approach. There is no one way that this gets solved because there is no one way to view this problem, as we have found throughout the season. There are issues with talent pipelines. There's issues with talent acquisition. There's issues with talent sustainability, talent development, et cetera. Name it, it's there. So the first thing I would say is, we can't say, oh, if we just fix the universities, this solves the problem. If we just fix the way business leaders approach it, it solves the problem. That's not how it works. I would say the two things that I would really drill down on and think are the most impactful for short term fixes are, one would be Ed's engagement with state governments. It helped the state of Idaho by giving people tangible real world experience for free, right, and that was helping out. And that gives more technical experience and creates a system that's similar to what nurses go through and how the medical industry approaches training people up, rather than just dropping you out of college and saying, okay, fend for yourselves. And that also removes the need to have as many internships or get private involvement and ensure private involvement is always going to be a factor and there's always going to be that aspect. But if you can't motivate private, privately-owned companies to get involved, this is a great way to still continue getting technical experience for younger talent coming in and still train them up, while still ensuring that they hit their university requirements, et cetera, and actively provide a service to the community and better cyber as a whole. My next thing, I would say, is I'm a huge advocate for, and it was talked about several times by both, I believe, Jeff, I, Simone, maybe, I think Larry as well, about the value of instituting a bar-like association for cyber. And I don't think that a nationwide approach can do that.
I think that that was something that would have to be again driven on the state level, but to me, I'm a big systems guy. I'm a big, you know, setting up organization and systems. And what I see right now in the industry is a lot of people running around doing whatever they want and there's no consistency across the board. And I don't think you can ever have a nationwide, okay, this is the mandate nationally that we're going to file. But having a regional or state centered approach to drive up consistency, I think would be a huge step to solving this problem.

Kim Jones: So let me stop you for half a second there.

Ethan Cook: Yeah.

Kim Jones: And what would you say to the folks who would say setting up some sort of system within the environment would potentially be exclusionary within? I mean, take the example you've used from the medical profession and the legal profession. Both of those require college degrees within the environment in order for them to be a profession. And what -- is there a -- I mean, there's always a possibility, but could such a system be more exclusionary to talent that doesn't necessarily have the funds to get a four-year degree?

Ethan Cook: First, community college engagement. And that's a huge state driver right there. There are, we, you've already talked about it before, Kim, but I 100% agree, there are -- and I think the value of community colleges are continuing to go up as people are realizing that they're way more affordable and that they can be mapped to state requirements. And that would be a natural benefit for state and local communities while at the same time, such as like with that SOC program, right? So I would say that that would be a great entry or launching off point.

Kim Jones: So, reflecting back, the requirements can, and more likely in your mind, should, be set such that a four-year degree is not necessarily a mandate to meet the state requirements.

Ethan Cook: Yes.

Kim Jones: We understand what the KSAEs are and we need to demonstrate those KSAEs; college is not a mandate for demonstrating them. The issue is demonstrating them with maybe multiple pathways.

Ethan Cook: Yes.

Kim Jones: If I'm reflecting back what I'm hearing.

Ethan Cook: Yes.

Kim Jones: But let's also talk about some of -- let's talk about, yes, it can be an advantage, but within cyber as well as a lot of other places, college is being seen as elitist, costly, and disadvantageous to and exclusionary to a lot of folks with a lot of backgrounds. This is a great opportunity to drop the quote in about sitting on the laurels on the ivory towers and saying, trust us, that Lara made in episode seven.

Lara Ferry: We have sat back on our laurels in our ivory towers and said, just trust us, right? We're doing great things. We're helping the young people think. And that is true. I mean, I do, I'm very much in favor of helping young people to learn how to think. But we haven't taken it upon ourselves to explain the value of a university degree and to explain the ways in which we are trying to adapt and change and meet modern demands.

 

Kim Jones: So I will end this interview the same way I've ended all of my interviews to date. You know, what is the one thing that we haven't talked about that you want to make sure that we talk about, that we mentioned, et cetera, before we close this off?

 

Ethan Cook: Yeah. So, as I look at this problem, and problems with a plural is probably the better description, the problems that are related to this system, is this has been an issue that I have heard about since I've entered several years ago, and it doesn't seem like we're any closer to solving. It seems like we're, if anything, further away from solving. And I think, as this season has progressed and as I look forward, what I would say is, there needs to be, especially in the absence of and the decline of certain things like CISOs programs or some of these things that are happening right now, there needs to be more industry leaders. I think one of the best quotes that you had, Kim, was when you talked about, the first person to do it, it's always hard.

 

Kim Jones: When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply for a position in a company because there's no one already there like them. Every time someone says this to me, my answer is the same: How the hell is it going to get any better if you don't show up? Folks, being the first at anything is hard. Actually, it kind of sucks in most cases. But if no one steps up to be the first person, nothing ever changes. Worse, you provide individuals in that company the excuse to keep their hiring practices unchanged since they can't find underserved candidates to apply. The world doesn't change through complaining. It changes through direct action. That old story about everybody blaming someone when nobody did what anybody could have done is still true. Be the courageous hero. If there's no role model, become one. Show up.

 

Ethan Cook: And while you were referencing diversity in that conversation, I think that applies to just about everything in life, which is it's never easy to be the person to say, I'm going to solve [inaudible 00:38:50]. Like, that's a huge, that's a massive problem, as we've talked about. That's not going to be something that is going to happen. But I think -- or that's going to happen easily. I think -- or overnight. I think the better way in the thing is getting people together as CISOs, as industry leaders, to come together and actually make progress and not do the same thing that we've already been doing for 10, 15 years. Don't say, okay, let's design another program. We've already done the designing another program and it hasn't worked. Let's not say, oh, let's create a, you know, this training boot camp, right? That, we've already done those, and it's not working. Let's develop this thing that we've already done, whatever "this thing" is. Instead, coming together and saying, okay, what if we all tried and failed so we don't repeat those mistakes, and then say, okay, what have we not tried? And I'd rather us try something that we haven't done. And it's going to mean someone's going to have a lot of long nights.

 

Kim Jones: Yep.

 

Ethan Cook: Someone's going to mean, it's going to mean someone's taking a risk. That may cause an issue that may involve taking someone who's not ready, quote-unquote, to be a SOC analyst. It may mean you having to work with someone and rely on someone who you would not have normally worked with. And that is scary, and that can be intimidating, and that can mean a lot of extra work that you may not be financially compensated for, right? But if it matters and if you're passionate about this, and from everyone that I've talked to throughout the season and from the people that I've heard over the years, cyber is one of those industries where people are nothing if not passionate about this industry.

 

Kim Jones: Amen. [laughs]

 

Ethan Cook: Then if you're passionate about this and you're doing it for the right reasons, then yes, while it is exhausting and tiring, it is worthwhile and gives tangible value, not just to yourself, not to just your organization, not to just the neighboring organization, but to the people who are coming in the next 10 years, the people who your customers, who you are guarding their information or who you are protecting their financials, et cetera, whatever your industry may be, there is value to this outside of just, oh, I've gotten a paycheck raise or, oh, my industry, my job is secure for another two months, or whatever it may be.

 

Kim Jones: Yeah. And we're going to have to leave it at that. Ethan, I really appreciate you taking the time to give us your perspective and your insight and I look forward to working with you again for the next season.

 

Ethan Cook: Absolutely. I'm excited. [ Music ]

 

Kim Jones: Deeds, not words. I first ran across this phrase some 40 years ago while indulging in one of my longtime secret pastimes, watching B-grade action movies. While I remember the movie as being cheesy beyond belief, for some reason the phrase etched itself into my teenage psyche. The idea that what you do is more important than what you say, that your actions define who you are and what you're about. That resonated with me. I've taken this philosophy into my adult life, approaching the world with a "show, don't tell" attitude. Specifically, don't tell people who you are, show them. Do what you say you're going to do. And above all else, be consistent in word and in deed. Ironically, I find that these three tenets appear to be what's lacking in today's cyber talent ecosystem. And that deficit seems to be one of the root causes of our challenge. It's clear from this season's explorations that there is no one correct path to enter into and progress along the path in cybersecurity. But there are certainly a number of wrong paths. All of those wrong paths have one thing in common. They are riddled with inconsistencies on the part of the profession. Common themes are: One, the lack of agreed upon job descriptions. Two, the prominence of nonsensical job descriptions. Three, the seemingly endless complaining about a lack of skills without defining skill requirements. Four, the continued prominence of talent theft versus talent growth. And five, the prominence of myopic tactical approaches to the talent problem, focusing on the immediate needs of an organization, but ignoring long-term operational goals. There continues to be a cacophony of loud discussions on these themes without any change taking place, which has left us with a lack of credibility both within and outside the cybersecurity profession. If we want to get serious, truly serious about the cyber talent challenge, there are a handful of things that we need to do.

One, map the terrain. In response to our industry's complaints, as well as our misreading of the data, there are now a plethora of pathways for entry-level candidates that are producing well in excess of the entry-level opportunities that exist. The first step must be for us to delineate clearly what positions we consider to be entry-level positions. SOC analysts, for example, come to mind, or infosec security specialists. Next, we need to reframe our message to talent creation organizations to focus on those entry-level positions and the true quantity of opportunities available. This approach will most likely disappoint organizations and institutions who have invested time and resources in creating now-bloated pipelines. But it remains disingenuous of us as a profession not to address this situation with candor. Lastly, we need to reset experience expectations for entry-level candidates. As discussed in an earlier episode, we need to realize that entry-level experience may be a combination of internships and other cyber-related or IT work. If you're expecting new hires to have more than a year's experience, though, you're not looking for entry-level candidates, but rather looking to steal experienced assets.

Two, create internal pathways for cyber talent. Many organizations treat cyber talent like mercenaries who are there to perform a specific task. There are no clear pathways for promotion, nor to expand one's capabilities by taking on other cyber roles within the security organization. Indeed, many companies, and sadly many so-called leaders within the cyber community, are afraid to educate, train and promote their personnel for fear of losing a resource that is performing a specific task right now. With this attitude, is it any wonder that talent tends to rotate out of organizations routinely? While promotion should never be automatic, it should always have a large merit component driving it. Holding resources back for fear of losing talent is a surefire way to, well, lose talent. Make sure your team understands all requirements for promotion, including skill levels, abilities, and knowledge required, and that you are providing them opportunities to acquire the necessary tools to be considered for advancement.

Three, create consistency throughout your talent life cycle. This point has serious rant potential for me, so please bear with me. If I were to pick the one major source of our challenges, this would be it. Folks, I genuinely do not care which of the myriad opinions you hold regarding creating and advancing talent. I do care that, for the most part, we are failing to walk the talk around our opinions. If you believe, for example, that we are more trade than profession, great. If that's the case, then stop recruiting for talent exclusively at colleges and universities and create interview processes that focus on knowledge and skill demonstration. If you believe that a good cyber professional needs solid IT experience before entering the field, also great. If that's the case, then adjust your starting salaries for junior cyber professionals to account for the additional years of experience and start creating programs within your organization to migrate IT professionals into cyber. If you believe the best way to acquire cyber folks is to grow them organically from anywhere within the company, that's wonderful. If that's the case, then you need to create the organic pathways and training programs to allow this to occur. In one of my former organizations, I proposed creating a pathway for our customer care people to become entry-level cyber professionals. These folks had already been vetted and hired as assets to the company. This initiative would give them a pathway to progress from holding a job to having a career. As an added bonus, since customer care staff tend to be more diversified than technology teams, it produced a mechanism to organically create more diverse organizations. If you believe that cybersecurity requires a degree, that's positively fantastic. If so, then you need to support the degree programs that are out there by providing meaningful internships, guest lecturing, or joining extended faculty in their degree programs and hiring graduates. Above all else, though, you need to stop nattering about how it should be, without also fighting to create the ecosystem that can get you there. Stop complaining about it and act. Rant over. [ Music ]

This season, we talked about the various pathways to entry into the cybersecurity arena and the advantages and disadvantages of each. We explored some of the misconceptions, prejudices, and myopia that cybersecurity leaders can cling to about these pathways. While there is no one right way to enter the field, we've shown this season that there are some wrong ways, and those all center around the inconsistencies that we, as cyber leaders, promulgate in the environment. If we want to restore our credibility and arete, we badly need to standardize our definitions and expectations of cyber candidates and stop being so afraid of having to backfill positions that we refuse to educate, train and mentor our people. It's time to stop talking and start doing. In other words, deeds, not words. My two cents. [ Music ]

We'd love to hear what you think of this season of "CISO Perspectives". There's a link to share your perspectives with us via the survey in our show notes. And that's a wrap for today's episode, and for this season of "CISO Perspectives". Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. We're so grateful to have had you with us this season. From all of us here, thank you for listening. We look forward to bringing you more expert insights and meaningful discussions in the next season. This episode was edited by Ethan Cook, with content strategy provided by Myon Plot, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones. See you next season. [ Music ]