Special Editions 4.19.24
Ep 61 | 4.19.24

Cyber Talent Insights: Charting your path in cybersecurity. (Part 2 of 3)


Sasha Vanterpool: Hello and welcome back to Cyber Talent Insights on N2K CyberWire Network. I'm Dr. Sasha Vanterpool joined again by my colleagues Cyber Workforce consultants Dr. Heather Monthie and N2K's Chief Learning Officer Jeff Welgan for this special three-part series sharing our insight on the current state of the cybersecurity workforce. [ Music ]

Unidentified Person: Cyber Talent Insights from N2K CyberWire will be right back after this. [ Music ]

Sasha Vanterpool: In today's episode, we're going to shift our point of view to provide guidance for those individuals who are entering the field of cybersecurity or perhaps making a transition from one career to another. We will discuss what a market-driven approach to career development means and how professionals can focus on identifying and staying abreast on in-demand and transferable skills to stay relevant in the market. We will also explore how to discover one's niche in cybersecurity, including how to stand out in this competitive market and align personal interests with career goals. Lastly, we'll examine the role certifications play when navigating the career path throughout the cybersecurity workforce management lifecycle. All right. Let's dive in by exploring what it means to take a market-driven approach to career development. In a conversation with Chief Strategy Officer Caroline Wong, she touched on this by explaining the following. Let's play the sound clip.

Caroline Wong: The advice that I give to folks in this type of a situation is to use a market-driven approach. So, a common question that I get asked is, "Caroline, I'm really interested in getting into cybersecurity. What certifications should I get?" And I'll say to that individual, "Hey, I think there's actually an alternate way of looking at this problem, which is instead of asking what certifications should I get, you should ask, what does the world need right now?" And you can actually do that in an extremely data-driven way. You simply go on LinkedIn or Indeed, or whatever job posting website there is. And you begin to familiarize yourself with the security roles that are open and on the market right now. And if you look at 50 or a hundred different roles that are at the level that you're interested in getting into, that data is going to be able to tell you far better than me, or I think anyone else in the field about what certifications you should go after and what sort of skills you should try and develop. I think that using a market-driven approach to identifying what skills you want to develop next is always going to be in someone's best interest.

Sasha Vanterpool: Heather, can you elaborate on Caroline's point and explain what a market-driven approach to cybersecurity career development means in today's contexts?

Heather Monthie: Absolutely. I think that when you are working on transitioning into the cybersecurity field, or maybe you already work in the cybersecurity profession and you want to advance your career, it's really important to go and just take a look at what it is that employers are looking for. What is it that you need to have? What skills do you need for a particular role? So I always suggest going on websites like Indeed. Go on LinkedIn, look at current jobs that are out there. Maybe they're jobs that you're not yet qualified for. But they're jobs that interest you. They pique your interest. You can go in there. And you can look at them and see what are the requirements that the employers are looking for and say, "Okay, I need to get these skills. I need to know how to do this, use this piece of software, do this particular thing." And you can start creating a career pathway for yourself. You can also go on LinkedIn and look at other people that are already in that particular role and just sort of reverse engineer what they did to get into that position. Oftentimes, people don't have degrees in cybersecurity. So you can go back and you can take a look and see, "Well, how did that person get into this particular role?" So it's really just looking at, what is it that the market is looking for and how do you align your skills, what you already have, and the skills that you will obtain and to create that pathway for yourself into a particular cybersecurity role?

Sasha Vanterpool: Oh, that's a really great point and a good idea, especially for those who are looking to break into the field. So, Jeff, for those who are, like, brand new to the field, how would you recommend these, you know, early professionals identify what are the in-demand skills that are needed in cybersecurity?

Jeff Welgan: Well, I think one thing I just kind of want to reemphasize from Caroline, and then also Heather just mentioned this as well related to, like, going to Indeed or LinkedIn. You can also go to cyberseek.org if you're looking at certifications specifically. They've done a really good job looking across all the job descriptions or job postings and then listing out what certifications are in demand. So, you know, not every organization is focused on certifications. But certifications certainly do have weight in this industry for a number of other professions or specific companies or agencies you might be looking for a position. So that kind of gives you a good idea of what's, kind of, in most demand. In addition to that, though, I think one thing that's really important for especially someone, kind of, coming into the field one, yeah, you want to understand what is being required of those positions and what's being asked. So, what is in demand right now? And I think Heather really had a really good approach to getting information on that. But I would add to that and say that you also want to think about what else can you add to the mix? If you think about it like a job being a cocktail, what ingredients can you add to that job description or that position that make you a little bit more unique? So think about, you know, how can you combine some elements of one job description or a high-demand skillset and add that to the position to make yourself stand out just a little bit more from other candidates?

Sasha Vanterpool: Sure. Yeah, I think that's a great point. And I think definitely, you know, for those who are making that transition, maybe this is their second or third or fourth career, you know, coming into cybersecurity, whether it's from a completely different professional background or just that non-traditional kind of route, they can, you know, take advantage of some of the things that you guys mentioned by identifying those skills. But then how would you guys say that once they've identified what the in-demand skills are, the certifications or, kind of, what those requirements are when you're looking at the job description, how are they able to identify, "Okay, these are the skills that I already have and what is transferable?" And how do they kind of make that distinction between, "Okay, let me focus on what I already have. And then how do I prioritize? What skills do I need to get further education and training on, you know, to make sure that I'm qualified for the position I'm looking for?"

Heather Monthie: I think it's important to recognize that you all have transferable skills. If you have done anything in this world, you have skills. So, it doesn't necessarily need to be something that you are paid to do. What I always suggest is just sit down with a notebook, you know, an app on your phone, whatever, and start making a list of things that you already know how to do and make 50 or a hundred items on that list because you really start getting into that nitty gritty. So, do you have project management skills? Do you have time management skills? Have you, you know, led a group of people from point A to point Z? It doesn't necessarily have to be within cybersecurity or even within tech. But you've done other things in your career. You've done other things through volunteering. You've done other things in this world that are really going to be valuable on the cybersecurity side. And then we add the cybersecurity skills on top of that as sort of the frosting. And I think that if you really sit down and get clear on what it is that you already know how to do, the things that you're good at, and maybe even asking other people around you because sometimes you don't always see, sometimes you take your own skills for granted. And you can start to see where you might be able to really stand out in the cybersecurity profession that you're just -- you're really good at this thing and now let's add that cybersecurity layer on top of that. And that can really help you figure out where you might fall within this industry.

Jeff Welgan: I think I'll just kind add to that. Heather, you were sharing with us just the other day about a really cool story about a yoga instructor that was looking to get in the field and how you were advising her on, you know, how she could think about her skillsets to make it more relevant to the cybersecurity industry. And I think you kind of alluded to some of that in your response just now. But I think one of the things that's really important, maybe for someone like that who is kind of making a really hard shift or transition from like what seems like a pretty unrelated field into this more technical field, good advice would be also talk to someone in that field to talk about your experiences and work with them on how do you frame that in a way that starts communicating in the lens or the perspective of cybersecurity. Like those leadership skills, those professional skills, those communication skills, how can you talk about it in a way when you're kind of coming from what seems like a pretty unrelated field and make it more relevant context for a cyber-position? I think that's -- it was really cool advice that you shared with us the other day.

Heather Monthie: Yeah, I think that just to give the audience some clarity on that. So the conversation that we had was around -- you know, I've worked with a lot of people over the years that are transitioning their career into some sort of tech industry, in this case specifically cybersecurity. This woman was a yoga instructor. And she was trying to transition into a cybersecurity career. And she really needed some guidance on that. And she felt like she didn't necessarily have any sort of related background at all because she didn't have the tech experience that we oftentimes hear that people need to have to get into cybersecurity. And so what I said to her was just, you know, what I said earlier is the same thing. Just sit down and think about all the things that you've done in your role as a yoga instructor. And think about how you have worked with people of all different kinds of abilities, all different kinds of backgrounds. You're able to lead a large group of people to an end goal that you can -- you know, being a yoga instructor, sometimes you work with people that are in an emotional state, that you've got a lot of really good people skills that are very much needed in the cybersecurity profession. So that can be something that she can use to really make herself stand out from other candidates, is that she's got this really great experience working with all different kinds of people and all different backgrounds and all different, you know, points in their lives that she can bring that into cybersecurity. So I think that it's just -- you know, we often hear times that everybody needs to have a tech background to get into cybersecurity. And while I do agree with that, mostly I do know that there are many roles within cybersecurity that you can sort of pivot into them from something completely unrelated. You might do this complete 180 in your career. And that there's really sort of that path of least resistance into that career in cyber is taking that thing that you already know how to do, that industry that you've already got some experience in and adding cybersecurity on top of it. And I talk about that too with, you know, if you're a nurse or, you know, you're working in some other highly regulated industry. You've already got that experience understanding things like HIPAA and some of the compliance things and, you know, all the things that go into the healthcare setting. You know, if you're a nurse, it's very easy to make that transition then into healthcare cybersecurity because you've already got that industry knowledge. You understand how things are supposed to work. You understand some of the compliance things. There's a lot of really good skills that people have that they might not recognize are very relevant towards a career in cybersecurity.

Sasha Vanterpool: Yeah, I think those are really great points. And I think that, you know, a lot of the times, we'll sneeze somebody who, as you said, kind of chooses that path of least resistance. And it's like, "Okay, I'm going to stay in an environment that's familiar to me and that's totally fine. Or I'm going to do something completely different. That's okay too." I think a lot of the times, you know, we do think about like those power skills, people skills, employability skills, often goes by so many different terms. So those soft skills. A lot of times, that's what's hard to teach. So if you are having, like, strengths in that and you have experience in that, like really hone in on that because I think the hard skills of technical stuff you can always learn. They can, you know, study and practice and get some experience, take certifications for. But it's a lot harder to find things when it comes to the more people side of stuff. So, really great points. And I think that kind of goes into, you know, for those who are already in the field. If they've been working in the field for a while, how will they know when is it time to kind of reassess the skills that they have, the knowledge and the experience that they have? If they're looking to, you know, stay relevant in the market. Or it's a time for them to, you know, take that leap and drove row and looking to get a promotion, is there, like, a typical timeframe? Is it -- any guidance or advice on those who are already kind of working in this field? How do they make sure that they are on top of their skills and looking for additional training and education?

Heather Monthie: Yeah, I think that the people who choose cybersecurity as a profession, generally speaking, they love learning. This is not a field that it's you go to school and you complete a degree, you complete a bootcamp, you complete a certification, and you're done, and you go and you work. This is something that you've always got to be learning. There's always new things happening. And so you've got to stay on top of those things. So, I think, just generally speaking, people that are attracted to the cybersecurity profession certainly love learning. And that is something that employers can take into consideration too when they're trying to recruit and retain top cybersecurity talent, is making sure that they have those opportunities for additional training, that they've got clearly established career pathways. So that if they're in their role and they're ready for something new, that you've got something established for them to help them make that transition into a new role. Whether it's a lateral shift in the cybersecurity profession, or do they want to move up into becoming a more of a technical leader? Do they want to lead people, lead teams of people? And so you've got to -- you know, if you've got those things in place that's really going to help make your cybersecurity team happy and want to stick around. You know, like I said earlier, they just we're a group of people that just love learning. And so if I'm looking at this from the individual perspective if I'm somebody who is in a role and I just kind of feel like I'm ready for something new, you kind of feel like you got a good handle on what it is that you're doing now, is to just -- I'm one of those, like, you know, I listen to podcasts like this one, listen, you know, get on, you know, YouTube, social media, look at some of the people, what people are saying about where the industry is going. And try to find something that really kind of piques your interest that maybe you can combine it with, you know, a hobby or something. And I'll give you an example. You know, I'm very into aviation. And, you know, drone security is a hot topic right now. So, I've really just been digging deep into learning all about drone security. So I think that if you're, you know, you've been in this profession for any length of time, you know that you've got to keep your skills up to date. You know, try to figure out what are some things that, you know, really pique your interest. You can also, like Jeff mentioned earlier, go to Cyber Seek. And you can see the different certifications, the different job postings. And it'll show you sort of what's in high demand for, you know, particular employers. So you can go and look and say, "Oh, I didn't even know that that certification existed." And you can go and you can start working towards that particular certification. So I really think it's just recognizing, you know, from an individual's perspective that you want to be learning things that are interesting to you, that are -- you feel are contributing to helping to solve problems in society, that they're -- you're contributing to a larger vision. And then from the employer perspective is, you know, recognizing that in cybersecurity professionals that, you know, we don't necessarily want to stay in the same role for three, five, seven years. It's -- you know, we want that -- those growth opportunities. So making sure that you have those in place for your team.

Jeff Welgan: I'll just put it this way. I mean, I like analogies. And I find that a lot of people in this industry like analogies. So I'll use analogy to try to describe my answer to how often you should be, like, evaluating yourself. If you're in this profession, you should kind of view it as though you're driving a car. And when you're driving a car, you're constantly scanning the environment. You're looking for, you know, other cars around you. Or is there going to be a deer that runs across the road? And that constant scanning is what needs to be done. I wouldn't say there's any set time that you need to reassess yourself. You're just constantly assessing the environment and yourself to making sure that you're heading in the right direction and doing it in the best way you can. There are, however, mile markers or exits along the line that are key indicators for a more formal review of your skill sets. And those could be, if you hold a certification, keeping up to date with that certification is key. Those certifications, you know, Sec+, SB, et cetera, they go through regular iterations or versions. So things change in the exam. And those exams are changing because the industry is changing around them too. So, if you hold one, you want to stay relevant. You want to make sure you're still credentialed and keeping up with your credits to stay credentialed. But you should also look at the topics that are being added or taken away from those credentials as a sign for, you know, are you still in line with where you want to go? And then the other point I would add is just, and Heather kind of made this, is you have to make a decision. Do you really want to be a specific, focused subject matter expert, or do you need to, kind of, be more versatile? Which way do you want to, kind of, go with your career? Do you -- does your road take you down a space where you're going to need to wear a lot of different kind of hats and have a lot of different skills to bring to the table? Or are you really interested in really being very focused on something that's really challenging and unique from a technical or other perspective for the -- for your organization?

Sasha Vanterpool: Yeah. I think that's a really great point. And I think that, you know, we're talking about, you know, sometimes it comes down to making that decision of do you want to specialize in something and find a niche when it comes to cybersecurity? Or do you want to kind of be a jack of all trades and kind of have a general knowledge? We had a great conversation with CEO of novoShield, Bat El Azerad, who was talking about this, but more from a product perspective. But I want to play that soundbite now as I think that really appeals to this.

Bat El Azerad: It is very difficult to explain your cybersecurity product in a way that you will like in one sentence differentiate it from the competition that everybody else know. I would definitely recommend to focus on a niche because I think it's going to be much easier to market, much easier to present it, and most importantly to make people understand what you are doing because not everyone understand what cybersecurity is. If you are speaking about the individual, I'm turning to the individuals. And when somebody is reading something about a new product, he wants to understand what exactly you are doing. The first thought that an individual or a business will have, or an investor, "Oh, they're probably doing what XYZ are doing." So you have to be very focused and to find the right niche to bring something new to the table because the competition in this industry and the level of innovation is great. I don't think there is any other industry with such advanced innovation and new products every day.

Sasha Vanterpool: So, Heather, can you share some of what are the emerging niches in cybersecurity that professionals should be aware of?

Heather Monthie: Yes. I think that if you take any sort of emerging technology and then add cybersecurity to the end of it, those are any great new up-and-coming areas to get into within cybersecurity. I think that if we look back five years, cloud security was a very small but fast-growing niche within cybersecurity. And then once the pandemic happened, there was this rush to work from home. There were a lot of organizations that weren't set up to have remote workers. And so there was this massive push to the cloud where things were not done, things were not necessarily configured correctly just in this mad rush. And so, as a result, I think we're seeing now that cloud security is a much quicker growing cybersecurity niche within this industry. There's a huge need for people that understand cloud security. We need people who understand cloud architecture and, you know, how to set cloud, how to deploy the cloud, things like this. But then there's also this other side of it is that once when we're setting things up, when we're having things up and running and operational, what are the security components that need to go into that as well? So I think that just we've really seen this explosion of the need for cloud security experts in the last, you know, five, six, seven years. You can take any other emerging technology and add security on top of that as well. So, you know, there's obviously been a lot of conversation around AI right now. And I think that, you know, it's sort of a normal reaction. I think it's becoming much more ubiquitous. A lot more people have access to being able to use AI. It's not new. It's been around. It's just becoming more and more widely used by companies. So I think if you think about it from this perspective of how can we use AI in cybersecurity, but then also what are some of the cybersecurity concerns that we have around AI? So there's two different schools of thought there. So what you can do is, you know, take any one of these emerging technologies that are out there, something that you might be interested in, something that you see is really coming up as a hot topic, and then add that cybersecurity layer on top of it. You know, I talk about the cybersecurity frosting layer, right? But just really adding that cybersecurity component onto any one of these emerging technologies that are out there.

Sasha Vanterpool: So with that, I want to ask as if I am, you know, new in the field, would you recommend -- is there a choice that has to be made as far as, "Okay, this is what's hot right now, this is what's emerging, and so I should do AI?" Or to your point earlier, "I love aviation, and that's my passion and that's my career goal. That's what I want to specialize in." Do you have any advice on these new practitioners? How do they make that decision? Do I go with what's my passion? Do I just go with hot and new? Can I find a way to combine the two? How do you navigate that?

Heather Monthie: Sure. I think that, you know, it's very important to follow your passion and to do things that are aligned with your interests and how you want to spend, you know, eight, 10, or 12 hours of your day, right? You just got to think about how do you want to spend your time. There's a lot of people that come into the cybersecurity industry because they want to become a pen tester, they want to become an ethical hacker. There's certainly a need for people who have those particular skills. But I think that that's a great opportunity as people are coming in to the industry because that is something that they're interested in. They think, you know, it's a really cool job. At that point, it's a really great opportunity to start helping them see all of the different opportunities that are available in the cybersecurity field, that there's a lot of in demand cybersecurity skills that they can get some good paying jobs. And, you know, they can still certainly combine their passions in doing some of the things that they love. But you also want to look at, you know, what does the market need? It's like any business is you want to take a look at, you know, what is it that the market needs? What is it that they're going to pay for? You want to look at that from yourself is that you're marketing yourself to an employer and saying, "I have these skills. These are in-demand skills that you need, you know, let's work together." So I really think it's a combination of figuring out what it is that you like and, you know, you got to spend eight, 10, 12 hours of your day doing this. But also making sure that you're getting into a profession or a niche within cybersecurity where, you know, there's demand for it. There's positions open for it. [ Music ]

Unidentified Person: Cyber Talent Insights from N2K CyberWire will be right back after this. [ Music ]

Sasha Vanterpool: Sure. Jeff, please chime in. I definitely want to hear your perspective on, you know, going the specialization route or maybe having a more generalist kind of approach and maybe being a jack of all trades or kind of just knowing a little bit about everything.

Jeff Welgan: Yeah. You know, I think both are important. And it's on us as individuals to kind of figure out what we want to do and what's needed in the market and kind of make those decisions for ourselves. I think one thing I would like to kind of just maybe add in to the conversation around, you know, additive value to your own profession and how do you do that? I think the solution is pretty straightforward. It's the self-discovery that's the hard part, right? I think the solution really is to find things that you're passionate about, things that you can contribute to in unique ways. The challenge, of course, is understanding that -- what that is for you. But I think we need to kind of expand our mindsets a little bit. Because it doesn't always have to be directly related to cybersecurity and whatever field you're in. You know, I think it could be related skill sets that you bring into it. Maybe you're really good at PowerPoint presentations. I like PowerPoint presentations. I feel like I'm pretty good at it. Like, there's a need there that you have a talent that you can kind of contribute. You could also, like, maybe you're just a -- you slay at like Excel, you know. And you're like, "I can do it all day long." So find the things that you're really good at, and you enjoy doing. And then go out and find people who need help doing those things and make yourself known for the person who can really help someone else in that thing. And I think that helps you in any career field you're in. You know, really become more in demand for, for yourself. And you'll find new avenues and new ways into other careers or opportunities that you might want to explore. Whether that's, "Hey, now there's an opportunity to be a chief of staff in cyber because I have really great project management skills. And I can kind of oversee some things really well. And I kind of like doing that." So it may open up a door for you that it was unexpected if you kind of explore those passions and those unique skill sets that you might have.

Sasha Vanterpool: Yeah, I think that's a really great point. And I think, you know, with that, there are going to be opportunities where you can really just hone in on the things that, you know, are your strengths. But there's going to be an opportunity also for you to identify something that you're interested in. You want to kind of specialize or have this niche. But you're going to need extra training and education for. And I think that's where we really see that opportunity for service institutions to play a role. So I want to think about, you know, these certifications and somebody who's, you know, entering into the field. And they're looking at job descriptions. And perhaps they're seeing, you know, there's required certifications. Or maybe the certifications aren't required. And they just want to make sure that they can stand out. It is a very competitive market. What are the role that certifications play specifically in the high role process? And that's how an acquisition phase of the lifecycle that we're seeing nowadays.

Jeff Welgan: Yeah, I'll touch on this quick. I know Heather's going to have lots of thoughts here as well. And honestly, we probably could do a whole episode on certs. So I'll try to be kind of quick on this point, knowing that there's a lot to unpack later. I think, first off, one has to recognize that some organizations value certifications and others don't. And it may come down to the job manager themselves. So it's really on the organization and in the hiring manager who make a determination on whether that's important to put into a job description as a requirement or not. And then you have other organizations where it's actually required. If you're going to DOD or you're working for the government, they have requirements that you have to hold certain certifications to be qualified for those positions. At the end of the day, as an individual, it's not going to hurt you to have certification. So I would say go get a few if you can. I think the thing I would recommend to folks though, is, like, look and see what's in demand. Look and see what your skill set is. Find those two where it's not going to, you know, cost you a year of your life trying to achieve a really high certification if it's not worth the effort for you. If it is, great, go for it. But I would say combine certifications in a unique way. You don't want to have too many from too many different cert bodies. I think that will be overtaxing for you to keep up with credits over time. But I think it may be smart to combine certain technical cybersecurity-related certifications with other non-cyber-related certifications. And I would just kind of say as an example, like if you want to go for your CISM or CISB or Sec+, combine it with a PMP or some other project management certification. This rounds you out in a different way that differentiates you from the market.

Heather Monthie: Yeah, I would love to add to that. So I think that when I think about certifications, I like to talk about them in this sense that I do think that they serve a value. If you think back -- I come from academia. I spent over 20 years in education. And if you think back, think -- like, let's go back way back to the 1900s. There really weren't degrees in cybersecurity, IT. I mean, there were a few, but not many. For example, you know, my degree is in computer science. People that, you know, even 70s and 80s, they got degrees in something like data processing, something like this. So the certification industry really started as this way to show that people that have some of these technical skills -- it was really a way to show employers that you had a specific skillset that wasn't necessarily showed through whatever degree you had. So that's where we saw the birth of, you know, some of these project management certifications, IT certifications, et cetera. And then you've got the vendor-specific certifications, which is really a good way for you to show an employer that you know how to use X, Y, and Z's product. That you get it. You know it in and out. You can come in and start working day one. So I think that there's value in showing that you've got certain skill sets. But I think that if you are somebody who doesn't have any sort of technical background, you have -- you know, you don't have a degree in some sort of, you know, technology-related field, you can certainly do what Jeff was talking about, is sort of stacking these certs to really kind of get -- show this sort of well-rounded skillset that you have in IT, in cybersecurity and project management things like that. So I do think that certifications do hold a lot of value. I was a hiring manager for over 16 years. And I've seen plenty of resumes in my time where they've got 27, 30 different certifications. And my question to them is, how are you keeping up with all the CEUs that are required for all those certifications? So you don't want to go overboard with it. But you really want to make sure that you're getting these certifications to really make you more, you know, more valuable to an employer. So I think that they do serve a really good -- they do a good service to the industry. But you want to make sure that you're picking and choosing the ones that are right for you in your career.

Sasha Vanterpool: Yeah, great point. Great point. I think it can be a little tricky as far as there's so many certifying bodies out there, so many different options. So it can be overwhelming. But I do think that there are different ways that you can, you know, find out what makes the most sense based on your previous experience or lack thereof. And then of course, thinking about, you know, where you want to focus and what particular roles that you're interested in and looking to apply for. And so, any other additional thoughts on maybe how certifications can complement the hands-on skills when it comes to cybersecurity, especially for those who don't have as much of the background? You don't want to just have them have all these certifications and just have a list of, "Oh, I can take this exam. And I've gotten this knowledge. But how do I show that I have some hands-on training and experience? Or what do I do to complement the certifications that I have to really make me well-rounded in that way?

Jeff Welgan: I'll just say. I think it's important for candidates who are looking to get hired for positions in the field to demonstrate their skills in a variety of ways. So yeah, certifications will play a role. But you know, when you have the opportunity, say, you get, you land an interview, don't be afraid to show them a DISC assessment if you went through one or an aptitude assessment. Results from something else, a skills-based lab that maybe you went through and show them results there that demonstrate other parts of who you are. Whether that's on the skill side or whether that's on the personality side, I think it's important to kind of give that whole picture. Because sometimes the hiring decision just doesn't come down to, "Yeah, you can do this job." It's can you do this job, and do I want to work with you? Do you contribute to our team? Do you -- are you an added value to our organization? So think about those parts of a, you know, the thought process behind a hiring manager and their decision when you're talking with them.

Heather Monthie: One other thing that I would add to that is really working on building your personal brand. I think, like, we hear about this a lot on the internet and social media right now. It's all about personal branding. But I think that it is valuable for people who are really trying to get noticed in a particular field. So I always would suggest to students, whether you're 18 or you're 55, you know, create a LinkedIn page and start posting on there, start posting, you know, articles that you find that you think are interesting and add your commentary to it. Share some of these things that you're learning. You know, create a blog and start writing about some of the things that you've done in your classes, in your training, in the stuff that you're doing on your own to, you know, help supplement your own learning. You know, creating videos, showing this is what I did. And then when you come to an interview, like Jeff said, you know, I really like his point about, you know, bringing the results from a DISC assessment or some sort of aptitude test. But then also bring some of these things that you've been doing and show an employer saying, you know, "Here's a project that I did," whether it was in school or something that you did on your own, or maybe you volunteered for a nonprofit that's near and dear to your heart. This is a thing that you did. And you can really show that, you know, you're doing sort of the theoretical learning. But you're also doing the hands-on learning as well. So I think that there's an opportunity there for you to -- you know, especially if it's your first job. Oftentimes, it's hard to get that first job to get that hands-on experience. But if you're doing some of these things, you know, outside of an employer, you can use these as sort of artifacts to bring with you to job interviews.

Sasha Vanterpool: Absolutely. I think that's really great advice for new and old practitioners. And I think it kind of really ties in and does a good job concluding kind of all that we touched upon. Because just like you mentioned, kind of building that personal brand, you can do so by utilizing market-driven, you know, skill development, how to identify what niche you want to focus on, and how to strategically take certifications to make sure that they are a qualified candidate trying to enter into the field. So I think that that is really great advice. Any other you know, insights or guidance that Jeff or Heather you would like to provide to our listeners as we wrap up?

Jeff Welgan: I think it should -- just one that I really would like to kind of emphasize, you know. On our first episode, we talked about the importance of employers in the enterprise level, getting what we call cyber talent insights correct, right? And making sure that they really understand what the skills are for the roles that they're hiring because it kind of affects this life cycle of, you know, management, the management life cycle. And then, as we're looking at the individuals here in this discussion, I think I just want to reemphasize that this is why it's important, right? This is why it's really important for those enterprise organizations to do that, right? Because when you're trying to match up a person to an organization if that organization miscommunicates their need or miscommunicates what's expected out of a position, then you're not going to find the right candidate. And on the -- it's the same on the inverse, right? If you were -- I don't want to say misrepresenting. I don't think that's kind of a fair term. But if you're not fully capturing who you are and what you bring to the table for the organization, then it's a potential mismatch. So I think really it's really important to not only know what you want as a company, but really know who you are as a person too and how those two marry up.

Heather Monthie: Yeah, and I would add that if you are somebody coming in new to the industry, that if you see a job that you should apply for it. Send in the resume. Send in the application. There are a lot of job descriptions out there that are, you know, not written the best. And as a result, sometimes what we see, and it's documented in the literature that we see that a lot of people will self-select out of a recruiting process because they'll read a job description, a job posting online -- Indeed LinkedIn doesn't matter. They'll read it and go, "I don't meet all of these requirements." So they self-select out and don't even bother applying for the job. So my message here is, apply for the job. And then on the flip side of that is that I think a lot of employers know that there's some opportunities to improve their recruiting process. And one piece to that is writing well-defined job descriptions that really accurately show what is needed for that particular position. And it's not just a laundry list of 20 different pieces of technology that we hope you have experience with. So, you know, my message here is really just to people who are trying to break into this industry. Keep applying to the jobs. And that the people that are working in this industry and really working hard to bring more people into the industry is to really take a look at your pathways and how you're bringing people in and how you're helping them to accelerate their own careers as well.

Jeff Welgan: Can I just, like, ride on Heather's coattails just for just like two seconds because those are really great points? I agree. Apply to the job. The next thing we need to start working on is on the employer side, though, around the applicant tracking systems or software to circumvent or like override or eliminate the barriers related to some of those automatic checkboxes it's looking for in the resume because you might -- they might be excluding really good candidates just from the application. So, in addition to what Heather said, apply, network as well. Find somebody who knows somebody at the organization you're looking to go to or, you know, work your networking channels to land you the position you want. Because sometimes that'll actually get you around the ATS compliance, you know, box-checking process that happens on the backend before human eyes actually set eyes on your resume. So, definitely use that.

Heather Monthie: Yes. I actually have a friend who -- she's an IT consultant. And she applied for two jobs. She's well more than qualified for. And within 30 seconds, she got an auto decline. So she called me and said, "What can I do to get around this?" And that's exactly the advice I gave her was get on LinkedIn. See if you can find the recruiter. Start doing some networking. Try to find those actual people because she's well more than qualified for those positions and was declined within 30 seconds.

Sasha Vanterpool: So crazy. And I think that, you know, to that point also and mentioned it earlier too, but while you're kind of, you know, browsing on LinkedIn, you know, and not focusing so much on just the job descriptions because we know they kind of stink but making sure that when you're looking for those people to network, really take a look at, you know, their career path and exploring their profile and seeing, you know, what skills, certifications and even what organizations they might be a part of that they have highlighted on their page with the caveat that, you know, there are a lot of cybersecurity professionals who don't put a lot of their information online because of security reasons. So we do get that. But if you can find those to really do some research that way. Because not only does it point you in the right direction on, "Okay, is this somebody I should know or try and get in contact with, or they might know somebody that knows somebody else who can help me get this job," but it helps you understand what path did they take to get to where they are today. And a lot of the times, it's not a traditional path. It's not the traditional, you know, "I got this degree, and then I got this job." It's because they know people because they met somebody. But also, you can kind of get an idea of, "Okay, well, I see they started specializing in this. And it took them here and then trying to just put those points together. So I think that that's also something really important to do and can help you as you build your brand. So I definitely want to encourage all of our listeners to do that. But to also connect with us on LinkedIn as well. And we want to just, you know, thank you all for listening today. And we hope you enjoyed this episode. We want to make sure that you stay tuned for our last one for this three part series for our Cyber Talent Insight special series that we have here. But I wanted to thank you again, Jeff and Heather, for your time and your insight today. And hope everybody has a great rest of your day. [ Music ]

Jeff Welgan: We'd love to know more what you think about this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts, like the CyberWire, are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's "Strategic Workforce Intelligence" optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. We hope you enjoyed this episode. And we'll tune into others in the series. This episode was produced by Liz Stokes, mixing by Elliot Peltzman and Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jen Elben. Our VP is Brandon Carp. Our co-hosts are Dr. Heather Monthie, Dr. Sasha Vanderpool, and I'm Jeff Welgan. Thanks for listening. [ Music ]