Chris Sienko: Welcome to another episode of the Cyber Work with Infosec Podcast, the weekly podcast where we sit down with a different industry thought leader each week to discuss the latest cybersecurity trends and how those trends are affecting the work of infosec professionals, as well as tips for those trying to break in or move up the ladder of the cybersecurity industry.
Today’s episode is a webinar released on April 4th, 2019. It features three presenters: Kathleen Hyde, chair of Cybersecurity Programs at Champlain College Online and a former guest of the podcast; Scott Madsen, CEO of Cingo Systems; and Henry Harrison, CTO of Garrison. During the course of this webinar, our experts will discuss some of the following topics: the effects and ramifications of the cybersecurity skills gap, strategies for finding new cybersecurity workers, and ongoing skill training that will help workers to keep one step ahead of cyber criminals. We also answered some questions from live viewers.
Now, let’s listen to this one-hour episode, How Can Organizations Close the Cyber Skills Gap, featuring Kathleen Hyde, Scott Madsen, Henry Harrison, and moderator Camille DuPuis.
Camille DuPuis: We are excited to begin, and let me take a moment here to introduce the panel of experts that we have with us today. They are excited to talk about the biggest recurring challenge that we hear about at Infosec which, of course, is that growing cybersecurity skills gap. To begin, we have Kathleen Hyde. She is the chair of Cybersecurity Programs at Champlain College Online. Katherine has an MCI… Kathleen, excuse me, has an MCIS and MBA. She oversees the cybersecurity and digital forensics program at Champlain College Online. She has more than two decades of experience in cyber-specific consulting for small to mid-sized businesses and is a graduate of Lyndon State and the University of Phoenix. So happy to have you, Kathleen.
We also have Scott Madsen. Scott is the CEO of Cingo Solutions. Cingo is a managed detection and response cybersecurity provider that has recently become SOC2 certified. Scott leads the organization with an emphasis on strategic process and integration. He’s passionate about technical solutions development, customer user experience, cybersecurity innovation and European automotive history.
Last but not least, we are fortunate to have Henry Harrison, and he is the CTO and co-founder at Garrison, which is a technology startup focused on transforming cyber defenses. As a 25-year veteran of the technology and communications industry, Henry has focused on cybersecurity since the mid-2000s, when he started as part of his work for the national security customers at Detica. Following Detica’s acquisition by BAE Systems in late 2008, Henry became BAE’s technical director for cybersecurity as the company built its market presence for cyber monitoring and incident response services.
Incredible group to have with us today. We’ve got lots of awesome perspectives and just a great mix of people. We’ll go ahead and get this presentation started. Thank you again all for joining us today. With that, I’m going to just set the stage of what we’re going to be talking about. A lot of us have seen these different skills gap figures and that kind of thing, but let’s look at some of these stats real quick. There have been a lot of studies and reports on the skills gap, but here, we’re looking at one of the most recent by (ISC)² in their cybersecurity workforce study.
One of the points that they found was the shortage of cybersecurity professionals has grown to nearly three million globally with almost half a million openings here in North America. Looking at that, 63% of those surveyed reported a shortage of dedicated cybersecurity staff, and nearly 60% said that the shortage put their organization at moderate or extreme risk of cyber attack just not having those folks that they need.
Then, lastly here, the lack of skilled cybersecurity professionals is now the top job concern for those surveyed, outranking the previous concerns such as lack of budget, time, and work-life balance. Definitely something that needs to be addressed, and we need to figure out how to solve this issue. With that, we will go ahead and start hearing from our panelists on their perspectives here. The first question we’re going to pose is: has the cybersecurity skills gap ever affected you or your job duties? Let’s talk about personal experiences here.
Scott, I know part of what you do is kind of cybersecurity analysis. What have you seen regarding the shortage there?
Scott Madsen: Well, first off, I wanted to say thanks to Infosec for putting this on. It’s a very important topic of discussion that we need to be discussing more, especially reaching a broader audience, people who are working outside of IT, who are outside of the cybersecurity network. I think it’s a great topic and also grateful to talk to the panelists or fellow panelists, Henry and Kathleen. I think it’s going to be a great discussion.
For me, our company, we employ people all the way from just a regular client customer support representative who just works in IT all the way up to software engineers who are constantly adapting and trying to innovate new product for us to guarantee or give our clients a greater guarantee of safety and security when out on the web. For me, it has always been difficult to locate qualified people. I think that we’ve taken a tack where we look for people who are curious people, who enjoy working in IT where there’s a passion there, people who enjoy problems and puzzles and trying to learn how to solve them. That’s usually what we look for. Then, we bring them in again on the client support side and watch for people who stand out amongst the crowd. We try to promote really heavily from within.
Every once in a while, we get an applicant who’s just really well-heeled, has a good history in it. We love when that happens. We love to see how they integrate. But, historically, I think for any company like ours, the problem to have is trying to find qualified people who have had some sort of history in the industry.
Kathleen Hyde: I know for me, I started off in IT. There was this natural transformation of going from information technology to information security. It was basically market driven in the companies that I was working for. Today though, where I see it, and basically where it’s really affecting my job duties, is that I’m working in my role as the chair of Cybersecurity and Digital Forensics Programs with companies that are looking for talent. They’re coming to me, and they’re saying, “My goodness, we don’t have people who have X, Y and Z skills. What can you do to facilitate them being able to learn these skills and know them and be successful applicants?” It’s almost on a daily basis where I’m having to look at my programs and see where do we fit in the market, but also what is the market telling us that they need?
I can tell you after talking to numerous different employers that what we’re seeing for these numbers for the skills gap, it is probably right on target. If not, it’s going to be worse than what we’re predicting.
Henry Harrison: From my perspective, I’d point out that, obviously, the cybersecurity skills gap rather tends to change its perspective as you get older. I’m not quite as young as I was 25 years ago. The skills gap was fantastic because it meant I could get great jobs, and I could build a great career. Now, towards the other end of my career, I’m focusing on building companies. My job is trying to find people to build my team, and the cybersecurity skills gap looks rather different from the other side of things. That’s just the nature of any industry that relies on skilled people. It’s an opportunity for some. It’s a challenge for others.
Camille: Sure. I think we can all agree that whether or not the numbers are exact on the people that we need in their roles, every organization is facing some sort of difficulty from this. With that, I know you touched on just briefly right before, some of you had said what the differences are when you first started in the industry.
Transitioning to that, how has the skills gap evolved throughout your careers? Technology has dramatically changed in the past 10, 15, even the past couple of years. So I’m wondering if you have any ideas on where that true gap is. Is the shortage everywhere, or are there certain job areas and job skills where the gap is a gulf and others where it’s small or non-existent? Henry, you just touched on the involvement throughout your career. Maybe you want to start out there.
Henry: As you say, there are skills gaps throughout technology, and technology constantly changes. But one of the things, I think, we’ve all seen, and that is very close to Scott’s heart given what he does for a living, is that about 10 years ago, I was starting to build a monitoring and incident response business in a market where that almost didn’t exist really. I would go to see people and go to see senior executives, potential customers. They’d go, “Cybersecurity. Yeah. I think there’s a guy called Bob in IT somewhere who deals with that.” We were building a monitoring capability. That was just not something people had done really. We were … brand new people.
Now, every organization I talk to is [inaudible 00:10:29] is building their security operations center, or they’ve contracted the security operations. Somehow, we’ve just seen this huge explosion in demand for folks who are in the kind of analyst, incident response people, other people involved not only in security operations, from essentially almost zero 10 years ago.
It’s no big surprise that there’s a massive skills gap, but I think that the perspective that that also brings is that skills gaps change, and although that’s where today’s skills gap is, I wouldn’t necessarily assume that, in another 10 years, that’s going to be where all the demand is, because people change what they’re looking for and they change their security strategies. They change their priorities, but we do have a very… I certainly see that being a constant theme for folks: how do we get good security analysts and operations people.
Scott: Right. I absolutely agree with that. I think the difficult thing about cybersecurity, in particular, is its lifecycle. That’s similar throughout all technology. You’re going to have a lifecycle for technology where, in software development, there’s always the new language that’s the best and the greatest. It’s going to revolutionize the world, and it does for about seven or eight years. Then, another language comes along that’s more efficient, more effective. It’s easier to learn. It’s easier to deploy.
I think of all the IT industries out there, cybersecurity has the fastest life cycle because the threats are consistently changing. I think that it takes a very skilled and dedicated personality type to deal with that. I think that if you’re working on a project that is a deterrent or whether it’s a proactive security measure, if it’s a deterrent or something like that, if you’re working on that for six or seven months and you deploy it and the next week, all of a sudden, it doesn’t matter, the threat has adapted, and it’s different, you can’t get discouraged in this industry. You have to be able to really take things on the chin and continue to develop.
I think that how it’s evolved is that I think life cycles get shorter the better technology gets. I think that people who work in the industry have to have, like I say, a genuine curiosity every day to go into work and to do this type of work. They have to have a tough chin, I guess. You have to be able to take it on the chin and let your work that is meaningful to you sometimes mean nothing because you’re behind the curve, and you got to get ahead of the curve. I think, psychologically, that can be tough on folks, but I also think that making sure that you have that genuine interest in cybersecurity that you enjoy solving puzzles, that you enjoy being at the leading edge of your industry. I think that if that’s the personality type, you’ll do well here.
Kathleen: I also think it’s important to note that there’s a big push towards automation and that when you start talking about the cybersecurity skills gap, a lot of people will say, “We’ll just automate everything, and that will solve the problem.” What I’m hearing and what I’m seeing from my partners is that that’s not going to solve the problem. In fact, it’s meaning that they need more and better skilled and more qualified applicants. That goes along with what you’re saying is that it constantly changes. What we had yesterday and what the needs were yesterday are certainly not going to be the needs for tomorrow.
When we start looking at artificial intelligence and automation, I think that we need to keep in mind that, yes, that’s going to help us with our overall cybersecurity posture, but that doesn’t mean that we’re not going to need human assets and resources.
Scott: I absolutely agree, and I think that that’s something, Kathleen, that is so interesting about the work you’re doing, is that, typically, I mean the people that we get here, the applicants that we get, if they have an IT degree or if they have some sort of college certificate or some backing, it doesn’t really mean that they’ve got what they think they’ve got as far as actual application. I think that doing work specifically in an environment to help these prospects get to a place where they are trained, they are capable, they are up-to-date on the threat, and they are ready to deploy into the marketplace, I think that can be a tremendous aid to both mine and Henry’s style of business.
Henry: I do think that this fact, this demand for this particular type of cybersecurity analyst kind of operations person has exploded so much in the last 10 years, and the fact that, as Scott said, it changes so fast, and people are building protections or defenses that have been obsolete a few months later, makes you think, “But is this actually a sustainable model to go forward?” The cybersecurity threat’s not going away, and the attacker also has access to automation and artificial intelligence and so on. Is this actually really a sustainable way to keep going? We can’t end up turning every human being on the planet into a cyber analyst because somebody’s going to do the rest of the job.
Scott: I probably agree. Well, I think with the way that it’s developed since the early 90s, I think that you get to where you’re maxed out on current technology where you can’t see past. There’s always a revolutionary guy that comes along that breaks down all the barriers that everybody’s got in their mind. Then, it opens up a whole new decade of innovation. I think that for where we are, I think that companies are doing their best to stay ahead of it. I think that with the type of work, it seems like the Garrison’s doing and also that Cingo does is that, yeah, sure, you deal with the day-to-day.
You deal with what we’re facing, but I think that if any company like ours or any company that’s in cybersecurity isn’t looking forward for a total solution, something that’s going to be completely outside of the framework of a detection and response or a “until something happens before we can take any action,” or with the analyst building statistical data so we can understand the way the threats are coming and try to forecast, I think that everybody in the industry that’s going to matter is right now investing really heavily in new technology that’s going to be more of a global solution rather than just looking at taking a client as piece rate and saying, “Okay. We’re going to find a solution and make it work for this guy.”
It’s a good defense, but again, it’s not that proactive solution that’s going to fundamentally shift the industry.
Henry: Yeah. My perspective is that the pendulum swung very, very heavily in the last 10 years towards monitoring and response, detect and respond. Well, 10 years ago, that just didn’t exist at all. You had to go talk to people about security. It was like, “Well, I’ve got a firewall.” It’s inevitably going to swing back again, and people are beginning now to ask, “Okay. Hang on a moment. How do I actually protect myself better in the first place?” because that’s the only way you can deal with the kind of absolute runaway demand for, as I say, turning every human being on the planet into a cyber analyst.
Scott: Yeah. That’s right. Yeah. Go ahead. Sorry.
Kathleen: I was going to say on the employee side of things or the applicant side of things, employers are looking for people who don’t just have the degrees. They absolutely want them to have experience because they want you to hit the ground running, and that’s because of the way that we need to be protecting and dealing with the threats that are out there. It’s not enough right now to just have a degree. You have to have experience with that.
When you look at those job postings, that’s also where we’ve got a gap because you have people who maybe have the degree, they’ve got some experience, but they don’t have the experience that is necessary. That’s also part of that whole cybersecurity skills gap that we’ve got going on.
Scott: Yup. I agree.
Henry: Like the ads that say, “Yeah, I want somebody with 10 years of cloud DevOps.”
Henry: Good luck.
Kathleen: So does everybody else.
Camille: Certainly. That transitions well into the next question that we’re going to pose is what are these practical solutions that we’re looking for and, specifically, how can organizations better assess their cybersecurity skill gaps and find candidates to fill those roles? I think my thought there is it often gets brought up that a counterpoint is that there’s actually a training gap whereas, as you all were just mentioning, people want so and so many years of experience in this and five years in this and 10 years in this and practical experience and that, and that kind of thing. Kathleen, I know that’s something that you monitor heavily of what the trends are of what they’re looking for and what an organization would be looking for. Maybe, you could start out there.
Kathleen: Well, I do monitor that pretty heavily because that dictates basically the strategic vision that we have for the programs at Champlain College. I’m monitoring those job position openings and then speaking with the employers. One of the things that I find is that there’s this tendency for HR departments, and nothing against HR, but they’re supposed to be sourcing the challenge. So, they go out and they say, “Well, we need this particular position.” They look for other positions. They see that they need 10 years of experience. We can’t keep replicating those ads.
What ends up happening is that we end up with an ad that really isn’t indicative of what we need the person to have for the skills that are actually required to do the position. That’s one area where organizations can do a better job matching what their needs are to the talent that’s available and having more successful applicants.
What we’ve also seen is that there’s a difference between an organization saying, “We are going to embed and create a cybersecurity culture within the organization,” versus an organization that says… our business that says, “We need to hire for this IT or IS or cybersecurity division that we have that will be overseeing our efforts to secure data and our assets.” There’s really a difference there. I think from what I’ve seen, the organizations that are looking for that baseline cybersecurity position, where they want to have everybody in the organization have some level of understanding of cybersecurity concepts, how that interfaces with everything that is done on a daily basis for the organization’s goal.
They tend to do better in their assessments for cybersecurity and then finding candidates. That’s because when they’re doing those trainings and the assessments internally whether it’s through phishing campaigns, something like that, to assess what skills the talent already has, their existing employees, they’re basically assessing that. They have an idea of who knows what. Sometimes, that sparks interest. You end up having applicants from within that you can then promote and add training to.
One of the ways that they assess it really is by doing phishing campaigns and testing their employees. That’s how they do the assessments. I don’t think that there’s any one way to do it right. I think it’s based on the organization’s needs, but I find that the organizations that do that basic assessment and are creating that culture are the ones that handle and manage this much better than the ones that don’t.
Henry: I always tend to focus for this question of training that, Camille, you raised on trainability. When I’ve been building technology organizations, I’ve always tried to work on the basis that you hire great people, and great people like learning stuff. They can pick up new things and take on new tasks.
I remember early in my career, I had a placement in an electronics manufacturer’s quality assurance department. There was a guy I was working with who worked on the line inspecting goods in, and I said, “I love learning the new stuff. I’m learning.” He’s, “Oh no. God, I’ve done enough of learning. I don’t learn anything more. I’m done with that.” Realistically, if that’s the people that you’ve got, you’ve got yourself in trouble because this stuff doesn’t stand still.
Conversely, if you’ve got great people, then rather than trying to create the kind of job specification for a unicorn that doesn’t exist, let’s instead look around the people that we’ve got and say, “Well, you know what? I reckon that Jane could take that job on, or I reckon Bob could take that job on,” and give them opportunities. In my experience, that’s always worked out really, really well. By and large, if you’ve got the right people, they embrace those opportunities, and they do a fantastic job for you.
Scott: Yeah. I think to add to that, one thing that we’ve seen with most of our clientele is this kind of anemic response towards cybersecurity from executives. I think that’s the hardest sell. There’s a cybersecurity analytic. Well, it’s a survey that comes out every year. It’s called the Net Diligence Survey. It’s put on by a company called RSM. In the back of it, they have a statistic. They build this off of actuarial data. It’s actually stuff that insurance companies have paid out on, but they say the cybersecurity special report revealed that 97% of executives are moderately to very confident in their organization’s ability to save our data and, yet, there’s been a 160% increase in breaches in mid-sized businesses. That’s –
That’s really, I think, the most dangerous part of this whole thing, is that people don’t know what they don’t know. When they say, “Yeah, I’m done learning,” and that happens a lot, and the worst part is that you can have that attitude towards internal IT. I think a lot of people will just be used to fixing printers and making sure the network’s up and running and making sure that people’s emails are functional, but they forget there’s an absolutely completely complementary skill set that’s totally unaddressed. I think that-
Henry: Those are the things that could be different. I couldn’t agree with you more. I was nodding my head seriously as you said that. The number of people, not in cybersecurity specifically, but in internal IT, who assume, “Well, this is the way IT is.” That’s just the way it is. It’s not true. It’s not the way it is. It’s going to be different in 10 years’ time.
Scott: Exactly. We do work for attorneys and just anybody that handles any kind of private data. I was speaking to an attorney a while ago. They were talking to me about, like, “I wonder if Bob who sits in IT, the CTO or the CIO in these companies, who is mostly just worried about keeping emails and keeping things up.” They said, “I wonder if he understands the lightning rod that he is in case that company experiences a breach.”
I think that helping companies to understand that and to say, “Look, these people who have worked in IT, if they’ve been there for 30 years and they haven’t had continuing education, they are drastically underprepared for the threat that they deal with on a daily basis.” I think that it’s a great opportunity for younger guys who are wanting to come in and actually add the cybersecurity element, because you have to have the internal IT. It’s just a part of the deal. You’ve got to keep the business running. But you also have to have people looking at the horizon, making sure that the area and the direction that you’re traveling in is one that’s going to keep the ship safe.
Part of the most important work that I think we can do, as people in the industry and also as educators, is help convince these executives of tomorrow that they’re not safe. It’s not just because they have some Norton AntiVirus on the computers that somehow that’s the magic thing that’s going to create an unlimited amount of future security. I think that as we work towards that, and especially with hiring younger kids and getting the next generation of workers in place and educated, we can help impart to them the importance of this so that they can go in and help shift the culture of the companies they start working for.
Kathleen: I think it’s also very important too that we have to realize that there’s a place for people who are coming into cybersecurity, but they may not have all the skills, but they have soft skills that are outstanding. Those can go a long way. If you’ve got somebody who can communicate well, both with the end users and the C-suite but they can also problem-solve, that is fantastic. If you can find somebody who can problem solve, you can typically train that person very quickly to come in to cybersecurity and start handling tasks.
Scott: I agree. I think that if they have the right personality and the right demeanor, I think that sometimes, something that you end up with are people who just don’t have a good ethic toward learning. They want to come in and be right and be in charge at the beginning. I think that this is such a nuanced industry to work in that being… I mean if you’re not willing to look at a team and team success and work in that kind of a format, I don’t think you’re going to have the success that you could have in other areas because certain personality types are driven toward the lone wolf and doing well there.
But with here, I mean, everybody watches each other’s back. You really have to be willing to integrate and learn from each other. I think that if you do so, definitely, the soft skills and the curiosity, the ability to learn, I think the sky’s the limit for anybody who has those three skills together.
Henry: With soft skills, I think this was a big deal when you go back again 10 years ago. This was a really big deal because you had some technical guys, and you had people at the top of the organizations starting to get worried about cybersecurity, and the two couldn’t communicate with each other at all. We’ve seen a huge premium on soft skills. We’ve seen the introduction of the CTO role which demands soft skills because they need to go talk to the board, but there’s a risk that you just push the problem down because the soft skills need to work in both directions. It’s no good as a CISO, for example, just having the soft skills to talk to your board.
If you don’t have the soft skills to talk to the technical guys-
Scott: That’s right.
Henry: … and all you’ve done then is recreate the problem that existed before, but just put it in a different place in the hierarchy of the organization, and, of course, that’s a really hard problem for an organization to solve because, necessarily, boards are going to be choosing as their CISOs the guys with the good soft skills. How do they verify they’ve got the guy who can actually talk to the guys who really understand the technological issues, the threats and potential solutions?
I think there’s some combination of soft and hard there, but there’s the magic combination you need to be looking for.
Scott: Yeah. I agree.
Kathleen: I agree.
Camille: Now, before we move on to the next question, I’ll just pose: are there any other tools or techniques that can be used that you’ve heard of in the new hiring process to find the right candidates, or new tools or services to maximize that existing employee effectiveness? I know the panel had briefly touched on finding people with those soft skills or finding people with those other skills. I think, from my own perspective, one thing that organizations could do is not automatically disqualify someone because they don’t meet every single requirement out of 15. But if they meet 13 out of those, I think organizations should be willing to take some of those and be willing to train that person or train those existing employees. Feel free to disagree with me if you have a different thought there. But I think that would be a useful way to fill that gap more closely.
Kathleen: No. I think that the organizations actually are doing that. There’s a lot of talk about upskilling and reskilling. I know some of the partners that we work with, that was what they were doing early on, say, three, four, or five years ago. Now, they’re actually coming to us. They’re saying, “Okay. Who graduated? Where can we put them within the organization?” It’s not merely enough to just come and get additional training, additional degree, certificates, whatever. We have to have those employers now come full circle and utilize that intelligence to place people in the openings that are available internally. I think we are seeing that.
The other thing is you mentioned that employers need to look at applicants who don’t meet all the criteria. I think, also, applicants need to look at that the other way around. If they don’t meet all the criteria, it doesn’t mean that they shouldn’t apply for the position. What they should do is apply for the position. Then, if they’re not selected, they should ask, “What else would have made me a better candidate?” That’s putting them in the driver’s seat so that if they do want to come into cybersecurity, or if they’re in information technology and are moving into cybersecurity, they’re going to find out what the employer wants so that they can tailor what they need to do.
Henry: I think when you’ve got a skills gap as you have, it’s really important to remember that the job market works both ways. It’s not just about employers deciding whether they want this applicant or not. It’s also about the applicant deciding whether they want this employer or not. If you think about what you need here, as I said earlier, you’ve got a constantly changing field. You need to hire people who are trainable, who are interested in learning new stuff, who are fundamentally curious.
Well, they would choose you based on whether you’re going to give them interesting work or not. There’s no point to saying, “Well, I want to go out and get these really great people that are going to be endlessly curious and endlessly motivated and interested,” and then giving them really, really boring work because they’re not going to choose you.
Scott: Yeah. I think that’s a really well taken point. I think that, sometimes, the field gets tipped a little toward the employer having all of the say and all of the control, but I mean we really don’t. When you mentioned if you have an applicant who has 13 out of 15, the only thing I have to say to that is you find me that headhunter who’s getting 13 out of 15 on a regular basis because that would be…
But I think that what you end up with is finding people who are capable and who again have that ethic to work. I think that, for us, and like I said, I’m not familiar and that’s what’s so exciting about Champlain and what they’re doing in Kathleen’s work is because I don’t think that there’s a college that’s gotten out in front of this and actually said, “We’re going to produce high level, high-skilled, out-of-the-box cybersecurity specific capable people.” I think most of the people that we hire out of college, if they’re young and just out of college, typically, we’ve got a year or two of them doing mundane work to see if they have any interest in actually doing this.
Again, they get out of college with some great vocational skills and some soft skills. They interview well. They seem very interested, but then, when you get them in the seat, they just want to punch the clock. It’s a 9:00 to 5:00 and then, they’re done. I think that in this industry, they won’t survive. We, as employers, we can’t hire people who are just here to punch the clock and take the payroll and then go home. We want people who are going to be obsessed with it, for whom it’s going to become a life’s work. I think Henry is a good example of that because he can give you … and verse for 10 years about the development and how he’s been on the forefront trying to build the state-of-the-art technologies.
That’s not a guy who’s tired of it or gets bored with it. That’s a good example. I think that if you are a person looking for a job and looking to join this industry, if you don’t see yourself doing that, if you don’t see yourself taking risks and eventually looking at starting your own firm or pushing the limits to the edge of what you’re comfortable with than what you know, then really, again, it’s just not a great place for you. I think an internal IT job, I think that even a DevOps job or a full-time engineer, those could be really, really good fits for you.
But if you don’t have that interest in hitting the boards after work every night, trying to see what threats are coming and how you can deal with it, I don’t see it being a long-term successful endeavor for you.
Henry: Don’t forget, it’s never mentioned on these things, but you’ve got to pay right. Good people, you got to pay them well. I think it’s always the case whenever anyone talks about the skills gap that actually some of that is about a pay gap, as in people want… They want skills in a particular group of people, but they’re not prepared to pay for it. The reality is you better face up to the fact that actually you got to pay more if you’re going to get better people. That means your business plan gets called into question because your business plan says, “I’m going to hire this many people at this salary.”
Well, actually, if you can’t get those people at that salary, it means you’re going to have to think about what people you do need. That means, well, actually maybe I can’t execute the strategy I was going to execute which comes back to my point about saying, “Well, actually, maybe the right answer here is not to build quite such a large monitoring capability.” It’s investing more money around protecting ourselves so that there is less demand on the cyber operations side of things.
Then, I can start that with a smaller number of good people rather than trying to pursue this idea where I can hire tons of people at a salary where, realistically, I’m not going to get them in the market.
Scott: Yup. Right. I couldn’t agree more.
Camille: I think that that transitions well into the next question here, career opportunity. On the flip side of what those organizations are looking for, what should individuals in this industry be doing to take advantage of the cybersecurity skills gap? There’s some huge advantages to being a qualified person in a gap this large, whether the pay they may expect would be some very nice pay most likely and that kind of thing. It’s a big opportunity for those people, but what should they be doing to take advantage of this demand? Kathleen, maybe we’ll start with you on this one.
Kathleen: Well, I think the first thing is they basically need to look at whether cyber is something that interests them. Well, once they’re over that hurdle and they’ve made that decision that they’re interested in cybersecurity, or they’re interested in, if they’re younger, going into cybersecurity, or, if they’re older, they want a career change into cybersecurity. Really, it first comes with you need to educate yourself about what cybersecurity is, what the different positions are that are available in cybersecurity, whether or not you’re going to be an operations person or you’re going to be a policy person. You need to become familiar with the domains of cybersecurity.
Once you’ve done that, you’ve gotten over that hurdle, and you said, “This looks like a field for me. This is where I want to go,” you’re not just looking at those dollar signs as opportunity, but you’re looking at it as a larger picture, then, what you need to do is you need to say, “What skills do I have? Okay. I’ve got really good soft skills, but I don’t have the technical skill. How am I going to get those technical skills?” You’ve got basically two options. You’ve got training, and you’ve got the academic side of the house.
Either way, whichever one you choose, whether it’s training or academics, one thing that you’re going to want to look for is whether or not you’re going to get hands-on experience. Are you going to be learning the tools and using the tools that you’re going to be using in the field? Now, that doesn’t mean that you learn those tools, and you don’t gain an understanding of how things work behind the scenes. You have to understand basic information technology concepts and how networks work and the different devices that are being utilized and software development for you to be successful.
You don’t want to go just with the hands-on. You really need to get a much broader education. I think that that’s really where it starts: you have to decide you want to do it. You have to figure out what skills you have, what strengths you have, what weaknesses you have. Then, you need to look for a program, whether it’s training or maybe your employer offers training. Maybe they’re offering training, and I’ve seen this before, that some of the partners we work with, they offer training. They offer tuition reimbursement for their employees who are willing to go get a degree in cybersecurity because they know that if they do that, it’s going to make the organization stronger.
You’re going to have people who are more cognizant of what the real threats are. They’re going to do things to protect the organization. You’re creating that cybersecurity culture which is more of the prevention that we’ve been discussing. Take advantage of those tuition reimbursements if you have them. Take advantage of trainings that are offered by your employer. Then, once you have that and you start building your skills, then, you can look at making an application and making that shift into a dedicated cyber position.
One thing that I want to mention is that a lot of people associate this industry with being male-dominated. There certainly is a place, and I would strongly want to encourage women and minorities who are thinking about joining the exciting field of cybersecurity and getting a position in it that they look at it as opportunity for them to really take on a new role and be quite successful in the field.
Henry: One thing I couldn’t agree with more from Kathleen’s perspective is the fact that just knowing a set of tools is not good enough in this industry. You need to actually understand the technology. We see too many people. This is maybe a very unique… I’m based on the other side of the Atlantic. I’m in London in the UK, right in the middle of the political turmoil that the country is facing right now.
What we see quite frequently is people coming out of ostensibly very good university courses in computer science who know some tools, but still don’t actually understand how a computer works or how a network works. That’s profoundly depressing when you find that. What I would say to individuals is be careful about the courses that you take and try and discriminate between things that are actually just training in some tools, which have their place but are not a university course, and university courses that are actually giving you some really good foundational understanding that you’ll be able to exploit throughout your career.
Scott: I agree. I think something comes to mind. There’s an old saying, and I don’t know the attribution. Please, if anybody knows it, please give it, but there’s an old saying of romance, precision, and generalization. What it means is romance gets you into a concept, gets you into an idea because you fall in love with this idea of what it could be. Then, when you have enough romance, that pushes you into precision because then you have to learn how to adapt and how to reasonably fulfill. It’s like apprentice, journeyman, master. Then, when you emerge from the precision, you have generalization, where you know enough of the basics, and you understand very well that you can start to really go out and innovate and change the framework of the industry if you have that skill set.
But I think that that’s an important thing for us to remember is that when people come into this, as far as what skills we look for, we just want people who are willing to work hard and have a good attitude. We put them in. We’ll bring them in again into a low-level position in customer service. If they excel, we want to continue to reward the excellence. I think that creating a culture inside the company of not just rewarding people who necessarily have the right CE credits or things like that, but people who are willing to do the work, who love the work and who are involved and invested and want to get through that precision and get to generalization, that’s really what we look for. I think that if you have the passion, if you have the willingness, the stick-to-itiveness, then I think there’s a great future for you in the industry no matter who your employer is.
Camille: Certainly. Some really good insight there. Just, what do people need to look at to help with this gap? Finishing off here, this would be one of our last questions before moving on to the question and answer session, holistic view. This long-term look at the skills gap, how can we grow this pool of talent that we need as far as cybersecurity professionals to help close the skills gap? I know one thing we’re doing here at Infosec is encouraging people to look at our scholarship program, and that’s aimed at building a diverse workforce, getting more people involved in the industry.
Then, one other question I’ll pose is how do we encourage more people to enter the field and how do we encourage organizations to look at those non-traditional candidates as a potential solution? So, curious to hear some thoughts there.
Kathleen: I know that, for me, one of the things that I’ve been doing especially over the last, I would say, six to eight months is really encouraging women to come into the industry. That’s something that, as a woman, I started a long time ago in IT. Then, I moved into cybersecurity. It never really occurred to me to offer the opportunity to other women until I went to a conference last year, and somebody said, “If you’re a woman and you’re moving up in cybersecurity, you almost have a duty to offer that opportunity to other women and encourage them to join you.”
It just didn’t occur to me to do that. That’s one of the things that I’m doing: every time I’m out and I’m speaking, every time that I am on a presentation, I’m encouraging women because we need more women. Only about 11 to 13% of the cybersecurity workforce is comprised of women. That’s a huge opportunity for women to come in and help fill that skills gap because a lot of them have the technical skills. A lot of them have the soft skills, but maybe they haven’t thought about having a career in it.
By offering that opportunity, sharing what I have done in the field with them, and encouraging them to step out of their comfort zone and then come into cybersecurity is something that I’m doing. I think that if we can have more women and minorities involved in wanting to come into the field, I think that we can have them assist us in filling that gap.
Henry: I’d say two things. One is if you’re willing to be open-minded about the people that you might hire on the basis that they’re going to be good people who will want to learn new skills and so on, watch out for the recruitment supply chain because you might want that, but if you’re using agencies or HR partners in that process, they will often fall back on what they’re used to, and they won’t put in front of you the candidates that you might be looking for. We’ve seen that here in our business with people, for example, returning after a career break or other unusual profiles where agencies start from the position that, well, you’re bound to be unemployable, which is nonsense, and you need to watch out for that.
But the other thing I’d say with regard to long-term solutions is we sometimes get caught up in discussions about policy. How at a national or international level should we be planning for this in the long term? One of the things I often caution with that is watch out for assumptions about long-term planning, because don’t assume that even in five years’ time, what we’re looking for is going to be the same as what we’re looking for today.
If we put massive amounts of effort into teaching every high school student that they want to be a stock analyst and then they come out and find, “Actually, you know what? That’s not where the industry’s moved to. We’re particularly looking for different skills right now.” Let’s try and make sure we focus on giving people the underlying understanding and knowledge that can be turned to a wide range of things because there are things that I learned when I was 12 about how computers work that I still use today. Then, there are things that I learned very recently about some specific tool that are already obsolete.
Scott: Yeah. I think that’s a really great point. I think that the boom-and-bust cycle of technology can be a very dangerous one if we’re talking about long term. If we look back to the late 90s, at least in the US, we had a dot-com boom, and everybody that I knew was going back to college to get a four-year degree in IT. By the time they got out, the dot-com bust had happened, and every one of them was going back to their old jobs that they were at before. I don’t think cybersecurity is going away, but I think the adaptability, and just thinking that you’re going to learn a skill in a four-year degree or even a master’s program that’s going to be applicable endlessly, is, I think, a mistake.
I think that as long as people continue to be adaptive, I think that’s the only really skillset you can say is going to add value long term is the ability to adapt.
Henry: And that’s how we should be selling people on getting into this industry: you get into this industry because it’s going to be endlessly interesting. You’re going to be constantly learning new things. That’s the sort of people we want. This is the industry for you if that’s what you want, rather than saying, “Hey. Yeah. The right answer is we’re going to train you on this tool and this tool and this tool.” Now, when you’re looking for a job and stuff, it cannot look like that because you do get these long lists of 15 points that you must have this and this and this and this. But the reality is that the people hiring off really going to get that. That’s just today’s list. Tomorrow’s list is going to be different.
Scott: Yup. I agree.
Camille: Well, for time’s sake here, we’ll move on so that we can get to the question and answer session, but again, wanted to thank our panelists for all these insights here. As noted, we’ll be starting that Q&A portion in just a moment. If you’ve got any lingering questions, feel free to submit those, and we’ll get to just as many as we can.
But a reminder here, after the presentation, you’ll receive a copy of our new report, The 2019 Cybersecurity Insider or Cybersecurity Industry Report, Three Steps Employers Can Take To Close The Skills Gap. This report is based on a survey of nearly 800 information security professionals. We found some surprising results around the lack of confidence and career direction. Plus, we’ll outline a few ways that employers can empower their employees to create a culture that helps to close the skills gap.
Then, lastly here before we start the Q&A portion, wanted to mention again our scholarship program that’ll be opening any day now. That is aimed at bringing more women, diversity, more military members, as well as undergraduates into the field. Keep that link handy, and check that out. That will be opening very shortly. With that, let’s go ahead and move on to the question and answer here with our panelists.
Let’s start with a question that came through in the chat here about the skills gap causing stressed-out employees and a poor work-life balance. How do you address that situation so that we don’t lose the employees we do have in the field?
Scott: Well, I think at least for us, company culture is probably the most important part of what we do. It’s the thing we stress the most. It’s the thing that we build the most value behind in a prospective hire. We try not to upset the environment that we’ve got. I mean, we’re outside Las Vegas currently, but I mean, we hire out of San Francisco. We pay a similar wage to Silicon Valley, which is difficult to do when you’re not in Silicon Valley, but trying to create an environment. You have to understand these people are going to be working under stress.
You have to understand that it’s a never-ending stress. It’s a psychological taxation rather than just a physical one. I think that understanding how to give time off, understanding how to keep the lines of communication open when somebody gets burned out, they need to be able to communicate that with their management. You shouldn’t just keep saying, “Well, tough. It’s during work hours. Go deal with it.”
I think another thing is trying to provide other ways for them to break away from the mental exercise that it is. A big thing we do here is we encourage people to play video games, Call of Duty specifically, because it ends up you work as a team. You have these experiences. You have to deal with puzzles and different things. It familiarizes the team with each other, but it also gets your brain off of that constant thought process. I think that we forget sometimes that our minds are like muscles. The more they’re strained in one specific exercise, the more damage you can do.
It doesn’t just build the muscle. It actually can do damage long-term. Trying to understand the mental side of this and to persevere inside of it and trying to help the employees understand that there are ways to deal with it and that if they end up getting too fatigued or getting burned out that they need to discuss it with their management, but I think that if you’re going into a company and you’re going to get hired somewhere, I would make sure that they don’t run it.
There’s a term here in the US. They call it a dead shot basically. It’s like you’re taking on these really difficult development projects and your timeframe is nil. It’s basically like the Pony Express. You just whip the horse until it’s dead, and then you jump on another horse. That’s not conducive for anything long-term. I think that if you’re going and interviewing at these companies, make sure the company culture is something that has a lot of openness and transparency with the employees.
Make sure the middle management isn’t just going to shut you down and tell you to shut up and work harder. I think that is a legitimate gripe. It’s a legitimate concern for anybody who employs people who do this type of work and should be taken extraordinarily seriously.
Henry: I would say, and I say this quietly because I’m an employer, but if you’re an employee and you’re seeing that, the thing is, remember this discussion about the skills gap. I mean you’ve got power in the market. Go find another job.
Kathleen: Employers and employees, they need to realize that because this is challenging and because we do what we do because we love it, but there also has to be a level of flexibility so that the employee and the employer create that work-life balance, if that’s even possible.
I work all the time, but that’s what I love. I think there has to be on that side of it. The employer has to realize that there are going to be employees who love to work. That’s what they do best. There are going to be employees who it’s very, very important to be doing something with their children or doing stuff with their family or going out and hiking. You need to allow them that time and space so that they can be more productive employees when they come back. It has to be flexibility.
Camille: Another question here is someone is talking here about they have some different experience, like in engineering, but every time they want to move into cybersecurity, they are offered a role that is like lower than their current grade. We want these people to move into cybersecurity from these different technical roles. Any tips on kind of proving your worth in a transition-type experience like that?
Henry: Well, moving career paths is always hard. It’s easier to keep in the rug. The thing I’d say is that it’s quite a unique field when I say this cybersecurity and tech, in general, because there’s so much that you can do online without having to be in a [inaudible 00:56:10]. You really can’t do aerospace engineering unless you work for an aerospace company. You can’t just go in your shed and tool up a jet engine. It’s not realistic, right? But you absolutely can at home. Fire up an instance in AWS. You can load in stuff. You can do some stuff.
There’s a whole bunch of things you can just do that turn you into a very different offering in the market from just saying, “Hey, I think I can learn this stuff.” That’s kind of a unique feature of this information technology sector, in general. I think you should take advantage of it.
Kathleen: I had an employer I was speaking with two weeks ago. They were talking about something similar to this. One of the things that they said was, “It’s great if you have this experience. It’s great if you’re outside of the field, and you’re coming in.” But what they want to see is they want to see you be able to demonstrate some of the skills that they actually need. The suggestion was made that so, for example, it’s great if you have a degree, and it’s great if you have some of these skills, but go out there and do some bug bounty hunting and demonstrate to me that you have successfully done that. That’s going to get you further in the application process.
Henry: Yeah. You’d be surprised how little of that you need to do. They always say the expert is the person who’s the page ahead in the book. You don’t need to be that far. It’s not necessarily three years of formal training that you need. You just need to demonstrate that you’ve done some stuff and that, therefore, you have a capacity to learn this stuff and get stuck in.
Scott: Right. I think too, anytime you make a lateral move that’s not your specialty, you’re asking your new employer to take a little bit of a risk on you. I don’t think that that means that you should be paid far less, especially if you have a lot of industry knowledge and you’ve got time in the industry, but I do think that it’s something you got to be sensitive to, is that you’re asking someone to take a risk that you’re going to be able to integrate, you’re going to be able to become as proficient in your new area of interest as you were in your old.
I think that if he’s willing to do that, then you should be willing to hedge his or her bet to make sure that you’re willing to take the time and maybe a little bit of a pay cut to show them that you’ve got the chops to do it. If you do, then make sure with your employer that you have a predetermined agreement of, if this works out, where am I going to be pay-wise, where am I going to be in the company, but I think as long as it’s well communicated and there’s transparency between the two of you, I think it could be a good move, but again, I would look at it for what it is, which is if I’m hiring somebody who has the exact same history but is specifically skilled in cyber, I’m going to pay that person more because there’s less risk in it for me. There’s less training.
I think that being open to that and open to the situation that the employer’s in could be a positive thing. If you’ve proven up and once you get into the environment, you’re productive, then, I would hold him or her to their word in making sure that they’re keeping the deal that they cut with you.
Camille: Sure. Some good insight there. I know in the sake of time here, we’ll have to wrap up. With that, again, want to thank everyone for joining and a special thanks to our panelists for an awesome session today, just so much insight and so many ideas that I think we can apply to our own situations.
Chris: I hope you enjoyed today’s episode. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and other webinars. As ever, search Cyber Work with Infosec in your podcast app of choice for more episodes. Also, to see the current promotional offers available to podcast listeners and to learn more about our Infosec pro boot camps, Infosec skills on-demand training library and Infosec IQ security awareness and training platform, go to infosecinstitute.com/podcast.
Chris: Thanks once again to Kathleen Hyde, Scott Madsen, Henry Harrison and to moderator, Camille DuPuis, and thank you all for listening. We’ll speak to you next week.