Cybersecurity reporting and closing the skills gap with Dark Reading

Chris Sienko: Hello and welcome to another episode of Cyber Work with Infosec, the weekly podcast where industry thought leaders share their knowledge and experiences in order to help us all stay one step ahead of the bad guys. Today's guest is Kelly Sheridan, reporter and staff editor for the tech and security website Dark Reading. She's been researching and reporting extensively on the cybersecurity skills gap for years, so today we're going to see if we can pass along some suggestions that employers and would-be cybersecurity experts alike can take to bring up the cyber workforce.

Kelly Sheridan is the staff editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for Information Week where she covered Microsoft and Insurance and Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University and you can follow her on Twitter @kellymsheridan. Kelly, thank you so much for being here today.

Kelly Sheridan: My pleasure, thank you for having me.

Chris: So to start at the beginning, how long have you been researching and investigating the cybersecurity skills gap?

Kelly: So the skills gap has been part of my coverage since I joined Dark Reading, which time flies, summer of 2016, so just coming up on three years now.

Chris: Awesome. Okay, and I guess, even going further back than that, where did you first get interested in tech and security and so forth? Was that something that you learned about in college, was a personal interest before that, self-study, what have you?

Kelly: I dabbled a little bit in tech as a high school student, I studied telecommunications and computer science. Went to college and did the exact opposite and majored in English literature, but my first full-time job after I graduated was as an intern with Information Week. So that was sort of my segue into the enterprise technology space and I've been there ever since. Under the same company, going to different publications. I wrote for Information Week Education, went over to the financial side for awhile, and then came back as the Microsoft reporter for Information Week. I was there for about a year and a half-ish, and then I switched over to Dark Reading. So my career has been rooted in enterprise technology and then I made the pivot over to security when I joined the DR team.

Chris: Okay, well, a lot of our listeners are, I'm sure, Dark Reading aficionados and one of those sites that it's the first thing you check in on, first thing in the morning when you get your coffee and whatever, so could you walk me through a normal day as a reporter at Dark Reading? How does Dark Reading decide what stories are a priority and need to be written as breaking news? Is that something you collaborate with your editors on to make decisions of?

Kelly: Absolutely. It's hard to describe a normal day in an industry where so many different things are happening at once and there are so many different stories that demand coverage. So I would say the first thing I do every day is check in with my team and check my email, check the news and see whether anything happened overnight, what's new and exciting. Depending on the day, some days are obviously more news-intensive than others, so I'll work with my team to decide, "This is most relevant to our audience..." Because our Dark Reading audience is primarily enterprise security professionals, so what's top of mind for us is what matters to organizations. This big breach happened, what does it mean for them, what do they need to know about it? How should they react if something similar happened to them?

So there's a lot of news to juggle and it's a daily project with our news team to decide what demands coverage, what warrants a second look, or a longer term analysis. Because with big breaches, we might do a quick thing the day it happens and then do a closer look, you know, what exactly happened, how did they respond? What could they have done differently? What threat was at hand? So there's a lot of different facets to different stories that we can look into also, and that's another thing that we focus on a lot.

Chris: Okay, so how did you come to be assigned or choose to cover the cybersecurity skills gap in the first place?

Kelly: So that's something that our entire team has their eye on, because it's a problem that pervades the industry, it affects all businesses at all levels. So I am personally interested in it because I think of the skills gap as this sort of puzzle, so I think there are a lot of different factors that contribute to why companies are having this problem. There's the issue of technology moving so quickly and all of a sudden businesses are using all of tech that they weren't using X amount of years ago.

So catching up with tech is a challenge and then catching with securing it is an entirely different ballgame. Then there's the issue that a lot of security professionals, they were working on X problem before, now they're [inaudible 00:05:03] cloud security and AI and all of these other new technologies. Coming up to speed is an issue. Then the issue of education. Are schools teaching this subject? How are people learning? Are they learning in colleges, are they teaching themselves? And where do you find these candidates?

So yeah, there's so many questions to answer and I'm really interested in staying on top of this space and exploring all of this.

Chris: Sort of moving back to reporters and so forth, do you think that reporters covering cyber security need a certain baseline of skills or knowledge to accurately report on issues within the industry?

Kelly: It's an interesting question because I personally don't have a heavily technical background, so we live in a time, I think, when you don't necessarily need a super technical background to report on something like cyber security. But it does have to have some kind of background in tech and for me in the enterprise space, knowing which challenges businesses are struggling with, which technologies they're using, which threats are top of mind and being aware of all that, the technical component is something that I learn more and more about every time I report on a new piece of malware or any new security threat.

But I think the most important things for security reporters are A, to be interested in this space. It's a really intensive, multi-faceted area to be reporting on and I think it's really key to be just personally interested in the topic, for sure. And then there's also the ability to take those technical concepts and learn about a breach or learn about a threat and be able to convey that to your audience. Because there are a lot of time when I'll get a report that's like 60 pages long and the ability to digest that and figure out the key components and be able to present that to your readers in a way that's significant to them, in a way that gives them value. I would say that's probably my biggest strength as a reporter and I think it's important for security reporters to have that.

Chris: Yeah, I agree. There's got to be a degree of passion even more so because the technical stuff will figure itself out. Yeah.

Kelly: Yeah sometimes-

Chris: So-

Kelly: Yeah, for sure.

Chris: Yeah, so to get into the meat of the matter, I was looking at some of Dark Reading's materials about the skills gap and your article specifically, Security 101: How Businesses and Schools Bridge the Talent Gap, noted some disturbing statistics. "According to ISE Squared's 2018 cybersecurity work force study, the shortage of experts in security has hit 2.93 million and that 63% of respondents reported a lack of security staff, with nearly the identical percentage saying that they realize the shortcoming puts them at moderate to extreme risk."

There's something about that, it seems like people in corporations understand the magnitude of the issue of the skills gap and the lack of qualified security personnel in their company, but they seem to feel helpless to do anything about it. Why is that? Why does the problem seem so, to ordinary people, to be so beyond their control?

Kelly: That's a great place to start and I think it's definitely becoming a more and more pressing problem. I dug up some other data on this topic so we could chat about this and I found that there was a study by Cybersecurity Ventures that predicted 3.5 million unfilled security jobs by 2021, up from just 1 million in 2016, which is a huge number to start with. And a separate study found that the skills shortage has gone from the fifth most pressing concern to the top concern among security leadership.

So definitely we live in a time when businesses are becoming increasingly aware of the problem, but they're having trouble finding people to fit those roles. And this isn't just a matter of finding bodies to put in empty seats, you know? They're looking for talent, they're looking for people who have technical skills and communication skills and they're looking for people who can grow within their organization and stay there and above all, they want to be able to keep these people over time and not lose them to other organizations, which is definitely an issue also in the security space, is keeping the people who you are able to hire and who you are able to afford.

A big challenge is that a lot of the people who are really good and who have been in the industry awhile are both expensive and they're in high demand. So you have companies fighting over these people who have been in the industry for a long time and they've built this level of expertise that makes them really, really good at what they do.

With respect to the feeling of helplessness, I think the process of hiring security professionals is enough to frustrate businesses and to make them feel like they can't find these people because I think it's about six months it takes? Three to six months on average to fill a security role and then you have to onboard them and it takes a lot of time to fill these positions once you even find a candidate. Sometimes the problem really isn't in the security team's hands. An HR might be tasked with finding your next security employee, but they don't really understand the qualifications for the position and they don't understand what the security team needs, so oftentimes they'll go on a random job site and find a similar position and copy and paste the job posting and then you end up with candidates that aren't exactly meeting the needs of the security team and that can also lead to a lot of frustration.

So there are a few factors at play here.

Chris: Yeah, and we'll definitely be talking more later in the interview about HR's role in crafting good job qualification job listings and so forth, but moving along here, in a recent poll, 40% of Dark Reading's respondents said that there are plenty of less-experienced, trained people available, but the most skilled positions are hard to fill, while 35% say there's a shortage of IT security professionals at almost every level. So tackling the initial stat first, what are some reasons where there are so many cybersecurity professionals around, but so few of them have the high-level skills needed to fill these open positions?

Kelly: For sure. For starters, my thinking resonates more with the latter stat, which is that there is a need for cybersecurity professionals at almost every level. I have yet to speak with someone who's like, "Oh, we have plenty of X position, we don't need anymore professionals for that role." I think that this is an area of expertise that's definitely in demand and there are different... I guess the needs vary from organization to organization. So Dark Reading found in that same survey, for example, that technical professionals who have people skills and who are good communicators are actually the hardest to find. So the people who can bridge both worlds and be able to understand the technical matter and convey that to the business so that the business can get value from it, those people are unicorns. It's rare that you find someone who can do both.

And the same amount said that they were challenged to find experts who had experience in their specific environment or specific industry, so let's say you're in healthcare and you're looking for a cybersecurity professional who has experience in the healthcare space, that's much harder and you're going to have a tougher time finding people who have those skills. And interestingly, fewer people said that they struggle to find people with experience in the latest technologies. So more so than finding someone who is experienced with the latest tech, people are struggling to find people with relevant experience and people who can communicate, which I found really interesting.

So different kinds of skills are top of mind for different businesses.

Chris: So it sounds like it's pretty well, regardless of your industry, that there is a desire for someone who not only has the tech role, but also knows your industry specifically, things like healthcare, finance, I imagine.

Kelly: Of course, yeah, especially in a heavily regulated industry. Healthcare organization wants to hire someone who is up-to-date on different complaints, concerns and things like that. Whereas someone who's not coming from that industry would need to be brought up to speed on all that.

Chris: Right, right. So if you're in the healthcare industry now and you're looking for a job change, it might be worth your while to get the cyber training, because you've got one piece of the puzzle already there.

Kelly: Exactly, yeah, and you've already been trained in it.

Chris: Yeah, according to a recent Kaspersky study that I read, it says, "Most young women in the U.S., Europe and Israel have already decided against a career in cybersecurity by age 16." Do you think that the cybersecurity industry has a marketing problem in terms of women and minority candidates and do you have any strategies for attracting more women and minority candidates to infosec industry?

Kelly: Yeah, so the topic of diversity and women in infosec is another topic that I cover quite frequently, and marketing problem, I think, can be expanded to tech as a whole and specifically in cyber, just the idea that this is such a heavily male-dominated industry and traditionally has been a male-dominated industry and that can kind of be a red flag for women who are looking for community and they're looking for mentors and they're looking for people who they can aspire to be and connect to and things like that. So the lack of role models in the industry I think has historically made it difficult.

With that said, I think that there are more women who are entering this space. My colleague recently reported on an ISC Squared study that found women make up 24% of the cybersecurity work force, when taking into account the women in IT whose daily jobs involve cybersecurity. And the same study took a closer look at the ages of cybersecurity professionals and found that millennial women make up 45% of all women in the industry, compared with men, who make up 33% of men. So there is progress being made it seems like more of the next generation women are coming in and bringing more women into the space.

It's nice to see those numbers and to see things going up, but there definitely is still a major diversity gap between men and women. Then I think part of the solution that is just over time, we have kids today growing up who are surrounded by technology and they're learning how technology works from a really young age, so by the time they get to the point where they're thinking about careers, they already have all of this experience and all of this exposure and a tech career seems far more accessible to them, because they already have background.

I have noticed the presence of more organizations that are focused on helping women and inspiring women to join the industry. There's [inaudible 00:16:27].org, there's She Secures, there's the League of Women in Cybersecurity, there are all these organizations, which is great to see women lifting up other women and I love that. But I also think it's imperative that men be part of the conversation also, and all of the male-dominated security that are out there also need to play a role in bringing more women into this space and encouraging them and supporting them, for sure.

Chris: Yeah, and we'll definitely include the links to the organizations that you mentioned in the description of the video here.

Kelly: Yeah, there are many. That's only three.

Chris: Yeah, we've also had a week by week series of women in cybersecurity industry telling their stories and talking about mentor that they've had and so forth, listeners of this episode, go back and check them out. So moving back, you'd mentioned briefly before that cloud computing is a hot topic at the moment, and that so many companies want security professionals that are cloud-focused because there's still this mass migration going to the cloud at this point. Do you think that's still going to be true in a few years, for students or people getting into security now, do you think cloud computing is still going to be a desirable skill after the bulk of companies have done their migration?

Kelly: Absolutely. Cloud security is another coverage area of mine in Dark Reading. Cloud security is a hot topic right now, and I think that businesses will absolutely benefit from having cloud savvy security experts on staff for the foreseeable future, because they are moving their operations to the cloud and they'll need a means to secure that cloud-based data, applications and processes long after they make that migration.

So for people who are aspiring to enter the cyber security space, cloud is a great thing to know about. That said, I think that over time, as cloud becomes just becomes an expectation of how businesses operate, they won't specifically be looking for cloud-focused security professionals. This will be a skill that it's kind of expected security professionals have. I don't know how many X years into the future that will happen, but I do think that cloud will just be part of the security professional's arsenal.

And that all said, I think there will always be a new cloud computing. Right now it's cloud that's hot because businesses are deploying and they're moving all of their processes that way and this is something that's really top of mind for them, but once they get a handle on cloud security, they'll be worried about IoT security, whatever technology comes after that. So there will always be hot and trending security skillset for whatever new technology comes next.

Chris: So even people who are pretty comfortable in their job right now, probably wouldn't hurt to have some cloud security training on the fly, added to your-

Kelly: Definitely wouldn't hurt.

Chris: Yeah, it's going to come up later, there'll be a quiz. So another angle to consider is where companies are looking for candidates. Do you think it's possible that qualified candidates exist and that companies are just not reaching out to them in the right places?

Kelly: Yes. Absolutely, I do think that there is security talent out there that's looking to find more businesses that need them, but I think a challenge is getting those qualified candidates and those businesses connected and getting them in touch. So for starters, based on what I'm hearing, a lot of hiring in cybersecurity doesn't happen on job boards. For starters, cybersecurity professionals are usually too in the weeds with their day to day jobs to go on a job board and look for work and aren't really scrolling through those all day and I think a [inaudible 00:19:59] study found that they get an average of 1.5 messages from recruiters per week.

So recruiters are going after these candidates, so they're not really on job boards looking at job descriptions. A lot of companies who are looking for security professionals might look to the networks of their current security team members. So their current employees, they might be like, "Who do you know who might be good for this role?" Because cybersecurity is a really small world and it's a place where everyone knows everyone else, so the larger your network is, the greater opportunity there will be, for sure.

I think another good place to find candidates is conferences. Not just big events, it's just like everyone in security is one place, but there are also a ton of local and regionals conferences that are designed to bring people in those communities together. I think those are really important, they're great for networking, you can meet people who are dealing with your same challenges and people who you can collaborate with and learn from. I think businesses who use those as opportunities to meet potential candidates will have more luck than they would just throwing something on a job board.

Another place, there's another-

Chris: Sure.

Kelly: There's another place within their own organizations. I think for a long time, companies thought that they had to look outside their organizations to find security talent. "There's no way that someone could do this who we already have." And now that the skills gap is such a challenge and they're having such a hard time finding these people, they're starting to look internally. "Is there someone on our IT team who really stands out? Who has the risk management and detail-oriented skills that we could use in a cybersecurity professional and maybe think about moving that person over."

So I think internally, you also get the benefit of having someone who already aligns with your culture, so if you're bringing in someone from the outside, you have no way of knowing whether they'll click with your team, whether they'll like your organization, whether they'll get along with people, but if you have someone who's already excelling in that culture, it's a huge bonus if you were to bring them over to a security team.

Chris: Now I want to move from there to just the levels of education and knowledge and so forth, because the speed at which up-the-minute knowledge changes in the security game each year, one of the convenient metrics that use is that up-to-date knowledge has a half life of about two years, which means that roughly every two years, half the knowledge is just not useful anymore. Is the issue bigger than just getting people onto that skills treadmill so they're staying fresh? Is the technology moving so fast that people can't get caught up?

Kelly: Yeah, I think that right now is a really interesting time to be asking that question. As I mentioned earlier, we're in a time when there's so many new technologies at once and I think a lot of that technology has entered the work force and now businesses are struggling to keep up with tech in general, much less securing it. So two years even seems generous at a time when we're waking up to a new application or a new service or a new technology seemingly every other day.

But I do think that over time, as people become accustomed to using this technology all the time and working with it and as people who are students today come up and they come into the work force and they're used to being surrounded by all this technology, I do think that might lessen the learning curve a little bit when it comes to staying on top of securing all these technologies and figuring out how they work and how they fit within a business.

Right now, it seems like things are moving at a million miles an hour and people are racing to keep up, but I would hope that in future years, as we bring more people into the tech space and into the cybersecurity space that maybe we won't be speeding along on the treadmill with no help of catching up at all.

Chris: That's interesting. So you're saying that basically because the generation that's coming up behind this one is so steeped in all of this stuff that they might be able to learn at a sufficiently accelerated rate that they're going to keep up better with the speed of progress?

Kelly: I don't know that for sure, it's a suggestion, but I do think that being immersed in technology from such a young age will give skills that people who are in mid-level security roles today had to learn maybe when they were older, so who knows? That could play out, I could be totally wrong. [crosstalk 00:24:48]

Chris: It sounds great, and it speaks to immersion, whether in languages or tech or any other thing, if you start early and you're around it all the time, I suppose that definitely will speed things up. So moving on from there, I want to talk a little bit about the turnover rate, because you mentioned that it's hard to not only get someone on board, but also to acclimate them to your culture of your company, or your team or what have you. And we know from reporting in publications like Information Week that the tech sector has one of the top rates of industry talent turnover due to increasing competition for top talent. So when you combine the skills gap with hiring your perfect candidate, only to find them soon moving on to pastures greener, the problem gets even more frustrating, so what do you think companies who have trouble finding and retaining top-level talent can do to reverse this trend, if anything?

Kelly: I think there are things that can be done to provide a ray of hope. Yeah, it gets really, really competitive, especially for higher-level security roles to keep the employees you have, and I don't know the exact metric, but I imagine the turnover rate is... I don't know the timeframe, but I imagine it's pretty short that someone is at an organization before they decide to move on, and based on people I've spoken with, training or professional development, continuing education can make a really big difference in whether employees decide to stay with your organization or whether they decide to leave.

I've spoken with people who have told me that before bonuses or other compensation, training is one of the first things that people ask about. Because I think people in the cybersecurity space, they're curious, and they're looking for new challenges and they know that they need their skills to continue developing, because there will be new technologies and new threats and new challenges. So they want to learn.

The problem, I think, is a lot of businesses are hesitant to give them that education because they fear their employees will take that information and go use it somewhere else. So it's a challenge, for sure, but there was a study, I think it was also by [inaudible 00:27:01], that companies that give employees the tools that they need to learn retain them 60% more than those that don't. So creating opportunities for them to learn online or attend conferences or attend in-person class, whatever works best for them, can make a really big difference, because employees will see the company as investing in their future, so they'll be more likely to stay.

Chris: So if you were advising a student entering their education in cybersecurity right now, what would you tell them? What would you advise that they specialize in and what areas do you think they should focus on, what shouldn't they bother with that might not be happening in a couple years?

Kelly: Sure. That's difficult to answer because it very much depends on what the student might want to do. Because cybersecurity affects every part of an organization and there are multiple types of skillsets in the industry, so you have the technical skills, like penetration testing and forensics and analysis and incident response, but you also have communication skills, or policy and compliance expertise. So there are a few paths that someone can take. But I think it's also important to note that many of today's cybersecurity professionals didn't necessarily study cybersecurity as high school or college or graduate students, so it's not necessarily something you need to pursue as a student in academia if you want to make it your career, for sure.

So I think that if you have already graduated college and maybe you're looking to transition to the cybersecurity space, there are a ton of online resources and means for you to build those skills without necessarily needing a formal degree. I mean, back to the earlier point about hiring, it's something that not... A college degree, you don't necessarily need one to be a cybersecurity professional. And it's hard because that's something that a lot of people ask for on job applications and they just miss someone who doesn't necessarily have a college degree.

But in terms of skills that will be in demand, going back to your original question, Dark Reading has done a bunch of reporting on this, so some of the skills that have come up in our stories were automation orchestration for one. More security teams are going to be using automation for everything from threat detection to software delivery, so future security professionals will be required to stay current on the ins and outs of orchestrating those systems and knowing how they work and being able to manage them.

Data analytics is another skill that is super useful for security employees to have. More and more businesses are using threat intel and risk metrics to inform their security practices, so people who can combine data analytics with security expertise background, those will also be in high demand, absolutely. And coding another skill that's come up a bunch, of course, in our skills reporting. No matter what you do in technology, learning how to code, it's never a skill that goes to waste.

Chris: So speaking from an HR point of view, how do you think we can prevent HR departments from chasing after quote, unquote unicorn candidates when looking for a person who's the right fit for the organization or within the organization?

Kelly: Sure. I mentioned earlier that often HR departments will say, "We need X position, go find them." And they'll use Google and find job descriptions. But the problem with that is that a lot of those repurposed job descriptions don't necessarily meet the needs of their security team. So they'll ask for things like, "Oh, we need an entry level candidate with five years of experience," or a mid-level candidate who has X number of certifications that nobody at that level has. [crosstalk 00:30:59]

Chris: Then you can understand why there's only one applicant.

Kelly: Yeah, that's the only person who thinks they can fit in. Every time that there is an empty security role, I think that it should be approached like a project. Get the security team on board and talk about what you really need this person to do. So what are the non-negotiable skills? What do you really need this employee to have? What are you willing to train them on if they don't have X skill? How many years of experience do you want them to have? What type of experience do you want them to have? Do they really need a college degree? Do they need a certification?

Have those conversations and create a bullet list or a job posting note list or something to give to HR. So that they have a better idea of the candidates that you really need and you're having more communication with them so they understand what you're looking for. I also think it's important to think outside the box as I mentioned earlier when it comes to education. I've read studies that say work experience is the most important qualification when looking for a security employee. So more so than a formal education or a college degree.

Companies are looking for people who have contributed to the community, who can demonstrate their skills, who can show their knowledge of or participation in the industry, and if someone can demonstrate that, it doesn't matter if they have a college degree. They have the skills that you're looking for and the skills that you need. So if you want HR to stop going after unicorn candidates, tell them more about the candidate that you have in mind and I think that that'll help bring in more potential applicants who can fit your needs.

Chris: Awesome, so as we wind up today, I wanted to ask you a little bit more about your role as reporter and editor at Dark Reading. Can you give me a little thought on what you think is going to be the most important cybersecurity story this year and do you have any predictions of what will be the big stories over the next couple months?

Kelly: Sure, that's a hard question to answer because it's tough to predict what the big story will be or the most important, since that's different depending on the audience. I don't think that we've seen the end of major data breaches, so it'll be interesting to see whether another Yahoo! or another Equifax happens in 2019 and beyond that, how companies respond to major data breaches. I'm really curious to see how that improves over time, because I think we've started to see companies start to get better at responding to breaches and being more prepared for those. So that's something that I'll absolutely have my eye on.

I guess on a less exciting note, it'll also be interesting to see the emergence of different data privacy regulations. I mean, obviously we had Europe's GDPR come into effect last year and we've started to see inklings of the same thing happening in the United States, like in California. So it'll be interesting to see what happens on a local and national level with respect to that.

Chris: Okay. Do you have a particular story you did for Dark Reading that you'd call your proudest moment as a writer or do you have any strange or funny stories you've ever come across when you were asked to cover for Dark Reading?

Kelly: Proudest moment... Honestly, sometimes when I get through a super technical story, I'm like, "Okay, time to open the champagne, I got this." But in all seriousness, we started a series last year called 10 Women in Security You May Not Know But Should. So the idea behind that was to draw attention to women who weren't... Because there are some serious rock stars, women in cybersecurity and whenever you read of list of "These are X women you should know," you always see the same names, so we wanted to broaden the pool of women who were in the spotlight.

So what we did was we polled our networks and everything and we were looking for women who are sort of in the middle of their careers who not only have a ton of potential to be the next [CESO 00:35:19] and be the next security leader, but they aren't really getting any recognition. So we did two installments of that and we're going to do another couple this year, so if you're listening to this and you know of a woman who is in the entry to mid-level of her career who wants to be in the spotlight and deserves it, please email me, I would love to hear about her.

It was really cool to do that project and to give women recognition, because we got some amazing recommendations. There are women who I'm excited to see what they do in the future and it was a fun twist on the traditional, "Hey, these are people you should watch." And I'd like to think that it helped bring the spotlight on more women in the industry.

Chris: That's awesome. So if our listeners want to read more from Kelly Sheridan or Dark Reading or to send ideas for entry to mid-level women in the industry, where can they go?

Kelly: You can find all of my work on Dark Reading. Darkreading.com. Come check us out if you haven't already. You can also follow me on Twitter kellym, as in magenta, sheridan, and yeah, come read us.

Chris: Great, Kelly Sheridan, thank you so much for joining us today.

Kelly: Thanks for having me.

Chris: And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page. Just go to YouTube and type in Cyber Work with Infosec, and check out our collection of tutorials, interviews and past webinars. If you'd rather have us in your ears during your work day, all of our videos, including this one, are available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast app of choice.

To see the current promotional offers available to podcast listeners and to learn more about our Infosec Pro live bootcamps, Infosec's skills on demand training library and Infosec IQ security awareness and training program, go to infosecinstitute.com/podcast or click the link in the description.

Thanks once again to Kelly Sheridan at Dark Reading and thank you all for watching and listening. We'll speak to you next week.