Don't chase unicorns to fix the cybersecurity skills gap

Adrianna Iadarola of CyberSN joins me today to break down every spot on the cybersecurity job search, hiring, upskilling and retention pipeline. After her raucous and highly informative presentation at ISACA Digital Trust World, I knew I had to introduce you to this great analyst and thinker. Whether you’re doing the hiring or being the hiree, you will find something crucial to your new year journey today on Cyber Work.

0:00 - Problems with cybersecurity hiring
2:19 - How Adrianna Iadarola got into cybersecurity
6:03 - Skills required to jump cybersecurity roles
8:13 - How the cybersecurity job landscape has changed
13:30 - Skills gap in cybersecurity and timing
15:15 - Cybersecurity HR hiring issues
20:05 - Why is AI security executive level?
25:16 - Change in soliciting cybersecurity candidates
30:16 - Recommendations on changing a cybersecurity team
35:30 - Strategies in cybersecurity language
40:00 - Advice for people heading into cybersecurity
43:20 - Where are cybersecurity budgets and investments going?
49:52 - What is CyberSN?
52:01 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: 

Happy New Year, y'all. Hope you are rested and ready after your holiday season because 2024 is coming in hot with a great episode of Cyber Work. Adrianna Iadarola of CyberSN joined me today to break down every single spot on the cybersecurity job search, hiring, upskilling and retention pipeline. After her raucous and highly informative presentation at ISACA Digital Trust World in 2023, I knew I had to introduce you to this great analyst and thinker. Whether you're doing the hiring or being the hiree, you will find something crucial to your New Year's journey. And that's all today on Cyber Work. Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of Infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Adrianna Iadarola, is a seasoned cybersecurity professional and business leader with over 15 years of experience in the industry. As the managing director of CyberSN, a leading cybersecurity staffing and recruitment firm, Adrianna is responsible for overseeing the company's day-to-day operations, strategic planning and business development initiatives. Throughout her career, Adrianna has established herself as a respected thought leader and expert in the field of cybersecurity. Prior to joining CyberSN, Adrianna held a variety of senior leadership roles in the IT and cybersecurity industry. She is also a passionate advocate for diversity and inclusion in the cybersecurity industry, which lines up with us too. She is an ambassador for Secure Diversity, a nonprofit organization dedicated to empowering and supporting women in cybersecurity. Adrianna holds a Bachelor of Science from the University of Massachusetts, Amherst. Adrianna, welcome, welcome today. Thanks for joining me and welcome to Cyber Work.

Adrianna Iadarola: 

Thank you. Thank you for having me, Chris, it's great.

Chris Sienko: 

So yeah, just as a bit of background for our listeners, this is another person that I met at the ISACA Digital Trust World this year in Boston, and we're going to be talking about some of the stuff that Adrianna talked about in her presentation, which was around getting to the core truths about some of the skills gap and hiring gaps in cybersecurity right now. So before we start that, to help our listeners get to know you, I want to learn about your background and your work to date. So your career history has a lot of client services and solutions and engineer roles, both of which, I guess, suggest sort of a problem solving and client facing skills and responsibilities. So can you tell our listeners how you came to CyberSN from there and how these previous roles informed your current responsibilities and your areas of expertise?

Adrianna Iadarola: 

Yes, absolutely. So I have been in technology solution sales my entire career since I graduated. I graduated, actually, with a degree in speech therapy and audiology, so technology science has always been something that was my interest. After I pursued that, I graduated and I felt that it was time for me to see if I could just dive into the workforce. I started working with a recruiter who actually brought me into an opportunity for a telecommunications company. So I started off in sales, solutions and telecom and as well as services and hardware. So it really started my career off in the sense of here's technology, here's sales, here's you can build relationships, get to know people. And it just went from there. I developed a phenomenal, I guess, passion and appreciation for recruiters in the sense where if it wasn't for them I wouldn't be where I am today.

Chris Sienko: 

Yeah, they were your golden ticket, as it were.

Adrianna Iadarola: 

Yes, yes, I actually had worked with one individual and he placed me at my second position and when I was looking at him like, you know what, I think I could do what you do. I think benefiting and working with individuals, supporting them and growing their career, being able to give back and do it for work, is something that I was passionate about. So then I moved into recruiting all within technology that's developed my landscape and then I was exposed to working security roles and my team was a little hesitant to pick those up and work with clients because they truly didn't get the understanding, and so I was one in my group where I was like, hey, you know what this seems like a hard little niche, but it also seems like I could definitely do very well in it. So I started focusing in that my last career before, last opportunity before joining CyberSN and I started gathering kind of common people in the industry. And then I met Deidre Diamond and right from there she had just started CyberSN and she had just started Secure Diversity and being another woman in the industry, understanding of technology, understanding of cybersecurity, having a network that's kind of what exposed me to joining CyberSN eight and a half years ago. So since then I've held multiple roles within the company. I have been the right hand to Deidre for a very long time when it comes to client-driven stuff and really focusing in that area and that's kind of where things have led me to be here which I'm the leader of client services, meaning I handle everything. I support in marketing, I support in sales, I have services. Just being involved. I support within our not-for-profit, I support within going out and doing speaking engagements, like how I met you, really just being a face for the company and building out solutions for anything that a security team may need, as well as just making introductions for professionals to one another outside of even work, just building relationships.
I run the Cyber Breakfast Club for Boston as well as the Cyber Breakfast Club for New York. I mean there's definitely a lot that I do to give back to the community.

Chris Sienko: 

So when you saw this other sort of life for yourself in terms of recruiters and recruitment and so forth, this was obviously a little bit out of what you were doing at the time. Can you walk me through what the sort of ramp-up of skills required you to make the sort of jump from one? Did you feel like a fish in water, Like it was just like oh, this is perfectly natural for me. Did you have to sort of change your skill sets very quickly to get into this other space?

Adrianna Iadarola: 

To be honest with you, it was really being so. The client base I was dealing with CISOs. I was dealing with CEOs, CIOs, the sense of selling them solutions and services. So my client base was relatively similar. So what ended up happening was is understanding, you know infrastructure and technology and you know selling rack space, like I got the understanding of needing to secure these facilities, needing to secure the products and solutions. And so when my mindset got there and then all of a sudden, you know being exposed to cybersecurity from you know a product and services side in my beginning, and then moving into recruiting, it was just still working with people. It was still building solutions. It was still collaborating. I just developed a better and stronger understanding of working with individuals and making tough decisions right, moving to new opportunities, leaving opportunities. So the skill set definitely was an adjustment. However, the environment I feel like I worked in was similar. So it made it an easy transition but an exciting one because I got to really kind of gauge and get to understand what you know happens when somebody's looking for a new opportunity. I've gotten to be a part of a lot of success stories and impacting families and impacting careers and developing and helping to support people find one another, and so it was easy for me to sit there and learn it, because it was passionate, that's awesome, so thank you for that.

Chris Sienko: 

Yeah, so, as I briefly mentioned at the top of the show, Adrianna, we met at this year's Digital Trust World and for our listeners I'll say that you had far and away the most animated and audience interactive session I'd seen during the entire thing. So from the very start, you encourage the audience to throw out questions while you spoke. There was no wait till the end. It was like just if you have an idea, throw it out, and they most certainly did. What drew me to want to talk with you more was both the way you seamlessly integrated audience feedback in the moment discussion, but also the whole presentation, which seemed to be built around the idea of puncturing the most pernicious and easily spread myths around hiring and the skills gap in cybersecurity. So I've hosted Cyber Work for about five years and change now, and the skills gap was a topic right from the very beginning. So it's not that much different now, but stock responses to the idea have evolved, but the core product remains. Problem remains is that we have one, we have a skills gap, and nobody seems to know how to even address it, let alone make up the difference. So to get things started, Adrianna, can you talk about how the cybersecurity job landscape has changed over the past five plus years, because in our pre-show discussion you said it hasn't changed much, but also it has, so can you tell me more?

Adrianna Iadarola: 

Correct. Skills gap has always been something that is going to be common and continue to be common and really can't be solved, if you really stop and think about it. So cybersecurity has been something that was a little bit new. So five years ago and moving into this, it's when I first started cybersecurity was, I guess, not something new to tech, but it was newer to organizations. So it was sexy, it was exciting, people really wanted to be involved in it and that was something where it's like I've watched it evolve, where, hey, we're in cyber, not too many people know about it. So without that awareness is the gap. So unless you're in the industry and unless it's out in being socialized, people aren't really being aware of it. So the awareness started to develop, so people started to get excited. Students started to develop programs, colleges started offering more, and so we started to see a big push of professionals that were going to school. However, we started to also see technology and companies start to advance quickly, and what ended up happening was is that the professionals that were in the industry when I first started were all really at working right. So what ended up happening was companies realized that they needed these things. They realized that there was actually threat out there. They realized that the government started to create expectations, that there was definitely things that needed to be aligned with. So what ended up happening was we just didn't have enough professionals to fill those roles yet, right. So I feel like that gap has decreased a little bit over those past five years. And then what happens is technology evolves and if individuals don't have the experience or the ability or just the opportunity to advance those skills, what ends up happening is we have another gap. So not only is security already been made aware, people understand the technologies, they understand the industry. It's growing, and it's growing rapid.
So when I started, it was like everything was security product companies I mean, there was one, a new one opening up every single day. And this company offered the new, latest and greatest and companies were buying it, but what ended up happening was there was no one in the technology field that could actually work on it right? So just because you have a product or a platform, there still needs to be professional there to support it, and if it's brand new, no one's got the experience. So it was always something that was happening and making sure that individuals continuously had that growth, continuously are doing trainings, advancement, development and technology as fast as it moves. I feel like it's always gonna be that lag behind of the amount of professionals that have the opportunity to gain the skills needed in order to continue with that gap.

Chris Sienko: 

Yeah, I have a whole list of, like I said, the sort of things that people say, but it doesn't ever really lead to anything. And one of the ones that I hadn't thought of until you just said that is we talk about the stat of like six months after you learn certain cybersecurity skills. Half of those skills have been made, redone, unusable by the fact that the technology is speeding up. And we always kind of say it in this way of like ha ha, it's not funny. Well, you better keep up, lol. So, but yeah, that's worth slowing down and picking up. Yes, the things that you think you're gonna learn, that are going to future proof your skillset, are gonna be useless in six months, or if not useless, at least antiquated. And we say that as just kind of like well, keep up the speed. But not everyone can make up the speed, like you said, and not everyone has the wherewithal to stay on top of that while also doing their job, while also maybe caring for a family or a parent or whatever.

Adrianna Iadarola: 

It's just the ability right. There's so much and that's like the key to life right now is like, how fast can everyone move right? What's ended up happening is it creates it like we need that time to catch up and so that skill gap in just the gap in general right, is never going to narrow unless we take that step back to say, okay, let's reevaluate, let's make sure that, but it's never gonna happen because it's money out there, it's investors it's ideas. It's excitement, it's passion, and you have to respect that too. So I guess the multiple things we can do is make sure that we're continuing to offer all of these avenues for students diversity, everyone to get into the education, create knowledge base, get people into great programs, develop them and then give them opportunities when they come out of school. Give them all of those entry level students, train them, get them out there right. I'm sure there is professionals that are just graduating that could build massive startups, just given the opportunity, right, these skill sets that are just unlike any other, and all they need is just someone to say let me take you on. So I think that with us, it's really just giving back. I know we're all busy. I know it's very hard to get a lot out of a little right, in the sense of we're pretty slim when it comes to different teams and security teams. Senior teams don't have the time to develop and grow junior staff right now they're being overworked, right. So I get it, but that is where the solution is right there. So we need to just make some adjustments.

Chris Sienko: 

Yeah, so one thing we discussed last week in preparing for this episode is that, while the work landscape may have changed, the HR and hiring manager red tape has not changed. So we talk about the speed of skills acquisitions, but to start with, let's run through some of the common truisms around skills gap conversation with regards to HR hiring so we always talk about. Some of the issues are more pernicious, like the well-discussed trope of the hiring manager who asks for five years experience on a tool or process. It's only been around for three years, but I get the sense that there's a more systemic set of issues at play here, according to some of your nuanced discussions. So can you talk about the sort of friction between hiring and what a team actually needs?

Adrianna Iadarola: 

Exactly, and I mean there's definitely many faults in it, right. So there is no right wrong, there's no one finger to be pointed. Human resources, like some of them, can be the biggest advocates for me. Right, working with internal teams, we've created solutions here at CyberSN that directly support providing matches to internal recruiters, just because we're helping to give them the education, to give them the understanding, to have access to talent. So leveraging them has definitely been something that we've really strived to support right and CyberSN. And, with that being said, the gap has been there in the sense of just crappy job descriptions. Right, crappy for many reasons. Could be a hiring manager wanting too much out of one person. It could be because of budget reasons, could be because of inexperience in hiring, not enough market knowledge. Then we have human resources, who might be the ones that actually create the job description, or pull it from the web and just kind of copy it, where we all know no two security engineers at two different companies do the same exact things, right? It's just not common and it never happens, right. So in technology, a backend developer at one company can do a different backend technology development at another and it can be pretty similar, right, the code, the product that you're developing might be different. However, in cybersecurity, there's so many different avenues. As a security engineer or analyst, there's different products, technologies, industries, regulations, I mean you name it. So what ends up happening is when you pull a generic security engineering job description off the web because you don't either have the education to create your own, the knowledge of what is actually out there or the specifics of the technologies. You're looking for somebody. So say, someone comes in and they're like I need somebody with AI security experience.
And then HR says, well, this is a senior-level role, we're gonna put them in this band. This band states that they need to have five years experience. There's a gap there. AI security has just started, right, almost got 10 years of experience. However, human resources has. This is exactly where this band lays, based on the amount we have to pay the person, based on what level you wanna bring them in at. So then, by our regulations and standards of how we run our payments and all of that we have to say they need 10 years experience. So compliance and just internal kind of parameters cybersecurity hiring does not fit in there and no matter how many times human resources tries to put that round, you know peg in a square hole or what have you. It just does not work and there's many different avenues that affects this and that's exactly what you know we did at CyberSN. Creating our platform is making sure that this is a taxonomy. The language is common. Individuals go in, it's checkbox. It's like a Chinese menu is specific to how you created it. Yeah, you check things off right and it's tasks and projects and both the hiring managers do it, the candidates, and then they find one another. And this is where you know job descriptions. It's all based off of the skills. Yeah, so security engineer with this skill set can make 30 grand more than a security engineer with that skill set just because of the specific technologies they're in, the amount of time that maybe they're spending within different environments. It's just no rhyme or reason and you need to have the knowledge or you need to do the research prior to filling any role, or else you're not going to have a good experience.

Chris Sienko: 

And I'll tease out a little more about, though, the one specific thing that stood out to me is when HR comes up with we need someone versed in AI security. But then there's also the assumption that this is going to be an executive level position for maybe five years. But, like, why does AI security need to be an executive level position as well? Like, is there an issue in terms of like, yeah, salary based. But also it seems like there's almost like an allergy to giving a person a lower job title with a higher salary, because maybe it sets precedent or what have you. But again, this is the thing that always worries me about this, and everyone hand waves me away. But if everything is an executive level position for the top intellectuals in the industry, there should be some bricklayer job security style bricklayer job, where you're just at the main level doing the thing for a while and then maybe you become a master mason. Then you become a master, you know, maybe you build your own architect, whatever. But is that an issue as well? Is there, you know? Because it seems like, you know, it's like the movie industry everything costs $280 billion or $50,000, and there's, it seems like everything either has to be like a C-suite level position or an unpaid internship. You know, is there like? Is this part of it as well, that we're yes, Because people are trying to get more out of less. They're trying to like stuff too many roles into one Uber position.

Adrianna Iadarola: 

Exactly. So, what you definitely see is, you see that based on budget, right? So organizations might have a specific amount of budget that's allocated for a role. However, a hiring manager or a CISO might have six different opportunities that they need support on, meaning like, they've got a project with an infrastructure, they have a project within cloud, they have a project in application security. So it's like, okay, let me get a cloud security professional that has, you know, solid infrastructure background that can also work, you know, in secure applications in the cloud. And those are just three different profiles. So what they think is they stick a senior role or a senior title on it and, hey, we're going to be able to get somebody that's got this at a principal level because they've got enough years. That's not necessarily true, right? Just because they've dabbled in all of those areas. If they've only done it two years, then haven't been in it for five. What's that do? That makes sense. So they were relevant, right? Things don't always stay the same, right? So we just talked about that. We have to. By the time we're done taking a course, things within that industry standard or whatever have already changed. So what ends up happening is you go into and they're trying to stuff as many roles into one. So then they put that senior leadership title there and, in addition, they're also looking at the salary band gap where human resources has to be compliant. There's a lot of federal regulations around equal pay, employment, people at certain levels, you know, and there's a lot of things. So they try to work around it to pay the professional what they want, and the only way they can do that is because they're regulated to say, if someone's making from this band to this band, they have to be considered this level at this company and that's how they do the equal employment right. So, that being said, that bridges a huge gap to say this is an individual contributor. 
Now we're giving them a senior title, but they're supposed to be at this level, but we need to pay them here. So there's no kind of rhyme or reason around it. And it's very concerning because you can't stick a security professional in that standard pipeline, like we do a lot of retention as a service stuff, right, yeah. And companies, and the biggest thing that we look at is how they allocate right, so they align it on like almost like how their IT organization is built, so they have the entry level. They have like the engineers, the senior engineers, the principal engineers, this it right. So what the principal engineer pay would be X amount. Say you get a specialized principal engineer, they might be $30,000 more. So now we have an issue trying to pay that person. So I mean, it's what ends up happening is is we have to remove trying to place them under this like specific org structure, specific org chart of paying, you know, and really focus on saying, well, we have one for IT, why can't we create one for security too? Why are we keeping? We're trying to force them together and it does not work.

Chris Sienko: 

Yeah, yeah.

Adrianna Iadarola: 

And even though we might rename the titles, we keep the bands the same, and it's just not relevant.

Chris Sienko: 

Yeah, yeah, I feel like I almost have six more questions to follow up on that, but I don't. I can't quite formulate them, so I'm going to. Maybe we'll circle back to it a little bit, but I wanted to ask you, since your job entails working directly with companies that you know obviously are, if they're hiring you, they're trying to sort of change this paradigm. So you clearly have the ear of people who are willing to be proactive and finding solutions to all these problems that you just put out here. So what are some signs or questions that they ask of you that indicate that they're interested in making real changes to the ways they solicit candidates and structure? You know teams and things like that. Are there any of their common conceptions around what needs to be done that you need to talk them out of as well?

Adrianna Iadarola: 

You know, there's always the conception when they are. They, you know, give me a job description and say this is what I want, this so much, I want to pay. Great, you know that's not always the case when I go in. I'm going to go in and I'm going to build a solution around what exactly are your needs? So I say, I know what you're looking to try to hire, but let me start from scratch. What's the end goal, right? What do you look to do here? Right, what is the project you have working? What's the one year mark? Look like the two year mark. Look like what's you know really the level of like, understanding and buy in you get from either your CEO, or your CEO or your board. What does that all look like? Right, so there could be a respectable level where they actually look at cybersecurity as a huge initiative for themselves. Right, so they're open to being flexible with compensation. They're open to being flexible. So I have a lot of clients that respect it, understand it and have a supportive team and board that also do. And when I walk into something like that, it's more collaborative. It's like let's get the best professional for what we need. Of course, we have a budget. We have to stick in. But what exactly can I get for how much I want to spend, and that's kind of where we're at right. So a lot of happens. There's already a number that's stuck to it. There's already a number that says I can't go above this. This is kind of what I need, and a lot of times I have to go in and say it's not going to match up. Right, I'm consulting them to give them the opportunity to understand in the market. This is the skill that you get to do the projects that you want for the amount of money you're looking to pay. And sometimes I get the buy-in right away. Sometimes it takes some education for them to spend time on interviewing, spend time on reviewing resumes and then finally I say are you ready to listen? Are we ready to do it the right way? 
Because interviewing all those people, looking at all those resumes, HR involved, taking people out of their day jobs. That's all time and money. Yes, for sure, time and money resources. Right, by the time, you spend six months on trying to fill an opportunity that you're never going to fill one because the skill set doesn't align with the salary, or you've got four people. You know a position that four people could do in one role like. It's just not realistic. You're never going to fill it. So, now you just spent six months in your time, your team's time, human resources, and you probably spent $30,000 just in reviewing resumes, like I mean, going nowhere. And then I get a lot of clients like that that are frustrated. They get to the point and they are just, they're burnt out, they're tired, they need this help, they need this, you know. And we get to the point and say to them this is all you're gonna get in the sense, not all you're gonna get, but this is realistic. Yes, and this is why, right, this skill set is what you're gonna get for the projects you need. So, starting from the beginning is always ideal. Building the solution to say what is the number one project you need to complete? Two, do you have someone on the team that can help and develop? Because, giving the opportunity to professionals that maybe don't have all the experience you're looking for is retention. Giving people the chance to learn and grow and develop your career and their mindset. You know. Increased compensation, increased responsibility that is retention. That's how you retain your staff in a way, right. So all of that is educated. Every time I go in and speak with somebody you know the CISOs always are the ones they know. They know they've been doing it. I don't really have to educate them so much. I just have to educate them on how to go back to their business.

Chris Sienko: 

Yeah, yeah, yeah, now, oh, sorry, good, go ahead. Oh, no, no. Well, yeah, I was. I wanted to sort of, yeah, that's all really really good stuff. I wanted to move from that a little bit to the sort of back and forth of a job listing now Because, okay, so it's. I guess what I was gonna say was that first, it sounds like CyberSN does a lot more in terms of not just right person for the right role, but you're really like going in and making recommendations about how to change the nature of this company's relationship to its security team. Like you're saying like these four roles need four employees or at the very least two, and not one, and stuff like that. So, which I don't think is a standard recruiter thing. They see, oh, here comes an impossible position to fill and we're just I guess we're just gonna roll up our sleeves and figure out how to do it. But yeah, I think that's gonna have to be part of it in the future is there's gonna have to be a lot of conversations saying like, yeah, this thing you need, you can't get out of one person, or you can't get out of, you can't find a leadership person who's gonna put in four people's worth of work, for mid-level salary or any number of other things, and also, I mean, when you. Another thing that pinged with me was the idea that, like a lot of times, if you have this overworked department, then you put someone new in this new untested position and then everyone else is so busy they're just left to sort of paddle for themselves and, like you said, that's a terrible, terrible retention strategy, cause if you feel like completely on a desert island and no way to sort of like improve or get better at your job or feel good about what you're doing in your job, then yeah, it's time to go elsewhere, I suppose.

Adrianna Iadarola: 

I know and imagine how much untapped talent you have within your own team and that's something that we're looking into right, like that's a big piece of CyberSN and yes, you're right, you hit the nail on the head Like I definitely don't ever view us as just a staffing company, staffing company that's built a solution to solve this in the cybersecurity community. The platform has definitely taken my career to the next level and educating me on projects and technologies that go within specific roles and functional areas. I mean it's a great resource for human resources to go to and actually be able to evaluate and start to learn what's happening right In our industry. In addition to that, it's like the whole gap of what's on a job description, what's out there, and working with individuals. It all starts with like making sure that they have clean content. Looking at their internal team to say who can I use? And that's why we go back to them to say let's reevaluate all. Let's build a consultative solution around. Do you need a contractor right now? Do you need a full-time person? Can we start a contractor, maybe this year? Convert them to perm, because that's how your budget's working right. What are the projects you have coming up? Where are the requirements that you need to get done within the next six months? When's your audits due? These are questions that, ultimately, are going to get us to the point where it's like the when, how and why and then helping to support them to say, listen, their hands are tied with their budget Once you sign that budget for the year. That's what they got right and we don't need that. So what my job is is to take what they have and try to give them the most out of what we can, and that whole solution is done with either hiring, like I said, contractors full-time, looking at their job descriptions, making sure that they're relevant, they're realistic and then coming back to the business to say what else do you have on your team?
Right, this whole retention service that we're looking at is based off of, like, okay, you don't have room for headcount? Great, well, let's try to see what we can take within your team. Restructure it, add to it, move it around. Understand what people want to do, right? Understand making them happy, what makes them excited, what their passions are. Understand what's making them upset, right? Get ahead of it. Everybody is so afraid to get ahead of, like, the red flags or the concerns, when, if you just kind of open that door, you're like, wow, I created a solution where my team is now gonna be happy. And so that's something that I've noticed since COVID hit and whatever, we've done a lot more of, like, our retention or RAS service, retention as a service, and a lot of big companies have come to us to say, hey, what can we do? And we've actually moved and helped support people in moving into leadership roles where now they do have the budget to enter somebody into a position on the back end and move things. I mean, it's been a phenomenal solution for so many companies. So, again, removing that entire, like, "we're a staffing company," like, no, it's definitely we're advocates, we're solution based, we're coaches. We definitely focus on training ourselves because it's constantly evolving and I can't just pick up the phone and talk to a candidate, like, it doesn't work that way. I have to know their history, their background, technologies, what's going on, what's emerging, what's not, and then we go from there.

Chris Sienko: 

Now, going from there. Now, let's imagine sort of a utopian scenario here where you've figured out, okay, we've hammered out all the issues with the job description. We're no longer asking for five years in AI security, we're no longer asking for things that are unreasonable and stuff like that. Do you have any particular strategies in terms of the language or the way that you use the job description, in the other direction, to attract more or different people? Because, again, your organization and our organization are very committed to diversity and inclusion and more women in the industry, and a lot of that comes down to, unfortunately, the stats about who will and will not apply for a job if they feel they only have some of the qualifications and things like that, and that there's that sort of concern around there. Is that something else that you work with in terms of crafting of the language and the accessibility of it, to say, yes, this is an executive position, but you who are not in management, you could also do this, and here's how. Here's what we really need from you.

Adrianna Iadarola: 

Absolutely. We've done that by the platform we've developed. So our platform not only removes all bias when a security professional is looking for an opportunity, your question areas that we've created are built off of taxonomy that aligns with niceness, those question in common language. That taxonomy is focused around functional areas, percentage of time in those functional areas, and then tasks and projects. So you've got a title, your salary, your location and then your specific skill set down to the projects and tasks you're working on. We've removed all bias. You can definitely put on certification information, but school system, like education, is not on there other than you have a degree. There's no needs, titles, any of that stuff, companies, this, that. So it's truly judging people on their merits. Okay, and that's the same thing that hiring managers will put into it, and they're gonna answer and put all of those questions. So the key piece is that you apply, but the jobs apply to the professionals, right? So once you put in and build your profile out, you're anonymous. I don't even know what cyber ascend unless you expose to yourself, to me. I don't know who your name is. Like, I don't know what gender you are. I don't know what color you are, I don't know what nationality. I know nothing. And what I'm looking at is your specifics, like functional tasks, projects, what you do for work and the percentage of time that you spend in what area, and then the hiring managers will create the same, and what ends up happening is, every week, we send out jobs based off the algorithm that we've utilized, that match your skill set, and then, ultimately, all the professionals sit back and jobs apply to them. So if we're sending you a job that, based on our algorithm and the data that you've entered into our system, and we send you that job, that means we feel you're a match.
Technology is saying you're a match, so apply, which I feel has removed that inability for people to go and, like, hit the apply button, or issue we're having right now that jobs get posted, right? Hiring managers are even posting their own jobs, which is unheard of, just because it's been such a challenge to find the right fits. So we're seeing these jobs posted, in 24 hours, 100, 200, 500 applicants. How is there any way to realistically even get through that?

Chris Sienko: 

Right, yeah, right, right.

Adrianna Iadarola: 

So you don't truly know who's a match because it's so easy to click that apply button on LinkedIn.

Chris Sienko: 

Mm-hmm right. Are we?

Adrianna Iadarola: 

a man or not. So these professionals on our platforms sit back and say, here's an opportunity that came in, this looks great, but this system that I'm utilizing thinks it's a match for me, so that's why it's being brought to my attention. And then that happens. Communication can start through the platform, again, still all anonymous, and it just allows professionals to really search for matches, understand what's happening in the industry and not be afraid to go for opportunities, because it truly states their skill set match for it.

Chris Sienko: 

Yeah.

Adrianna Iadarola: 

I don't.

Chris Sienko: 

So, moving in that direction, away from, you know, team builders and hiring managers and so forth, do you have any tips or advice for up-and-coming people in the industry, you know, who want to get into the cybersecurity industry, to make themselves stand out in that way? Obviously, there in this case, you know, you either have the skills or you don't. But also, if you're just getting into it for the first time, do you have any thoughts on ways to make a, you know, a very limited job history or straight out of college or whatever stand out over the other, as you say, hundreds of potential candidates?

Adrianna Iadarola: 

Oh, absolutely, I mean, entry level's a whole different. On this, hundreds of other candidates is for senior people, right, I wasn't even doing, like, yeah, that's completely different, you know, avenue. The best thing that I can say for that is find yourself a mentor. Hmm, find yourself a leader in the industry. Many of them are out there offering their support and advice. You know, tag on to something. Make a great following on LinkedIn. Listen, you know, podcasts, research, reading. Get to know your community. Go to events. Security professionals love our events, right? We love to get together because we constantly need to educate ourselves. We constantly need to, like, keep up with certifications, keep up with this, keep up with that, so we like to enjoy ourselves and get together. Join those conferences. A lot of students get to go for free, right? There's a lot of places where students get to join, ask questions, but also take advantage of, like, different, I guess, co-ops, right, internships. I know everyone wants to get out of college and be paid and I respect that. The biggest thing is to gain as much experience as you possibly can.

Chris Sienko: 

Yeah, an experience that you can write down and show.

Adrianna Iadarola: 

Exactly, getting on those co-ops, trying for those internships, right, reaching out to, like, the Amazons and the Apples and the big companies, because they have a great, you know, program to offer for usually individuals like that. But my biggest thing is what I've seen work is getting out there, getting mentorship, building relationships in your community, being a part of your community, having something tangible, projects, stuff that you're, you know, your home, you know. Getting, like, different labs set up, just having something tangible to show somebody, right, and not just say, you know, I have a degree in this. It's like, here's projects and work that I've actually done, or here's where I've actually developed or been a part of. Join into a lot of not-for-profits. There's a lot of awareness for diversity and inclusion. Women, you know, underrepresented, like, culture. It's like there's so many different areas for you to grasp. So my biggest piece is get into your community.

Chris Sienko: 

Yeah, awesome. Now, I had a whole set of questions around dwindling budgets and, you know, the sort of general, but at this point I think we might have to make that a part two somewhere down the line, because we're coming up on time and this has been a great conversation and I want to keep the ball rolling, or the train rolling into the station here. So I'm going to just jump right to asking you about looking at the coming year, since this is going to be dropping probably first week of January, give or take. Where do you see some of these issues you're talking about going in 2024 and beyond, you know, barring additional unplanned-for catastrophes? Like, what do you see in terms of, like, industry-wide snapbacks for budgets or investment? Or, you know, as you say, reworking of security, you know, profiles and job roles and things like that? What's the future look like to you, Adrianna?

Adrianna Iadarola: 

I definitely do see the future being, let's, you know, utilize as much as we have, right? You see that mindset being there. I do see companies being more cautious and keeping their team slim, right? As we've known over the last few years, you know, funding goes out, startups, and then they grow rapidly, really fast, and they do phenomenal work, but what ends up happening is that they can't, you know, kind of get through an effort to get through the future. Economic decline, right, that's unexpected, or? Yeah, what we're going to start seeing is definitely companies that are just a little bit more cautious, and you know. The other thing is I definitely see, you know, investors going out and putting their money into startups that are, you know, going to take off, but I feel like it's going to be in a slower, more strategic way. However, let's be honest, people want to still invest their money, people want to go out and make money, people want to be out there. There still is technology that needs to be developed. There still is security products. Like, I do think that a lot of companies are going to combine, um, where, you know, we might not have, like, as many endpoint detection companies or managed service providers. You know, they might be, you know, consolidated. Um, however, it depends on the trends of, you know, technology, and AI's huge. So AI security is there. There's new trends, new technology is happening, so with that, there's going to need to be security with that. Right, there's new regulations now from the government, like every breach has to be exposed, right? But here's the mindset of companies now, too, I'm seeing. Everyone knows they're going to be breached at one point or the next. It's not a big deal anymore, right? And what's happening is data is being stolen and collected, but let's be honest, all our data is out there anyways. So what data are they getting is what matters.
But I'm starting to see as more companies being, you know, fearful of being hijacked, right, like ransomware, and being completely just shut down, inoperable, like, you know, hey, you're not making any money, you're not functioning at all until you pay us, yeah, and so it's almost like a sense of warfare, like that's kind of like that cyber warfare and how people have talked about that. I foresee more of that happening, and I feel like more of that may happen because of what's happening within the, you know, the world, right? The wars and the areas that these wars are happening in are large footprints for cybersecurity. Yes, for sure, technology and, you know, talented professionals, whether, wherever they stand, right, wherever they sit, the countries that are being affected right now are huge players, and I just feel like, you know, we're gonna start seeing something happening, whether it be stuff coming back to the US. You know, a lot more people need to be placed for work to support their other better halves and what they maybe have to do, um, you know. But in addition to that, I do see it's a, you know, a year of election, which we know, like, the world starts to just kind of move again. It's so unrealistic because so much has been going on. I do see it getting better, though. I do see people posting more about starting new positions than being released, so that for a while, all I was seeing was laid off, laid off, laid off. Now I'm starting to see started a new position, started a new position, which I think is phenomenal, and so I'm seeing the trend start, and I'm seeing it start slowly, but it's there, and I'm seeing the strong product companies and the strong technology companies or any services that are valuing cybersecurity or have the budget for it, they are starting to reach out and look for that strong talent again. Our platform, right now you can post jobs for free on it. You can find and apply for jobs for free, always for professionals.
But companies can go and post their job on there, build a job description for free, post their job for free, get applicants for free. Mm-hmm, as we know that it's such a tough market and we don't want to stand in the way for people going to work.

Chris Sienko: 

Right, it's like want.

Adrianna Iadarola: 

Our industry is not going to go anywhere if we don't all step in and make the change. So that's exactly what CyberSN is here to do, is, like, not just utilize all of this to make money. Of course it's great building, developing, growing. We're all here to make a living, but we're also passionate about just giving back to everybody in our community and making sure everyone has success.

Chris Sienko: 

I mean, I'm just, I'm just, uh, encouraged to hear that you think that people are learning from the mistakes of the last couple of years in terms of, like, taking, you know, being more conservative with, like, you know, incoming, you know, money, and not just, like, going for endless growth and arrow goes up and all that kind of thing. That's wild, because that's not been my experience.

Adrianna Iadarola: 

So yeah, but I feel like that's going to be more based on the investors, more based on the boards, right? I feel like there's going to be constraints, right, in the sense of how fast they grow, what they're doing and their growth, you know, projects. I foresee, and in all the discussions I've had, you know, there's going to be people wanting to invest and make money. It's just, it is what it is, right? Yeah, and it's going to start soon, and I just think people are going to be a little slower with it for a while and, you know, no realistic, because there's just been so much to turn away.

Chris Sienko: 

All right, well, um, one final question here. You talked a little bit about CyberSN and your, uh, your platform, but give our listeners the full spiel, if you like, and tell us when you can. They can find out more about CyberSN and, uh, yourself, Adrianna.

Adrianna Iadarola: 

Absolutely. So, you can find me on LinkedIn, uh, under Adrianna Iadarola. I'm also at adrena underscore recruit on Twitter. Okay, you can find all of my information on LinkedIn. Please connect with me. In regards to CyberSN, we are definitely where talent meets its match, so we are connecting security professionals to jobs that fit, based off a platform that we've created, uh, built off the taxonomy. Aligning with niceness. This question sets these common languages. Removing bias, supporting anyone and everyone in the industry to find one another is our goal and our drive, as well as making sure to support, you know, diversity, inclusion, helping organizations to understand. We offer contractors, we offer full-time placements. The best piece, too, is our retention as a service, utilizing the team you do have now, making sure that they stay with you. That is the biggest piece of the puzzle that we've worked on this year, is, like, how do we get the most out of what we already have if we're constrained on budget and increase. Um, and then, in addition, we also started a service for human resources. Utilize us just for our relationships, meaning we send you qualified and interested candidates. You and your team take it from there. We don't stand in the way, we're not trying to get through the process. Just utilize us for our relationships. That's our matching service. All of that you can find on cybersn.com, as well as our not-for-profit, which is Secure Diversity, anything for growth and awareness for women, and cyber, uh, security, I would say inclusion, diversity. All of that is on, uh, securediversity.org, also founded by Deidre Diamond.

Chris Sienko: 

Fabulous. Well, thank you so much for joining me today and continuing this conversation, Adrianna. I really enjoyed it.

Adrianna Iadarola: 

Perfect. Thank you so much for having me, Chris. I appreciate it.

Chris Sienko: 

And thank you to all of our Cyber Work listeners and video viewers, whether this is your first episode or you've been with us since the beginning. We are so happy to have you along for the journey. Uh, and by this instance is coming out in January. Happy New Year. Hope everything is off to a good start. If you have any topics you'd like us to cover or guests you'd like to see on the show, always feel free to drop them in the comments below or LinkedIn me. So before I let you go, I want you to remember to visit infosecinstitute.com/free to get a whole bunch of free and exclusive stuff for Cyber Work listeners. We have our security awareness training series, Work Bytes, which is just awesome. Please watch the trailer. It's a hoot. It's also a place to go for your free cybersecurity talent development e-book, where you'll find in-depth training plans for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. One more time, that's infosecinstitute.com/free. And, yes, the link is in the description below. Thank you once again to Adrianna Iadarola and CyberSN, and thank you all so much for watching and listening and, as always, we'll speak to you next week, and until then, happy learning.
