How to become a great cybersecurity leader and manager

On today's podcast, Cicero Chimbanda, Infosec Skills author and lecturer, discusses his cybersecurity leadership and management courses. We discuss the many paths of a cybersecurity leadership role, the soft skills that separate a good information security manager from a great one and why a baseline of cybersecurity knowledge can enhance any job, even if you don't plan to pivot into the industry.

  • 0:00 - Intro
  • 3:37 - Getting into cybersecurity
  • 6:43 - First learning cybersecurity
  • 7:54 - Skills needed to move up
  • 10:41 - CISM certification
  • 13:00 - Two tracks of technology
  • 15:13 - Are certifications important?
  • 18:50 - Work as a college lecturer
  • 22:43 - Important cybersecurity soft skills
  • 27:40 - Cybersecurity leadership and management
  • 32:33 - Where to go after security leadership
  • 35:26 - Soft skills for cybersecurity managers
  • 37:23 - Benefits to skills-based education
  • 39:40 - Tips for lifelong learning
  • 43:46 - Cybersecurity education's future
  • 45:21 - Outro

[00:00:00] CS: Today on Cyber Work, we welcome Cicero Chimbanda, InfoSec Skills author and lecturer, to discuss the cybersecurity leadership and management course on skills. We discussed the many paths of a cybersecurity leadership role, the soft skills that separate good information security managers from great ones, and why a baseline of cybersecurity knowledge can enhance any job even if you don't plan to pivot into the industry. That's all coming up today on Cyber Work.

Welcome to this week's episode of the Cyber Work with InfoSec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Cicero Chimbanda has over 25 years of experience in information technology and cyber risk management. He currently serves as Senior Vice President for an investment bank responsible for information technology, cybersecurity risk management, and he co-chairs the firm's cybersecurity task force. He also serves as a college instructor and as a content author for InfoSec Skills. He has a CISM, Certified Information Security Manager certification, a CIPM, Certified International Program Manager, and he's disaster recovery business continuity professional certified, that's a BCPDR. He has a Bachelor of Science in Information Systems from DePaul University and is completing a master's jurisprudence at DePaul Law School. He's also the founder of CVC Ventures LLC, a STEM and cyber development practice.

So because our free monthly skills challenges are ramping up in popularity, thank you all for people who've been checking them out, playing the games and sending them to our LinkedIn. We love seeing it. So we're inviting some of our skills authors onto the podcast to talk about some of their areas of expertise, where their passion comes from in these subjects, and what they've learned about this specific benefit of online skills based learning. So Cicero has written a skills learning path on cybersecurity leadership and management. We had some recent episodes with other skills authors talking about starting level knowledge areas, including Jasmine Jackson, talking about Linux fundamentals, and Chris Thorson on secure coding, and Ted Harrington on AppSec. So now I'm looking forward to talking with Cicero about what there is to be learned about leadership roles, and how InfoSec skills can play a part in that education.

So Cicero, welcome to Cyber Work.

[00:02:29] CC: Thank you, Chris.

[00:02:31] CS: So I like to start the show by giving our listeners a sense of your background. So where did you first get interested in computers and tech? And when, specifically, did you get excited about cybersecurity? What was the initial attraction?

[00:02:45] CC: So that takes me back, Chris. My father, actually, he was in the computer science career. He worked as a mainframe developer. He actually did assembly and COBOL back in the mainframe world. And I remember, as a young middle schooler, I believe, he took me to a career day, a shadow, father shadow. And so I was responsible at that time. I remember carrying punch cards. I don't know if you remember those punch cards. They're stiff paper with digital data represented. You got holes. And so I used to carry that from the programmer to the individual that's putting that in. I also remember carrying big blocks of paper, those prints. So that was my introduction to computers, IBM 1403. Also, I remember getting a computer when I was a young kid, VIC-20, Commodore 64. Ring a bell? Those little –

[00:03:50] CS: Yeah. 64 was my first computer too. Yeah, we're about the same age, I think. Yeah, a little before we even. But yeah, that’s awesome.

[00:03:56] CC: Absolutely. So I remember playing the games, but also being interested to do programming. So we can write a little code. And I remember writing my first program in middle school, it was the elements table. It was an if-then else statement. If A equals H, then b equals hydrogen. You just kind of link very simple. Then if you go if A equals H2 and B equals O, then C equals water. You link the elements. And with that, when I enrolled in college, I ended up going into computer science. And that really launched my career.

Now, shifting over to cybersecurity, it became more of the writing on the wall. You could see that cybersecurity issues were becoming larger than technology issues. It was really a business issue. It was outside. And so with that, I wanted to get myself the acumen there. And so then I jumped over to that side of the fence.

[00:05:12] CS: Okay. Yeah. So what year would that have been when you decided that cybersecurity was getting too big to ignore?

[00:05:18] CC: That was right after the crash, the market crash, around 2008, 2009. You could just see the writing on the wall that computer-related risks were big, right? So you can have an event that can literally crash a whole market.

[00:05:34] CS: Yeah. Yeah. No. Absolutely. Now, as you were looking into this, what were the first sort of steps you took towards learning about this? I mean, it's one thing to say like, "Oh, yeah. Cybersecurity is too big to ignore." Did you have some experience of this to this point? And if not, like what did you start reading first? Were you reading about like system security, or pen testing, or malware, or reverse engineering, or what have you?

[00:05:59] CC: Sure. Really, the exposure of security that I had up to that point was really building application software in the secure fashion. So the accountability and the oversight of cybersecurity controls were not in place. But because of that, I ended up – Really, it was more individually reading. Going to webinars, asking my employer at the time if I could go to certain conferences. I remember going to the RSA Conference early on in San Francisco. So that was a big exposure of cyber. And so that helped propel me to take some courses and eventually getting certified as a security professional.

[00:06:47] CS: Okay. So I had a question, and I think you're sort of answering it here. But I want to sort of dig in a little bit deeper. So looking at your past jobs, I saw there's a pretty big jump in job title and responsibility from around that time, 2007 to 2009. So you spent two of these years working in program management/project management. And then in 2009 you became the director of technology, certified information security manager responsible for the strategic planning and execution of the bank that you are currently at. So what skills or experiences did you take from your previous employment that helped you make this big career step? And how's the scope of your work changed in this current role? Because you've been there for a long time it sounds like.

[00:07:27] CC: Sure. Yeah, really, when I look back. And, again, digging back and thinking how that pivot happens. It really started with a mentorship. I had a mentor that I don't even mind mentioning his name. His name was Frank Clark. He was the President of Commonwealth Edison. I used to work at ComEd early on. And he mentioned to me, he said, "Cicero, in order for you to move up to the leadership ranks," which is what one of my goals was. I wanted to go into leadership. He said, "You have to build your soft skills." So he encouraged me and said, "Maybe with your technical skills, maybe getting an MBA, maybe going into a legal field, maybe finance." I tried to dabble a little bit in the legal side because I always wanted to go to law school, but I just got married. I just had a little baby. So it was too much to muster.

But because I was getting interested in investments and getting interested in finance for my own personal need, I had another mentor that jumped in. He said, "Cicero, why don't you think about getting certified? Getting your security?" And so I ended up getting my Series 6, 63, 26. These are all producers, financial producers, life and health. And I actually ran my own business, consulting business, while I was doing the project management and program manager. So I was kind of doing a double shift. I was running my own practice and I was working at the bank.

And what that did for me, it really built my confidence, one. Two, that soft skills of interfacing clients and business and being able to take complex issues and presenting it in a way that's palatable to non-technical people. And then, obviously, that also helped me get into the finance investment banking because I knew the language as a director and a manager. So that's what helped propel me.

[00:09:35] CS: Great. My next question is about certs and specifically about the CISM, or the Certified Information Security Manager certification. Can you tell me about the type of learning and study that you needed to perform to achieve that certification?

[00:09:50] CC: Yeah. So the CISM, I think that is a great certification. It's one of the hardest ones. I’ve taken several exams both technical and non-technical. But it has a five-year prerequisite of experience, first of all, okay? You can't just take the test. You have to prove that you have certain hours within your field. They do check that, validate that with your managers, and co-workers, and whatnot. That test itself is four hours and 150 questions. So it's a long longevity there. You need to have minimum of certain project hours. I don't quite remember how many hours. I know the PMP was about 7500 hours.

But, really, what it did for me was I had to communicate to my loved ones, the people that I am influenced, responsible for, that I am taking a focused approach. And this is important for my career. So even at the time I was battling some health issues. So it really had to be a kind of a spear heading of 10 to 15 hours a week outside my work hours to take that test.

But what it did for me, Chris, it really shifted my perspective on what cybersecurity in the corporate world is all about. Again, it shifted from saying, you know, it's not a technical IT issue. It's really a governance issue, okay? It starts at the corporate governance and leadership. And if the board, if a publicly held company is not on board with cyber security, they're not getting any KPIs, then they're not going to hold the company accountable. If the CEO, if the CFO, if all those business units are not there, then it becomes a challenge. So that's part of what I got out of taking that CISM back in the day.

[00:11:53] CS: Now, can I ask you a little bit about actual – Because you just said something, and this just put me on a tangent here. But do you feel that there is even a technical requirement necessary to do CISM the way that you did it? Because it almost sounds like something where if you want to be the person who's in charge of the information security and the management of that in your company, but you're coming to it from a different sort of C-suite direction, that this is almost as applicable there. Or is there still a baseline technology that you need to do that?

[00:12:29] CC: Yes. And I always say career – In technology, there's always the two tracks, right? You got depth and you got breadth. And what I mean by depth is, as you know, is what we call in our industry SMEs, subject matter experts. And when you have a subject matter expert, or typically you can only be a subject matter expert of one, maybe two, potentially three things. And so you're going deep into that realm. You become a subject matter expert, whether you're a developer, or a firewall, or a perimeter protection coding.

But you can also build your career not necessarily on the depth track, but on the breadth track, where you understand a good knowledge of each component. But the key is being able to connect the dots between those levels. So you're able to connect and see how a firewall perimeter protection is important just like a developer controls, just like – And on a host control. I would say I was more at that breadth level. So I understood technology at various points. But I wouldn't consider myself a subject matter expert.

And so that's what I would say for individuals. You can move from a track, from a subject matter expert and become a manager and have that one or two things that you have that competitive advantage or influence. Or you could be somebody who has a breadth and understands high-level, and some low-level, but you're able to connect the dots. That's the most important thing. And you're able to have managerial and good people skills.

[00:14:07] CS: So what are your thoughts in general on certification and cert study? Because we get a wide range of answers here from guests ranging from it's unimportant as long as you can demonstrate your skills in a hiring situation, over to completely crucial in all aspects of the job. Where do you see certs as fitting into the modern cybersecurity landscape especially as regards attempting to rapidly up skill and place people in cybersecurity amidst our skills gap?

[00:14:33] CC: Yeah. Yeah. I mean, definitely you hit that right in the nail. The jobs are much greater than the candidates. And we're seeing that in our industry. But certifications is really a good confidence builder, because what it does, it provides you with knowledge where you can get it at a shorter period of time obviously than a traditional – A degree if you will.

And the other thing, really, what it allows you to do, really, it's all about taking the time, the effort. Like I mentioned earlier, communicating to the individuals around you. And what it does for you, it gives you the ability to pivot, right? Pivot either from within your industry, okay? Or your position. For example, if you want to go from an analyst, to an administrator or to somebody who manages administrators, you could take certifications and then pivot and get that upward career. Or if you want to do a lateral. If you're in a completely different industry but you want to do it in a way that's safe for you. In other words, you don't want to lose your job. You want to still work. It's not going to cost you a lot of money. So you can get that cert to help you make a lateral movement within your specific industry and then transition out once you get that cert.

And that leads me to the second point. From employer's perspective, when you have a certification, it helps. It's an attention-getter. If I see somebody has a CISM, they have an ethical hacker. If they have a Security+ or a Cisco certification, then that candidate is going to go up my ladder when I bring him into the front door. Gives you a competitive advantage when you come in. But you still have to differentiate yourself. You still have to show why you're the best candidate for that position. So that's what I would say.

[00:16:41] CS: Okay. And that often comes down to projects that you've completed outside of a cert or other things you can show on your resume, like other soft skills, or other areas of inquiry, or research, or blog writing, or what have you.

[00:16:52] CC: Absolutely. And I know we'll talk a little bit more about this. But a lot of it is just you can even – If you don't have a lot of those skill sets in professional way, you can volunteer. Volunteerism is a great way of you building your resume with application of knowledge. You volunteer at an education, institution, or a community, and you're helping individuals apply your knowledge and you can put that in your resume.

[00:17:17] CS: Yeah. And you're helping out people who may not have money or resources, but really need – We hear so much about all the sort of regional infrastructure that's so badly secured, and the water hack in Florida and things like that. So it seems like there's so many places that you could throw your hat in the ring and then also have something you can point to a thing that you specifically did that shows that you know how to do that thing.

[00:17:43] CC: Absolutely, Chris.

[00:17:45] CS: So can you tell me about your work as a college lecturer? What classes or topics do you teach? And as someone who like all educators has had to make changes during the current pandemic, have you seen this type of education change over the past 20 months?

[00:17:58] CC: Sure. We talk about careers. And I think careers are always metamorphosis. As an individual, you want to modify yourself to meet that ultimate goal. What I did about five years ago, I shifted my profession to want to be an educator. Not just apply. And so City Colleges gave me an opportunity. They were looking to hire industry professionals to teach courses in what they actually do. And so I came on the early end of it and we actually developed a cybersecurity course for City Colleges with the help of other academics and other professionals.

And so what we do teach is we partner up with CompTIA, which is a well-respected cybersecurity certification course. And we built that course with Security+, Network+. And now I teach that course, but we do it in a different manner. We really think of three tracks, right? So when it comes to the students, we believe in getting that knowledge and teaching the student to be successful in passing those exams. Number two, we give lots and lots of hands-on learning. We believe in labs. So labs is a strong component so individuals can have that technical confidence of applying what they learned in lab environments. And it's easy to do with cloud computing now.

And then lastly, it's really the career focus. So we focused on what are the industry careers out there, positions in the different industries, and we help the students even do what's called reverse engineer their career, their optimal career. And we expose them to different professionals. They come in and teach and talk about what they do. And so that career soft skills, real-life business use case is the third track of success.

[00:20:03] CS: Okay. Now, is City Colleges back to doing in-person learning? Or is this all virtual? Or is it always been virtual?

[00:20:10] CC: Yes. And that goes to the latter question that you mentioned. We actually started doing a hybrid model before the pandemic. And so when pandemic hit, we just went fully virtual. So that was not a problem. Now, this cohort, I’m actually in the cohort, is I would say two-thirds virtual and then one-third where we're coming in on Saturdays to do some labs and the students can meet each other. But again, that has changed, right? What has changed? The students have to be – We're also teaching students how to be more professional on video, virtual classroom. Being able to have the right lighting, the right mic, that type of – Turning on your video when you're talking. And then, also, the other thing is the students are now in multiple portals because you're virtual, you know. So you're having to have homework in this portal. Having to do the video and the recording. So we're trying to consolidate and make it a one-stop shop. But it is a challenge because the students have to keep up with all the different portals in order to just take one course.

[00:21:21] CS: Yeah. Yeah. I was going to say. Just to take a class these days, everyone has to be a project manager because you're dealing with so many inputs right now.

[00:21:29] CC: Yes. And then, also, just as an instructor, you have to remember, especially in the five-hour class, to have lots of breaks.

[00:21:36] CS: Oh, yeah. Yeah, exactly. Yeah. Yeah, burnout is real for sure. So can we speak about soft skills a little bit? What are some skills that people do you think are overlooking in their studies in preparation in cybersecurity?

[00:21:49] CC: So I think a lot of people get intimidated when they think of cybersecurity and they automatically associate with I’m not a coder. I’m not in robotics. I don't know AI, artificial intelligence. And so you hear a lot of the buzzwords that's out there. And some people might be intimidated and think that they're not really adequate to go into that field. And I would say it is important to have those skills. Certainly, it gives you a competitive advantage. But there are so many aspects of cybersecurity that you can fit your career without being a sort of subject matter expert in a technical side.

So the soft skills, for example, what I would say is even having what I call bridging the gap capabilities. Bridging the gap between cyber security technology and the business. There's a lot of people that don't really know in cybersecurity technology talk business. And there's a lot of business individuals that don't know how to talk cybersecurity technology. So if you can place yourself in the middle there, that isn't a competitive advantage that's really needed today, Chris. Because it is going into the business. Cybersecurity is going – And so they're looking for individuals that can be able to communicate, can be able to negotiate, prioritize, can be able to talk about processes and procedures. Project management that you talked about, a person who can manage the life cycles of delivery of controls for security, for example. Training, if you're a good trainer. User awareness is huge. They need individuals that can train. So those are some of the soft skills. And then I just call them connecting the dots.

For example, I’ll just give you an example. If you're a nurse or a med tech in a hospital, you know a lot about the procedures and life cycles to deliver successful results for your role. Now, couple that with cybersecurity knowledge. In other words, being able to understand, "If I’m in that role, how can I protect the confidentiality, integrity and availability of that patient?" If I understand, "Who are the threat actors in the healthcare and what kind of techniques do they use for healthcare? What are the technical controls, and administrative controls, and physical controls in a healthcare environment?" So a nurse or a med tech can make a very easy jump to be a cyber security professional because they already have that acumen, that soft skill. So I call them connecting the dots. Those are some of the skills. Along with being an influencer to your peers and upward management.

[00:24:45] CS: Yeah. I don't think I’ve ever heard that said specifically in that way on this show. So I think that can't be – I want to really like go into that. And I think if you're in healthcare, for instance, and you understand cybersecurity, but you're still a nurse. Like you're still providing extra value in your own position as well. Like it behooves you even if you don't plan to make the jump to cybersecurity, I imagine, to at least understand it and be able to contribute and say, "I know what the threat actors are. I know why our –" And you can make the case to your hospital. We need to secure this medical data. And then that just sort of speaks to the sort of security mindset across the entire society.

[00:25:26] CC: Absolutely. And my mom was actually a nurse profession. And I remember one instance that she had where she was able to notice that a doctor was actually wanting to operate on a patient on the wrong leg. They used to use marking. They used to use pen marking. Yeah. And apparently somebody had – He had marked the wrong leg. And so when he was going to go open, my mom actually caught the hand and said, "No, it's the other non-mark," because she followed it.

Now that's a serious mistake. Now, so you think about cybersecurity, if you're a nurse and you have cybersecurity acumen, you can understand vulnerabilities. You can understand where there's risk, high risk. You can communicate that and you literally can help add value to whatever profession you're doing without, like you saying, necessarily making that jump to be a cybersecurity professional.

[00:26:25] CS: Yeah. So let's talk leadership now. The main topic of our discussion today is your InfoSec skills learning path, which is titled Cybersecurity, Leadership and Management. So for listeners who are currently subscribers or who maybe even decide to subscribe to skills-based on today's episode, what will they learn from your cybersecurity leadership and management class?

[00:26:48] CC: So I think the first thing I really want to stress is what I’ve been talking about in the theme of cybersecurity is not a technical issue. It really is a business issue. It's a business risk. In this course, we do a lot in communicating to the candidate, or professional, or student to learn alignment, bridging the gap and building those skill sets. For example, we use a lot of business models to convey the importance of cyber security controls. So in other words, your controls are fitting into the business models in order to achieve the business outcomes, right? Because that's really is the end in mind.

I give an example. We all know the three pillars of cybersecurity: the CIA triad, right? Confidentiality, integrity and availability. So we use, for example, the STS model, which is the security trust availability. So you take security. You understand the organization's strategy and then you bring in confidentiality, for example. You take a trust, which is the second pillar of the STS model. You take trust. You try to understand what are the regulatory systems. For example, what are we regulated by? Because whether you're a small mom & pop or a big organization, you have to abide to some laws. It behooves of a security professional to understand what are the statutes, the legal, the regulations. And so we talk a lot about that, the alignment, so that you can bring integrity into the organization.

And then lastly, stability, right? We all know lights has got to be kept on, right? You have to, you know, fulfill your commitments. That's how you get reoccurring business. You have to be stable. And that's where you meet your operational demand. And availability is a big component to that. So we talk a lot about alignment. The course itself has two learning paths. One path is leadership, where we talk about governance senior business models. And then the second path is management. And that's how do you deliver the controls. How do you communicate? What are the goals? And it's a little bit more technical, but it still keeps it at a high level to help you manage people who are technical. Because you might not be the technical person, but you need to manage the technical people.

[00:29:27] CS: We don't have to go through your entire syllabus. But can you sort of tell me what the main sort of concepts you're working with in these two tracks? Especially the management one. I’m very curious about the sort of like working with technical people aspect of that.

[00:29:43] CC: Right. Right. So in the management one, we break it down into there are many types of controls, but we have physical controls. And within physical controls we'll talk a lot about, for example, data center SOC. We talk about perimeter protection, physical. How to protect – Depending on what industry, making sure that you are aligned with your physical structure in security. And even talk about events such as disaster, natural events that can interrupt your physical domain and people's physical security. So that's one. And then we talk about technical controls. So we focus on things like hosts, zero-day appliances, next generation firewalls. We talk about IAM, identity access management controls. How to make sure you're protecting your passwords and multi-factor authentication. So we delve in deep into that. And then we talk also about, for example, your administrative controls, programs, such as patch management programs. BCP, business continuity and disaster recovery. Those are processes. They're bringing together. It's a program. It's a project. So we talk a lot about that.

The user awareness training. We delve into user awareness. We talk about pen testing, vulnerability assessment. Those are all programs. So that's where we delve in and how to be able to deliver those components.

[00:31:28] CS: So once students have taken and passed your skills path, what are some next directions that you would recommend for their study? Where should they move on from the sort of security leadership? Is this something that is there like a next level up or are you sort of like preparing them for the top level there?

[00:31:48] CC: It could be either or really, because I’d say the course itself is acumen enough to give confidence for somebody to say, "Okay, maybe I want to go in the same position but a different career, different industry." Because in cyber security, you have the ability to choose your industry. So in other words, let's say – Because I always believe if you're going to do something, do it with the industry that you are passionate about. So if you're passionate about, let's say, the governance. You want to go into the government sector. Then choose your industry. What interests you? Because cybersecurity fits any vertical. If you want to go into finance, you can target that. If you want to go to a private sector or a public sector, if you want to go into sports and entertainment, because they need cybersecurity. So you literally take a step back and evaluate what industry do I want to practice my cyber security professional acumen? Because that will give you a leg up because you're interested in it and you're going to be good at it, right? So that's the first step.

The next one is find a mentor, find a partner, start networking. Because, really, I believe in reverse engineering careers. So if you network with a CISO, for example, and you want to become the CISO of NBA. You find yourself a CISO of NBA, the current one. You write them, you go to sports conventions or whatever, and you network there. And then you can literally find out how they got there. And then you can strategize your steps to take in the way that that individual took.

And then the last step, I would just say take a chance. Implement what you've learned, okay? Apply your knowledge. Update your resume. Apply for positions. You might think you're not qualified. But I tell you, a lot of the industries, like myself, I’m looking for quick learners. Individuals that can pivot. Individuals that can deliver. Individuals that have good soft skills. And they're willing to learn the tactical skills. I’d rather mold you in the technical side because you have a lot of industry knowledge. Depending on what role of course you're taking, right? And then also you can volunteer if you're not able to get jobs. Volunteer. Volunteer to your local community.

[00:34:21] CS: So speaking from a strictly – We talked a little bit about soft skills before, but in the leadership role, what do you think are some soft skills and attributes that separates a good cybersecurity manager from a great one?

[00:34:33] CC: Yeah. So I think that's analytical. Being a person who's very analytical weighs pros and cons. I always like to talk about matrixes. Having the ability to have multiple ways of weighing things. You think about Gartner and the Forresters of the world, they rank. And so because as a leader in a cybersecurity profession, you're not really making decisions for the business units. You're giving them options and you're giving them the pros and cons and the impacts, the likelihood of choosing a specific choice, right? And so being able to be analytical and present and also influence, right? Because you have to be able to communicate in such a way that you're negotiating, right? And the skill set there is being a great listener. Being able to be understanding, being able to allow individuals to present to them their goals, right? What are the business units' goals? What are their challenges? And then translating that into win-win scenarios. Being able to negotiate. Being diplomatic is a skill set, right?

And then lastly, you want to be able to influence and take responsibility, right? Because ownership is the importance. You can't point your finger anywhere else if something goes wrong, right? That's the main important thing of a leader. You take ownership. Because if you own it, you're going to go to it and you're going to make everything. You're going to do your best to make sure you have the necessary resources to achieve the goals that you're trying to achieve.

[00:36:18] CS: All right. So, Cicero, so you have worked in education from a number of different directions. You're a lecturer and you also work on InfoSec skills. Can you talk about some benefits to skills-based education and training that people might not be aware of? Obviously, not everyone has the time or resources to do college courses. But can you talk about what you saw in InfoSec skills that made you want to do this work and why do you think why it's specifically useful to different users?

[00:36:48] CC: Yes. I think of rapid delivery, right? With, again, formal long-term educations, it takes you a little while to implement your learning. With this skill-based education, you can implement what you're learning real time literally. When you do a chapter, for example, when we talk about onboarding employees and off-boarding, the importance, and that's a subsection of IAM, identity access management. And if you are in HR and you're taking this course, you literally can implement some of those controls right away as you take this course, some of those acumens. So that's the instant application. That's one of the advantages.

A lot of skill base is you can also apply it to educate your family, friends. You can practice what you're learning. There's a huge gap. And senior elders being attacked with cybersecurity. And they need education. They need how to be able to not to be scammed. So I actually encouraged one of my students, and this is another domain, to go and volunteer at a senior's home to teach them how to watch out for scams. Literally, that's a huge need. Or parents at schools, right? Teenagers.

The other thing, advantage, is it's a minimized risk of transition. You can still stay employed and do what you're doing and you can take the skill-based education while you're still employed. It's kind of a soft way of transitioning. And obviously, the last one, the cost is lower, right? That's also one of the advantages.

[00:38:32] CS: Yeah. And so that leads nicely into my next question. Obviously, one of the benefits of skills is that you have this open-ended schedule. You can do it when you have time. Like you said, you can put 10 hours aside a week. Unfortunately, the downside of that is I think we know with human nature is that without a professor assigning weekly tasks it can be hard to stay on track to meet your learning objectives. Do you have any tips to help lifelong learners stay focused on training and accomplish their goals?

[00:39:00] CC: Yes. Yes. I'll put my risk assessment hat. And you have in life planned events. And in life, you have unplanned events. And when you're doing something like a transition or planning for a transition, it's actually good to plan for both. So in your planning, you always want to say, "This is my ideal schedule to get this accomplished. But you know what? There's going to be some unplanned events. There's going to be things that I’m not even thinking about that's going to happen." And so you actually bank into your schedule some unplanned events that you might not even know about at that time.

So in this course, I would say it's two tracks. If you break it down into either a month or two per track, depending on your life stage, and then break down each subtopic and plan it in your calendar, but always have buffers for, like I said, unplanned events. But again, the key is always to be consistent and also tell your loved ones, "Hey, I got to do this." And this is one of the mindsets. When you say no to something, it means you're saying yes to something else. So don't feel like if I say no to that particular event, social event, or even a family event, what you're communicating is I’m saying yes to a future of my career. So that's one of the principles.

[00:40:34] CS: That's great. So do you have any other skills learning paths on the horizon that you're working on? And if not, do you have any other areas of learning that you'd want to teach someday?

[00:40:42] CC: Well, I mean, right now, I don't have any right now. I’m actually in the middle of teaching a cohort. I have about 20 students at the City Colleges. So that's what I’m doing. That finishes Q1 2022. And then I’m also helping my father. He just finished the book. During the pandemic, he wrote a book. And like I mentioned earlier, my dad is a great influencer. And not only has he finished the book. He also opened a scholarship foundation, where he's helping children in Africa get scholarships. So I’m helping my dad with that. That's one of my thing.

But future, I do hope to implement cybersecurity. Bring it at a lower level. I really believe you can introduce cybersecurity acumen to middle schoolers. I was just having a conversation with one of my TAs, teacher assistants, and I wasn't around at that time. But I remember seeing movies and documentaries about Robert Hoover who, when he did the CIA or FBI, I can't remember which agency, he used to have the little agents. And they used to promote little CIA people and you'd get little box, their little top boxes. You get a little badge. And in fact, if I’m not mistaken, that's where the boy scouts started. It's all about being a good citizen at that time. I really believe we need to do that with cybersecurity. We need to start introducing cybersecurity, what we call white hats, or blue hats, to the younger age so that they want to become a protector of virtual world, because that's where they're living now. And so we need to introduce that at a lower. So I’m thinking of developing some type of acumen at a middle school age type level.

[00:42:40] CS: Yeah. Well as we wrap up today, that leads into my last question, where do you see cybersecurity education going in the years to come? With more time currently being spent at home with laptops and good WiFi, do you see career learning changing demonstrably over the next decade?

[00:42:58] CC: Well, we actually get paid to be in the predicting. They call it predictive analysis, right? But to be honest, with this pandemic, I’m going to tell you, I really don't know where it's going to land. I mean, I don't know honestly where it's so – There's a lot of gray area. There's a lot of cloud around to be immediate. I think long term, we all know that eventually with people going out to space, the Jetsons life world is eventually in the horizon, right? But in the short term, I can only tell you what I hope. I hope that we will be in physical domain. That there will be – Because you can't lose that physical touch, that eye to eye. But I think it'll be more of a semi-hybrid mode where you have virtual built in with physical. Maybe two-thirds physical. A third virtual. That's kind of my ideal spot. Because right now, today, we're more like 70% to 90% virtual and then 30% to 10% physical in the corporate and education world. But again, semi-hybrid. That's where I would love for it to land.

[00:44:16] CS: Yeah. So one last question here, if our listeners want to learn more about Cicero Chimbanda and maybe even take his classes, where can they go online?

[00:44:24] CC: I think LinkedIn is always a good one. You can search – It's a unique name, Cicero Chimbanda. So that's a good way to learn about myself. I do also – If you Google Cicero Chimbanda InfoSec training, it'll come up with some of the courses that I teach in the different domains. So I would say those are the two ways of picking me up.

[00:44:47] CS: Cicero, thank you so much for your time and insights today. It was really great talking.

[00:44:51] CC: Thank you, Chris, for having me.

[00:44:54] CS: And as always, thank you to everyone who is listening to our podcast at home, or listening at work, or listening at work from home. New episodes of the Cyber Work podcast are available every Monday at 1pm central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. I’m also excited to announce that our InfoSec Skills platform, which Cicero is on of course, will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month you'll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we're giving away more than one thousand dollars’ worth of prizes each month. So go to and get started right now.

Thank you once again to Cicero Chimbanda, and thank you all so much for watching and listening. We will speak to you next week.
