Today on Cyber Work, I’m very excited to welcome back to the show Diana Kelley, this time to discuss her work as board member of the Cyber Future Foundation and the goings-on at this year’s Cyber Talent Week.
Whether you’re a cyber security hiring manager who doesn’t know why you’re not getting the applicants you want, a candidate who hears that the profession has zero percent unemployment, but still can’t seem to get a call back, or anyone in between, do not miss this episode. This is one filled with books, folks. Keep it right here today on Cyber Work.
[00:01:33] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week, we talk with a different industry thought leader about cyber security trends, the way those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cyber security industry.
Diana Kelley has been in the IT and cyber security industry for over 30 years and serves on the board of Cyber Future Foundation, CYS, and the Executive Women’s Forum, or EWF. Prior to joining siberX, Diana was Cyber Security Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group, now Gartner, a manager at KPMG, CTO and Co-Founder of SecurityCurve, and Chief vCISO at Salt Cybersecurity.
Her extensive volunteer work has included serving on the ACM Ethics and Plagiarism Committee, Cyber Security Committee Advisor at CompTIA, CTO and board member at Sightline Security, Advisory Board Chair at WOPLLI Technologies, Advisory Council Member at Bartlett College of Science and Mathematics, Bridgewater State University and RSAC US Program Committee. She is a sought-after keynote speaker, the host of BrightTALK’s The Security Balancing Act, co-author of the books Practical Cybersecurity Architecture and Cryptographic Libraries for Developers, and has been a lecturer at Boston College’s Master’s Program in cyber security, the EWF 2020 Executive of the Year, EWF Conference Chair 2021 and 2022, an SC Media Power Player, and one of Cybersecurity Ventures’ 100 Fascinating Females Fighting Cyber Crime. I like that one.
I really enjoyed my talk with Diana last year, I believe it was, in which we discussed some of her past work with The Analyst Syndicate, her early tech knowledge, and touched on a few things that I wanted to return to, such as ethical considerations when utilizing AI. And I was going to get to that. But based on some of Diana’s new work and her recent appearance at the Cyber Future Foundation’s Cyber Talent Week, I actually have a bunch of different questions to ask her. Because it sounds like this group is getting very involved in a set of topics that’s very near and dear to InfoSec’s heart, that of talent gap issues, hiring new diverse groups of talent from other workforce sectors, and continuous education and learning. Those are all gongs you’ve heard me beat on the show many times. Not to mention the community benefits that your contribution to the work of cyber security brings.
Let’s get into it. Diana, thank you for joining me today. And welcome back to Cyber Work.
[00:04:05] DK: Oh, thanks so much for having me back, Chris. It’s great to be here.
[00:04:08] CS: Awesome. Since you’ve already told us your fascinating origin story, and I highly recommend going back to Diana’s previous episode, because it’s really great. It involves learning about the pre-Internet at the highest levels, let’s say. And I’ll leave it at that. Let’s start by catching our audience up on your activity since you were last on the show a year ago. What have you been up to?
[00:04:29] DK: Yeah. As you know, I do a lot of volunteer work. And the more volunteer work you do, it seems the more people you run into that need mentors and need guidance. And something that’s really emerged in the past year that I’ve seen is a big need in the industry is to help people who want to get into the field actually be able to train up and get jobs. And that just sounds – To some people, it may sound like what’s that person all about? Because we see the headlines, right? The headlines are there’s zero unemployment. It’s a very highly paid profession. And that if you get a degree or certificate in cyber, because there’s zero unemployment, that means that you will not have any problem finding a job.
And a lot of people go into cyber either reskilling from different careers, coming back from military service and looking for a way to get into the private sector, or coming out of school. A lot of people have come up to me and said, “I did this. I did the cyber thing. I got the degree. I got the certificate. I can’t get a job.”
And some of these stories are outright heartbreaking, Chris. I mean, people who have come back from service for example and get trained up, and then get 400, 500, 600 either rejections after they’ve submitted their resume, or just get ghosted. The ATS, the Applicant Tracking System, just spits them out.
That was really – I saw that, that this is a big problem. There’s also the side of the CISOs trying to hire. Because this is also a real problem. We don’t have enough people in the field to hire. How to solve this problem? And a lot of people go at it with let’s make better training. Let’s get more certificates. Let’s create new programs. Those are all wonderful. But sometimes it’s hard for people to actually navigate which program they go into. Which one is going to help them get the job?
What we’ve been working on at Cyber Future Foundation is to really – And with Cyber Talent Week as supporting this work, is to really help to try and understand how do you help people navigate all of these options so that they can get jobs? Get the right training? How do you talk to the hiring side help them get the right map for what they’re going to hire to be able to recognize their operational model, or their OpMod? How do they write job descriptions? How do they help hire and find the next generation?
And then the big thing, which is the bridge in the middle, which we call the National Cyber Help Desk, is designed to give support to the people that can’t get experience, because that’s a big problem, Chris. It’s chicken or egg. National Cyber Help Desk supports small businesses in concert with local and state governments and provides an opportunity for people that can’t get internships and externships anywhere else. Gives them that opportunity to get real-world hands-on experience, which is very often the difference between knocking on a bunch of doors and having some of those doors open and there being a job on the other side.
[00:07:32] CS: Absolutely. I mean, that’s something that, just by sheer experience of doing this for all these years, is you watch the episode and one CISO after another says, “There’s so many positions available. Please come. Learn this. Learn that.” And then the comment section tells a different story. It’s a bunch of people saying, “Can I have a job?” And they say, “No.” Or, I’ve been trying for a year, and nothing’s available to me. And I don’t have experience. And then the guests say, “Well, you don’t need experience. As long as you can show interest.” And then the comment section says, “I have interest. And I don’t have experience. And it’s not helping.”
I’m really glad to be able to sort of like drill down into this in a really practical way, because while I don’t – I’m not disparaging anyone. And I’m not saying that it’s not true that there’s a lot of jobs available. I still think that there’s this very thin connecting bridge that needs to sort of connect the possible utopianism of we have all these jobs. We wish we had candidates for them. And these candidates standing on the other side of the chasm saying, “I can’t do it.”
[00:08:39] DK: I can’t get that job. Yeah, that’s exactly it. And so, we didn’t want to reinvent any wheels. We know there’s an amazing set of tools already out there. What we want to do is bring together and provide navigation and bring the different stakeholders together so that we can help to solve the problem in a coherent way.
[00:08:57] CS: Absolutely. Yeah. Like I say, we normally start with the current topic first and then talk career and education strategies later. But today, I want to eat my dessert first. From April 18th through the 22nd, the Cyber Future Foundation hosted Cyber Talent Week 2022. To quote the website, “Cyber Talent Week brings together a comprehensive and multi-stakeholder approach towards assembling the pieces of the puzzle required to establish a nationwide solution for cyber workforce development. This event is organized as a North America-wide effort to identify, recognize and highlight the various programs and resources to address the much-recognized challenge of cyber security workforce development.”
I may have some other topics we can cover later. But honestly, I think this is going to be the whole episode. Because this is so in line with what InfoSec is trying to accomplish. I want to start out by finding out who founded this group and this conference and how you specifically got involved in it.
[00:09:50] DK: Sure. The conference is a product of the non-profit Cyber Future Foundation, which is a nonprofit that’s trying to bring together business and people and solve major problems in cyber. We do some humanitarian work. Right now, we’re supporting some refugee groups that are supporting Ukraine. We’ve worked with helping with Afghanistan as folks were getting out of Afghanistan. Working on humanitarian efforts, as well as the humanitarian effort of trying to help more people get into cyber and thrive in cyber.
And as we saw this gap between exactly what you – And, Chris, I love that example of you’ve got CISOs coming on saying, “We’re desperate for people. We need people.” And the people in the comments have that different story. That is really something that we started to see coming up. And it really just felt almost alarming. That’s why Cyber Talent Week happened.
And how did Cyber Future come to happen? Val Mukherjee, who is one of the people who was early involved in the formation of CSA, Cloud Security Alliance. He is the founder and visionary behind the Cyber Future Foundation. He was at EY. He’s now focusing entirely on the cyber talent problem and on work that we’re doing at Cyber Future. And there’s another venture too that I can’t speak about yet, but is also focused on this very same problem.
And thanks to his – And he’s just one of these people that he sees a problem, he goes in, and he says, “Look, how do we solve it? How do we address it? How do we fix it?” That’s why Cyber Future Foundation exists, really, is as a nonprofit to support the good work in cyber and the people of cyber and Cyber Talent Week, because this problem just started to become far too acute not to bring people together. And we brought together – It was a North American, as you said. We started the West Coast. We were virtual for the first three days. And we ran out of West Coast in the middle of the country. And then we landed in-person in the DC area. And all along the way we brought – Yeah, we –
[00:12:06] CS: It was a traveling road show.
[00:12:08] DK: It was. It really was. Yeah, three days virtual, two days in-person. And the engagement and stakeholders were industry leaders, obviously, the government, right? Because there’s a lot of work that goes on in the government, between INL, and NIST’s NICE, and the DOL, and DHS. And there are a lot of stakeholders in the government that have a very vested interest in addressing this problem, but also have given us wonderful tools that are part of the toolkit, like the NIST’s NICE framework, for example, to be able to – We brought stakeholders in from all the different – Marian Merritt from NIST’s NICE was with us virtually. We had folks. We had Christian Todd with us in person in DC. And it was just bringing together the stakeholders.
And the reason we landed it in DC is that because a lot of this really does have to be a public private. There’s a lot of talk about public private partnership. But what’s nice to see in cyber is that we’ve gone from just kind of talking about it to actually seeing some real examples of how this can work more effectively. And cyber workforce is going to be one of those where it’s going to take both sides. That’s why we landed in DC and those conversations in-person. And we want to go from a discussion to action.
[00:13:26] CS: Yeah, that’s so exciting, because it does feel like there’s been a lot of theory being spoken in the last couple years. And it’s nice to see. Because that’s always the question you don’t want to ask, is like, “Okay. Well, how is this all going to happen?” It’s like, “Well, we just need to think hard enough at the problem and it will –” But, yeah, these are real physical structural barriers that need to be crossed in order to make these things happen. That’s why I’m so enthused about this. Yeah.
Yeah. The article you sent me on LinkedIn, which is titled Reflections on a week with inspiring cyber security leaders was written by Chris Foulon. Am I pronouncing it right?
[00:14:06] DK: Yes.
[00:14:07] CS: Foulon. Founder and co-host of the Breaking Into Cybersecurity podcast. And he provided me with a bunch of great signposts about some of the main strategies that you and your stakeholders are concentrating on to address the many issues the industry is facing.
One of the short-term issues you addressed is something we’ve been beating the gong about on the show for ages, “We would encourage employers to start re-examining their job descriptions to prioritize the problems that need to be solved and include the skills competencies and abilities to help solve those problems. Then prioritize internal training and continuous education processes to develop all the other nice-to-have skills and aptitude you can teach candidates over time.”
I guess, first, how do you plan to “encourage employers” in this way? This seems to be a fundamental issue of – We talked about the hiring departments that are – We’ve got to keep them away from their love of unicorn candidates. 10 years in a certification that has only been around for five years and so forth. How can we do some sort of industry-wide reset and readjustment of hiring requirements? Do you have suggestions for maybe like templates for rewriting job descriptions in more useful and less alienating ways?
[00:15:20] DK: Yes. Yeah. And job descriptions, really, it all starts with that. And the job description is often then used as the baseline for that ATS, the Applicant Tracking System, if you don’t get all the keywords right. And a lot of times, especially if you’re newer to the industry, you don’t understand that you’re first going to have a system who’s looking for pattern matches. And if your resume doesn’t exactly match the pattern that they’re looking for, then you can get kicked out of the system. And that’s it. That’s how you get these –
[00:15:48] CS: No human will see your resume.
[00:15:50] DK: Right. For you, it may be that you’re like, “Well, I’m really good with cloud systems.” But then, specifically, and maybe you’ve used Azure, for example. But instead you write cloud. Or I can set up service in cloud. I can manage servers in the cloud. But what it’s looking for is the word Azure.
And you put cloud because you can work in Azure. You can work in AWS. You can work in DigitalOcean. But they want Azure. Helping to understand with the writing of the job descriptions that write it in a way that’s going to be more inclusive. Something like if you want somebody who’s an expert in cloud, say expert in cloud. And you could say Azure preferred. And then make sure that the ATS is looking for that cloud experience. Not for the exact pattern match to Azure. Unless it’s only an Azure job, and you really want. Because there’s some talk on the side of those being hired to helping them jumping ATS.
Some other things to do, inclusive language. It’s still not uncommon to find job descriptions that are written for, “He will do.” And it’s like, “Are you hiring for a gender? Or are you hiring for the experience?” If it’s for the experience, make that that word and gender neutral.
[00:17:07] CS: Yeah. Also, it sort of speaks to what the company culture is going to be if you’re assuming that as well. It’s one thing to say, “Well, I’m not a he. But I can do the work.” But you also say, “Well, this is a place that assumes that I’m a he,” and underlying maybe would prefer that I’m he.” Yeah, yeah. Yeah, that’s sort of ugly in both directions.
[00:17:30] DK: It’s true. And just make that word in general. And these are simple fixes for companies once you make them aware of it. And I’ve worked with hiring managers that have come to me at companies I’ve worked at previously and they’ve said to me, “Nobody’s responding. Nobody’s a good fit.” And I’ll say, “Well, can I look at the job description?” And then I’ll ask questions. And they’re like, “Oh, I didn’t even think about that.”
And the biggest one that they tend not to think about when they’re writing the job description is exactly what you said, which is that unicorn. That phenomenon of the fact that certain kinds of people will apply for a job if they have about 60% of what’s in that job description. And so, that has led to managers creating those unicorn stacked-up job descriptions where they’re like, “I’d better ask for a lot more than just that 60% because I know –”
[00:18:17] CS: It would be great if we could get this other thing too. But, yeah.
[00:18:20] DK: That’s it. Exactly. And helping them kind of come back to earth and say, “Genuinely, what skills do you need? Where is their flexibility or wiggle room?” Like I said, if you’ve been doing security and running the systems at a company that’s a big AWS shop and you’re going to a company that’s an Azure shop, that can be learned. That’s like learning a different tool set. It’s not becoming a security expert. You’ve clearly been doing the job.
Helping the hiring managers understand how they write is going to make a big difference. And to be very realistic about what those actual skills are. If you need somebody who can turn the knob left and right, say turn the knob left and right. Not say create a knob or add extra knobs. Be really specific about what it is that you’re asking people to do. And not forgetting that, in security, how many of us learned something 10 years ago and we never had to relearn it because it never changed and everything’s exactly – I mean, the basics, right? TCP/IP is TCP/IP. But still, there’s IPv4 and IPv6, right? I mean, I know that IPv6 won’t run for decades. But even our basics, right? We do have advances [inaudible 00:19:40] security, for example. But come on. I mean, you came out of school –
[00:19:46] CS: Yeah. Those are just add-on learning packs. You can spend the weekend and get caught up or whatever. Two weekends.
[00:19:52] DK: That’s it. Being able to manage one cloud versus another cloud, this is something that you can pick up that skill. And so, being more realistic about genuinely what you need, what you can train up, and having a little bit of flexibility. If you have somebody who’s perfect for the job and knows 100% of how to do it. Unless they’re the kind of person who’s decided, “I like my job nine to five. I don’t want to advance. I don’t want to learn anything. I just want to do as little –” Most managers actually want somebody that they can skill up and move forward, because that’s how we keep people engaged, and learning, and excited.
So you want somebody who doesn’t have maybe all this. Be realistic. And also, understand where you can be flexible about what parts can be skilled up. Which leads to another one, Chris, which you probably hear a lot. Because the next thing that I always hear is, “Well, but if I hire somebody and train them, they’re just going to leave me.” You hear that a lot.
[00:20:49] CS: Right, right, right. Yeah, yeah, sure.
[00:20:52] DK: Yeah, I hear that a lot too from managers. I paid for them to go to school. And then they left me. It’s like we’re all sort of like this fear of abandonment now because –
[00:21:03] CS: I know. Yeah. Well, yeah. And that’s just sort of a mental block on their part because they forget all the other people who are like, “I actively withheld training from them and they left me.” But you’re thinking of them as good riddance rather than, “Wait, come back.”
[00:21:21] DK: That’s it. It’s true. Because not everybody gets – You probably had – Often, managers have workers that they just really love. Then they help to advance their careers. And if one of those leaves, that does feel very personal.
[00:21:33] CS: It feels like an abandonment. It could just as well have been a toxic workplace or no room for advancement. It’s like, “I paid for your schooling,” and then refused to promote you. There’s so many intervening factors. When someone tells you the story, “I gave them all this education, and then they left me.” It’s like there might be other supporting evidence in there that we’re not talking about.
To that end, I have a couple questions related to that. It feels what I’m hearing is it almost sounds like this would be a good opportunity to have some kind of a class for hiring managers that we could sort of offer for free, how to write an inclusive job description. And maybe also one for aspirants. How to jump the line, honestly, of the automated tracking systems? It’s if no one’s going to take action, it seems like we need to get the information to the right people. But when you’re talking about that, I feel like the dream description would be to focus entirely on the soft skills, the areas of interest, and only put technical requirements if they’re really required. We want someone you know who can read a lot of log files and is fine with repetitive work, but is also eager to automate their position and eager to sort of move up in learning and continues learning.
Also, you absolutely need to know these five tools. Maybe learn them before you get to the interview. I think there’s this fear that like if you give them the keys and the tools to give you what you want that somehow that’s like a lesser candidate. But honestly, a lot of people still aren’t going to do that. You can tell them like, “Put this in front of this in front of this in front of this. Put it on your resume and send it out.” And you’re still going to get a bunch of garbage candidates. But you’re going to get a lot more real ones, I think. Am I off-track on that?
[00:23:31] DK: Yeah. I mean, there’s always people – There are people that are really hopeful. People that have been rejected so many times that they’re like, “I’m just going to throw my resume anyway.” It’s like spaghetti at the wall. I mean, there’s always going to be a certain amount. And that is why ATS systems came into play initially, because I think it was just to really help – It was an attempt to make things better so that hiring managers didn’t have to go through just stacks of resumes that weren’t.
Unfortunately, I mean, it’d be nice if people stopped submitting resumes that they really weren’t good candidates for. But on the other hand, hope springs eternal. And I think that’s why people do do that. And then you do hear these unicorn stories of, “I didn’t think I was really going to be accepted for that.” And then, “Oh, lo and behold, I was.”
I mean, a colleague of mine actually just is going to be a first time CISO. And went through a lot of conversation with herself, “Should I apply for this?” But it was a dream. And she really had the right building blocks to get there. Because everybody’s got to get that first job as something wants, right?
I don’t want to discourage people from applying for jobs that they may not be 100% perfect for. Because sometimes you really do fit the bill. But, yeah. I think on both sides you’re right. If the hiring managers can be a little bit clearer about genuinely what they want.
And if you look, there’s been interesting studies coming out indicating that it’s not the tech skills that end up being the problem when someone comes in. If somebody has a baseline tech, as we were talking about. Let’s say you’ve been running Palo Alto firewalls. And the requirement is to be able to run the Microsoft Cloud Azure firewall. Firewalls are firewalls. I mean, once you know – I’m not saying that you –
[00:25:18] CS: Yeah. The button’s over here, instead of over here this time. Yeah.
[00:25:21] DK: Exactly. I’m not saying you can go in on day one, you’ve got all of the – But it’s something that you – You know firewalls work. You know what they do. Yeah, you’re right. The button moved. The rule is slightly different. You have to figure out a different UI. But the core of it is the same.
But those soft skills, as you were mentioning, that is so critical. Can people fit in with the culture of the team? Or can they challenge the culture of the team in a healthy way? Do they have the right – A good friend of mine, Nicola Whiting, is neurodivergent. I’m also neurodivergent. She’s neurodivergent. She’s autistic. And she talks a lot about the skill set that autistic people bring to an organization. The ability to focus, right? Because some jobs in cyber require you to be able to just tune out all the noise. It doesn’t matter what’s happening in the news. You got to be able to like dive right in and focus.
Then here’s a benefit that – If you have a job where it’s a dive right in and focus, think about who would be good in that job. As Nicola points out, that something – Many people who are autistic would be very good at a job where dive in, left alone, focus.
But now, also think about the ATS. Did that kick them out for some reason? The interview process too, Chris. Because some people may not make eye contact in the same way that other people – And actually, being on video for some people, which many of us are now interviewing on video. It’s incredibly uncomfortable for some people.
We’re losing people in the process for reasons that are traditionally like, “Well, the resume didn’t fit. Or they didn’t make the right eye contact with me when I was interviewing.” There may actually we may be losing some fantastic candidates.
[00:27:09] CS: Mm-hmm. Mm-hmm. I agree. I want to get back to the article here. There’s another quote from Chris’s piece on Cyber Talent Week, “The focus on the problem to be solved opens up the apparatus to new diverse groups of talent from other workforce sectors interested in solving those types of issues and a retainment mechanism via continuous education and training.” This is something that’s interested me ever since I started hearing from listeners who are having trouble transitioning into the industry from other fields. Did you come up with strategies or ideas for bringing these diverse talent groups from other industries into the fold by, say, appealing to their sense of problem solving?
[00:27:46] DK: Yes. Yeah. And again, I want to thank Chris so much for his article. Thank you for bringing it up. And he did just a wonderful review of what happened at the week. But, yeah.
Part of the bringing people in diversity is to talk more about the different jobs in cyber that exist. Because we tend to all immediately kind of go to these super tech even we’ve been talking about. I did this myself. I’m talking about firewalls. I’m talking about security cloud management, right?
We tend to go tech. And, yeah, we certainly need human tech in cyber. But cyber is now the business of work, which means that we need to have people with all kinds of skill sets. There are whole legal practices, legal or law firms, that have been created to address the different aspects of cyber. Whether it’s understanding the security implications of a contract that you’re signing, or the implications of new regulations, and things around things like data privacy, right? Lawyers, we need lawyers in cyber security. Insurance, cyber security –
[00:28:53] CS: We just did a live webinar on all about privacy. And one of the three guests was a lawyer. Yeah, yeah. And of course, the comment section was like, “Is this really cyber security?” It’s like, “Absolutely, this is cyber security. It’s all tied together now.”
[00:29:07] DK: It is. Yeah. Psychologists. One of my favorite things when I’m telling people about phishing and trying to explain phishing, and how the attackers are getting us to click, is to go back to Professor Robert Cialdini’s book of Influence and the Power of Persuasion, because he’s got six dimensions of influence. And guess what, when you start looking at phishes, they used them. These are tools from marketing and psychology. We need those people to help us how do we do security awareness training? People who are educators, right? When you start talking about how cyber is – And sometimes people say to me, “Oh, you think cyber is everywhere?” Well, it is.
[00:29:44] CS: Yeah. Oh, yeah.
[00:29:46] DK: As evidenced by the fact that we’re talking over computer screens right now.
[00:29:51] DK: Exactly, exactly.
[00:29:52] CS: Semi-permeable meeting software. Yeah.
[00:29:54] DK: I think this is how we create some of that diversity, is to help people understand that this is an incredibly diverse practice that we’re talking about. It’s not only the technical piece. It’s many, many other pieces coming together. That really matters. Looking at helping more people get into. That’s one piece.
One piece is getting more people that would not standardly go into cyber security. We’ve opened the aperture of what the job can be. Now let’s also open the aperture on who can be in that job. Things like a four-year college degree. For some roles – Look, if you’re going to be a lawyer, you probably have to go to four years of school as well as law school.
[00:30:35] CS: Yeah, please do.
[00:30:36] DK: Yes. However, there are many, many jobs in cyber security that don’t necessarily need a four-year degree. It could be an associate’s degree. It could even be a GED from high school. Helping to also look at, on the hiring side, can we just increase that so we have more diversity of people that maybe weren’t able to come up with the money? It’s not free to go – For most people, it’s not free to go to college. Helping people. And then maybe you bring somebody in you train them up. You send them to school.
But you can also do a little bit of that tie, that fear of abandonment. You can say, “Look, you’re going to have to pay back that degree if you don’t stay with us for X number of years.” It’s not indentured servitude. It’s just saying that, “We’ve paid for this for you.”
[00:31:24] CS: We want to make sure that what you’re actually using this for is to apply into this job, if possible.
[00:31:29] DK: Exactly. And then the neurodivergence, as we were talking about as well, helping to understand what kind of job? Is this going to be a good job for this person? That level of diversity. And then, ultimately, keeping people engaged. And there is a fear of sending people to conferences now, to education. And if I could plead with one thing for any hiring manager, it’s do not take that away from your team. In the long run, they’re only going to leave because they want those opportunities. That saying of people don’t leave companies. They leave managers. I found that to be very, very, very true even in companies.
I used to say, “Well, for companies dying, people want to leave.” But I’ve actually seen that dying companies, a really great manager still be able to retain a core of their team. Yeah. As a manager, if you’re losing people, think about why. And not giving them opportunities is going to be one of the biggest reasons. They want their manager to be an advocate.
Now, I’m not saying it’s all Pollyanna. I get it. There are some big-name tech companies out there that I’ve seen what they dangle in front of some people. And, yeah. I mean, if somebody comes up and triples your salary, it’s a little hard to say no.
But for the most part, really, just stop with the fear, worrying about fear of abandonment. Really, make the strongest, happiest employees you can. And most of them are going to stay because they’re committed to what you’re doing and building.
[00:33:06] CS: Yeah. Something mentioned in the article coming from the job candidate side really, really resonated with me. And I’d love to discuss it further. It says, “On the candidate side, start with narrowing down the problems you would like to solve and the roles you would be interested in pursuing.”
We’re always letting people know on this show, and we just talked about a little bit here, but there’s more to cyber security than pen testing and incident response and secure coding. But I want to get into this idea further of candidates asking themselves what types of problems they’d like to solve as a way of refining their focus of study and learning. This almost seems like it’s screaming out for a book pitch, or at least a really solid flowchart infographic. Can we discuss some of the job roles that line up with some of the problems to be solved that you identified?
[00:33:52] DK: Yeah. And you’re right. There are actually some tools that are emerging to help people understand both where their technical skills lie, as well as their aptitude. Because a lot of this really is about aptitude and what we want to do.
Yeah. I mean, some of the things is really to get into what it is that that person does want to do or accomplish. I mean, I ask this of anybody who comes to me as a mentee, “What do you want?” And a lot of times I get, “I just want to make a lot of money.” And that’s okay. I mean, there’s nothing wrong with that. But if your driver is just money, you might be better off going on to Wall Street and being in a hedge fund. Because while this is not a low-paid career, it’s also not going to get you – unless you’re like an Elon Musk, you’re probably not going to become a billionaire if you become a threat hunter. Ask yourself seriously what you want to do.
I’ve also had a lot of people say, “I want to get the bad guys.” Okay. All right. But what does that mean to you? Does that mean that you want to go through a whole bunch of log files? Find something that indicates where that – And hand that off to law enforcement or to some Interpol or something so that then they go? Or do you want to actually be the person who like busts in the door and says, “We have traced that ransomware back to you, back to this house. Come with us.” And physically arrest them. Those are two really different sides of it.
[00:35:24] CS: Oh, yeah. And I think that understanding that distinction is also something that keeps some people away. Like you get that fear of like, “Well, if I’m in cyber security, suddenly there’s a target on my back and my whole family’s back, or whatever, if I get too close –” Because we did an episode where we talked about the Bahamut threat group over in the Middle East. And I was like, “What’s going to happen? Am I going to start getting ransomware?” No, of course not. We’re way down the food chain. But, yeah. I think that still also keeps people out of certain aspects of the job. Like I just don’t want to even deal with that mess.
[00:36:00] DK: Yeah. And some people want to help people. I mean, “Do you want to help people?” Well, then there are a lot – As I was saying, there’s security awareness training. There’s educational opportunities, evangelism. Some people, they love selling. And there’s a lot of sales jobs in security. And they see sales of a really good product as their version of helping people.
Thinking about what it is. The number one thing is you have to get up in the morning, and most days be really excited. I get it that not every day you’re going to go like, “Yay! I get to go to work.” But if you can get up most days and go, “I really want to do this work. This is important work for me.” Then you’re in the right place.
I realized what’s the important work and what’s inside are two different things. But then once you understand what’s really motivating you, then you can start looking at all the different paths in cyber. And as we’ve spoken about, there’s this huge spectrum of opportunity in cyber. Thinking about where do you want to focus? What are your skill sets? Instead of trying to just go, “I think I have to be this to get this job in cyber.” Think more about what it is you bring. And then starting to understand where bringing that is going to have the most effect.
Actually, sometimes people who have been looking for jobs – I’ve talked to people that aren’t super technical, but they think they have to get an entry level analyst or threat hunting job. And they keep getting no, no, no. And then they start turning to something like they’re an artist who does absolutely beautiful renditions of very tough technical security concepts that other people can – Suddenly, their career just opens up in a different direction. Don’t be afraid of what it is that you bring to the table, because you’re going to be able to find ways to apply that. And don’t try and fit yourself into a job that just isn’t right for you.
And there’s one more thing I wanted to say, if that’s okay, Chris.
[00:38:00] CS: Yes, of course.
[00:38:02] DK: Which is that a lot of people think that you have to get your first job in cyber. But if you are more on the – Well, actually, any side. But the technical side. But this could go for the legal side, for education. Get skill sets in that adjacent piece and then maybe see if you can transfer that to cyber. What I mean by that is a Unix admin. A great Unix admin is going to become a fantastic security admin, because they understand how Unix works. A developer. Some of the absolute best application testers, penetration testers you’re talking about, that I’ve ever met, they were developers. They didn’t have any interest in security. But you know who can figure out how an application works really well? The person who wrote it. They can also help to figure it out.
In fact, I was talking to one penetration tester who said – And I guess we’re trying to get rid of that term. I don’t know what the new term is. But an application security tester, who had been a developer for years and years decided to go into cyber. Took a class, and after a week was sitting next to folks who’d been doing application security testing for years.
And a week later, because of their expertise in development and all of their knowledge of it, that one-week course then really put them into the ability to be a practicing tester, which is great. Don’t write off doing something that’s not in cyber, but is adjacent to what you want to do and then being able to transfer that out.
[00:39:37] CS: One of my favorite stories that we’ve gotten on this podcast is talking to someone in digital forensics who said that one of her best employees was a former child psychologist who was able to go through thousands upon thousands of text messages that a cyber stalker was sending to someone and being able to see sort of what the mindset is, to understand the shorthand of people of a certain age and so forth. It’s almost kind of a good intellectual exercise. It’s like, “Well, think of the industry or problem you want to solve. And then how about you imagine what the cyber security component of that would be?” It’s like if you’re in healthcare, what does healthcare cyber look like? Well, protecting patient records. If you’re in the military, what does military cyber look like? Well, a thousand things. If you’re working at a grocery store chain, what does the grocery store security look like? It’s like, well, supply chain reinforcements and stuff. It’s so easy to sort of pivot from there. And then you can jump into the whole crisscross applesauce network of it.
[00:40:37] DK: Yeah. No. I mean, that’s such a great example of someone who came from a psychology background and was able to bring that in. I come from an English background. I was an English major. And even though I was techie before that, I was an English major in college. And it’s been incredibly helpful to me to be able to write in a clear way that people understand.
Yeah, I think people just need to, again, both hiring managers and employees, open up the aperture. There’s a lot more to cyber than just the – But there are many more jobs than analysts. We need analysts too.
[00:41:13] CS: Absolutely. As regards to long-term strategies, you recommend that, “Companies need to work on developing effective talent development pipelines so they can start to ingest junior candidates while working with educational institutes to help work on ways to provide them with continuous education programs based on the needs of the organizations and the general area.” And you mentioned, of course, NIST’s NICE as a good reference point, as well as NCAE-C and SFIA.
Did you come up with any strategies or ideas for implementing the systematizing of this type of educational pipeline for a company? And to that end, for the junior professionals who are already exhausted from the day-to-day work of the job, can you talk about ways that this model of continuous learning can become, say, as integral to the work week as the essential tasks of the job?
[00:41:57] DK: Yeah. And part of it is really just write it into the sizing of the job. As a manager, you should have a sized idea of what your employees are doing and how much time they’re spending. And very often, we just kind of like – It’s like, “Just throw that on the cart. Throw it out on the cart.” It’s like, “Oh, and here’s 40 hours of required training.” Because especially if you’re at a larger company, you’ve got a pretty heavy load. It could be up to like an entire week of required training for your just overall employee development.
And then, of course, if you’re specialized, you’re going to want to have separate training for that. Go out to conferences. Make sure that you put that in your budget when you’re going through the budget rounds, that there’s travel capacity for people that you sized that in so that they can go off and take a week to get educated. That’s really the big thing, is to not just kind of – This is not something that’s going to take care of itself. It has to be in the employee plan for that year.
And also, I’ve done this a lot when I manage people. You put it into their goals for the year. Because now you made yourself responsible. Your employee knows how important it is. And it’s a lot harder if they’re getting – Their bonus is going to be dependent on whether or not they did what they were supposed to for that year. And one of those things was education. It’s a lot harder to let that drop off. If it’s a, “Oh, yeah. That’s nice.” It’s much more likely to drop off. Really solidifying, codifying it and making sure that your organization has committed to it by giving the space and also giving the financial support to pay for that.
[00:43:40] CS: Yeah, the space is so important too. Because I feel like it’s not out of the question if you like told your boss, “Well, it’s Friday afternoon, and I’m not doing the day-to-day work because I’m studying for my next certification thing or whatever.” They might say, “Oh, you’re really doing that on company time,” or whatever. That’s going to have to take, I think, a fundamental shift of, “Well, can’t you just do that after dinner?” It’s like, “No. No, I can’t. I have kids. I have a parent I’m taking care of.” It’s just not going to work out like that. We can’t live at our jobs all the time anymore even though we’re all at home all the time.
[00:44:15] DK: No. I mean, then it’s like the performative work-life balance stuff, where the companies that are like, “Oh, we really value your work-life balance.” Yeah, they value it until the company wants you to do something. Then it’s always the company’s going to come first at the – Some words, they are. They’re performative. They say it. And they don’t actually live it or do it. So, yeah. And training definitely can slip off if you don’t make time for it.
[00:44:39] CS: Totally. I love this next line from the article, for Chris’s article. So, “With talent pipelines, companies can create paths with consistent levels of developed skills, knowledge areas and proficiencies that allow candidates to see pathways for progression, which can start to open up the hiring aperture to a more diverse set of candidates with a foundational set of competencies transferable to various career verticals.”
We’re kind of circling back to the beginning when we were talking about getting rid of unattainable unicorn candidates in the job description. The next barrier to knock down, I think, in hiring diverse candidates is to hire based on strong skills that can be transferred from other work while knowing what you can train on the needed tech. And in this way we strengthen the industry by bringing in new perspectives, and new talent sets, and new backgrounds, which we’ve been talking about. Can you talk about some of the practical ways that this can happen? Not just in terms of hiring people from unconventional backgrounds, but also reaching out to these non-tech communities and making adjustments for difference in social stability, economic issues, health issues, family issues, etc.
[00:45:40] DK: Yeah. And it gets to that being very realistic about what do you need in that employee? And where can they be? And what is a little – Do you really need that four-year degree? It may be that your company has been saying we need the four-year degree. But do you really need it? What is it representing that the company or organization needs? And if it’s not actually contributing to how well they’re able to do this job or to even grow in the organization, rethink that.
Another thing that you’ll see very frequently is that they have to have a certain certification. It may be I want CISSP. And somebody comes along with CompTIA Security+. Being a little bit more flexible about truly what certifications do they need. And why are you asking for that certification? Is it just because, “Well, because I think I should.” Someone told me I should. Or is it something that’s actually going to be very specific to that job? Because a lot of times, again, with people that may not have had the opportunities. They may not be privileged with the opportunity to go to those four-year colleges. This now gives them a better path to come into the company.
Things like you had mentioned, health issues. There are some jobs that you don’t need to go into an office. You can sit at your desk. And maybe you may have flexibility in hours. Some health issues, people are fine. And I found this more in the past couple of years with people who are suffering from post-COVID or long-COVID. They may have 40 hours in a week that they can work. But they are not the standard continuous eight hours.
[00:47:16] CS: Yeah, yeah. Yeah. And a couple of friends I have who are chronic migraine sufferers. It’s like what do you do when it just jumps out of the blue? And it’s like you don’t power through something like that. But, yeah.
[00:47:28] DK: Exactly. And some jobs, sure, if you’re like third shift of the SOC, you got to be watching it during those hours. But there are a lot of jobs that you don’t have to. You need the 40 hours a week from the employee. It can be on their own time. That can be – Again, if you can have flexible hours for these employees and there’s the opportunity for you to know if they’re delivering or not – And some jobs, we know, when I was at Burton Group, for example, it was all about the reports. Your report was in or it wasn’t. I didn’t care when you wrote it. I didn’t care where you wrote it. As long as it was high-quality and it was on time, that’s what mattered.
Yeah, again, opening up and being more flexible about what truly does this job need. And giving opportunities for people that may have different constraints on their time, on their health, but can still deliver on that job.
[00:48:22] CS: Another topic that came up is apprenticeship programs, I want to talk about. So, “Candidates can work to highlight their skills, passions and competencies through constant learning themselves and showing employers how they solve business problems through working with the technologies that employers are using and demonstrating their use of them on the scales available with an approach that can later be scaled to meet the organizational needs.”
If I could ask maybe an impertinent question here, are we talking about a paid internship? And if not, how does apprenticeship differ from an internship?
[00:48:54] DK: I would say, when you have a week-long conference with so many different speakers and opinions, it’s pretty rare that you come out with something that’s pretty near unanimous. But pretty nearly unanimous was pay your people. Pay them. If it’s an internship, pay them. This is not about asking people to – If you’re a nonprofit, you’re asking for volunteers, that’s very different. But if you are an organization that’s looking for internships, yeah, it’s really important to pay them. They’re not going to get paid at the same rate as a full-time employee. They may not have benefits, obviously. But pay them something. Their time is valuable. And it helps them. And it helps the employee to have a feeling of commitment to the role. And just being respectful.
Yeah, find the money. Pay them. And hopefully that can improve. Because there’s a whole other process of like internship programs. It’s not sort of the field of dreams. If you get an intern, they will come and automatically know what to do and how to do things. There’s a whole process.
[00:50:02] CS: Yeah. I mean, that’s one of those things that starts out as a small problem that spins out to the entire company. Because I think about like a lot of what these unicorn candidates represent is this feeling of we don’t have time to – Our resources are already stretched so thin that we need someone who can just step in and figure it out for themselves, because we can’t allocate any – And we’ve all had that issue in a past job or whatever, where you get a new hire and it’s like, “Okay, this is going to take a lot of work off of your plate.” However, you’re going to have to spend the next 60 hours training them. And all you can think is like, “I’ll just do the task myself. It’s going to take longer to explain it to them than it is.” And that’s a whole systemic failure of like the HR department, as far as I’m concerned. There should be able to be like, “We’re taking these things off your plate while you spend more time getting this person up to speed and being available to explain things to them.”
And I think internships are like the absolute terminus point of that, where it’s we’re just going to plug you in. You’re going to be opening mail. Or you’re going to be doing the most boring thing imaginable. And if we do train you, it’s like here’s the book. Go figure it out, or something like that.
[00:51:18] DK: Yeah. No. I mean, some very large companies, they actually don’t want the intern to deliver anything that’s going to be usable. What they want the intern to do, because their process is internships is how they do a lot of hiring. What they want the person to do is to understand the company and the culture and see if you’re a good fit and you like being there. So that when you graduate, you’re actually ready to come in as an employee. Those kinds of interns, it’s more about their job is to learn how the company works. And you give them a project that is about them. It’s maybe not actually operational. It’s more educational for them.
And then there are some interns that come in that are very operational. If you’re that kind of – And I’m actually preparing for an intern like that this summer right now. And what I’m doing is I’m creating this framework of this is what needs to get done. This is what it needs to look like. So that they can come in and see the steps to fill in and have actually a path laid out.
Because if I just said to them, “I want you to kind of go figure this out.” That’s interesting. But in an operational side, what you want is for them to have the steps that they can complete. But if it’s more on the educational side, you might just kind of say, “Figure something out.” Because you’re not looking for them to actually deliver for – It’s more about education and about them fitting in with the organization.
Many different ways to bring in interns and externs. I’ve seen shadow-level, where they let them shadow for like the first week or two. And then they actually put them into things like doing analysis in the SOC. A lot of different ways to do it. But think it through in advance. Because just like as you were saying, “Ooh! Wow! We have an extra pair of hands.” It’s like, yeah, make sure you’ve got a plan.
[00:53:04] CS: Yeah, absolutely. And time to implement it. Yeah.
[00:53:08] DK: Yes.
[00:53:09] CS: As I expected I would, I seem to have structured my entire episode around Chris Foulon’s article. And I have no regrets, because every paragraph just what popped in my head and got me all jazzed about this stuff. Here’s one more insight that blew me away before I let you go. So, “Just because someone might have access to training and education does not mean that the student or the community see the value in that career path as valuable to generating value for their community.” Can you talk about this and all its implications? Because it feels to me like you’re talking about everything from the satisfaction of doing meaningful work to the benefit to your community if you’re, say, doing ICS security and keeping your local infrastructure safe. What are the ways that our industry can help to foster this type of pride and excitement and show value in the work potential candidates who might not otherwise be thinking to pursue it?
[00:53:56] DK: Yeah. I think that we can start showing more about what the work of cyber is and how it is helping local communities. I mean, for example, if you’re giving people, in rural areas, jobs because they don’t have to go into the office, then you’re supporting that community. But it may not be known. The community may not understand that – Maybe if it’s 10% of – Because it’s not unusual where people start referring friends and things from the same geo or something.
Start talking about it. Talk back to the community. And be engaged in the community too about the work that’s being done, about who’s being brought on board, so that there could be this visibility around cyber. We tend to kind of disappear a little bit. And a lot of times people will say, “Well, either that’s not –” Like you were saying, that’s not cyber. Or what is cyber? It doesn’t matter. I’ve had people say to me like, “I don’t think it’s really – I don’t understand what it is. Cyber doesn’t touch my life.”
And I think that the more people that understand it – When we say ransomware in so many people – Or phishing. Cyber is everything. It’s down from the email you get in your inbox. Can you trust that that email came from your bank or that it came from a phisher? That’s the work of cyber. The work of cyber is making sure that when you look inside your fridge at the store and you see the milk in there, or you look at your doorbell when you’re away and see who’s at your front door. The thing that’s keeping that safe and secure are the cyber experts.
I think, also, educating the community not just on who’s working and why cyber may be creating opportunities. Whether it’s remote opportunities, building a data center in the area and staffing the data center. Although, a lot of data centers want to keep it a little bit on the down low where they’re located. But for other reasons.
[00:55:47] CS: Yeah. Sure, sure. Yeah, understandable. Yeah.
[00:55:50] DK: And also, talking about how people in cyber are actually helping the entire community. And then outreach too. I live in New Hampshire, and the New Hampshire Tech Alliance and Small Business Association just went through a program of providing free cyber security assessments to small and medium businesses. And that helps a lot because – And they promoted a couple of the folks working in cyber in New Hampshire. I was one of them, which was nice.
And I did some of the assessments. And it was just a really good way of showing, like, “Hey, New Hampshire, small and medium businesses, there’s support for you in cyber. Cyber is important to you. And guess what? You have people working in cyber here in the state.” I think those kinds of outreach and conversations can really help to make people feel a little bit better about what opportunities are and how it can help their local area.
[00:56:44] CS: This is a random thought I just had. And I don’t know if you had any experience with candidates coming in. But I think there’s still, especially in non-urban areas, sort of a thought of tech jobs and maybe security specifically as jobs that don’t produce anything. That there’s not an end product out of it. It’s like I made cars. And now I push numbers around. And the information economy and all that. Have you seen any resistance in that regard in terms of this isn’t a real job because I’m not in the medical field helping a patient get better? Or I’m not doing this. Or I’m not doing that.
[00:57:21] DK: Yeah. I mean, there’s partly the invisibility. There’s the other side of it, which is that if you guys are working so hard and so good, how come I still got a phish? Or how come the Colonial Pipeline got stopped?
Yeah, I mean I think that there’s – And when people are coming into the field, I actually say – I sometimes think of this as being like an oncologist, a cancer doctor. Because nobody really expect – I haven’t heard anybody go up to a cancer doctor and say, “Why haven’t you solved cancer?” Because it’s like we understand, this is a really big, complicated problem. Cancer is actually a constellation of different issues, right? And so, that’s the same thing. It’s like that’s what happens in cyber.
Yeah, I think it can feel a little bit like, “Oh, what are you doing?” Or you haven’t done enough lately. And, look, that does come with it. I’ve heard it. I’ve heard from people that I work with basically go to some family party and be blamed for somebody who got – A family member that got ransomware lock up their laptop.
Again, I think the best thing is education, conversation in most people. If they’re thinking that we’re not doing anything, it’s because they really don’t understand the work of what we do. I think that the real answer is doing things like what you’re doing, Chris, and having these conversations. Talking about what the work of cyber is.
Cyber Talent Week, again, trying to get this out there. Elevate the conversation so that the rest of the world knows that we are here. We are doing good work. But unfortunately, there’s no perfect.
[00:59:03] CS: Right. Well, I’m going to end on that. Because it’s a very good button on the whole thing here. As we wrap up today, I know that you have things that you may or may not be able to announce or that you might not want to talk about yet. But can you tell me what you can talk about that you’re excited about on the horizon? Can you talk about ways that people can find out more about Diana Kelley and where they can contact you and talk more about this kind of stuff?
[00:59:31] DK: Yeah, thank you, Chris. Yeah. Val and I are working on a commercial venture, which will help to expand and extend the cyber work that we’re doing with the nonprofit. The nonprofit will be there. We will continue to be there at the nonprofit. But we’re also working on extending the mission. We’re going to be announcing that hopefully in June. You know how it goes when you’re doing a new co kind of thing.
But my LinkedIn is there. I’m posting regularly on LinkedIn. If anybody wants to follow me, that’s great. And also, reach out. I can’t get everybody a job. In fact, I don’t have jobs right now. But, certainly, if I can do anything to help people, I always want to do what I can and help to support. Yeah, follow me on LinkedIn.
[01:00:21] CS: That sounds great. Diana, thank you for all of your great insights. This was such a treat.
[01:00:25] DK: Thank you so much. It’s wonderful to be here, Chris.
Thank you so much once again to Diana Kelley. And thank you all for watching and listening. We’ll speak to you next week. Bye now.