Take control of your infosec career with CyberSeek

Tim Herbert, vice president of research and market intelligence for CyberSeek, joins us to discuss the National Initiative for Cybersecurity Education's CyberSeek model.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: Hello and welcome to another episode of CyberSpeak with InfoSec Institute. Today's guest is Tim Herbert, Vice President, Research and Market Intelligence for CyberSeek. It's going to be an interesting day. We're going to be cyber speaking and cyber seeking at the same time. We at InfoSec are very excited about the CybeySeek platform and our role as cybersecurity instructors, we love to give students the tools they need to do great work, but it's equally important to ensure that they know where to find jobs.

So Tim is going to give us an overview of the CyberSeek platform and then we're going to do a thorough walkthrough of the site's capabilities live on the show so you can see the benefits for yourself. Tim Herbert is a self-described data junkie who works to connect the dots and make sense of the ever changing technology landscape. He oversees the research and market intelligence program at the Computing Technology Industry Association or CompTIA. Previously he was one of the leads of the research department at the Consumer Electronics Association, owner of the International CES Trade Show. He currently spends time analyzing trends associated with cloud computing, mobility, big data, collaboration technologies, the IT channel and workforce issues as well as the application and impact of technology on industry sectors such as healthcare, retail and government. Tim, thank you so much for joining us today.

Tim Herbert: Thanks Chris.

Chris: So we like to start our episode usually by asking our guests a little bit about their security journey. Have you always been interested in cybersecurity in tech and if so, what brought you to your role with CyberSeek?

Tim: Well, I think I've always had a fascination with data, so that's probably been my entree into cybersecurity and I've been with CompTIA for 10 years now, so certainly I've seen quite a bit the past 10 years. And then previously to that about 13 years with the Consumer Technology Association. So I would say my journey certainly is a function of what we do at CompTIA via our certifications and our training. And as head of research, I spend a lot of time working with our teams internally to really understand the trends.

So I would say most of my interest really comes from understanding the market, understanding what's driving it. Then certainly as of late data has really become an analytics, really become a core part of cybersecurity. So I think that's another part of my interest in the topic.

Chris: Yeah. So you said you've been interested in data for a long time. What was the attraction?

Tim: I think part of it is understanding the world around us. So whether it is understanding stock market trends or understanding the expanding universe, like you name it. I think I've always had an interest in just how things work and a lot of that stems back to the data. So a lot of times I just play around with numbers and what you can do with it, especially. So mapping has always been an interest of mine, so it really worked out well. It was kind of via the natural intersection between the data, the mapping and what you can do with it.

Chris: That that jumps right perfectly into the CyberSeek platform, which seems to be extremely data driven. So where did the idea for CyberSeek come from and what do you think the problem was in the cybersecurity industry that a CyberSeek was created to address?

Tim: The problem that we were originally trying to solve, the Bureau of Labor Statistics, they do an excellent job at a top level of categorizing our workforce. But there is quite a bit of a lag, especially in the area of technology where it takes many, many years between when they introduced a new occupation and then when actually the data is starting to be collected.

So in the case of cybersecurity, they do have a category, but it is somewhat a niche in nature and it only classifies about 100,000 professionals in the US. So even if you are somewhat far removed from the cybersecurity space, that sounds pretty low, just given the size of the tech space. And the fact that technology touches everything that we do today. So part of it was to better capture especially the roles that maybe it's not a dedicated cybersecurity professional, but cybersecurity could be 50% of the jobs.

So think about a network engineer. So we wanted to one, better size the workforce, and then we wanted to better show the dynamic between what employers need in terms of their workforce and their skills and the specific types of certifications they're looking for. And then what does cybersecurity workforce looks like. When you put those two pieces together, that's how you arrive at CyberSeek. There's more to it than that. But that was basically the gist of the problem that we're trying to solve.

Chris: I guess I'm very curious about this labor statistic. The 100,000 people work in cybersecurity. What is the choke point? What are they not seeing about these positions that makes the focus seems so narrow. Is it just people who are only working in this one very specific sort of tech corner?

Tim: They capture cybersecurity analyst. Okay. They would be captured in another managerial category, but there's not a breakout. Someone that maybe is a cybersecurity engineer, they show up another category. Some of the emerging positions. So if you are a pen tester, you may show up in a catchall other, and it usually takes about seven years or so. That's just how long it takes for them to update. And to their credit, they don't want to necessarily jump on every new buzzword because they want to have data consistency over time.

You want to be able to track the year over year changes. So it does take a long time to evaluate. And groups such as CompTIA, we do participate when they have open forms and when they're putting the call out for what new occupation categories. So hopefully over the next few years they will have a more granular look at cybersecurity roles.

Chris: Yeah. They have to make sure that the job title is going to be around in five years or 10 years or whatever.

Tim: Exactly.

Chris: So one of the big sort of talking points right now, understandably in the news is the concept of the cybersecurity skills gap, that there's a far more sort of job openings available than there are people to fill them. What in your opinion, is the biggest cause of the skills gap?

Tim: It is a nuance question and I'd like to preface that by saying, one that what we often see is that the concept of skills gap, it is often a catchall term that may describe many different types of labor market challenges. And certainly beyond the technical skills. It could be a function of soft skills or business skills. It could be a function of location. The jobs are in one market, the workers are in another market. It could be a pay gap. We still have situations, especially small businesses. It is very difficult to compete in certain markets for scarce skills.

Then also perception gaps employers that they may zero in on just one type of candidate and they're not casting a wide enough net. So there's a lot of different components to it. But I will say two of the things that we see in our research, quite often it is the speed of change. Simply we are seeing new technology enter the market, new platforms, applications. So certainly net strains, not only the workers that have to keep up, but also the training community and others that are producing the training and certifications.

Then also, there's simply more, I would say the other component, and there are somewhat tied together, but just there are more moving parts to security today. It's not just about defending the perimeter, but it's understanding where your data is located around the globe. And especially with the IOT trend with edge computing, essentially your data footprint is expanding. There's a much more of a business component now, especially with new regulations, GDPR and obviously the people components always there, but I think there's just more to the job today than it was even five years ago.

And certainly again, it gets into some of the nuance that the skills gap, it, it really covers a lot of different topics. But I think those are some of the factors that we tend to see bubble up.

Chris: You sort of alluded to this briefly, but one of the theories is that there's not so much a skills gap is there's a training gap in the sense that HR departments are looking for that sort of magical unicorn candidate with the exact right certs and the exact rate, years of experience and practical background and they're only getting one candidate or less further job postings when they have people in their company that could possibly be sort of trained up to that. Is there an issue with just the way we sort of cast out the net for cybersecurity people that's causing these choke points?

Tim: Yeah, I think that certainly contributes to the challenge of some employers. And when you look at enough job posting data, we often joke that you see situations of an employer, they are demanding five years of experience for a technology that may be two-years-old or they're just asking for to your point about the unicorn candidate, they're asking for the impossible.

Chris: Yeah.

Tim: Yeah. I think that goes hand in hand, skills gap and training gap and it certainly in some situations it is under investing in training or not crafting the right type of training program for the teams. And we also hear that employers, sometimes they are reluctant to train because they're fearful the employee will then hop to another employer. And usually the counter argument is, well if you don't train you could certainly lose that employee. Or how does it affect your bottom line if you are unwilling to invest in your employee.

So again, it's always difficult when we're talking about a very broad category to over generalize too much. Certainly that's something that we do work with a lot of employers and try to provide guidance in terms of what is realistic in terms of your candidates. I think we have seen evidence, especially now the unemployment rate for IT occupations is about 2%.

So for cybersecurity in some markets it's approaching zero, meaning that every single person that is qualified has a job. So we have seen some evidence that employers, they are starting to forego the requirement of say a four-year-degree. They're casting a wider net and they're looking at candidates that perhaps didn't have quite the same background that they were expecting. In many cases that works out great and oftentimes they are able to bring in people and in a diversity of opinion that actually helps the company.

Chris: So speaking to that nuance, obviously cybersecurity is not a monolith as we're saying here. Since there's lots of different facets to the cybersecurity industry. Are there areas within the sort of umbrella term cybersecurity where the skills gap is shrinking? Are there certain job positions that have plenty of people to cover? Or is the skills gap pretty much across the board?

Tim: It is a little bit difficult to precisely quantify the size of the skills gap. But I think I would be comfortable saying that yes, in certain types of positions where maybe security is 30% of the job, but it is not a dedicated cybersecurity roles. So again, network engineer or IT support. Yes, we have seen tremendous progress in terms of training that incorporates more of a security element and in those positions, yes, I think we do have a well-qualified workforce. We have a solid pipeline.

Where we see the gaps begin to emerge or become more prevalent. We are becoming more specialized with cybersecurity. It's not just a Jack of all trades type of position, but really there are some very specific skills that are required. And as you move up the ladder taking on more of the governance role as well. Certainly yes. I would say the other component, increasing the industries, they want industry specific expertise. So it's not just knowing the technology, but it's really knowing the business behind the technology.

So if you work in manufacturing or agriculture or healthcare, so that's where you do begin to see some of the shortages. In some cases it is a function of experience that you just have to, you're not going to produce someone that's an expert in all of these fields overnight. So sometimes we just have to make sure people are on the right career path and that we know that they will get there eventually.

Chris: Tim back to something you spoke about previously you were mentioning and this is something we've talked with other guests about, but the sort of the treadmill of the sort of constantly evolving tech and how not only are you having your current people, needing to, their knowledge is out of date after six months and then you have new people trying to get on the treadmill but are also trying to keep up with the new trends. Is there any way off of that? I mean, it just seems like it's just going to keep getting faster and faster and sort of a shorter half life for technology.

Tim: Yeah. I think that's the reality of the sector we're in. But I will say that what we often hear from employers is that, and this is why they tend to prefer candidates that have a broad foundation of technology education and training and they know that it's going to change, but oftentimes those types of candidates, they are better equipped to learn and they have that learning mindset and it's not just the candidates, but the organizations that really have a learning mindset and they are really focused on agility scent tend to perform better over time.

Chris: So turning the attention of the interview over to CyberSeek can you tell me about a little bit about CyberSeek and its alignment with the NICE Cybersecurity Workforce Framework as a sort of a method, the United framework for career pathways and so forth?

Tim: Yeah. I would say one of the really foundational pieces of building out CyberSeek, I created a beta version of the map in 2015 and presented it at a cybersecurity conference and the recession went over very well. There's a lot of interest in it. And that's when we really made the decision to scale it. We began our partnership with Burning Glass that is a data company that supplies the job posting data and then also with NICE, and that is the cybersecurity education arm of NIST National Institute for Technology and Standards.

So one of the other problems that we recognize that there wasn't really enough of a common language in how we talk about cybersecurity. Again, it gets the point of at times we over-generalize. And as the field has matured, we do have new specialties and NICE, I think did an excellent job. It was a public private partnership. So there was mini groups involved across the industry and they developed the NICE Framework and I think they're on maybe iteration 3.0 now, but it has seven top level knowledge domains in the field of cybersecurity.

Then under those domains, I think there's roughly 53 or so specific skills. What we did with CyberSeek, we mapped all of the data directly to this framework. So it provides a common way to describe the knowledge domains and the skills that are required to really have a holistic cybersecurity posture within an organization. And the expectation is that not one person has all of these skills. It's again, it's what an organization should strive for in terms of their cybersecurity team is able to fulfill all of the functions.

Chris: Right? Right. We're still sort of learning how to sort of map our employees or the potential employees to the actual expanding needs of the organization. So I guess to that end why don't we have you open up the CyberSeek platform here and Tim, if you can share your screen and walk us through a little bit of how this works.

Tim: All right, so this is the main page of the interactive map. You will see there are a few different areas, and I'll get to this in just a second. But for most people, this is the starting point for their use of CyberSeek. Just a very quick view, you do see that there's lots of different toggles here and there's lots of different ways to interact with the map and it's really meant to be hands on. That's what we hope users do, that they play around with it. They explore different areas of the map, both in terms of the location, skills and some of the different ways that they can interact with the data.

Chris: I'm sorry to jump in for a moment here, but if for people who can't see the the URL, this is a www.cyberseek, C-Y-B-E-R-S E-E-K.org/heatmap, H-E-A-T-M-A-P.HTML. We also have an audio podcast version of this. Definitely want to make sure that they hear it. So yeah, so this is the sort of, this is the page where you should be starting your journey basically.

Tim: It defaults to total job openings. So this is the data that I referenced. It comes from Burning Glass and there's a number of different providers for job opening data. But I think Burning Glass does an excellent job. They are a dedicated data company and they invest a lot of time ensuring that the data is as high quality as can be. What you will notice is that the initial view, it's based on essentially the nominal size of job posting.

So as you would expect, some of the larger States are going to have more job postings. It could be just a function of the size of their workforce. And hence they're going to have more cybersecurity professionals. So certainly California, Texas, Virginia, Illinois and so forth. Then some of the less populous States. So as you would expect, Wyoming, there's going to be fewer job than just Wyoming.

Tim: So I think that's pretty straight forward. And then you can certainly view this at the Metro area level as well. In many ways it functions the same way. So if you were to go to a New York, you're going to see one of the highest counts for cybersecurity job postings, Washington DC. This is at the Metro area level. So you will see in some cases Washington DC spans quite a few different areas. But this gives me a general feel for the data as a function of size.

Then one of the things that you immediately start to wonder though, how does it compare as a proportion of the local workforce? So this is more of a relative major, and one of the ways that we do that is through the location quotient. So this is relative to the overall number of CyberSecure number of IT job postings within the state.

And you do see some changes here. So most notably, you see something like Colorado. So relative to California as a proportion of jobs in Colorado. There's a more concentrated or a higher concentration of cybersecurity demand among employers in Colorado. And you see the same with Virginia and Maryland and a little bit in Massachusetts as well. And it's not to say that, again, there's not job postings in Texas or California, but it's relative to the overall number of postings within the States.

And then of course we can do this at a Metro area as well. And I think this is where you see some of the interesting stories emerge. Obviously there's a lot of focused on Silicon Valley or some of the other tech hubs around the country, but you do begin to see some areas that maybe they're overlooked to some degree. You see in Montgomery Alabama and relative to other job postings in Montgomery, cybersecurity has a pretty high concentration. So that's an indicator that demand is relatively high in Montgomery relative to many other Metro areas around the country. No, I'm sorry, go ahead Chris.

Chris: Oh no, as I'm looking at this, I was just going to point out that if you are interested in getting into cybersecurity, but you are for whatever reason, geographically bound to an area that doesn't have a great tech concentration, it's still interesting to note that even in what otherwise look like sort of tech deserts like Montana or North Dakota, you can still sort of freeze down into what are the actual metropolitan areas that have relative cybersecurity tech concentration as well. So if you're taking care of a family member but you still want to do it, you're not zeroed out here.

Tim: I would just to follow up on that, I would say this tool is also used heavily by employers. That may be thinking about where are we going to locate our next new headquarters? While they may be thinking, yes, I'm going to go to one of the tech hubs, they also will be competing with many other companies. This is where they begin to think, well, maybe if I were to place my headquarters in Omaha, I have a much better chance at securing the talent that I need relative to say San Jose.

So that's a pretty useful way to interact with the data as well. Then just a couple of other features here. You will see that the data can be segmented between the public sector and private sector and this is also a function of our partnership with mist. So we wanted to make sure that we had the government presence and that's certainly an area such as Washington DC. There's a heavy concentration of firms that support the cybersecurity needs of the the federal government.

But you see that in many places around the country where there's a need, whether it's the military or even supporting local government. That's one segmentation as well.

Chris: Very cool.

Tim: And then there's also a segmentation by the size of the Metro area. This is somewhat more just of a drill down. It gives you a chance to, if you just want to look at small Metro areas, it's a way to toggle between some of the different [inaudible 00:23:40].

Chris: Got you.

Tim: So that's the base to the map. And there's a few other metrics that we use such as the ratio between supply and demand. And that's simply looking at the base of workers. The thing that I always remind people that the current base here, if you see the figure, it's roughly a little over one or 700,000. That doesn't necessarily mean these are people sitting on the sidelines waiting to be hired. These are people that are employed. So in many cases it's a matter of recruiting someone from another company or they may be looking for a promotional opportunity or new experience, or maybe they're relocating to another part of the country.

But when you compare this to other industry sectors, and we do this with Burning Glass across every sector, cybersecurity has one of the I would say the lowest ratios between the demand and then the base of the workforce. So in some ways it does, it corroborates that the unemployment rate is very low and it corroborates that there is intense demand in a lot of areas for cybersecurity skills and talent.

Then one other reminder, again, I alluded to this earlier, it doesn't necessarily mean that these are all dedicated cybersecurity roles. In some cases you will see, if you look over here at the top cybersecurity job titles, you do see vitals such as network engineer. So these are individuals that there's a heavy cybersecurity presence, but that's not the only component of the job. A systems engineer similar situation, software development system administrator and so forth.

But generally this gives you a pretty feel for employers as they are posting for different types of positions. Some of the various types of job titles that they're using.

Chris: Okay. So these are the titles you're probably going to be seeing a lot in the one Ed's or the sort of job postings on the corporation sites.

Tim: Correct. And then down in the left bottom left, this is the NICE framework that we discussed a little bit ago and as I mentioned, there are seven high level categories and NICE if you just search NICE Cybersecurity Workforce Framework the site comes right up and it is a helpful reference tool. We do have some of the descriptions here of what each category includes. But as I mentioned, there are 53 sub categories of skills. So if you need a deep dive, obviously go to the the NICE website for that.

But you have a pretty good sense of how the data syncs up with what employers are demanding. In many cases there may be some overlap, but operate and maintain this is the biggest category and this really goes to maintaining the infrastructure of the organization. Obviously there's a cybersecurity component, but it's probably broader than just maintaining data security, but it's really maintaining the entire infrastructure.

Then the second biggest category is securely provision. It does allude a little bit to the acquiring technology, but a lot of it is a function of integration and how different technologies make their way onto the network or how different platforms are expanded through API.

So a lot of it really comes into how the company designs and expands their IT architecture over time. Then certainly if you go down through each of the categories, you do see some of the smaller, more niche such as analyze. That's I think one of the areas that is really starting to gain momentum in terms of the interest in using analytics. Certainly AI will play a role here in terms of how we are using data to really understand what is happening on networks and where the red flags are in terms of potential threats.

Then governance. That's another area that companies, they really have woken up to the fact that cybersecurity is not just an IT department issue, but it's really a board room issue and a C Suite issue. So I think this is probably another area that companies are focusing more attention on governance and making sure that they are really thinking about the entire organization and the impact of cybersecurity.

Chris: You think that these numbers will probably go up over the time as, as organizations start realizing the value of having these types of positions?

Tim: I think we probably will see some of the growth in these areas. And the last one's a little bit hard to see but investigate and in many ways investigators pretty closely tied to analyze. But that's really thinking about the proactive nature of cybersecurity and not just playing defense, but thinking about penetration testings-

Chris: Things like threat hunting and incident response so far.

Tim: Exactly. Other offensive majors to protect yourself.

Chris: Very cool.

Tim: But I think, yeah, these are some of the areas that we will see some of the growth on these bottom categories here.

Chris: Now, is it counterintuitive or should you really, if you're looking to sort of get into a niche that has lots of opportunities, should you be looking towards operate and maintain or should you kind of put your chips on one of the smaller ones with the idea that it's going to grow? Or is it just where your interests lie?

Tim: It's probably... Yeah, it could be a function of interest. So certainly if you have a strong interest in analytics that may guide your decision, but it may also be where you are in your career. If you are head of an IT department and you are thinking about moving into a CSO role. Yes. I think you would want to focus perhaps on the oversee and governance.

So really understanding how you're developing the policies that guide the organization. If you are working in IT support and you are looking to make that next career step, you may be thinking, operate and maintain and then that may lead to securely provision. So getting into some of the higher level designing the network and some of the architecture and then obviously the cybersecurity that sits behind it. So it could be a function of your career path as well.

Chris: Okay. So some of the shrinking numbers are also just a sort of pyramid notion of some of these are higher level things than previous things. So there can be less positions.

Tim: Correct. Then lastly, the bottom right here, we do list some of the top certifications that are popping up in the job postings as well as the number of certification holders. So this is essentially the supply of individuals that hold these certifications. Again, it doesn't necessarily mean that they are available for employment. But that is the base of potential workers in a particular area. In some cases these could be individuals that they are recruited to a new company or they may be focusing on additional training to move up the career ladder or so forth. But this gives you a pretty good sense of some of the different certifications that pop up in terms of employer demand.

Chris: Now can we read anything into so for example, systems down there, it shows that there are more openings requiring a CISM certification than there are CISM certificate holders. Now is that something worth keeping in mind if you're sort of gauging your career path that if you can get as a CISM under your belt, you're now open to positions that were previously not available to most people or... I mean it looks like, Security+ obviously everyone has Security+ but you get this very very strong ratio. Do we read anything into those ratios?

Tim: To a degree. In some cases, yes. It does mean that there is significant employer demand for a certain certification. What you will see, and I will show this once we move to the career pathways portion of the map, it does also though it highlights one of the challenges that we see in the market where employers, they are including certifications. Some of these, the CISP in particular they often recommend five to seven years of experience in some cases and employers, they are including these higher level certifications for an entry level job that may have two years of experience.

So in some cases it's also employers that they're adding everything that they can think of into the job posting. That creates a situation where it's inflating the perception of demand. Then when they really think about their needs chances are they need something that's probably more hands on technical. Then conversely, what you see with a Security+, you see a lot of the positions such as network engineer that they may not specify Security+, but the job has a heavy security component. What they're really calling for without saying is they need someone that has some of the technical skills associated with a Security+.

Chris: Yeah, just another level.

Tim: Yes, in some cases the demand here, it understates to a degree because of a Security+ baked into some of these other roles. But that is a good segue though I think to the career pathways portion of the path.

Chris: Absolutely.

Tim: This is the second tab up here and as the name implies, it is really designed to help whether these are job candidates or even employers to understand what are some of the pathways that we see from feeder roll up through entry level, mid level and advanced.

If we were to start with the first networking role here, it does give you some additional information in terms of what are the common job titles associated with professionals in the networking space. The certifications, the skills, and then the likely cybersecurity skills that will be required to move to the next level. If we were to click on the cybersecurity specialist or technician role, again you see the bottom fields, they are dynamically tied to the role above.

But it gives you a general sense of I'm working in networking. I would like to make the leap into cybersecurity and from cybersecurity I may even be thinking the next five years, where do I want to go with cybersecurity technician role and I may want to move into a cybersecurity analyst role. Then from there perhaps I want to move into a managerial role or an engineering role or so forth.

One of the things I like to acknowledge, as much as we could, we'd wanted to base this on the data. We were also though cognizant of the fact that in certain industries the job titles may be slightly different and they may be interpreted in a slightly different way. So I think usually the one example that comes out in the government space, IT auditor may be considered more of an entry level role in other organizations though, when you think auditor, you're typically thinking high level.

You're thinking of someone that may be more advanced. So we do have to recognize that this doesn't necessarily apply to every company situation. They may have a slightly different interpretation. And again, a lot of it is a function that we wanted to make sure that we reflected the various types of the government positions and how they map back to the data.

Tim: Then if I can just jump back to the cybersecurity technician role.

Chris: Sure.

Tim: If you scroll down, it does give you some additional information. If you are, say, just thinking about I'm working networking, where do I want to go next? And cybersecurity is one of several options that you may have, but you want to get obviously one important question is what are the salary expectations? What are the education requirements? What are some of the certifications that I should expect to have to demonstrate to a potential employer? Then some of the skills as well.

I think one of the interesting things here, and again this ties back to some of the discussion points earlier that so many of the roles today, the expectation is beyond the technical, that there is a soft skills component, that there is a business skills component. You do see in the list here and again it's not real time, but these do reflect what we're seeing with employer data. But you do see customer service and project management show up in the top nine in terms of the skills for this role. I think that again, reaffirms the importance of having well-rounded candidates and not just individuals that have the technology down.

Chris: Yeah. This is all very exciting stuff here. So I guess we've got a pretty good overview of the site here now. You've sort of shown us all of the major tools. Let's sort of imagine that you're sort of an imaginary cybersecurity expert or you're a student or whatever, and you're coming on to CyberSeek for the first time. Trying to think about where you want your career to go. What sort of path would you take through the site to sort of help you win her down? Where would you start? Would you start with the heat maps or to get the geography or would you start with looking at jobs or what do you think?

Tim: I will say the tendency I see most often when I give demos at trade shows and whatnot, the natural tendency is people want to see what's in their backyard. So people usually will want to immediately go depending on... I grew up in the Pittsburgh region, so if I was coming to this for the first time and I should say one other feature that you can drill down. Probably my natural reaction would be, what's happening in Pittsburgh.

I think probably I would start with your backyard just to get a feel for in Pittsburgh. It actually looks like there's quite a few job openings relative to some of the surrounding areas. So I think that would be a probably a pretty good starting point. Then from there I think it is always helpful to have the big picture and to understand what may the career pathway look like.

And this is going to vary. Obviously if you are starting with little technology background, you're coming to essentially to the tech space for the first time. I would be looking at some of the different feeder roles. I think it just both this map here and just as a general principle that it can be overwhelming thinking about your career over the next 10 or 20 years. But trying to break it down into smaller pieces. So thinking about step one, maybe the feeder roles and what do I need in terms of some of the education requirements.

This may be an opportunity to say you actually this is something that we see expanding, but increasingly there are employers that they recognize that there are many quality candidates that don't have a four-year degree. So I would be thinking potentially what are some of my training options?

Does it involve going to a two-year program? Does it involve working with a training company or a training partner? That's I would say where CyberSeek helps to provide the general roadmap for where you want to go. We work very closely with the training community and CyberSeek. I think it's probably unreasonable to think that you're going to have one stop shop for everything, but we recognize then that there are many underlying details.

So for example, if you do want to pursue one of these certifications, what does that look like from a training program? If I want to tailor a training program to my needs, to my situation, where do I get that information? So whether it's working with a InfoSec Institute and using some of your material or many other quality training partners or university programs. Typically, that's where the handoff occurs. You get the general big picture, you get the next level down in terms of what you're going to need.

You get the general path of where you may want to go over the next five years. And then we are getting ready to really execute and you're really beginning to start your training. That's when you begin to work with other partners in the cybersecurity community.

Chris: So it seems like you've given us tons and tons of cool information here. Are there any functions of the platform that you feel are sort of under the radar and under utilized that you would like people to notice? Everyone's probably looking at salary stuff and like you said, things in their backyard, but what are some things that you think people aren't taking as much advantage at CyberSeek.

Tim: I will say from an employer perspective or even from say a university or others you will see here there is a embeddable widget. So any groups out there that they want to offer a CyberSeek light version on their own site certainly something is available and again, not necessarily a job candidate would be doing this, but for others that are working with job candidates. I think this is probably a pretty interesting feature and probably a little bit under utilized.

Certainly the career pathway, this is probably an area that I think, again, a lot of people, they go to the map and they get a pretty good feel for employer demand, the career pathway. Then especially under the career pathway, how some of the feeder roles map back to the NICE framework.

I think that's another just general best practice for both employers but also job candidates to be familiar with the framework. So I think that's something that probably is useful and perhaps overlooked not just on CyberSeek but within the cybersecurity space in general. Then I will say as well something that I often remind people, especially if you are on the go, that the the map does work. For a map, so data maps are always a little bit tricky, are tricky on mobile devices, but it works very well on a mobile device. So-

Chris: Very good.

Tim: ... it's pretty handy. If you are out in a situation or you're ready for a job interview and you would pull up a few quick stats-

Chris: On the subway on your way to a job interview or something like that.

Tim: That exactly.

Chris: Pop it in. Okay. So let's let's close up the CyberSeek thing here. We'll wrap up the interview a little bit. So one last question as we wrap up here what are some upcoming features that CyberSeek is working on that you're looking forward to?

Tim: We are continuing to build out some of the feeder roles and you can see that some of these roles here are probably not very entry levels. So certainly adding in some of the help desk and some of the IT support positions and then even some of the positions that may be coming from another area of the organization such as project management. If someone wants to move into a more technical role.

So we're going to continue to work on the feeder roles. We are hoping for international expansion. So we have been working with the government in Australia and the UK. So our fingers are crossed that we're going to be able to expand. Certainly we recognize that cybersecurity, it certainly is a topic that goes well beyond the borders of the US so we want to reflect that with the platform.

And then certainly just keeping the data maintained and building out as new certifications emerge, as new facets of the NICE framework emerge. We will continue to keep CyberSeek updated.

Chris: That's great Tim. Tim Herbert, thank you so much for being here today. This was a really, really cool and educational.

Tim: Great. Thank you Chris.

Chris: Thank you all for listening and watching. If you enjoyed today's video, you can find many more of them on our YouTube page. Just go to youtube.com and type in InfoSec Institute to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday. All of our videos are available as audio podcasts. Please visit infosecinstitute.com/cyberspeak for the fullest of episodes and we're also on Spotify and iTunes and all the usual places you get podcasts.

Chris: Podcast listeners can also go to infosecinstitute.com/podcast to see our current special promotions. Finally, if you'd like to try our free security IQ package, which includes phishing simulators you can use to fake phishing and then educate your colleagues and friends in the ways of security awareness, please visit infosecinstitute.com/SecurityIQ.

Chris: Thanks once again to Tim Herbert and thank you all again for watching and listening today. We will speak to you next week.

Join the cybersecurity workforce

Are you a cybersecurity beginner looking to transform your career? With our new Cybersecurity Foundations Immersive Boot Camp, you can be prepared for your first cybersecurity job in as little as 26 weeks.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.