Yes, we want more people in cybersecurity. And the lure of great pay is definitely there. But just because there’s a great want for more bodies in cyber, it doesn’t mean it’s going to be easy to get in.

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Steve Zalewski, and our guest Adam Keown (@akbitbucket), director, information security, Eastman.

Got feedback? Join the conversation on LinkedIn.

Our sponsor for this week’s podcast is VMware.

Full transcript

David Spark

Yes, we want more people in cybersecurity and the lure of great pay is definitely there but just because there’s a great want for more bodies in cyber, it doesn’t mean it’s going to be easy to get in.

Voiceover

You’re listening to Defense in Depth.

David Spark

Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series and joining me for this very episode is my co-host Steve Zalewski. Steve, let everyone know you’re there.

Steve Zalewski

David, great to be here and welcome to all of our listeners today.

David Spark

Our sponsor for this very episode is VMware and VMware has been a phenomenal supporter of the CISO Series and we thank them greatly for that and you’ll hear more about VMware later in the show. Now, over on LinkedIn, Randall Frietzche, CISO over at Denver Health, wrote a post making it clear to all those looking to enter the field of cybersecurity that an associate’s or master’s degree isn’t going to cut it. You actually need experience, you need to put in the years of experience, especially with a foundation in IT. The response to this post was overwhelming with well over 4,000 reactions and 600 comments causing an enormous debate. So, Steve, I want to know, do you agree or disagree with Randall’s very stringent assertion that you’ve got to have experience to get into this field and to dominate this field?

Steve Zalewski

So, what I’m going to say to that first is, wow, I actually read the majority of the 600 responses because I couldn’t believe the energy that went in.

David Spark

Overwhelming.

Steve Zalewski

Overwhelming, but what I’m going to say now that sets up for this is the interpretation of the statement from Randall clearly shows that just as the security domain is expansive so is the variety of opinions as to what it means to have sufficient credentials to be part of the community of practice and that’s what is so exciting about today’s conversation.

David Spark

Excellent and someone who’s going to be joining us in that very conversation is somebody I met a year and a half ago at the RSA conference and hopefully we will both be there again in 2022. It is Adam Keown who is the director of Information Security over at Eastman. Adam, thank you so much for joining us.

Adam Keown

Thank you, David, Steve, glad to be here.

What aspects haven’t been considered?

00:02:32:06

David Spark

Jerich Beason, CISO over at Epiq said, “Many roles aren’t technical in nature. Also highest paying roles are now for niche areas such as appsec and cloud security which are very narrow in focus.” And the post really said, like, you need a very expansive knowledge and again having a broad knowledge is valuable but if that’s where the money is, the niche, that’s often where people will want to go. Dre S of Coalfire said, and this was referring to a previous consultancy he was at, “Entry level consultants generally had very sharp minds, good leadership skills, team skills, analytical skills, presentation skills and some cyber security background and a huge drive to learn more.” We hear that theme comes up a lot. And Edwin Martinez at EnBW said, quote, “If I needed a company to perform incident response for a major incident, a consultancy isn’t going to be on my short list.” So, that was kind of a lot of things to debate of, yes, there is that, but if I really need something, that’s not where I’m going to be going, kind of attitude. So, I’ll start with you, Steve. What do you take of these kind of comments of, yes, there’s a lot of roles but, oh, yeah, sure, there’s great roles, but, you know, I’m going to hire a doctor if I need to get fixed.

Steve Zalewski

Yes, and that was where I was coming from with my opening statement around the interpretation of the question and I’m going to start with a question back, because they said you have to ask, why is the pay so good? Because the point is, the question posed was the pay is so good, we need everybody, but it’s very technical. Why is the pay so good? And I’m going to say, it’s not so good across all of the domains. And it really depends upon what you do and the difficulty in cybersecurity is based on whether you’re looking at operational roles, like, if you’re in ops and you’re using runbooks or on your help desk and you’re using playbooks, versus if you’re in the more technical realms or interpretive realms like GRC, where there’s a lot of ambiguity and your experience is to be able to understand that ambiguity. Or in architecture, where you have to understand all eight domains of security in order to be able to build the vision of what needs to be done, in which case the pay is correspondingly more. So, my netted out statement there is, if you can be a vocationalist versus a specialist then of course the pay ranges are very divergent.

David Spark

Where do you take on this, Adam, in terms of this argument of, yes, there’s other jobs out there but if you go really niche and technical niche, that’s where the serious money is?

Adam Keown

Yes, I agree with that and actually I’ll expand on it partly. Not only are the very specific areas where you will get the higher pay but it’s also sometimes a trend. There may be a specific tool set that is extremely popular right now that won’t be popular five years from now and if you don’t keep those skill sets strong and continue to build on them, you may get yourself out of a job just within a few years.

David Spark

And when one goes into cybersecurity, should they immediately be thinking how niche I’m going to go, because, like, you know, medical school, they’re like, well, figure out what your specialty is, what do you think, Adam?

Adam Keown

My say is no. I don’t think they need to focus that much that early and I’ve read Randall’s post several times and I think his argument there is between education and the reality of the cybersecurity world. Just getting that education degree is not going to make you that expert. Cybersecurity, I even said this on another interview, is not a subset but more of a superset because of the volume of information that you need to be excellent at the job. Now, you can come out of school with an education and go into a specific area and perform very well but in order to be effective across the board in IT, you have to know those other foundational principles.

Steve Zalewski

So I’m going to jump in on this and here’s what I’m going to say. You’ve referenced doctors twice now as an analogy and I think it’s the wrong analogy and here’s why doctors aren’t the same. I say the path to being a doctor is several hundred years old and it’s well defined and it starts with being a generalist in all parts of the medical field in the first eight or 12 years of education and then you become a specialist after you’ve become a generalist and everybody knows it takes 12 or 14 years to become a doctor. Whereas if you look at the cybersecurity path today, it is not defined, it is evolving. There are lots of fields of practice and the key is, we can’t afford to put 12 or 14 years in for everybody to be a security generalist and then specialize. It’s the other way around: what we’re trying to do is generate specialists and have a limited number of generalists. So, I would say it’s the other way around right now given the maturity of the two fields. So apples and oranges.

How do we handle this?

00:08:18:07

David Spark

Stephen Germain over at the Walt Disney Company said, “A non-technical person in my area will not last long. We hire for technical security chops first with a compliance background as a secondary strength.” And Steven Gamatan of Akamai said, “You really should not judge a person based on how long that person has been in a company. You should judge people based on their knowledge and their drive to do a job or wanting to be in the field.” So this segment is all talking about, like, criteria for hiring. There are a lot of people that are, like, “I need X years of experience in this,” and then there are others that, which this is a little soft and squishy, are, like, “Well, I want someone who is just really eager to learn and really eager to be in this field,” not always the easiest thing to see from a resumé. Where do you stand on hiring and is it always kind of a case by case basis or do you have some things that are kind of universal, Adam?

Adam Keown

Yes, there’s a few things. One is that when it comes to hiring, there are certain skill sets that we need for a certain job and that’s what we’re aiming at. Being part of a global company, you can get very specialized in the type of job that you’re looking for. But outside of that, I would say that many folks are making comments, you know, Steve even mentioned in our last segment, from their point of view based off what their team looks like. I’ll give you a great example. There are some cybersecurity teams that are in legal, there’s some that are underneath an audit purview, there’s some in IT. They’ve all grown from many different areas, especially over large enterprise companies and because of that they need specific skill sets. Some cybersecurity departments own privacy. Here in my position as the global CISO, I do not own privacy. We have a whole privacy office that takes care of those items, so I don’t need that specialty. A great place to look is actually, CISA has the NICE framework at cisa.gov, and that will give you a breadth of how large the cybersecurity world is and the many different jobs that are associated with there. My past includes being a cyber-investigator. I don’t have one of those on my team today but there’s so many jobs. I would encourage folks to look at that, so they have an understanding of what’s available out in the market.

David Spark

And, Steve, what about you? I mean, I would assume, I have hired for passion but when I truly see, like, there’s some people really want it, they prove it, they show it, I’m like, “Well, this is the person I definitely want,” because they proved they can do it and they’ve done it in such a quick, rapid fashion rather than the person that’s just coming with X years of experience and I don’t know how passionate they are. I mean, doesn’t passion play an enormous, enormous part in hiring?

Steve Zalewski

It can. Passionate people, intelligent people, creative people, there’s a whole set of domains in cybersecurity that pay very well, that require that type of individual. But, just like I said earlier, when I got back to the different domains and what pays well, not every domain in security requires that level of intellectual curiosity capability. When you get to the help desk, when you get to the operations teams where what you want is consistent execution of known process, that oftentimes requires a very different type of individual for you and them to be successful. So I challenge the whole idea that everything in security is about solving hard problems and having to be really good. If I look at the doctor, I go, “If you’re a general practitioner, you haven’t spent all the time specializing and being a thoracic surgeon.” We need a lot more general practitioners than we need thoracic surgeons. And so, what I want to do in the next segment and transition here, is I want to talk about what I think the right analogy is, not doctors and cybersecurity, but what I believe is a better way to look at this so that you can actually characterize the caliber and capability of the people against the domains of security.

Sponsor – VMware

00:12:45:10

Steve Prentice

Digital transformation is a phrase that’s on everyone’s lips these days, but it doesn’t mean the same thing to everyone. Sandra Wenzel is a cybersecurity transformation engineer for VMware and part of her job is to make sure companies deploy their digital transformation plans safely and avoid the many threat actors that are waiting for them.

Sandra Wenzel

I think it’s a misnomer for people when we talk about digital transformation. Just because you go through a re-platforming, meaning you go from a data center to the public cloud, doesn’t necessarily mean you’re going through a digital transformation. And I feel that companies out there that actually don’t do that accurately, they’re going to crumble and fall and unfortunately as that technology progresses, so do our threat factors. So the popular topic for me typically is ransomware.

Steve Prentice

She points out that much of the ransomware technique is not new nor is it necessarily sophisticated. For example, moving a command and control server to the public cloud so it looks like a public IP. So for companies and organizations–

Sandra Wenzel

They really need to pull up their socks as we have to really go under this assumed breach paradigm, where they’re already in our network, it’s what are we going to do about it to find them and assess and be able to contain the damage. Not only just reputation but also the money because we are seeing ransomware as a service where these actors are a double edged sword, where they are the broker of the information as well as they hold the keys to our kingdom.

Steve Prentice

For more information, visit vmware.com and while you’re there be sure to also register for Sandy’s presentation Anatomy Of The VMware SOC at the upcoming VM World Online, October 5th through 8th.

What are the complaints?

00:14:29:15

David Spark

So, I’m going to read you two quotes from two people who are looking to get in cybersecurity and they are clearly frustrated. And I will say, this is emblematic of what I have heard again and again and again. Violett Kim of El Paso Community College said, quote, “What I get from this post, with all of my optimism intact, is that getting into cybersecurity is harder than becoming a doctor. Does cybersecurity even have an entry level?” That is questionable and it’s brought up in the next quote here from Dortie Dorvilien of The Home Depot, who said, quote, “I was told by a recruiter and a hiring manager that there’s no such thing as an entry level in cybersecurity, they needed people with years of experience, but they couldn’t answer my question as to where I would obtain those years of experience if they don’t give me a chance. I’ve been denied countless times despite my efforts in continuous learning, setting up a home lab, tweaking my resumé, having the will, and trying to stay up-to-date with cybersecurity.” So, Adam, I’m going to start with you on this one. Both these quotes I’ve heard and this last one from Dortie so sums up the frustration of entry level and to have someone say there’s no such thing as entry level, that’s pretty fierce, but there’s no question that the number of entry level jobs out there is slim. How do you respond to this?

Adam Keown

I think there’s an issue between a lot of the people who are hiring cybersecurity and their HR room. When they are talking to HR and they say, “Ah, I’d love to have someone with X Y Z certification or A B C certification,” HR runs with that and says, “Oh, we’ve got to have this,” when really they’re not giving them a full set of what they’re trying to bring into the team. I regularly tell my team that the people I’m looking for are folks that are hungry, they’re humble and they’re smart and they’re able to connect with people. That comes from a book called The Ideal Team Player. Those types of people, I can bring in and teach them something technical but I can’t bring in someone technical who’s brilliant and teach them character, things their mom didn’t teach them growing up. And so those are the types of things that I convey to my HR team: these are the types of character traits that we want and the hard technical skills are needed but they’re not an end-all-be-all to getting the right person in the right position.

David Spark

A very good point right there on all levels. Steve, what do you say to that and specifically both Violett and Dortie’s comments here?

Steve Zalewski

I say, to a certain extent, we’ve created this problem for every security manager or every manager out there that’s putting together the reqs. It’s too easy to aim high in the hopes that you find the perfect candidate. We’re not writing the reqs to aim low to get the entry level folks that are creative and bright at the forefront of the queue. The way I position this and why I say it’s our problem, is we do want to think about this as doctors whereas what we should be doing, I think, is looking at this as car development and the types of people we need to be able to build and develop cars, which is, we need a certain number of engineers that can design the car. Those people need a lot of experience, they need a lot of degrees, okay, the architects, the solution designers, the senior CISOs. But then I say, but wait a minute, I don’t necessarily have to have all that if I have to do specific domain expertise. So, just like when you bring your car in as a mechanic, I can have a mechanic that specializes in brakes and alignment, I can have a mechanic that specializes in engines. Look at how many lube techs out there that do lube oil and filter changes. That’s a vocational, you can learn how to do that, you don’t have to learn how all the rest of the car works or work on the rest of the car. So where are the job specifications that look at this as a set of vocations where we can hire new people and train them in and they may become experts in that area or they may want to choose to learn more and move on to other areas? And then when I say that, I go, so for everybody out there, look at the eight CISSP domains. Let’s just use that because it’s technical and that’s where the pay is good. If I look at security operations versus software development and security, two very different domains. One’s lube oil and filter, the other one is transmissions but you still have to be able to bring in vocational level expertise in each of those areas to go forward and you have to acknowledge that they’re different. Look at identity and access management and security and risk management. Identity and access management is very process driven, very technical deployment, security operations. Security and risk management, GRC, like I said earlier, a lot of ambiguity, you need to take a look at controls and determine if they’re appropriate. So, let’s think about that as we write the job reqs and institute a little more vocational thinking in the specifications.

How would you handle this situation?

00:20:24:17

David Spark

Jason Cambra of Acushnet Company said, quote, “Look for knowledgeable hungry candidates who have enough aptitude to understand the technical and non-technical nature of the roles you need to fill.” And Tim McCain, CISO of City of Aurora said, “Knowledge not applied rarely results in professional growth and acumen.” And that last line, I think, kind of hits the money, in that if you do education without immediately applying it to something real world, it is in one ear, out the other. Adam, do you agree or disagree with that?

Adam Keown

I agree 100%. We recently even were hiring a position here at my company and started interviewing folks who have sent in their resumés for some pre-screens, for a Splunk position and we get people on the phone and they’re like, “Yes, I don’t know how that word got in my resumé,” and we’re like, “You don’t know anything about it?” They’re like, “No, I’ve never used the product.” And then we talk to someone else who had used a dashboard one time. They’re never actually in the product, they had seen it as a label. And so people are unfortunately, I think, going to extremes to get some of these jobs or to get some of these pre-screens, to get some of these initial conversations going just to get in the door because of some of these posts and things they’re hearing from these hiring managers. But to your point, you have to apply this knowledge and you have to use it. It’s very embarrassing when you’ve got a cybersecurity teammate talking to a networking team partner and in that discussion, they don’t realize that they’re talking about an address that’s not routable and you lose all credibility when you’re having a discussion like that if it’s a bogon address. Those types of things happen, I even saw them in the government when I was there and the only way to combat that is to get that exposure and to get into these tools, to get into the environment and to gain on-the-job experience to go with the education that you have.

David Spark

Steve, I very much like what you said in the last segment regarding we need to make cybersecurity more vocational so you can just learn one experiential thing, but nobody in the industry has been talking like that, which by the way I’m pretty sure you do, but really, like what Tim says here at the end, there’s a need to tie education with experience and not enough of that is happening.

Steve Zalewski

So, here’s how I would say that. Knowledge not applied rarely results in professional growth and acumen. Here’s what I’m going to say in security. Knowledge not applied, true, but the real thing is intelligence not applied rarely results in professional growth and acumen. We need to be able to balance the limited knowledge that you can get in cybersecurity or require in cybersecurity and focus on the fact that we’re hiring intelligent people. You can hire a physicist, an artist, a psychologist. All of them are needed in security because it’s not purely a technical domain. Look at security awareness training, look at help desk: when you’re talking to people that don’t understand security, you’re better off talking to somebody that actually better relates to what they do. So, to me, that’s why what I say is, knowledge out of education is important, because you do want to know if you’re going to enjoy doing this, but the intelligence that you’re applying to be a member of society, a functioning member that pays back, get on that part of the game. So, let’s have that balance at a vocational level rather than at a professional doctor level. That was my whole point: let’s bring it down, there’s so many pieces.

David Spark

No, and I agree, there’s no reason why there can’t be a significant portion of cybersecurity that is vocational.

Steve Zalewski

Absolutely, and that is my whole point which was, the sooner we get there, the sooner we’re all going to be able to help each other, because mutual defense is absolutely mandatory now and so if we’ve got to hire a lot of people, that’s why I say, let’s think about it as cars and mechanics and not as doctors and thoracic surgeons.

David Spark

Alright. So, if you want to fix Steve’s brakes and you have only that skill, Steve wants to hear from you. Am I right on that, Steve?

Steve Zalewski

Absolutely.

Adam Keown

Now, let me argue just a little bit here. I agree about taking it vocational but there’s a lot of activity that students can do on their own that they’re not doing today.

David Spark

Like?

Adam Keown

I have interviewed people who come in and they say, “Hey, I’d love to have this job.” Let’s go back to the Splunk reference. How many of them have actually downloaded Splunk? There’s a free version. Then run it in their own lab, had some sort of lab activity. I had another person who I was interviewing who said, “No, I don’t touch a computer after I leave work, I do other things.” And I’m sure that’s healthy and that’s great for them and their family, but it’s definitely not going to inspire me to hire you to come to my cybersecurity team.

David Spark

This just goes back to, there’s enormous value in showing passion and the way I see it is, as we all discussed, cybersecurity is all about risk and when you’re hiring people, you’re also taking a risk. The more the people take the risk on themselves, as in experimenting, creating that home lab, getting the education, the training, so he says, “You don’t need to take a risk on me because I’ve already done this,” that is the whole point. They want to hire to reduce their own risk and if you say, “Take a chance on me,” where you haven’t even experienced it, you’re throwing the risk on the hiring manager which they don’t really want to do. It’s a question of where are you putting the risk.

Adam Keown

They’re going to be happier in the job if it’s something that they’ve got that experience at home and they’re drawn to it. Then they’re going to be happier in the job when they get there. That true passion is going to be there versus the pay check that I’ve run into many times that a lot of young students are wanting.

David Spark

You can get that pay check and you can also show the passion. They are not mutually exclusive.

Adam Keown

Exactly.

Closing

00:26:51:01

David Spark

Alright. I will ask you, I’ll start with you, Adam, what was your favorite quote here and why?

Adam Keown

My favorite quote is, “Getting into cybersecurity is harder than becoming a doctor.” I think that theme came up multiple times today and I don’t agree with it but I thought that was a fantastic quote from the discussion.

David Spark

But the way it is described makes one believe that and that’s what is the whole thing with the quote and that’s what I liked about it.

Adam Keown

Exactly.

David Spark

Steve, your favorite quote and why?

Steve Zalewski

Although I picked on Tim McCain a little earlier on and his statement around knowledge versus intelligence, I’m going to go with Jason Cambra from Acushnet Company, “Look for knowledge hungry candidates who have enough aptitude to understand the technical and non-technical nature of the roles you need to fill.” So I’m really calling out to the managers, the hiring managers and the HR people, which is look for knowledge but look for intelligence slash aptitude and let’s go ahead and start bringing in those people that we know can do the job and let’s get the vocational pipelines built.

David Spark

Thank you very much, Steve. Thank you very much, Adam. Adam, I’m going to let you have the very last word here and pretty much I just ask all our guests, are they hiring? And then any last things you want to say about Eastman or, heck, anything else about this show. Steve, thank you as always. He was from his remote studio in Texas on today’s episode. And I want to thank our sponsor, VMware. VMware, thank you so much for sponsoring these Defense in Depth shows. Alright, Adam, are you hiring?

Adam Keown

Yes, I am definitely hiring. You can follow me on LinkedIn where I post the jobs. We’ve even got a senior cybersecurity architect position open right now.

David Spark

Do you have any entry level positions open?

Adam Keown

We do. The entry level positions that we are hiring are more global and in multiple service centers.

David Spark

Excellent, awesome to hear. Any last words about this topic?

Steve Zalewski

Well, I’d like to take a moment.

David Spark

Sure, Steve.

Steve Zalewski

And actually call out and acknowledge my son Mark Zalewski who is in cybersecurity and has only been in the field for about three years. So he came out and much of the conversation I had today, I was actually leveraging his experiences and some of his knowledge. So, I do want to thank my son for helping me leverage some of his thinking and his knowledge as he entered the field.

David Spark

So we have to credit your son’s wisdom and not actually credit you, is that what we’re saying?

Steve Zalewski

Yes.

David Spark

Alright, so we’ll make sure that he’s credited appropriately and we’ll take you off the credits.

Steve Zalewski

But just don’t tell him, don’t tell him, okay, because I’m down here in Texas with him and I’ll never hear the end of it.

David Spark

Adam, any last words?

Adam Keown

I would encourage cybersecurity professionals out there, if you’ve not been a part of a great communication group, a wonderful example is Toastmasters, get in touch with one of these communication groups. The most difficult skill set that seems to be hard to come by in the cybersecurity world and even in IT in general is that communication set. Having people that you can bring in, that can have a solid communication with people that are outside of IT and convey that message in a concise and direct way, is very important.

David Spark

Alright. Well, thank you very much, Adam. Thank you very much, Steve. Thank you to our audience for everything, we greatly appreciate your contributions and listening to Defense in Depth.

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.