Defense in Depth: What’s the Value of Certifications?

Why should security professionals get certifications? Do they actually teach you what you need to know to solve cybersecurity challenges? OR do they act as gateways or approval checks to be admitted into the field of cybersecurity?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, guest co-host Will Gregorian (@willgregorian), head of IT and security, Rhino and our guest Shawn M. Bowen (@smbowen), CISO, World Fuel Services.

Got feedback? Join the conversation on LinkedIn.

Thanks to our podcast sponsor, Palo Alto Networks

First, every company became a software company. Now, every company needs to be a cybersecurity company too. Prisma Cloud from Palo Alto Networks a single security platform that delivers comprehensive protection from code through app, so your company can keep doing what it’s supposed to do. Learn more at paloaltonetworks.com/prisma/cloud.

Full transcript

David Spark

Why should security professionals get certifications? Do certifications actually teach you what you need to know to solve cybersecurity challenges? Or do they act as gateways or approval checks to be admitted into the field of cybersecurity? 

Voiceover

You’re listening to “Defense In Depth.” 

David Spark

Welcome to “Defense In Depth.” My name is David Spark. I am the producer of the CISO Series. And on this special episode, I have a guest co-host – very excited to have him on – it’s Will Gregorian, who is the head of IT and security over at Rhino. Will, let’s hear that sound of your voice. What does it sound like? 

Will Gregorian

Hello. How are you all? 

David Spark

That’s what Will’s voice sound like. Guess what – you’re going to hear a lot more of it. Our sponsor for today’s episode is Palo Alto Networks. They are a returning sponsor. We love the fact that they have come back again and all their awesome support of the CISO Series. So thank you very much, Palo Alto Networks. More about them and what they have to say later on in the show. But first, let’s get to the topic. Will, I asked you to join me as co-host for this discussion because on LinkedIn, you argued the value of certifications to doing the job of cybersecurity. And you questioned that value. In particular, you called out the CISSP and asked CISOs to rethink using that certification as a hiring criteria. Now, I want to point out that Chris Zell, CISO over at Wendy’s and an Air Force veteran for 12 years, had tons of real-world experience but no certifications. And that prevented him, he believed, from getting hired by big companies. Over time, he then eventually got the certifications and got hired but admits they have no value in what he does today. So is that the rationale? Like, essentially, Chris’ story why you question the value of a CISSP as a hiring criteria? 

Will Gregorian

Absolutely. And there is a reason why I actually went on my rant of sorts. And it had to do with the fact that there are a number of individuals who go on to humble brag, if you will. And they brag about the fact that they got their CISSP or their CSMs or CISA or whatever equivalent certifications they have. But the reality is that they’re going through boot camps. They’re not really, necessarily, learning the material that, you know, is in those books. Anybody can go to a school for a week long and take the course, do a brain dump, go take the – you know, the test and at some point pass it. Does that mean that they’re qualified? So I took issue with that. And for the record, I do have my CISSP. So I’ll just put that on the table because I know Shawn cares about this. What do you think, Shawn? 

David Spark

Well, hold on. We’re going to get to Shawn in just a second. And by the way, we have divided up this discussion between pro and against arguments about getting the CISSP. So I’m really eager to hear both sides of it because there definitely seems to be issues on both sides. But let me introduce our guest, who we’ve had on the CISO Series pretty much across – I think you – I think, by the way, you may be one of the few people who’s been on every one of our shows for that matter, Shawn. 

Shawn Bowen

I believe I have. 

David Spark

That’s awesome – thrilled to have you on all of them. Well, it is Shawn Bowen. He is the CISO for World Fuel Services. Shawn, thank you so much for joining us. 

Shawn Bowen

Oh, thank you for having me again. I love talking cybersecurity. 

What’s everyone obsessed about? 

3:23.415

David Spark

RJ Friedman of Buchanan Technologies said, quote, “they’ve – referring to certifications – they’ve become more necessary, more expensive and less relevant.” He said, without one, it’s actually an uphill battle when trying to make a good first impression. And Jules Okafor of Revolution Cyber said, we fail ourselves when we allow certifications to relieve us of the duty to truly understand the baseline knowledge required for a particular role. Does this outline your aggravation with using certifications as a hiring criteria, Will? 

Will Gregorian

What RJ mentioned, I don’t know if I agree on the stance that it helps with a first impression. The first impression often is made with the HR folk, not necessarily the hiring manager. So by the time the hiring manager comes through the door, they don’t care about the CISSP or the certification. 

David Spark

But, no, then RJ’s comment does make sense. It’s a first impression with the – literally the first person who’s going to see it. 

Will Gregorian

But does that really matter at that point? 

David Spark

Yes because you don’t get to the hiring manager if you don’t make a good first impression with that person. 

Will Gregorian

How many times do you find yourself reviewing your resume and, by default, scrolling all the way down to see what certifications a person has? That’s my big question. 

Shawn Bowen

But I don’t think you’re doing. I think the computer systems are doing it, right? It’s the recruiter that’s doing the algorithms and finding those five magic letters in your resume. 

David Spark

Yeah. And that just becomes a checkbox. 

Will Gregorian

And here we go. And who is really defining what the criteria are for the hiring and for the candidates? 

David Spark

But aren’t there also – and, you know, we’re going to address this as well. Aren’t there certain – in certain industries, regulatory requirements of having someone with a CISSP? 

Will Gregorian

You know, in my experience – and, Shawn, I’ll turn it over to you. In my experience, even in health care – being where I am, where I have been – CISSP wasn’t necessarily the benchmark. It’s certainly valued. And it does help. Often, I will see that, you know, the contractual obligations will define that you must have at least one security professional that has at least one industry accepted certification. But it isn’t necessarily a regulatory requirement. I would hope it won’t ever be that. 

Shawn Bowen

Yeah. So they’re actually – for the DoD, there is a regulation that has certificate requirements. I worked very closely with the working group that developed a lot of those and the replacement for that, which is actually not being so rigid. And then there’s a whole bunch of tiers of certificates. But outside of that, I’m unaware of any specific requirement for any specific certification. But to Will’s point, it is very much we want to validate. We want some validation that this person is competent in this field. And a certificate is a little bit more rigid than, say, a college degree. Not saying that college degrees are bad or good, but the curriculum is not as defined from one university to another, whereas a certificate can give you a little bit more – we know exactly what the body of knowledge that you’re tested on, and we can validate that you have some baseline level of knowledge. 

David Spark

Let me ask – and I don’t – honest to God, I don’t know the answer to this question at all. But do having certificates in any way affect cyber insurance? 

Will Gregorian

I just went through the exercise. The questionnaire that they will often provide from an insurance carrier provider perspective makes no mention of certifications. It does make a mention of having a CISO or at least some professional that is operating in the capacity of cybersecurity. But we haven’t gotten to that pinnacle, if you will, of having to sort of, like, define certifications for cyber insurance. 

David Spark

OK, so not to your knowledge. 

Will Gregorian

Not to my knowledge. 

David Spark

Not to mine either. Well, then I would just say that we recognize it’s often being used as a checkbox, and there’s an aggravation around that. Yes, Will? 

Will Gregorian

Agreed, 100%. I actually think that, you know, it becomes a checkbox exercise. That’s my struggle. I think that, you know, we need to get beyond that. We do need to acknowledge a human being. 

What problem is this solving? 

7:46.304

David Spark

George Bailey of Purdue cyberTAP said, quote, “I use certifications as a basis to understand a candidate’s commitment to the profession. And if you are committed to keeping the certs active, you are committed to further developing yourself as a cyber professional.” And Angel C of Denver International Airport said, quote, “A CISSP cert requires both five years of experience in the field of cybersecurity and an attestation from another CISSP holder before you can get one. It’s a bit harder to just, quote, “brain-dump” or cram for the CISSP. And lastly, Brandon Wagner of Kitware said, quote, “I do not view certifications as a standard entry to hiring, but rather as additional focused training for a team, to show continued interest in the field and help stay up to date.” So I’m going to start with you, Shawn, on this. All these people are very pro the CISSP in that it has its sort of place in the development cycle of a cyber professional. What do you believe? 

Shawn Bowen

So George’s comment has me on a fence because in one half, I like the idea of where he’s going. But reality is, those of us that have a certification know that the quote, unquote, “continuing education” is a joke. 

David Spark

Right. You could just listen to – you could listen to this podcast, and that’s your continuing education. 

Shawn Bowen

Yeah. I think I got, like, 32 hours for participating or something. Like, what? And that’s where I wish we had – that we used ANSI ISO 17024 for that continuing education, to manage it. And I think that’s a boondoggle for the certification bodies. And that’s actually what bothers me the most. I noticed, Will, you recently re-upped yours. I re-upped mine. 

David Spark

So I’m sorry. You have a CISSP, too, yes, Shawn? 

Shawn Bowen

Yeah. So I’ve got – mine’s 14 years now. I’ve been just dumping money into the continuing my education, which just meant I attended conferences and stuff. I don’t feel like I’m getting a $100 back, you know, or whatever the renewal is per year in return. But it’s – to everyone’s point, it is that first step to get through the recruiter to get to where you’re going. I’ll throw another bombshell in here. I don’t have a degree. I’m probably one of the few Fortune 150 CISOs that don’t have a degree. But I grew up in the IT world when you had to have an MCSE, CCNA. Those were what they wanted. They wanted certs. They didn’t care about degrees. And so that was kind of where I was chasing when I was younger. And from there it got to a point where I was like, when I went back to college, it wasn’t relevant to what I was doing, and a certificate was. Not saying it was better, but it was relevant at the time that – like, the current version of that certification was relevant to what I needed to know. And so there was value to it. But my CISSP from 2007 is not the same test that they’re taking today. It’s not even the same body of knowledge. It’s different domains. And I’ve been paying to keep it live, but it’s not relevant. I feel like I’m relevant. But that’s the problem I have with this, is the commitment to it is kind of lost. So if you have a CISSP from the last year or two, I’m going to give you a lot more cred than if you had one from 10 years ago. I’m not saying that you lost. Now I have to look at the rest of your resume and see if you have the proper experience to tie to that 10-year-old CISSP. 

David Spark

So Will, I want to mention about Angel C’s comment about – saying that to get a CISSP certification is a far more stringent requirement, it appears, than some of the other credentials. Do you agree with that, and does it have value because of that? 

Will Gregorian

I do. And I think the value – it might have been more valuable 20 years ago. I don’t think it’s as valuable now. 

David Spark

And hold on. What’s your rationale for that? 

Will Gregorian

Well, here’s the thing. To – kudos to you, Shawn. I agree with you on every point, first of all. Going back to the topic at hand… 

David Spark

We sometimes like it when it’s a debate here, just so you know. 

(LAUGHTER) 

Will Gregorian

I know. It’s tough because I do have to agree (laughter). There are some points, I disagree. But nonetheless, I digress. Here’s the thing. Look. The five-year mark might have made the barrier to entry more difficult, and that was sort of like, look. You know, you have to basically prove your domain knowledge, et cetera. We now are fighting this battle of shortage, from a workforce perspective. Why would we create artificial barriers to stipulate that you must have five years to get a CISSP to get certified while also, like, crying that we have a shortage in the cybersecurity industry? Get rid of it. Let’s start bringing people in. Let’s make them believers. Let’s not try to create artificial barriers where they can’t get past the muster. 

Shawn Bowen

OK, so I disagree with that. There you go, David. 

David Spark

(Laughter). 

Shawn Bowen

So while I think it’s a little bit of a joke, obviously, in the five-year piece, and someone’s got to validate, we all know a friend that’s just going to sign this stuff for us, and the same with a certified CISO so from EC-Council and a variety of ones. The object that they’re trying to go for which is what I do appreciate is, it’s not the same as a Sec+ or a Net+ type thing. Those are entry-level certs. So they want to kind of validate that you’ve gotten somewhere. Someone with a CISSP that, to your point, passed the test and has no experience – I’m actually going to look down on them more than I would look up on them. 

David Spark

Well, according to Angel, they need at least five years of experience. 

Shawn Bowen

Oh, yes, they do. But that’s why I’m saying, is if I take the test, Will’s my buddy. He’ll sign it for me. And you know, the ethics space, blah, blah, blah. But reality is, people will find a friend that will sign it for them because they passed the test. They want to help them get a job. We all want to help people out, right? So the idea of this is, there’s plenty of people – like, the CCISO one from EC-Council. I know quite a few people that have taken that, and they don’t have any experience anywhere near the CISO course. So it’s kind of – the idea of having tiered structure I like, as long as it’s tied to your appropriate experience. But a CISSP for someone right out of college – they don’t understand the management side of the CISSP requirements. 

Sponsor – Palo Alto Networks

13:51.592

Steve Prentice

The bigger a company’s involvement with the cloud, the more there is to keep track of and defend. Here’s Matt Chiodi, chief security officer of public cloud at Palo Alto Networks, talking about Prisma cloud, a security platform focused on all phases of the software development lifecycle. 

Matt Chiodi 

We work with customers who are looking to get their multi-cloud security under control. So they’re working in all the big cloud platforms, and they have no single view into the security and compliance data as well. That is our Prisma cloud platform. And then oftentimes we have customers who maybe start from there, and then they say, you know what? We need to better secure our containers. And so Prisma cloud also supports vulnerability scanning and end-line protection for containers. And then sometimes we also hear from customers that, you know, we need a better way to understand and secure our entire dev ops pipeline. And so Prisma cloud is built in such a way that it is integrated, and it enables organizations to do full shift left, where they can scan as developers are creating new containers, as they’re creating new infrastructures, code templates. They can scan all of those, identify security issues, before those templates or before those containers are even created. And making sure they are only sending high-quality secure templates and applications into production. So Prisma cloud is fully integrated across the entire software development lifecycle and supports all major cloud platforms. 

Steve Prentice

For more information, visit PaloAltoNetworks.com. 

Does it play nicely with others? 

15:27.147

David Spark

Andy Strunk over Crowdstrike said, quote, “Your current employer probably won’t give you a raise for completing the certification. It’s really just padding your resume for your next job. And Renee Small, a recruiter with Cyber Human Capital, talked to CISOs about hiring experienced people without certifications at senior levels. And she said, quote, “I was made aware that there is occasionally some wiggle room, but needing the certs was mostly based on some compliance requirement.” And referencing what I had said earlier. So they’re saying that there is a certain time and place for a certification. Will, what say you? 

Will Gregorian

There’s always the time and place for certifications. For me, especially, it was a challenge. 

David Spark

So when in your career did you get your CISSP? 

Will Gregorian

So I think I was 12 years in. I was trying to transition from web operations and IT-adjacent work into security. I had a job already, and I was already wearing the information security officer hat. And I decided, you know what? I’ll spend three months studying for the book. I went and got the Shon Harris bible for CISSP. You know which one I’m talking about, Shawn. And I studied. I studied. I read the book. I basically took the test quizzes, and I did this religiously for two hours every day for three months’ time. When I took the test, I was – I have to admit, I was underwhelmed. Everybody sort of, like, you know, trumped it up as something very big, and, you know, you walk out, and you’re like, OK. I passed a test. But I did it for my own sort of, like, sanity and just validation, that, you know, yes. I know the path, and I understand it. 

David Spark

Now, what did you feel changed about your career once you had it? 

Will Gregorian

Nothing, honestly. And here’s the thing. I did it without ever so telling or holding it against my employer. It was on my own time, doing it out of leisure. That’s the – that’s one of the reasons why I think I went on my rant on LinkedIn, was because I don’t weaponize it to get a bigger paycheck. And it wasn’t even a barrier to entry. I think the information security transition often will happen organically when you have believers in you, when you have opportunities. And those happen. Sometimes they don’t. Sometimes it’s about networking. For me. It was mostly about the validation that you just understand that, you know, information security is important. And I have to basically sort of, like, you know, benchmark my knowledge against something. That was my own, you know, sort of, like, framework that I could use to do that. Beyond that, nothing more. 

David Spark

All right. Throwing this to Shawn, when you got your CISSP, how far were you into your journey? And did it give you any value after the fact? And did you actually use it as leverage to get more money? 

Shawn Bowen

Well – so I was a contractor for the government and military reservists at the time, so I was required to have it. But government contracts actually give you a bonus. So there was more money tied to those things because they… 

David Spark

But it was like an automatic bump. 

Shawn Bowen

Yeah, exactly. But I never used it as a negotiating – like, ooh, look what I got. I actually – like, you know, a pet peeve of mine is if you have your name, comma and 35 letters after it with all the certificates you did on Saturdays, I’m actually more frustrated with – like, I appreciate it. And at the same time, I’m going, oh, that’s kind of annoying. But so I never put it in my signature block. I didn’t put my number. You know, like a lot of – I didn’t wear the pin on my lapel. But I took it about 13 years into my career. I was a senior network engineer. I was, like, a regional engineer in enterprise design, like, my admin person that also had this security hat on because – let’s face it – in the 2000s, a lot of people, security was an additional duty, not a primary duty. I wanted to be more in security, and so it helped me get into certain positions because one thing I will say that it does is – and, to Will’s point, kind of underwhelmed. When I took it, I did a six-day bootcamp. It was paid for by the company, so I’m not going to say no. There was a lot of tomfoolery on my part where everyone else was doing study group. I was not. And I passed it. And I think out of the 45 people that took it, there was only three of us that passed. So… 

David Spark

Really? 

Shawn Bowen

And that was really bad. So I don’t know if it was the training or not. I wasn’t paying attention too much. But I had a lot of experience under my belt, so there wasn’t like there was a lot of new things to me. It was just about knowing answers that they wanted. But the pass rate, I think, is still something in the 50s – 50%. So it’s – that’s where I give the credit to it, is it is weeding people out – not saying that people can’t study hard and practice the practice test 35 times in a week and then just go take the real test. But the reality is the pass rate on the CISSP is still very low. And so that’s where I will give that a little bit credit. Like, OK, I’ll look at you a little bit. You know, still, it’s not a criteria. It’s not the entry. You know, I’m not going to give you a raise because of it. I’m not going to automatically give you a job. I will give that differentiation. 

David Spark

It is a point of validation is what… 

Shawn Bowen

Yeah, absolutely. 

Will Gregorian

That’s exactly it. I would look down upon anybody who uses – and Shawn, I agree with you. We’re not doctors. Let’s not add the acronym alphabet soup in the titles. But it is that. It’s exactly that. It’s the validation that, you know, you have made it, and now your knowledge base matches the expectations for the next level. 

How do we go about measuring the risk? 

20:54.276

David Spark

I argue there’s some risk to hiring people, and this is a mechanism to reduce the risk. Jerad M. of DarkStar Intelligence said, quote, “The purpose of certifications have little to do with prowess to perform the job. Rather it’s another check-the-box requirement” – or, as we were just talking about, validation. And he goes on to say, “to make a recruiter or hiring manager’s job a little easier.” I don’t necessarily think that’s a bad thing. And Steven Carter of NAVSEA said, quote, “Read a hundred resumes, and try to narrow them down to the top five or 10. You actually want to interview without looking at certifications as a differentiator.” So I’ll start with you, Shawn. Is this – I kind of see it as maybe a mechanism to just reduce the risk. Like you said, 50% get in. All right. I’ve now taken this big pile of resumes and reduced it by 50% by just using this criteria. Now, I know, Will, you don’t like this as a criteria, but it is a mechanism to do that. How dangerous would it be to do just that, Shawn? 

Shawn Bowen

Doing just that, I think, is relatively reckless. I think that there’s got to be a balance. I’ve always tried to strive for 20% of my organization to not be security. Like, that’s not their natural job. I want to bring in the outsiders because they give me a different perspective. And so I’m – it depends on what I’m looking for. If I’m looking for my director of a GRC or something, it will definitely be an easy way to filter out my positions, especially a CISSP for GRC lead versus an architect. I might not care so much. It would be interesting. I’d give them, you know, a little props on it, but it’s not going to be what I filter off of depending on the position I’m looking for. I think if you’re doing it purely by this that it’s a little bit reckless. I think there’s a couple other things you want to look at. But I do agree with Steven Carter’s comment of try to read a hundred resumes without looking at the certificates, and pick, you know, a handful out of that. It doesn’t – definitely makes it difficult if you don’t have that cheat sheet, which is certifications.

David Spark

Will, let me ask you. What’s the biggest stack of resumes you’ve ever had for a job opening?

Will Gregorian

So the last round where I was interviewing for a information security analyst, I had over 600 resumes to review. 

David Spark

How did you weed them down? 

Will Gregorian

I didn’t use filters for certifications if that’s what you’re asking me. 

David Spark

But you had to weed them down somehow. How did you do it? 

Will Gregorian

Right. Look; you know, here’s the thing is, like, you know, in every organization, it’s going to look different. So you’re undoubtably looking for a persona. For us, being in the health care industry and, you know, in some cases, like, you know being in other verticals, the first thing that I did was, really, look for anybody who has, basically, worked in a compliance and a security, you know, sort of a capacity at a SAS company. So start looking for that sort of, like, you know, like, Web 2.0-ish, you know, shops, and then start narrowing it down. And I have to be honest – I think the certification part was the very, very last check mark for me at least. I could not care less about that. I was more looking for people who understood various technologies around cloud security, SAS, PAS, IS, et cetera, then start talking to them about their ambitions – the human being, before I even explore the fact that they have, like, you know, maybe a knowledge base that I can use. That’s how I optimize. It is definitely a fruit of labor. It is not easy, and it takes a lot of time, and you’re doing a lot of talking. 

David Spark

But I think you came up with an interesting criteria for your case, and this might be good advice to others is – your criteria should be industry specific, not generic cybersecurity specific. Shawn, do you agree or disagree? 

Shawn Bowen

Oh, that one actually kind of bothers me a lot… 

David Spark

OK. 

Shawn Bowen

…Because – no, I don’t disagree with the idea that – what Will said and I think what – David, your spin was a little bit where I started not to agree. Will said, were you in a regulated industry? And I’m sure he did a search for, like, high tech or something related. 

David Spark

Well, he wasn’t necessarily regulating; he was just looking for people had like-minded experience. He was in a – sort of a SAS environment. 

Shawn Bowen

Yeah. 

David Spark

He wanted people who had that kind of same experience. 

Shawn Bowen

Yeah. And the concern I have is when we started going vertical, industry vertical narrow, because there’s a lot of value – this goes back to that 20% where I talked about someone as a complete outsider. I also think a security person who’s got a lot of security experience in a completely different field brings a breadth of value to me. So I left the government – I left not even the government; I left the intelligence agencies, which was very rigorous, and I went – my first job out was to a franchise organization. And holy crap, that was – I could not be 180 degrees further from a regulated government intelligence agency organization. And now I’m back in, a little bit more regulated, and I feel comfortable here. It’s kind of a good mix between the two. But I want to look at someone that’s got that experience in multiple different types of environments but has the security experience, again, that goes back to – it’s a little bit more difficult. It’s a fruit-of-your-labor type thing. You’re going to have to definitely invest some time, but that’s the reality. And to your question about most people, at least people – I’ve had, you know, a hundred-plus resumes, and I’ve also had – you know, here’s a week, and we haven’t gotten an application. You know, like, wow. You know, and those balances – like, how do you – do we need to – did we write something wrong in the position description that we need to narrow it down? And that balance of trying to find the right person – I’ll say this. To speak – we see this a lot. Females, minorities, apply for jobs even if you only feel like you meet two or three bullets because a lot of people, they don’t; they don’t do that challenge. And so this goes back to, like, what Will and I are looking for. I might be looking for someone who’s got marketing experience but took a security certification back to – I know we don’t like certs, but this person got a security certification and marketing experience. Well, I might need to secure the marketing office. That might be the person I want to bring in. So you miss every shot you don’t take, right? 

Closing

26:50.932

David Spark

Good point. And that brings us to the end of this episode. Now, it comes to the point where I ask the two of you, what was your favorite quote and why? I will begin with my guest co-host, Will Gregorian. Will, what was your favorite quote and why? 

Will Gregorian

If I didn’t give a shoutout to Jules, I would be in deep trouble. So, Jules, I give you a shoutout. I 100% agree with her stance that we fail ourselves when we allow certifications to relieve us of duty to truly understand the baseline knowledge, and that resonates. I don’t think certification is a direct replacement and in-line replacement for practical knowledge and experience. Let’s not do that. 

David Spark

Good. All right, Shawn, your favorite quote and why. 

Shawn Bowen

Yeah, so I love Jules’ comment as well. But Chris’ comment resonates very well. When we worked in similar industries – I was also an Air Force veteran that struggled with translating my experience to the corporate world or to other industries, and the certifications helped some of those conversations. Or maybe you have a buzzword in your resume or a certification that definitely gets you the attention you were looking for. And once – my attitude’s always been, you know, I might not be great in the box, but once you get on first base, I’ll steal second, third and home. So it gets me that opportunity. 

David Spark

Excellent. All right, I want to thank, again, both of you. And I’ll let have some final comments here, especially if either of you are hiring. Please do mention that if you’re hiring. Thanks to our sponsor, Palo Alto Networks. Thank you again for sponsoring, Palo Alto Networks. I think you all know where to find Palo Alto Networks – just throw a dot-com at the end of it. All right, I – Shawn, you get the last word here. Will, any last words on this topic? And are you hiring? 

Will Gregorian

I am definitely hiring. We are all hiring. Never be discouraged to apply, to Shawn’s point. 

David Spark

Especially if you don’t have any certifications. Shawn will look at you. 

(LAUGHTER) 

Will Gregorian

That is correct. 

David Spark

All right. Shawn, any last comments? And are you hiring? 

Shawn Bowen

Yeah, absolutely. So World Fuel’s doing some great things. We recently moved 20 of 22 data centers into the cloud. We’re finishing off those last two this year. And we are definitely hiring a lot of security roles, as well as a lot of other roles – software development and cloud engineers. So if you don’t see them on our website or on LinkedIn, hit me up directly, and I’ll get you in touch with the hiring man. 

David Spark

Excellent. I want to thank both of you. And thank you so much, Will, for being my guest co-host for this episode. That was Will Gregorian – he is the head of IT and security over at Rhino – and Shawn Bowen who’s the CEO of World Fuel Services. You, our audience, are fantastic for participating and listening to “Defense in Depth.”

Voiceover

We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site: CISOSeries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@Cisoseries.com. Thank you for listening to Defense in Depth.