How Can We Make Sense of Cybersecurity Titles?


What’s the difference between a head of security, a VP of security, and a CISO? Do job responsibilities change whether you’re a security analyst or a threat engineer? Roles are confusing, and so are the pay and responsibilities attached to them.

Check out this post and this post for the basis of today’s discussion. This week’s episode is co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Hadas Cassorla, CISO, M1. Our guest is Renee Guttman, former CISO of Coca-Cola, Time Warner, Campbells.


Huge thanks to our sponsor, IANS Research

CISOs, how does your compensation compare with your peers? Download IANS + Artico Search’s 2022 CISO Compensation Benchmark Report. Find objective insights and comprehensive compensation data from over 500 CISOs across the U.S. and Canada.

Full transcript

[David Spark] What’s the difference between a head of security, a VP of security, and a CISO? Do job responsibilities change whether you’re a security analyst or a threat engineer? Roles are confusing, and so is the pay and responsibilities attached to them.

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, producer of the CISO Series. And guess what? We have a special guest cohost. Very excited to bring her on. She’s been a regular guest on our show but now a guest cohost. It is none other than Hadas Cassorla, CISO over at M1. Hadas, thank you so much for joining us.

[Hadas Cassorla] It’s my pleasure. I love being a special guest, not just a guest.

[David Spark] Yes. Well, guest cohost, too, is the key thing.

[Hadas Cassorla] Oh, I’m fancy.

[David Spark] Now, I’m going to bring you in again in just a second. By the way, everyone, that’s what Hadas’ voice sounds like. It’s a little different than mine. So, that’s how you’ll be able to tell the difference. But I do want to mention our sponsor today. IANS Research, which actually has some research on the very topic we’re discussing, which is cyber security titles or roles and responsibilities. So, let’s go to the topic at hand. This has to do with a post that you put out, Hadas. You posted a question asking for some clarity on all the confusing titles that are out there. Now, this is creating a real problem for everyone in the hiring ecosystems, whether you’re a recruiter, those being recruited, and the hiring manager. I will ask you this question, and we will address it all throughout – do we need standardization, or do we just have to constantly deal with this confusion? Or is there a happy medium? What do you think?

[Hadas Cassorla] We definitely need standardization. Otherwise how am I going to hire the person I need for the role I need them to. They won’t know what I really want. I don’t know if they actually are a good fit. And yes, there’s resumes, and there’s interviews, and stuff. But we need shorthand, and that’s what job titles are for.

[David Spark] Yes, I agree. But I will say that I think in a lot of the comments, a lot of people kind of put their hands up on standardization like, “I don’t know. I don’t think that’s going to happen.”

[Hadas Cassorla] I know, but this kind of reminds me of when I was first in IT, and you would see a job title called systems administrator. But it was actually a systems analyst, and that ended up becoming a new job title. But at first, systems analyst and systems administrator were considered the same role. And so they realized that those were really different functionalities. Which I know I’m dating myself for saying that I’m old enough to remember that there was only one title for that. But as we mature as an industry, we have to recognize that there are a million different types of roles and that there has to be proper naming for the roles.

[David Spark] Very good point. Well, let’s bring on our guest, who you know very well, and who I know very well, and our audience very well because she has also been a guest on our show before. It is none other than the former CISO over at Coca-Cola, Time Warner, and Campbells, Renee Guttman. Renee, thank you so much for joining us.

[Renee Guttman] David and Hadas, it’s a pleasure to be with you both.

Why is this relevant?

3:14.245

[David Spark] Matthew Biby over at Satcom Direct said, “It directly impacts…” It being the cyber security titles. “It directly impacts not only our ability to recruit but also impacts the employee, compensation, professional development, career ladder. And in the end, the business’ ability to retain talent.” That I think is kind of the best summation of the problem, Hadas. Kind of just, “This is what we’re dealing with.”

[Hadas Cassorla] Yeah. And I also really liked at the end of that where he talks about the ability to retain talent. I think that that’s something as well is what is that career ladder, and especially for the leadership roles within security. I’ve seen things from director, to head… Which isn’t even a banded distinction. It’s just like, “Head of information security.” ISO, CISO, VP. It’s all opaque.

[David Spark] I agree. I agree. Renee, we’ve already heard from Hadas and her initial concern with this whole issue. So, just your opening thoughts on the need for standardization. I’m going to ask the question, how possible do you think it is? Because you’ll hear in the future comments a lot of people don’t think it’s that possible. What do you think?

[Renee Guttman] I think there’s some amount… Because there were different words used in the post. Normalization, standardization, harmonization. And so I did a bit of a look up, and I think that you can have some common variables and attributes that are consistent like application security testing. Where I sort of wonder a little bit is when I… So, yesterday I did a bit of a look up, and there were 5,081 jobs open on Dice for information security, so I started to look at them all and the different titles. And so it got me thinking is it a good idea if you really need somebody to do embedded software testing to put that in the job description versus generally application security testing. So, I got a little stumped about is that okay to be a little bit more specific so that you can decide, “Yeah, that’s a specific skillset, and I’m either going to be happy doing embedded software and am qualified to do it, or I’m going to be a generic website tester.” So, I don’t know. I’m in the middle on this.

[Hadas Cassorla] I love that as an idea, but I will tell you that something I’ve experienced is that people don’t read the job descriptions that you post when you’re asking people to apply to your job.

[David Spark] Not at all. Not at all. And I’ll just tell a brief story. We put out a job posting for something, and I asked, “Please go to CISOseries.com and acknowledge you’ve been there when you respond.” And of the I think it was about 60 responses we got, six people actually did it. Of those six, only three actually spelled our company name correctly. Those were the three people who actually got an interview.

[Renee Guttman] I guess it does whittle down the [Laughs] playing field.

[David Spark] Yeah. I literally did… Honestly I didn’t look at anybody’s resume. I just like, “Can you clear that incredibly low hurdle?” And only six people could do it.

[Hadas Cassorla] But I have posted roles for analyst, which were strictly analyst and not engineer type roles, and had engineers applying, wanting an engineering role. I’ve posted for engineering roles and had analysts apply that have no engineering experience. And it almost feels like people see anything cyber security, and they just apply. But that’s why I think that standardizing or harmonizing or whatever word you want to use job titles helps in the job search.

[David Spark] Don’t you think the problem could lie in what you just described, is the simplicity of applying? The, “Click here to apply.” You got to make some hurdles to application or else you’re going to get exactly the problem you just described. Agree or disagree, Hadas?

[Hadas Cassorla] Yeah, you got to make some hurdles. But I also really want the best candidates to apply for the roles I have. And I will tell you that when I have been applying for jobs in the past, if I have to retype my resume, I’m already not applying to that job. I do think there should be an ease to application.

What are the best practices?

7:38.295

[David Spark] Tony M. said, “Using the NICE Cyber Security Workforce Framework seems like the simplest option to me. It even has the KSAs.” Which I didn’t know before, but it stands for knowledge, skills, and abilities. “…listed for each role to help write the job description.” Now, Matthew Biby of Satcom Direct counters with, “I struggle with their use of the nomenclature/definitions and work roles. Example – security analyst, vulnerability analyst, cyber defense analyst, cyber defense incident responder, etc. While they all have somewhat different functions, the framework has a tendency to use some of the same words and vernacular to describe certain functions and roles. In NICE, there is a tendency to break each function into a distinct role or title when, again, it is just not feasible to have that many in an organization.” So, it seems like a good place to start, Renee. I didn’t know about this Cyber Security Workforce Framework before. But it sounds like if you have an endless cyber security team, you could fill all these roles. What do you think?

[Renee Guttman] Yeah, I like the purpose of the framework, and I didn’t know what it was before, David and Hadas. I had to go look it up. And so it’s got a couple of goals – helping to define or develop skills, helping job seekers to demonstrate their competency, and employers to accomplish the task of hiring. That said, it’s got some good reasons for being in existence, and I think it wants to help. I don’t know how easy this would be to really implement from a practical perspective, and I think it could end up in the situation that I described earlier where you would end up with more granular job title than Hadas is really seeking to have. That’s where you could end up with that term embedded as part of the position description. So, I like it, but I’ve never seen it used. And I’m more curious about whether it’s actually being used and how it’s being used, and how successful it is.

[Hadas Cassorla] I agree with Matthew Biby on this in that I also didn’t know of this framework for the job titles, and I went and looked at it. It is overwhelming. It is…

[David Spark] If you had an endless cyber security team, it would work, right?

[Hadas Cassorla] Sure, sure, sure. If I was working for NICE, great. I would be able to hire each one of these roles maybe. But in my start up culture with a lean team, I need everybody to understand the difference between an analyst and an engineer, a Cloud engineer and an app sec engineer. Even if they just brought it up one or two levels, that would be great. And we could then have some standardization. This is just a little too into the weeds, into the minutia.

[David Spark] But what I like about this… And there can be an argument for a, “Here’s the roles for a company of X thousand employees. Here is the roles for a company of just a hundred employees. Here are the roles for a company of just 500 employees.” If they could break it down that way, that… And it doesn’t seem like it’s that much more heavy lifting to go from what they have now to I guess simpler roles. That, I think, would sort of build into this standardization we all want. What do you think, Renee?

[Renee Guttman] No, I think that would help. Especially if they could define more generalist roles – people that have to have…that probably will have multiple different skills including process skills and some technical skills. I think it will matter, too, to your point, the size of the company. You’re not going to hire, for example…probably not if you only have three people and as your security AIM lead.

[David Spark] [Laughs]

[Renee Guttman] No, listen, but I’ve got to tell you the reason why I think this whole topic makes so much sense is because I actually found one yesterday. To your point, Hadas, the job description or the title was senior system engineer. And you know what it was? It was a manager that was a liaison to an MSP and who knew how to open tickets within the ticketing system. I kept thinking, “Is that really an engineer?” So, that sort of I think speaks to what Hadas…

[David Spark] I could do that, and I’m not an engineer.

[Renee Guttman] Yeah, you could do that and you’re not an engineer. [Laughs]

[David Spark] Well, now this may also just come to a lot of things. Just plain ignorance – just not knowing what an engineer and an analyst is. It could come down to laziness. It could come down to copy and paste somebody else’s thing, and just use it and not think about it. Hadas, you’re nodding your head like all of these happen. “What else?”

[Hadas Cassorla] Yeah, I think all of that’s true. I also think that there is… I’m going to blame myself a little, and by myself I mean CISOs, people in my position. It’s not just me. I’m blaming…

[David Spark] Oh, so you’re blaming yourself and all other CISOs. I’m sure they’ll enjoy that.

[Hadas Cassorla] And all other CISOs. Which is that there is a little bit of laziness. There is a little bit of, “I need…especially in a startup or scaleup culture, I need a jack of all trades, and so I’m going to call them a threat engineer, or a cyber engineer, or a Cloud engineer. And I’m really going to want them to do all the things.” So, there is… Some of the blame definitely lays at my own feet and at our own feet, but I think that if we could even just standardize on the difference between an analyst and an engineer, and Cloud and app sec, and architect versus app sec or things like…or analyst or things like that… I think even if we just, one high level, “Hey, this is what probably…”

[Renee Guttman] Yeah, the attributes. Yeah, the attributes of an engineer versus an analyst. But I’ll give you one other thing that I think creates some of the issue here. One is that you generally don’t get to comp these things by yourself. You have to work through HR and their compensation books. And so if they have analysts and that analyst in their comp book or however they do their comping is half of what you probably need to pay, you’re going to have to change the title to engineer.

[Hadas Cassorla] That’s also true.

[Renee Guttman] And you’re going to have to fake the system.

[David Spark] Good point. And by the way, all nasty letters from CISOs…

[Hadas Cassorla] Come to me. Send them directly to Hadas.

[David Spark] …just go directly to Hadas. Don’t send them to us. Send them directly to Hadas.

Sponsor – IANS Research  

14:06.783

[Steve Prentice] Being a CISO can sometimes be very lonely, especially when you need advice or guidance on tackling new challenges, whether they are high level strategy, deep in the technical weeds, or dealing with compliance or the politics of keeping an organization secure. Wouldn’t it be nice to be able to pick up the phone and have a live conversation with an expert who can truly deliver the unbiased and solid expertise that you need right now? Zach McMahon is territory leader at IANS Research, and his team can deliver the comfort and strategy that you need right now.

[Zach McMahon] IANS exists to help CISOs and their teams make faster, more confident security decisions from a technical and operational standpoint while also supporting security leadership to improve their community and alignment with their business. IANS clients have unlimited access to 95 subject matter expert practitioners that we call faculty, and they join a rich peer community with over 100 end user only events. They also get access to a deep library of written resources and tools that are all developed based on the needs of your peer CISOs and their teams so that you know that they’re relevant. What we’ve found and I guess why we exist is really that when security teams look outside their four walls for third party guidance, they often find that it lacks the technical depth that they need to really move the needle on critical decision making. And sometimes it’s academic. Sometimes it’s theoretical, market driven. So, our practitioner model where all the insights are derived from experience really allows us to make up that gap.

[Steve Prentice] For more information, visit IANSresearch.com.

What are they looking for?

15:41.183

[David Spark] Samuel R., formerly over at the United Nations, said, “I highly doubt standardization is achievable.” This is what I was referring to earlier, Hadas. “I would advocate for cyber security job title salaries and job descriptions harmonization.” Now he refers to this as getting close to standardization. So, what do you think he would mean by that? But hold onto that thought. I also want to read Gabriel Silva’s quote. He’s the CISO over at PDC Technology. He said, “A CEO and CFO is a specific role. A secretary is a specific role. Technology changes faster than any other industry and creates new jobs, morphs others, and the crossover technology, skills, and people make it very difficult to distinctly separate.” All right, Hadas, I’m going to… What do you think about the harmonization that Samuel brought up and Gabriel’s comment of, “It moves too fast. We can’t put labels on it.” What do you think?

[Hadas Cassorla] What I think is that he’s using a different word to say the same thing I’m saying, which is I want to understand what the main functions of an architect, an engineer, an analyst…what those are. And I want to have differentiation between them so that when I post a job, somebody knows what I’m saying. He calls it harmonization. I’m calling it standardization.

[David Spark] Although he said it’s not standardization.

[Hadas Cassorla] He did. And I asked for a clarification, and I didn’t really get it. So, at least maybe I’m just a little slow. I didn’t understand this.

[David Spark] But also this is what…to add on Gabriel’s comment here. I think we kind of all know what CEO, CFO, secretary…generally what those responsibilities are. Obviously it’s going to be specific company to company. But he argues that we can’t do this because of the change in technology. And I think, “Well, that’s just part of the game of the job is that technology changes, and you stay ahead.” You stay on top of it.

[Hadas Cassorla] Sure, sure, sure. We used to say bookkeeper for accounts payable, accounts receivable, and everything in between. And now we have an accounts payable role and an accounts receivable role. But we knew that at the time that bookkeeper meant all of that, and now we’re saying, “Oh, okay. Payroll is different. Accounts receivable…” So, yes, that is as we grow, as we mature, as technology changes, things are going to change. But we do have an ability to even now to say, “This is what this role means.”

[David Spark] Good point. Renee?

[Renee Guttman] Yeah, I didn’t know this because I started thinking about other industries. And so I actually found out when I was looking on the job boards that there’s jobs for a lounge concierge and a lobby concierge. And it wouldn’t have ever occurred to me that there would be two different concierge type jobs and how they would be different. And so I think maybe this is the point.

[Hadas Cassorla] Is that in the hotel industry?

[Renee Guttman] Yeah.

[Hadas Cassorla] Okay. I didn’t know if we were still talking about the security industry. I would like a lounge concierge.

[Laughter]

[Renee Guttman] No, but my point is this. I think that maybe there’s just a level of maturity that we haven’t achieved yet and that maybe those are terms that everybody understands, and they know what it means to be different…the difference between a lounge and a lobby.

[David Spark] This is going back to this could be our problem, Renee. That we’re the back numbers.

[Renee Guttman] We are still young as an industry, so let’s go back. The first CFO title supposedly is 1964. The first CISO title is 1994. The internet came into being as a commercial thing in 1994. People were worried about tapes falling off of trucks and losing their backups in 2008. We are moving so quickly. I think that comes back to what I was saying earlier. I’m sort of mixed a little bit here about whether it’s a good thing to say that you need to have maybe an embedded software engineer versus just a software engineer. And I don’t know. But we are moving so quickly, and we’ve come so far so fast that eventually we will be like the hotel industry maybe, and we will have some common titles. But we’re not there yet.

[Hadas Cassorla] Right, but even the hotel industry started somewhere. They started with concierge, which meant a thing.

[Renee Guttman] Yeah.

[Hadas Cassorla] And maybe even before that, it was just front desk person. And then they realized, “Oh, shoot, our customers want a little bit more extra benefit, more information. Let’s have concierge.” And then they adapted.

[Renee Guttman] But to your point then, Hadas, I think we’re at the point where we haven’t even defined concierge. Right? That’s exactly what you’re saying. We haven’t even defined…

[David Spark] Yeah, simple things like engineer and analyst.

[Renee Guttman] That’s right. We haven’t even defined that. I think that’s where we really do have a pickle.

[Hadas Cassorla] And we have to start somewhere. I think now is the time to start.

[Renee Guttman] Yeah, I agree.

[David Spark] But then you get this problem with the startups. I’m throwing this little wrench into our conversation. Where they just play with titles like chief fun engineer where you get these kind of random titles that people just impose on themselves that mean nothing. And they’re being cheeky. When you see them on somebody’s card, your eyes just roll. And it’s just like, “Oh, geez. Who am I dealing with right now?” What do you feel about…? And we see this heavily in startup culture. You’ll not see it at any banks. I’ll say that.

[Renee Guttman] I think we lose credibility because you don’t see the CEO, unless I’m completely off base, with the chief head honcho on his title. You know? Right? You don’t see that. I think we actually as an industry are losing credibility. Our HR partners think that we just make stuff up on the fly. And this is one where there should be some basics, some building blocks. And we don’t have those yet. I think it’s silly, and it just diminishes our credibility.

[Hadas Cassorla] Yeah, I’m going to change my title to chief department of what used to be no but now is yes. [Laughs]

How do we determine what’s most important?

21:34.408

[David Spark] Ed Contreras, CISO over at Frost Bank, said, “Regulated industries have stipulations for just using the term manager.” This sort of goes to the compensation issue you were referring to, Renee. He goes on and says, “Note impact to vendor management, risk managers, etc. A great partnership with your HR and legal teams will ultimately drive your specific organization but across industries may be near impossible.” So, that’s a really good point he says right there. Kip Boyle of Udemy said, “Outside of the government and defense sectors, there is no forcing function in the private sectors to strongly adopt them. Hiring managers appear to enjoy the freedom to define their roles as budget allows.” So, it seems like in some organizations we can do this. Across industries, not a chance. This is where we get into the confusion.

[Hadas Cassorla] I think the forcing function in the private sector is the employees. They want fungible titles so that they can put them on their resumes and show that they have experience and get the next security job. And if we are not doing them a service then we’re doing ourselves a disservice.

[David Spark] Renee?

[Renee Guttman] You and I were on a call, weren’t we, Hadas, recently where they said that every job that people would apply to had to have Cloud in the description or something like that. Or AI.

[Hadas Cassorla] Yeah.

[Renee Guttman] Right? But I think there are some checks and balances, and I think HR will give them to you if you get too crazy.

[Hadas Cassorla] It depends on where you work. It’s like David was saying in the last segment. If it’s chief fun officer then your HR might be a little off the rails. But, look, I think that we can have fun and that we can be a fun industry to work in, but we also have to mature. And we have to take ourselves seriously. One of the ways to do that is by getting some standardization or harmonization or understanding of what the heck we’re even trying to bring into our environment, what we are trying to employ for, what the hot jobs are.

[Renee Guttman] I think some of the things that are going to drive the standardization is the increasing regulation and the scrutiny of the CISO jobs and the visibility to the board because I don’t think boards at medium sized and larger companies are going to put up with silliness anymore. They’re going to want to know do you have people on the staff that can do X, Y, Z. And probably they’re going to want to see it through some reflection of an org chart. So, I think it’s coming. But it’s going to take a little bit of outside push and governance from other parties to make this thing a little bit more… I guess the word is going to be standard. You’re not going to want to be developing software if you’re a product company and not have testers on staff and prove that.

[David Spark] But I don’t think it’s going to go down to the title level. Here’s why I say that. Because if you look at the regulations now, they don’t ever specifically say the word CISO. They just say someone needs to oversee this in a very kind of vague way. I don’t think those regulations are going to call out specific titles. Hadas?

[Hadas Cassorla] Maybe not yet. But I do think Renee has a point. I think that the evolution is going to be right now we need somebody to be in charge of security, and eventually it’s going to say, “And we need that somebody to be a CISO.” And eventually it’s going to say, “And we need the CISO to be reporting directly to the CEO and to the board on a quarterly basis.” And those regulations are going to become more stringent as this becomes…

[David Spark] So, we’re just at the very early stages of the evolution is what you’re saying.

[Hadas Cassorla] I do think so.

[David Spark] Renee, you get the last comment.

[Renee Guttman] No, I think so, too. And I’ll tell what I think will drive some of this. I think that… When I was at Black Hat, people said they wouldn’t want a CISO job, and they gave me the list of reasons that they didn’t want the title. And now I think CISOs are being told, “Look, if you’re going to take that job, you need to have directors, D&O type of insurance.” So, maybe that will force everybody to have the CISO title because you’ll have officer in the title. I don’t know.

[David Spark] Director and officer insurance, the D&O that you’re referring to.

[Renee Guttman] Yeah, director and officer. Yeah.

[David Spark] Well, this gets to a whole other thing about the fear of the job of being a CISO.

[Laughter]

[Renee Guttman] Yeah, because you have to create job respects. See, that’s why you don’t want the job.

[David Spark] There you go. Well, there’s a lot more to it than that. All right. For another show.

Closing

25:55.271

[David Spark] Now we come to the part of the show… And I will start with you, Renee. Which quote here was your favorite, and why?

[Renee Guttman] I really like the quote that talks about the impact of not having this. Matthew Biby, it directly impacts not only the ability to recruit but also…

[David Spark] Oh, at the very beginning, yeah.

[Renee Guttman] Yeah, right at the beginning. I think he’s right. And I think that’s why this whole topic was put up on LinkedIn. This is a problem. I don’t know what it’s going to take to kind of create some of the building blocks that we’re talking about, but it impacts our credibility, and it impacts our ability to elevate people inside our organizations as well to get them compensated properly. So, we’ve got some homework to do here.

[David Spark] Hadas, your favorite quote, and why?

[Hadas Cassorla] I agree actually with Renee as the quote she chose, but I’m going to choose a different quote just to have some flair. I’m going to go with Kip Boyle’s comment. Because I like arguing, and I disagree. I think that there are forcing functions. I think we just… They aren’t as pushy as the government and defense sectors, of course, but there are forcing functions. I think we just need to recognize that and start moving towards some sort of harmonization or standardization.

[David Spark] I think is there a yay for regulation here or no?

[Hadas Cassorla] No.

[Laughter]

[Hadas Cassorla] You’re never going to get a yay for that from me.

[Laughter]

[David Spark] I didn’t think so. All right. Let’s close this sector out. Thank you very much, Hadas. Thank you very much, Renee. I’ll let you both have the final comments here, but I do want to mention our sponsor for today. IANS Research. Check out their report on I believe this very subject, of cyber security job positions, as well as I believe salary attached to it as well. So, find out more about that from IANS Research. Hadas, any last comments? I know that you’re hiring at M1. Or no, hold it. Are you no longer hiring? No longer.

[Hadas Cassorla] We’re not hiring.

[David Spark] You have filled all your positions, and you do accurately title them all.

[Hadas Cassorla] Probably. [Laughs] I told you, some of the blame lays at my feet.

[David Spark] Exactly. Well, any call outs you want to make? Do you want to mention M1, anything else?

[Hadas Cassorla] No, but I do want to say thank you to Renee. I really loved many of the things you said but some of the stuff you said at the end of just the maturity and the fact that some of the regulation that is going into the government is going to hit us anyway in our industry even if we’re in the private sector and that that will be more of a forcing function. I think that the demands from boards is going to also be that. So, I like that. I was nodding my head a lot while you spoke. But since we’re not video recording, nobody saw that.

[Renee Guttman] [Laughs]

[Hadas Cassorla] I want everybody to know I was nodding my head so much.

[David Spark] Renee, you get the last comment.

[Renee Guttman] Well, the last comment is that I honestly didn’t think that this would become a problem. David, you and I have talked. There were five vendors on the security floor at RSA when I first started and how quickly in my lifetime we’ve evolved. And so I do think we’re at…

[David Spark] More than five currently.

[Renee Guttman] More than five. There’s more than five security positions. Who would have thought that? I wouldn’t have thought that. So, I think we’re early stage. We’ve got to give ourselves a little bit of room to grow, but we need to grow up. We’re still babies in the lifespan of this industry. I think it’s time for us to at least pretend to be teenagers and create the building blocks here. That’s what I think Hadas… Which I actually agree with Hadas completely. Define an engineer. Define an analyst. Here’s another one that got me – what does senior mean? Senior generally means five plus years of experience. Can we agree on stuff like that? I think it’s doable.

[David Spark] That’s a good point. Well, we’re all teenagers now in cyber security. That means we’re all sort of having our awkward sexual awakening.

[Hadas Cassorla] It also means we all have to go clean our rooms.

[David Spark] Exactly.

[Laughter]

[David Spark] Thank you very much, Hadas. Thank you very much, Renee. Thank you to our audience. We love, love your contributions. We love them. If you see an awesome discussion online and you think, “Oh, this should be an awesome episode of Defense in Depth,” send it to me. Just send it to David@CISOseries.com. I’d love to see it. We appreciate it. And thank you also for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thanks for listening to Defense in Depth.