Why Is There a Cybersecurity Skills Gap?

Why is there a cybersecurity skills gap? Practically everyone is looking to hire, and there are a ton of people getting training and trying to get into the industry, but we still have this problem. Why?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap), CISO, LinkedIn. We welcome Edwin Covert (@ebcovert3), head of cyber risk engineering, Bowhead Specialty.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Orca Security

Orca Security is the pioneer of agentless cloud security that is trusted by hundreds of enterprises globally. With continuous first-to-market innovations and expertise, the Orca Platform ensures security teams quickly identify and remediate risks to keep their businesses secure. Connect your first account in minutes by visiting www.orca.security.

Full transcript

[David Spark] Why is there a cyber security skills gap? Practically everyone is looking to hire, and there are a ton of people getting training and trying to get into the industry. But we still have this problem. Why?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I’m the producer of the CISO Series. And joining me for this very episode, it’s Geoff Belknap. He’s the CISO over at LinkedIn. Geoff, grace everyone with your presence.

[Geoff Belknap] David, here’s my presence. You have henceforth been graced. Thank you.

[David Spark] Not just me, our audience as well.

[Geoff Belknap] All of us are better because of you.

[David Spark] And our audience is going to be graced by our wonderful sponsor. Huge thanks to our sponsor, Orca Security. Quickly discover, identify, and remediate Cloud risks to keep your business secure. More about them later in the show. Our topic of discussion is from Reddit. So, a redditor on the cyber security subreddit… Which I love, by the way. A phenomenal subreddit. If those listening are not already on it, I highly recommend it. But this person asked why are we having a cyber security skills gap? Adding, “I am dismayed that there are so many surveys asking employers what they need from workers but very little out there on what workers are experiencing regarding barriers to entry, retention, and upscaling.” Almost all the responses came from people expressing their frustration with the system of hiring junior people, training, and preventing burnout. Many complain none of that is done. I’m sure you’ve heard plenty of complaints. Yes, Geoff?

[Geoff Belknap] I have done some of the complaining myself. I have…

[David Spark] They don’t have the monopoly of it.

[Geoff Belknap] No. No. I’ve done some of the complaining about why is there a skills gap. I have heard a lot of the complaining about why are my skills not enough to fill the gap. So, I think this is going to be a great conversation because there are companies like mine where we are investing in people, and trying apprenticeship programs, and we have training, and still very difficult to hire people. I realize not everyone that takes one of our training programs comes to work for me. But there are certainly a lot of effort going into bridging that gap. And boy, it doesn’t seem like it’s been filled in much.

[David Spark] No, it has not. And a person who’s going to help us in this conversation… And by the way, great opinions on Reddit, so I’m really looking forward to getting our thoughts and our guest’s thoughts on this topic. It is the head of cyber risk engineering for Bowhead Specialty, Ed Covert. Ed, thank you so much for joining us.

[Ed Covert] I am absolutely thrilled, David, to be here, joining you and Geoff.

How did we get here?


[David Spark] Before I start here, I just want to point out this was a Reddit discussion. I’m going to be reading Reddit user handles. I apologize for the silliness and the goofiness of all these names.

[Geoff Belknap] These are always my favorite shows because I get to watch David squirm in the studio.

[David Spark] [Laughs]

[Geoff Belknap] You’re really missing out by having this be audio only.

[David Spark] All right. fabledparable provided a long, extremely popular answer with the following summary – there’s controversy on what constitutes “entry level” in infosec work. There is employer conflicts with onboarding unskilled/inexperienced staff. There is business conflicts with dedicating large budgets to infosec teams. And there’s a mismatch in the development of emerging professionals. Kind of an amazing summary there. I also want to add transfer 42, who said, “A lot of the problems listed above are an issue across the computing field, but cyber security seems worse than most in my experience.” So, two questions for you, Geoff. A, what did you think about those sort of four summaries from fabledparable? And is cyber security worse than most industries?

[Geoff Belknap] I don’t work in most industries, so I have a tough time seeing it from that perspective. But I think it is probably worse based on the data points that I have because of the kind of things that fabledparable is laying out here. Because there is a lot of confusion still about what infosec should do, what the scope of security should be. And that plays into a lot of these concerns. And there are a lot of people involved in hiring. So, a hiring manager might have some specific skills that they want. A recruiter or if HR is involved and posting jobs or interviewing people might have a slightly skewed version of that. And certainly there’s an expectation when you’re taking computer science people out of college…there’s a rough expectation and a really well understood sort of path to get them to full performance – what work you can give them, what kinds of things they’re good at. I think we’re still figuring out a lot of that for infosec. And companies are also still figuring out what they want from those teams, so it’s still a very fluid environment. And that leads to a lot of this confusion.

[David Spark] All right, I throw this now to you, Ed. Pick any of these topics that this fabledparable mentioned. What would you double down on? It just seems like a perfect storm of problems.

[Ed Covert] I agree. I will add that I think Geoff is accurate in everything. The one thing about our industry being worse than everyone else’s is the fact that I think that’s absolutely true. And the reason I think it’s true is because we’re so high profile right now. There’s a lot of attention focused on us as an industry, a lot of things we’re not doing well in terms of development. So, I think it’s probably in reality not actually worse, it just appears worse right now for us because we are so…how many cyber skills gap press releases have been released in the last 18 months. So, we’re sort of all over the place.

[David Spark] And we’re going to get into this more, but this conflict of onboarding unskilled, inexperienced staff and dedicating large budgets to infosec teams, that seems to be a major bugaboo for kind of everybody here. Do you see this as an ongoing issue, Ed?

[Ed Covert] I do, but I think it’s two issues. And they need to be solved differently. The budgeting issue is not one we really can control. The business is going to make a risk decision hopefully based on what they know, what they think they know, what we tell them about where to spend the money. The one that we can control is this idea of onboarding unskilled staff. And I was looking in preparation for this the other day, and I just unfortunately couldn’t find it, but it sticks to my memory very clearly a job description that’s asking for like ten years in Kubernetes experience. Well, Kubernetes hasn’t been around ten years.

[David Spark] Yeah, we’ve seen this classic mistake.

[Ed Covert] But that’s the kind of stuff. We really as an industry need to focus on what’s actually important for the job, and then assign appropriate experience requirements based on that. And the NICCS has a great website for their knowledge, skills, abilities, and tasking. And that’s where I used to draw when I was hiring all the time…I would pull statements out of that based on the job description of what I wanted that person to do. And it was very focused. If you were a brand new cyber person, I didn’t expect you to have more than two years doing something. Zero to two years. But if you were more senior then the questions and the tasks obviously get harder and more complex. But we need to really put some effort into not asking for pie in the sky stuff that just doesn’t exist in the real world, one, and two, is unattainable for the average junior cyber person.

What are they doing wrong?


[David Spark] ghawblin said, “I blame bleeping colleges and bootcamps for pushing the, ‘Take our subpar cram course for $15,000 and come out with 20 certifications, your degree, and get your six-figure job right away,’ narrative because then we end up with a ton of workers with some theoretical knowledge but zero experience to apply it properly.” And bateau_du_gateau said, “There is a genuine shortage of people with ten plus years’ experience because the threat landscape became more hostile more quickly than anyone anticipated.” This is a good point. “There is however a glut of people trying to enter this industry without experience but with unrealistic expectations of how much money they can make.” So, I’ve definitely heard these six-figure story, get into cyber plenty. I’m sure whether it’s being sold directly or indirectly by these education institutions I don’t know. But there is I guess a feeling out there in the industry that it is a great financial win to get into this industry. Yes, Geoff?

[Geoff Belknap] There is no lie there. If you can get into this industry, there is definitely plenty of money to be made. I think the big but there though is you have to have skills, experience, and I’ll say mental attitude that makes you useful. If you go take a bootcamp and you’re expecting just to be able to do the things that are in the bootcamp every day and that’s your job, that’s going to be a real shock. And it goes both ways. So, if I’m expecting I’m going to just do the pen testing or the, I don’t know, whatever I did in the bootcamp every day in my corporate information security job, and it’s not like that, I might be disappointed. But if I took that course because I am a committed learner, and I’m constantly going to be learning about what’s going on, how my business works, how the techniques I learned in this class can apply to that, and what else I need to learn, you’re going to go very far.

And if you’re willing to work hard, you’re going to go even farther. And yeah, money rewards will come. Almost certainly. If your expectations are relative. If you’re expecting to be driving a Rolls Royce, you might want to temper those. On the other side, we have the same problem where there’s a lot of employers who are expecting people to come out of bootcamps or have lots and lots of experience to just know what they’re going to do. You come in, you tell me what you do all day. I don’t know. You just make their security happen. And I think that’s an unreasonable expectation as well. You have to have a formal or at least a formalized perspective of how is this security organization put together, what skills do you need to hire for, and what’s a reasonable expectation for those people in terms of what to accomplish. And there are misses on both sides of that spectrum.

[David Spark] I wholeheartedly agree, and I want you to tag this, Ed. The expectation issue on both sides. And we’re going to get more onto the employer side in just a moment. What’s your thoughts?

[Ed Covert] Oh, I’m over here just like preach. Preach, brother. Just preach. We have screwed this up as an industry. Not intentionally. I think we just got a little ahead of our skis.

[David Spark] I agree. There was a lot of excitement. There was a lot of hiring. There was a lot of talk of the industry needs X millions more security professionals.

[Ed Covert] Right.

[David Spark] So, everyone was like, “Run, run, run. Let’s get into it.”

[Ed Covert] Right. And there’s a lot of… And I’m not going to name names. There are some really crappy certification programs out there that aren’t worth the paper they’re printed on in my not so humble opinion. That being said, there are a lot of good ones out there. And I think Geoff’s point about expectations is key. If I am taking a pen testing course from Sans [Phonetic 00:11:34] or something, but I expect to be a pen tester… And you as an employer expect me to be a pen tester, that lines up perfectly. In my mind, that’s golden. But if I am taking this pen testing course, and you expect me to be working on GRC stuff, and I thought I’m going to be…I can leverage my pen testing skills into GRC, that’s a bit of a mismatch. And there’s some communication breakdown on both sides of the house about what I wanted to do versus what you need me to do.

[Geoff Belknap] Yeah, I’ll say there’s a couple of bootcamps that are really solid, and there’s lots of training available. But there is about somewhere between half a dozen and maybe 15 disciplines in infosec depending on how you want to count. There are not bootcamps that cover all of those things practically from a vocational perspective.

[Ed Covert] Nope, absolutely not. I’ve never seen a GRC bootcamp or a policy writing bootcamp. [Laughs]

[David Spark] I liken this to medicine. My dad, who was a doctor, his specialty was endocrinology. And he had friends in medicine who wanted to try to learn everything in medicine. That’s impossible. I think the same is true in cyber security. You can be a generalist, like a GP in medicine. Or you can be a specialist, but you can’t be a specialist in everything.

[Ed Covert] Absolutely.

[Geoff Belknap] I hate to jump in on this, but I think that is a great analogy. When a hospital wants to hire a doctor, they don’t just go hiring, doctor, ten years’ experience. And then they found out, “Well, I don’t need a radiologist. I don’t need a cardiologist. I don’t need a whatever ologist.” They get very specific. And also when you get hired, there’s lots of follow on training. There is recurrent training in your field. It’s not just jump out of medical school, and now you’re a doctor for whatever specialization exists.

[Ed Covert] I used to tell my junior cyber people, who are like, “Well, I want to do X, Y, and Z.” All right, cool. There are…let’s go with the [Inaudible 00:13:24] There’s eight domains, right? There used to be ten when I started, but there’s eight now. Whether you believe it or not or they’re the right eight, whatever. It’s irrelevant. You end up learning a lot in this GP analogy about all eight. You end up focusing as your career progresses on one of them. And it may shift. I started out doing security compliance for the government, for contracting. And now I do enterprise security architecture kind of stuff. So, you shift over time, but you specialize in one of those domains over time. And you’re not going to find somebody, to David’s point, who specializes in all of them. Because that’s just that person doesn’t exist. And if they do then that’s God level access.

[David Spark] Well, the example I was trying to give of my father’s friend in medical school is he wanted to try to achieve that, but he… Even if you wanted to try to do it, it’s not physically possible.

[Ed Covert] Exactly.

[Geoff Belknap] No.

[David Spark] You can’t do it.

[Geoff Belknap] That’s not realistic.

Sponsor – Orca Security


[David Spark] Hey, before we go on any further in the show, I want to talk to you, Ed, about your company, Bowhead Specialty. Let me just ask you a quick question – why is it awesome working in security at Bowhead? And I know it’s new for you currently.

[Ed Covert] It is new for me, but I will say it is very awesome. It is awesome in the fact that it is a supportive environment. Everything is discussed in an open sort of forum. Everybody’s opinion is valued. Everyone…you feel like everyone has got your back. Whether they agree with you or not, they generally feel like they’ve got your back. So, that’s very supportive.

[David Spark] That is great to hear. And I’m going to ask the same question, why is it awesome to work with Geoff Belknap at LinkedIn security?

[Geoff Belknap] Is it awesome to work with me? You’d have to ask some people.

[David Spark] What is awesome about your staff? Let me ask you about that.

[Geoff Belknap] Well, I’ll tell you what’s awesome about my staff and my teammates is we have a fantastic set of challenges ahead of us that both come from the fact that we’re a very high scale organization, that there are lots of people that are interested in the data and the infrastructure that we protect, and we’re a very unique organization. There’s probably only about maybe four or five companies that are similar to LinkedIn. And certainly probably even fewer that work at our scale. That presents some really interesting challenges to work on, and it attracts wildly talented people that are creative and just a joy to work with.

[Ed Covert] Can I just throw a plug in for Geoff’s stuff?

[David Spark] Yeah.

[Geoff Belknap] Yeah, sure.

[Ed Covert] Yeah. Why not, right?


[Ed Covert] LinkedIn has got a great infosec cyber community structure. A lot of great people I’ve met on there, so it’s a great way to interact with people and colleagues in this industry.

[David Spark] I would say 80% of our audience comes from LinkedIn for that matter. I do want to mention that I know that both Geoff and Ed are always looking for talented people. So, if you’re interested, please reach out to them via LinkedIn is always a great place. We’ll have links to both of their profiles on the blog post for this episode. But let me also mention our sponsor right now, Orca Security. Now, Orca Security, they’re our sponsor, and we’re thrilled to have them on board. They are the pioneer of agentless Cloud security that is trusted by hundreds of enterprises globally. Now, Orca makes Cloud security possible for enterprises moving to and scaling in the Cloud with its patented side scanning technology and unified data model. The Orca Cloud security platform delivers the world’s most comprehensive coverage and visibility of all risk across the Cloud with continuous first to market innovations and expertise. The Orca platform ensures security teams quickly identify and remediate risk, that’s key, to keep their business secure. Connect your first account in minutes by visiting, get ready for this, just orca.security. Simple as that.

This problem won’t change on its own.


[David Spark] Several-Listen7915 said, “It’s a self-perpetuating problem. Cyber teams are short staffed, so they can’t be taken off critical work to train people. Which means there aren’t enough skilled people to lighten the load.” lipgloss_addict said, “Companies do not want to hire anyone junior, which is ludicrous. It means that junior tasks go to overworked senior professionals which leads to burnout.” And ReptarAteYourBaby said, “There are a lot of teams running with no system in place to ensure transfer of knowledge. Self-study and tuition reimbursement are nice, but not a replacement for having senior people teach junior people on the job.” And akinfinity713 said, “In my experience, it’s because the industry has a ton of gatekeepers that don’t do anything to mentor or groom the next wave. They act like it’s some exclusive secret society.” I have definitely seen that. And I know there’s a fight against that. I’m going to start with you, Ed, on this. There is a desire to groom. I know we talk about it a lot. But it doesn’t seem that there’s enough of that within the industry to really promote the next wave of talent. What do you think?

[Ed Covert] That is absolutely true. I think all four of these comments boil down to a single concept, which is we have bad leadership in cyber.

[David Spark] Now, both of you are great leaders in cyber. I don’t want you to knock yourselves.

[Geoff Belknap] Well, present company excluded.

[Ed Covert] Yeah. No, obviously a person can be excluded. No, but I mean so there’s this book out called “Compassionate Leadership,” and we can get you the link later if you want it. But essentially what it says is people really want servant leadership, and we’re not giving it to them. We’re not giving them that idea that we value them, and we’re building their skills up because it helps us, helps the company, helps them. We’re not doing a good job at it, and we haven’t in a number of years. And so that’s what this boils down to in my mind is leadership.

[Geoff Belknap] Yeah, I think it’s a great point. I don’t even know if it’s that we have weak leadership. I think it’s really just one of those things where we haven’t internalized that unlike some other roles in tech, you cannot just treat the talent as commodity. And there are definitely roles in tech where the talent is a little more commoditized. It’s very similar from person to person. And in this case because the work is very different than a lot of the other engineering work that happens in tech orgs. But the skills that are needed to execute even in a single discipline… You have to be pretty flexible. Like I said, you have to be a committed learner. And the space changes all the time. Let’s say five, ten years ago there were people that were specialists in firewalls, and they spent all day working on those things and got expert level talent there. And that’s just not a focus area anymore, but a lot of those people have moved on to work on other things that are similar. And I think where some leaders and some orgs struggle is not recognizing that they have a part to play in growing, and nurturing, and sort of enhancing that talent as needs arise. You can’t just swap people out and plug and play.

What are they looking for?


[David Spark] BubbaSquirrel said, “It seems to me that part of the skill gap could be due to cyber security being a field which encompasses such a vast array of very different topics. I have a master’s degree in cyber security and several years of experience in cyber security research. However, if you put me in a SOC then I would essentially be a n00b with no experience and very little education in that role. Lateral career moves within cyber security often mean that we are starting back at zero experience.” MrSpeedyPanda said, “The problem with cyber security is it’s made up of several sectors of IT, and you have to know a very broad range of skills in depth. It’s very hard to get experience in one sector, let alone several.” And lastly, Joy2B said, “Cyber security job ads often demand one person who is actually four very different midcareer people.” That I have seen a lot as well. I’ll start with you, Geoff, on this. There is this feeling that you could kind of do anything if you’re a cyber security professional. But like what he said with medicine, there are specialties, and you kind of need the person for the specific specialty. You can’t have a radiologist, endocrinologist, cardiologist all in one.

[Geoff Belknap] Yeah, I think you can. I could get a cardiologist to theoretically do brain surgery.

[David Spark] Would you really want that? [Laughs]

[Geoff Belknap] Yeah, your outcome is probably not what you’re looking for. I think very similar, if you’re a helicopter pilot and you take them and put them in an airplane, they know the very basics of flight. But I don’t think that’s going to be a positive outcome. So, I have this conversation a lot in my team where it’s like, “Hey, great, if you’re a product security person, you want to transfer to incident response or threat detection response, you’re starting from scratch. You are now not a principal engineer just because you’ve lateraled over.” They are very different disciplines. And I think people are figuring that out.

The thing that still I see is what Joy2B highlights here is that there are still people that are looking for cyber security generalists that go very deep and very broad. And those are very rare. They exist. They’re very valuable. I will buy them away from you every chance I get because they’re wonderful. But there are like… Maybe those are one percent of the available talent pool. The rest of the talent pool, there are great people if you are very thoughtful about what skills and what problems you need to solve in your org. You can find people to solve those. But those are generally going to be not as flexible. They’re not going to be zone defense. They’re going to be man defense. I’m sorry for the sports analogies. But you just have to be thoughtful about how you’re organizing your team and what you’re really going to accomplish.

[David Spark] But also even if you got a generalist who could go very deep, it’s just one person. So, that person can’t do four things simultaneously.

[Geoff Belknap] Not for very long. That’s for sure.

[David Spark] No.

[Geoff Belknap] And you got to be sustainable.

[David Spark] Ed, your thoughts?

[Ed Covert] I agree with it. I guess one thing that we haven’t really talked about and I think…or we got into it a little bit in the last segment. But this idea of gatekeeping and where we’re finding the talent is a huge issue for me. I’ve taken degree requirements off my job descriptions. One of the smartest people I’ve ever met in cyber actually has an undergraduate in philosophy. So, it becomes we need to be expanding where we as employers are actively looking to hire from and not… I can teach anybody to do basic cyber, but I can’t necessarily always teach aptitude to learn and things like that. You want to find those people that maybe they’re not cyber experts yet. They’re just starting out in their career. But we want them to have a willingness to learn to be able to do things, and we have to be willing to invest in those people.

[David Spark] Let’s close on this thought. I like what you brought up there, Ed. Because this is something I also feel passionately about. I’m okay with someone not having specific knowledge. But if people can demonstrate eagerness, willing to learn, and passion, that’s what I would want to hire. But that is not the easiest thing to put on a resume, is it, Geoff? How is the best way someone could demonstrate any of those? And do you agree with me that those are three great things to hire for?

[Geoff Belknap] Those are three great things to hire for. They are hard to screen for. You can’t say…

[David Spark] Yes.

[Geoff Belknap] “…must have a high level of ambition or dedication to the work.” But they’re very easy to see once that person is in the job. And this is where I think it’s useful to do apprenticeships or interns for early career folks. It’s harder for people that are making career transitions. But I’ll tell you what – the fact if you went and did a ten-year career in networking and then transitioned to security or, I don’t know care… Maybe you were an airplane mechanic, and you transitioned to security. The fact that you went through that transition and that you built some skills, and now you’re interviewing with me, that tells me a lot about whether you’re ambitious, and committed, and you’re going to be a hard worker focused on better themselves and learning the space. I got everything I need to know by the fact that you went through that. You put yourself in that position, and now we’re here talking.

So, I think there’s a lot of subtle ways to pick that up, and I think frankly there’s a lot of subtle ways that people miss. If you career transition, there’s a lot of people that are like, “Aw, you gave up on your other career. Or maybe you don’t have experience.” I think those are where the diamonds in the rough exist. Those people that have pulled themselves up by the bootstraps. And a lot of times, I think just like Ed, I find that those people are better than the people that have a PhD in cyber security because those are the people you can apply against almost any kind of problem. No offense to my friends who have PhDs in cyber security.

[David Spark] Ed, I’m going to let you close this segment out, and I want your thoughts on how do you screen I guess I’m going to just generally call it the soft skills or this… Not the soft skills because that talks more about communication. But…

[Geoff Belknap] People skills or not…

[David Spark] People skills but more the… It’s not so much that but the passion, the desire to learn, the wanting to be… Honestly I don’t think you necessarily need to be a people person to have that kind of level of interest. How do you screen for that?

[Ed Covert] A lot of it is, to Geoff’s point, get them in the room. Ask questions, engage with them. Are they engaging back to you? Do they ask questions about what it is they’re potentially going to be doing? Do they say, “I don’t know if I know how to do that. Is there another thing that you could show me or talk to me about?” It becomes…it’s a discussion, which is unfortunately hard because we’re all pressed for time. We all have a million things going on. And so to dedicate that level of energy into six, seven, eight, ten interviews is a challenge. I’m not going to lie. But I think we owe it to the people that put the time and energy into applying for the job that we want them to fill.

[Geoff Belknap] I would just stress, get more people in the room. If you’re hiring for people right now or if you’re an HR person and you’re listening, take a moment and just hear what I’m about to say. Broaden your requirements. Lower your requirements. Don’t lower the bar but opportunity is hard to come by. But there’s a lot of talented people out there. I think the more you engage with them, the more you’re going to find people you want to hire that you wouldn’t have thought of before because your requirements were out of whack.

[Ed Covert] Absolutely.

[Geoff Belknap] Relax those. Talk to more people. You’ll find more experts.



[David Spark] All right, that wraps it up. And now we get to the point of the show where I ask the two of you, which quote was your favorite and why. And there was a lot of really good insight in this episode. I’m going to start with you, Ed. Which was your favorite, and why?

[Ed Covert] Okay, so mine came from shadow_kittencorn.

[David Spark] And it’s not one of the ones I read, I guess.


[Ed Covert] It is not one of the ones you read, no. I went and did my research on the Reddit forum.

[Geoff Belknap] Impressive.

[David Spark] All right.

[Geoff Belknap] Let’s have it. What’s the quote?

[David Spark] And what did shadow_kittencorn say?

[Ed Covert] “Even in an internal role, you have a lot of resistance to doing your job. The no person who doesn’t let people do anything.” This resonated with me because we have to stop as an industry being the industry of no. We need to be the industry of yes, and here’s how. Do it within these guiderails, and you can go as fast as you want. You don’t need to…we don’t need me to apply the brakes.

[David Spark] I like it. Geoff, your favorite quote, and why?

[Geoff Belknap] I wanted it to be from BubbaSquirrel just so I could say BubbaSquirrel another time.

[David Spark] You just did.

[Geoff Belknap] BubbaSquirrel.

[David Spark] We still like BubbaSquirrel’s comment.

[Geoff Belknap] But I’m going to pick another one as my favorite here from akinfinity713, “In my experience it’s because the industry has a ton of gatekeepers that don’t do anything to mentor or groom the next wave I assume of talents. They act like it’s some exclusive secret society.” I think this is really the problem. I want to see more and more people see it as a necessary part of their career to extend the ladder and help people up to where you are. You got here not because you are… Let’s face it. If you are in a great role in cyber security today, that came…some amount of that was luck. Some of that was people helping you and giving you guidance along the way. And you need to make it easier for people to follow in your footsteps. I think more of that would be great for the entire industry.

[David Spark] Let me echo that. I truly believe that. I’ve been to some pretty geeky security conferences, and they can seem really intimidating if you are not in the know, you’re not part of the club. And sometimes there’s not a lot done to stop that behavior.

[Geoff Belknap] Now, it’s not all bad. There are lots of people that are perfectly willing to invite other people in.

[David Spark] Yes.

[Geoff Belknap] But it can be very intimidating if you’re new to it, and we need to make things more accessible, more inclusive, and invite more people into the secret society.

[David Spark] I agree wholeheartedly. Thank you so much. And I want to thank you, too, Ed, as well. Any last thoughts you want to throw in on this topic? I’ll let you have the last word.

[Ed Covert] Oh, I appreciate that. I want to echo both of what you guys said about widening the aperture a little bit. There’s a lot of great organizations like Women in Cyber Security that are doing just that very thing. Just getting more people exposed to what we can do.

[David Spark] Great. Well, thank you very much, Geoff. And I want to thank my guest, Ed Covert, who is the head of cyber risk engineering for Bowhead Specialty. I also want to thank our sponsor for today’s episode. That is Orca Security. Remember, quickly discover, identify, and remediate…can’t stress how important that last one is…remediate Cloud risk to keep your business secure. Go ahead and visit them for your Cloud security needs. That’s orca like the whale, orca.security. Thank you very much for sponsoring this episode of the show and to our audience, as always. Whether they be on Reddit, LinkedIn, Twitter, wherever you may like to have your social presence or not. We appreciate you listening and contributing to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, cisoseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to Defense in Depth.