SPECIAL WITH KIP AND JASON
About this episode
We’re celebrating the 100th episode of Your Cyber Path podcast with a special edition episode. It’s going to be a little different this time.
We are going to sit back and reflect on all our 100 previous episodes and take in the things that we learned, so basically welcome to the highlight reel of the Your Cyber Path podcast!
Our hosts are Kip Boyle, a cybersecurity hiring manager who started in the Air Force, and Jason Dion, who has over 20 years of experience in the defense industry, including positions at the Navy and NSA.
Ayub Yusuf, also known as the WhiteCyberDuck, stresses the significance of tailoring your resume to align with the specific job requirements you are interested in. Doing so will enhance your prospects of advancing through the initial stage of the recruitment process.
Tools like ChatGPT and Bard can take much of the effort out of tailoring a resume to a posting.
Our next tip comes from Episode 45, with experienced hiring manager, Glenn Sorensen.
Demonstrate enthusiasm and interest in your job applications. This is what hiring managers seek. Also, connect your previous roles and present a complete picture of your experience.
Clip three features Ed Skipka, a favorite guest on the show, discussing how he entered cybersecurity without a background in IT. He emphasizes the importance of networking and showing a desire to learn to excel in your career.
John Strand, owner of Black Hills Information Security, discusses the pay-what-you-can model in the fourth clip. He emphasizes how this model contributes to the expansion of diversity within the cybersecurity sector and how diversity, in turn, enhances the growth of cybersecurity. Ultimately, this fosters higher quality problem-solving abilities within our cybersecurity teams.
After that we discuss a clip from Episode 74, Top Five Mistakes People Make When Negotiating. Negotiating for the right package can be difficult, but having more information can give you an advantage.
Kip suggests that it would be a smart strategy to not disclose your salary history. Instead, you should inquire with your potential employer about the job’s market value. This will equip you with valuable knowledge and give you a stronger stance to discuss your salary.
The next clip discusses how to succeed in your first 90 days of a job, specifically in cybersecurity. It emphasizes the importance of programming skills in this field. Some jobs require high-end coding skills, while others do not require any coding skills at all. To determine the requirements for the positions you are interested in, research the specific roles.
Our guest in the last video, Arthurine Brown, talked about her daily routine and shared some of the lessons she learned while working as a business information security officer at Altria Client Services. Arthurine works in a unique role that combines being an information security analyst with understanding how this information is used to accomplish tasks. This shows how the way we add value to businesses is changing due to fast technological advancements.
In conclusion, tailoring your resume to the role you are seeking is crucial to a successful application. You also need practical experience, whether through a job, volunteering, or home lab work. Embrace diversity no matter where you come from, because productivity and diversity go hand in hand. Lastly, negotiate so that you get the best salary and package you can when you land the role you have been looking for!
What you’ll learn
- Who are our Hosts, Kip and Jason?
- What do hiring managers look for in a resume? And how do you relate your previous experience to cybersecurity?
- How do I get experience If I can’t get hired?
- What is the role of Certification, Degrees, and Experience?
- How can diversity help cybersecurity grow?
- How can you approach salary negotiations?
- Is programming important in Cybersecurity?
- How can we add business value as cybersecurity practitioners?
- What are some things to keep in mind during your career as a cybersecurity practitioner?
Other Relevant Episodes
- Episode 93 – Cyber WIDE Panel – Level Up Series – InfoSec Certification Soup
- Episode 89 – Getting My First Job in Cybersecurity with Ayub Yusuf
- Episode 74 – Top Five Mistakes People Make When Negotiating
- Episode 61 – Skills-based Certification and Training with John Strand
- Episode 58 – How to Get Hired with No Experience
- Episode 46 – ATS Secrets–Boost your Resume with these Clever Tips
- Episode 45 – Live Resume Review
Hi everybody. Welcome. This is the 100th episode of Your Cyber Path podcast, which is really exciting. Jason and I are just, I don’t know, I could use all kinds of words, but we’re excited that we’ve reached episode 100, and we’ve got something special planned for you. I’m Kip Boyle, I’m your host, and with me is my partner in cybercrime. I can say that because it’s a cyber topic episode or podcast. Okay. So it’s Jason Dion, he’s here. And whether you are a seasoned job seeker, or maybe you’re just starting your cyber career, maybe you’ve already worked in another career and you’re crossing over, doesn’t matter. This special episode will provide you with some really great strategies and what we want is for you to stand out and we want you to get your dream cybersecurity job. So Jason and I, we’ve planned this special edition 100th episode to be different than what we’ve done in the past. And since you had the vision for this episode, Jason, and I completely bought into it hook, line, and sinker, why don’t you tell everyone how this one’s going to work?
So this is going to be a little different than what we normally do. Normally here on Your Cyber Path as you know, Kip, we highlight the things that people need to know to land their dream cybersecurity position, to excel in that new position as they continue to grow in their career and all the different things, whether it’s resumes and how to write them, where to find jobs, what type of certifications are important and all that stuff. But since this is our hundredth episode, we decided we wanted to have a time to sit back and reflect on some of the big ideas that we’ve covered throughout those first 100 episodes. Now don’t worry, we’re not going to go through all 100 episodes, but essentially I picked my favorite bits and parts out of it so that we can talk about those things, see if they’re still relevant today, because one of the things is we’ve been going for a hundred episodes, which means this podcast is about three years old at this point.
So sometimes things change and we want to talk about that and call those things out. So as we go back and look at some of these clips, what we’re going to do is Kip and I are going to introduce what we’re going to be talking about in that particular clip. We’ll listen to the clip together with you as well. And then we’re going to talk about what we heard in the clip, what’s still relevant, what’s not, and the things that really need us to dive a little bit deeper in and get the takeaways.
Now, a lot of times when we do our podcasts, there’s guests that are involved as well, and you’re going to see that in these clips as well. About half these clips are me and Kip talking. The other half are us and a guest talking. And in this case, we’d like to bring in experts in other areas because Kip has his background, I have my background, and we complement each other really well, but there’s other people who know things that we don’t know and we like to bring them in as well. So you’ll see a lot of our special guests coming through some of these clips as we do it.
So in today’s episode, what we’re going to be doing is basically a highlight reel of sorts, and we’re going to introduce a topic, we’re going to play a short clip from it. And then Kip and I are going to discuss what we just heard and provide any updates or challenges or changes to the content we discussed with those guests at that time versus what it is today. And I’ve selected essentially seven different clips and we’re going to cover all of them in this special 100th episode edition. And we’re going to be focusing on things like finding and applying for jobs, the question of experience, certifications and degrees, how you should be writing your resume, how to kill your interviews, how to negotiate for higher levels of compensation, how to succeed and strive during your first 90 days on the job and things like that.
So now before we do all that, I think it’s really important, especially if we have new listeners, because the way I look at episode 100 is if you’re brand new to the podcast, this is a great place to pick up and start. Well, we have a lot of great content in the last 100 episodes. It’s a lot to go through. The back catalog, it’s 40, 50, 60 hours worth. And yes, they’re all wonderful, but it’s hard if you’re just getting with us to start at episode one and then work your way all the way forward to a hundred. So this becomes our new starting point.
So I think it’s important for us to introduce who is Kip and who is Jason, so you know who we are and where our background is because it does influence what comes out of our mouth. And you’ll see that as Kip and I talk about certain things, there’s things that he doesn’t agree with me on and I don’t agree with him on because of the backgrounds we have. So first, because this was originally Kip’s podcast by himself, I’m going to let him introduce himself. It has gone through some revisions over time, and I joined him back in episode 55. So Kip, tell us a little bit about yourself and why you started this podcast.
Sure thing. All right. So I believe that what’s most important to know about me in the context of this podcast is first of all, I’m an experienced cybersecurity hiring manager in the private sector. Now I’ve been building teams for well over 20 years at this point. And along the way I’ve interviewed hundreds and hired dozens of cybersecurity professionals. But I think also what you need to know about me is that I got my start when I was on active duty in the US Air Force. And the reason why I got into this is because I was assigned to provide tech support for several highly classified weapons systems development projects. So while I didn’t study data and system security in school or anything like that, I had to learn it on the job just to be able to do my work. So just being around it all the time, I picked it up, it was required, everybody had to do this.
But what I figured out pretty quickly is that I enjoyed doing these data and systems protection tasks and everybody else hated doing it. So they just gave it all to me and I was having a great time. So after I separated from the military, I thought, well, I wonder if I can find a job doing this all the time, which turned out not to be hard. And eventually in 2003 I became chief information security officer of an insurance company. And then in 2015 I launched my own small business and it’s called Cyber Risk Opportunities.
And the reason I started this podcast is because, well, folks asked me all the time, I would get these random queries from people about, “Hey, my son or my daughter are graduating from college, they’re thinking about cybersecurity. Do you have any advice for them?” Or if somebody was saying, “I don’t like my career, I want to do something different, can I get into cybersecurity?” And I just didn’t feel like I was really answering their questions because they showed up with no notice and I was only giving them 60-second answers. So I wanted to help. I wanted to give back to the community because it’s been very good to me and I wanted to help people get into cybersecurity and to grow their careers. So that’s where I come from. That’s my motivation for being here. So let’s hear from you Jason. Why did you agree to be on my podcast?
Yeah. So my name is Jason Dion, as we’ve said earlier. And I actually come from the defense industry and I worked for about 20 years with the United States Navy, its military members, its government civilians and its contractors. I worked in lots of different positions and I was in lots of different locations around the world. All during my 20 years, I did roles like network engineering, IT director, SOC director, chief information officer. I was one of the directors of information assurance operations at the National Security Agency for about two years. I did global defensive cyber operations for US Cyber Command for two years and many, many other jobs throughout my 20 years working in and around the government. In a lot of these various roles, I was involved in a lot of the hiring things just like you were as a hiring manager. And I’d made a lot of other personnel decisions.
And back in 2017, I actually started my own little training company called Dion Training, named after myself because I’m very creative that way. And we focus on things like cybersecurity training. So if you’re looking for a CompTIA certification, everything from A+ through Security+ to PenTest+ to CASP+, we’ve got all that. We’ve got all the ITIL stuff, we’ve got all the Linux stuff, we’ve got all the project management stuff. And to date, in the last six or seven years that I’ve had that company, we’ve helped over 1 million students across 190 countries be able to take and pass their certification exams. Now the reason I bring that up is not just to tell everybody in the audience, “Hey, you should come to me and get your training,” because we have great training, because obviously we do.
But the reason I bring that up is a lot of my students, they would get certified and then go, “I got my certification but nobody will hire me. I got my certification. Where do I find a job? Or I apply for all these jobs, nobody’s calling me back.” And what we were finding is that they were having problems in the resume, interview and negotiation stages of this hiring process. So I started looking around at people to partner with who are really good in the civilian sector because I came from the government side and I could help people all day long get into the defense industry either as a contractor or civilian or whatever, but I had no idea about the banking sector, the finance sector, sports teams, movie theaters, whatever you want to call it. And that’s where I came across you as I was looking around, I found several experts and you were one of them.
And I saw your podcast, I saw what you were doing, and the timing actually worked out really well because I was thinking about doing my own podcast. Your previous co-host had just got a new job and he didn’t have time to do the podcast with you anymore. So we worked together for a while, we did a course together and then from there we decided to do the podcast together. And that’s when I joined you back in episode 55 to current. So we’ve done 45 episodes together and this is now episode 100 that we’re doing together.
And what I really love about our partnership is the fact that we bring two very different perspectives and really the majority of cyber jobs, or I would say at least up to five years ago, the majority of cyber jobs were in and around the defense industry. It was probably a 70/30 split. Now that is changing, I think it’s probably more of a 50/50 split, but back when I was first starting to teach, most of the people were trying to get a job as a government contractor or a government civilian doing cyber stuff, which required they have a clearance, requires them to be American citizens and all those other challenges.
And when people were asking me, “Well hey, I’ve got a criminal record, I can’t get a job with the government, or I’m not an American citizen, I can’t get a job with the government, what do I do?” And I’m like, “I don’t know. I don’t have that background or experience, but you do.” And that’s one of the things I think is really interesting is as we go and take these answers and talk about them, we do come from it with two sides of the same coin looking at the commercial sector side and the defense side. And between the two of them, we get to the right answer for whoever the person is. And like you, you have a million students, I didn’t have time to answer everybody’s individual questions, but by doing the podcast and doing the courses we’ve done together, we’re able to help a lot of people in a one-to-many environment.
And that really is where I think the power of this show comes in is that this isn’t just one man’s opinion, it’s not just Jason’s thought you’re getting, my opinion, you’re getting Kip’s opinion. And the experts and guests that we bring in who appear on our show from time to time, they bring their opinions too. And what you’ll find is that things are different depending on where you live and what job you want and what sector you want to work in and all those different things. So we really talk about all that over the show as we go through. So that’s the quick background on who Kip is, who I am and how we got to working together. So with that said, Kip, will you introduce our first clip for us and we’ll get started with episode 100.
Absolutely. I’ll do it. Just a quick little comment. I just want to say that yes, Jason and I are bringing two different perspectives, but valid perspectives. The other thing that we try to do too is focus on so many things are variable. Jason, you said depending on who you are, where you’re at, blah blah blah, there’s all the variability there. Well, there’s also variability on the employer side. We try to focus on what doesn’t change and more principles. Things that anybody can use wherever they are, wherever they’re going to. That’s what we try to do is surface that stuff. And I think that’s what you’re going to see as we go through these clips is that we’re going to really focus on the stuff that seems to endure. And I think that’s super valuable.
Our first clip is going to be from a fairly recent episode, which is called Getting my First Job in Cybersecurity. And I want to say Jason, getting people’s names is so important to me because I want people to feel respected. And I think the way you pronounce our guest’s name is Ayub Yusuf. Does that sound right to you?
I think it is. And he actually has a nickname that he goes by because he has a difficult to pronounce name for us Americans. And he is American as well, but he has an immigrant name I guess is the best way to put it. So he goes by the White Cyber Duck and that’s actually his Twitter handle if you want to connect with him. And if you listen to episode 89, which is where he was featured, which is yourcyberpath.com/89, you can listen to the entire episode and he actually introduces himself as the White Cyber Duck. And that’s the way to use it because for my Anglo accent, that is a lot easier for me to say.
Yeah. I mean I’ve got the same issue. I’ve got this American ear and it gets really tough sometimes for me. But again, we try to be very respectful. But the White Cyber Duck was our guest and he helped us out. He shared his experience about what it was like for him to break into the industry and to get his first job. And now we know that this is a very common problem that many folks struggle with, getting that first opportunity. And our guest was no exception. And what he told us was that it took him 134 job applications before his persistence really paid off and he got that first job. So let’s listen to what he shared in the interview in terms of how tailoring your resume can really help make a difference when you are applying for a new position.
And then the other thing you had mentioned previously to me was that as you were applying for all these jobs, as you said, 134 jobs, one of the things I’m curious about is when you were applying for those jobs, were you using the same resume? Were you modifying it for each job? What was your technique and tactic there?
So usually since I’ve taken so many courses and done so many different CTFs, I would remove certain things that are less relevant to the job posting. For example, if it was more of a blue team role, I would include some malware reverse engineering courses I’ve taken. But if it was more of a red team role, I would include some web app courses I’ve taken. So it was the same template, but there were just a few points changed. I think yeah, one of my biggest problems was probably my resume. Looking back in hindsight, I think I should have gotten more revisions. I had one person say it was great, which was great, but if you’re applying 10 places and you haven’t heard anything back and you qualify for those roles, I think you need to go back and get someone else’s opinion, have them weigh in on it and then make changes until you start getting some feedback back.
Yeah. I think that’s a great point because when you’re looking at your resume, if you’re using the same one each time, it’s not going to land with that particular hiring manager. They want to feel like you’re the only person in the world for them. They want to feel like you wrote this specifically for them. Now does that mean you have to write 134 different resumes? Well, no. What I usually recommend is you create one master resume and then based on that, like you said, you delete things that don’t matter. So my master resume might be five or 10 pages, but the resume I’m going to submit is only going to be one, maybe two pages. So I do want to make sure I’m highlighting things that are relevant to that particular position.
So if I look at the job description, it says, must be familiar with Fortinet firewalls and must understand Juniper routing and blah blah blah. I’d want to make sure I have those keywords based on my experience highlighted and showing. Whereas if they’re talking more about this is a reconnaissance based penetration testing role, must know open source intelligence, I would want to talk more about things like Maltego and Shodan and maybe even Nmap if I’m going to do a little bit of active reconnaissance, and all my reconnaissance stuff as opposed to my attack stuff. But having that long list of everything makes it very quick to be able to do 134 resumes just by deleting out the things that aren’t relevant and then applying.
So Kip, you obviously heard my advice there on how to tailor your resume to match the specific job requirements by highlighting relevant skills and experiences based on that exact job description being posted by the hiring manager. And that’s so critical because of the applicant tracking system and the machine learning and AI that’s being used in this filtering process. These days, it’s not uncommon to see 1,000 applicants for one job. And for me as a hiring manager, I don’t have time to look through 1,000 applicants. So I need those filtering systems to get it down to something like 20 or 50 that I can look through to figure out the five people I’m going to interview. And then from those five people I will hire somebody.
And now I thought it was really interesting how he was emphasizing the value of seeking feedback and doing multiple versions to optimize his resume’s effectiveness. Because he had done that, he probably could have gotten down to 25 or 50 job applications instead of 134. Now I know for myself as a hiring manager and you as well, I know we have advice for the team here that’s listening to us. And one of the things that you probably heard in the clip that I was talking about is the fact that I have this master resume.
And this is something that we in the DOD side and the military side often do because I mentioned earlier I used to work for the National Security Agency. There are things I’m allowed to talk about from when I worked there and things that I’m not allowed to talk about from when I worked there. So before you leave that type of a job, you actually write up a resume of everything you did there. And it goes through a process where they review it to make sure there is no top secret information or secret information in there. And these are things that the classification officer can look at and say, yes, Jason, these are all things you could talk about publicly, whether you’re writing it in print or whether you’re doing it on a job resume or something like that, because these are the unclassified things we have approved you to talk about.
So that’s why I talked about the fact that I have this five or 10 page resume, even though we always talk about your resume should be one to two pages. So having the fully pre-approved list, now I can highlight and take the things I need, copy them into that one or two page resume and I don’t have to go back and get reviewed every single time I apply for a job. Otherwise, I would never get hired because it would take forever to do it.
So what advice do you have on the commercial sector side and how does that relate to what you think when you think about as a hiring manager and what advice you give to people as they’re working on the resume? Because I know the resume is just a really hard thing for a lot of people.
It really is. Listening to White Cyber Duck talk about 134 applications, I think you were right when you said that if he had done some additional customization, he probably wouldn’t have had to apply for that many jobs. So when I listened to him talk, I just think to myself, “Well, he pursued a brute force job search process where he just kept slamming basically the same resume over,” with small tweaks. But over and over and over again he just brute forced his way through it and that’s not a really great strategy here. I know I’ve heard people talk about how they hate to customize resumes for the specific jobs. They think it’s so time consuming, they want to get back to playing their video games or whatever it is that they are doing with their time while they’re searching for the next job.
But over and over and over again, it just comes up that if you take the time to really craft that resume, you’re going to get that job faster. You’re not going to have to apply for as many. And one of the blockers for doing this too, is you have to get those keywords out, like you said. What are those keywords? And that’s tedious analysis to go in there and like, okay, let me just word count. How many times does the word cyber show up? How many times does the word analysis show up? So it’s tedious, but what I would say today is we’ve got now this generative AI based on these large language models. And what I’m able to do these days is just copy and paste the job description into these chat interfaces and just ask the LLM, what are the top five keywords? What are the top three themes? Boom, just comes right back. So it really, really decreases the amount of effort to do it. So I’m really encouraging people like, “Hey, it’s easier now and it’s the better way to go.” So do that.
Yeah, most definitely. And there’s really two big points I want to point out there in exactly what you just said. When you’re talking about generative AI, a lot of people, we always just say ChatGPT. But there are other ones out there like Bard and others that are out there. But even ChatGPT is an awesome tool for this. And if I was going to be applying for a job today, I would take my long resume and list of accomplishments and say, “Hey, ChatGPT, I’m going to tell you about myself. Here’s my resume. Now here is a job post that I want to apply for, rewrite my resume in one to two pages to meet this.” And it will go and do that for you and pull out what it thinks is most relevant. And it will rewrite things based on the keywords to get it through there.
And the reason that this becomes so heavy and so important is the second point that I want to bring up, which is most hiring doesn’t happen by people, at least in the first parts of the phases. And I mentioned this earlier, 1,000 applicants. We might as hiring managers get 20 to 50 of them to actually look at their resumes. All the other ones, the other 950 to 970 of them or 980 of them are all going to be going through the AI model itself. And it’s going to decide what it’s going to use and what it’s not. And that’s based on keywords, that’s based on frequency, and with the new AI, it actually does a much better job of reading it like a real human would and things like that. But if you can’t make it through that model, you’re never getting in front of a human.
And that is one of the things that holds so many people back when it comes to getting that first job. Because if you don’t have the experience, you don’t have the degree, you don’t have the certifications, it’s automatically going to say, “Well, this job said you must have Security+, you don’t have Security+, your resume’s gone and we’re not even going to consider it.” And I, as a human, even if you’re the best candidate and you have an equivalency like SSP, if it doesn’t match the keyword, you’re not going to get flagged by the system and it’s going to throw you right out. So those are the things you have to think about.
All right. Yeah. And just one more comment. Yeah. So by using generative AI, you’re actually upping your game because the employers have already had algorithms. You should get an algorithm of your own so you can level the playing field.
Definitely. And if you are a scripter or a coder, for instance, my CTO at Dion Training, he loves to automate anything he can. He has written a script that he has used himself. If he was looking to apply for a job, it can literally go out and scrape the web and go, “Here is a hundred different jobs I want to apply for. Here’s my master resume.” And he goes into ChatGPT using the API call, and he calls and says, “Here’s a job, here’s my resume. Give me a response.” And it gives him a response and he can post it automatically. So he can apply to a thousand jobs in a day and it wouldn’t be really hard for him. Now, he may not even know what jobs he’s applying for because the system is doing it for him and he starts getting random calls, people going, “Hey, we’re looking for a job.” He’s like, “Who are you?”
But the capability exists these days even with some really basic scripting in something like Python, to be able to scrape the web for these different job postings, create Google alerts so that when you see a job that’s posting with this particular title in this particular area that you care about, then it can scrape that and then apply for you. So there’s ways to do that. But even as a manual process, I mean you can spend three minutes per application this way using ChatGPT and having a custom resume that’s going to do a lot better work for you. So definitely recommend you guys take a look at that.
All right. Let’s go ahead and continue our cybersecurity journey by considering how to create impactful resumes. Now this clip is actually an oldie but a goodie. And it comes from the days before I actually joined your podcast, Kip. And this is back when I looked in the way, way back machine. I saw that back in episode 45, you had a special guest on whose name is Glenn Sorenson, and he is an experienced hiring manager as well. So are you. And the full interview is at yourcyberpath.com/45. But in your interview with him, you both took a real resume and then you made suggestions on how it could be improved. And in this episode, which you guys aptly called the live resume review, you and Glenn shed light on the key elements of a killer resume. So if you’re having problems with resumes, this is a great episode for you to check out, yourcyberpath.com/45.
Now in the clip you’re going to hear, we are going to hear how they highlight the significance of conveying enthusiasm and passion for the field of cybersecurity along with your ability to be able to tie together various roles and experiences that the people are going to be interested in. And now Glenn here is going to emphasize the importance of showcasing your technical skills and continuous learning through things like certifications and personal projects as well. And with that introduction in mind, let’s go ahead and listen to the clip and then we’ll come back and talk about it.
Before we show these real resumes that have been anonymized, I would like to ask you first, Glenn, when you are screening resumes, what are you looking for? What is a killer resume? When you’re going through the stack and you come across one, what are some of the things that cause it to stick out for you?
The first thing on my list is that enthusiasm and passion shine through. I want somebody that is the self-starter sort, but is really just coming from a place of, I’m really passionate about cybersecurity or about whatever specialization within cybersecurity that they’re interested in and after. That’s the biggest thing on my list. Some of the other things I look for are that there’s a higher level, big picture view that the person can tie things together from various roles they may have had before, even if they’re not in cybersecurity. I like the synthesis of job roles and information, and bringing a holistic person to bear on a job or on a job role. I also want to look for technical skills if I’m hiring in a technical role, or that the language presents itself that you might speak in a GRC role, for example. You’ve got to know that this person is capable of doing the job and someone that you can work with. So those are the things that I look for typically.
Great. When you were first talking about you’re looking for passion, I mean, what’s the example of a way that somebody can demonstrate that they have passion for the job that they’re applying for on the resume? Can you give me a couple of examples of what kinds of things on a resume actually say, “Hey, I’m a passionate candidate.” How do you do that on a resume?
I like energetic language. I like to see that a person has taken some time to craft a resume and the attention to detail that goes into this. It’s only one piece of it. The other things I’d like to see are, have you gone and pursued education, certifications, home labs? Have you done things without somebody making you do it as part of your job? That to me demonstrates that there’s enough interest and passion that it doesn’t take some external force to get you to go.
Jason, that was a great clip. Now, after listening to that one again, what really stood out to you from what you heard?
Yeah, there’s a couple of things that he brought up that I think are really important and that people struggle with. And so one of them is synthesizing the role in your own previous experience. And this is something that you and I have talked about and we use the term transferable skills a lot, right? Or the two-step. And that’s where I find that people who are in a field that’s not already in cybersecurity and they’re trying to get into cybersecurity, they sometimes struggle because they look at something and go, “Oh, I don’t have the experience for that, I can’t get that role.” It’s like, well, maybe, but you may already have experience or something that is similar or close that can get you in the door with the company in some position. And then based on you being there over time, you’re going to be able to move into the actual position you want.
For instance, we had somebody in one of our previous courses that we had that was a marketing background person and she was trying to get into the job of being a pen tester, but unfortunately she didn’t have enough experience to be a pen tester, but she had a really strong marketing background and ultimately she ended up finding a job with a pen testing firm by doing client engagements and doing training and things like that, which used her marketing skills. And then over the years she was there, she’s gained skill in the technical side to move into the pen testing and the analyst roles and things like that as well.
So I think that’s an important one, is synthesizing your previous experience and figuring out what do I do that’s important that can be carried over into the cyber world? For example, I know a lot of people who got into the cyber world that come from a bookkeeping or accounting background, which has nothing to do with cybersecurity, but it’s really good when you go and become an IT auditor because you’re used to checklists and accounting and processes and procedures and counting all these things up and all that stuff. And so those type of transferable skills I think are really important. And it’s one of the things you want to highlight on your resume because I think the other thing that people think is that your resume has to be a hundred percent fit for the job post that you’re applying for, and that’s not true. If you’re 50%, 60% of the way there, you’re close enough and you may get a shot at getting the interview and then it becomes yours to lose. So that was one of the big things I saw.
The other thing that I’d like that Glenn brought up was the idea of he’s looking for somebody who’s, for lack of a better term, a self-starter that will go out and do things on their own without being told to, and ways that he brought up that people can demonstrate this is getting your degree, getting your certifications, having home labs, doing volunteering, things like that. All of these things are showing that you’re dedicated to the field of cybersecurity and you’re investing your time, your money and your energy into it.
And going back to the idea of a degree, a lot of people think you just go get a degree and everyone’s going to give you a job. And I will tell you that’s not the way it works. In our field, degrees are not as important as they used to be, and they’re definitely not as important as they are in a career like a doctor, a lawyer or an accountant where it’s a requirement and you can’t be those things unless you have a degree. In our world, you can have a certification and experience and get a job with no problem. You don’t need a degree. A degree generally tends to be reserved for upper management levels or to establish your pay band if you’re in a government or contracting role. So that’s kind of the way I look at those things.
And then this also brings up the other thing I wanted to talk about, which was demonstrating passion, and the other thing you brought up was certifications and language. When you’re in an interview and you’re trying to show your technical skills and language, if you can’t speak the language of our industry, people are going to know immediately that you don’t belong and you don’t know what’s going on. And what I mean by that, I don’t mean language like English, Spanish, French, Japanese, that’s not what I’m referring to, I’m referring to the keywords and the terminology that we use all the time because there are things that we talk about that you won’t know if you’re a layperson. But this is one of the things that’s great about going through a certification course, when you go through a course like Security Plus, you’re going to get introduced to all of the terms that we use in the cybersecurity industry.
Now, you may not know exactly what an SQL injection is or how to perform one, but at least you’ll have known that term and if somebody asks you in an interview, “What is an SQL injection?” After going through Security Plus, you should be able to explain that in one or two sentences. And that is sufficient to be able to get an entry-level job because now we’re at least all speaking the same language. Now, if you want to be a pen tester, you better be able to perform that SQL injection. But as an analyst, you just need to be able to identify it and be able to speak about what it is and what that threat is.
So I think those are some of the things I thought about. I’m interested to hear your thoughts, especially in passion because I know there’s another episode that I didn’t bring up here in our clips, but we added a whole episode on, can you be too passionate? And I know you brought up a couple of things that could be too passionate, so maybe we should talk about those as well, unless you have something else you want to talk about, Kip.
Well, thanks for the segue. I forgot about the episode about, can you be too passionate? It doesn’t come up that often, but I’ve seen people in interview situations just go right up to that line and sometimes they actually crossed it and I was just like, “Whoa, whoa, whoa, whoa, whoa.” You’re like, “No, you’re being so passionate. You’re being unethical, immoral, or illegal. Now, that’s not your intent, but you need to stop, right?” Don’t come and tell me about how early this morning before you came to the interview that you did a thorough pen test of our website and here’s the report. Wait a minute.
We didn’t ask you to hack our site now, come on now.
No, you don’t have permission. That’s the issue, right? So you’ve just handed over to me evidence of your unlawful activity. Don’t do that, right? The way we say it in the Air Force is you’re all thrust and no vector, right? Stop.
You’re going really fast, but in the wrong direction, my friend.
You’re not controlling yourself, you’re spiraling in the sky. Stop.
Now, one thing that I’ve learned since we recorded that episode that I want to mention is I’ve talked with a lot of people who are people of our age, which is to say older than 40, and they’ve said that word when hiring managers say, “I’m looking for somebody with passion,” that sometimes comes off as a euphemism for, “We don’t hire old people.” So it’s something to be careful about. And I didn’t realize that until you and I started a course that we did, we don’t do it anymore, but it was a high touch course that we did together and we really got to have deep conversations with people who were looking to get into cybersecurity. And that started coming up as a theme, which I didn’t expect.
So ageism is real. And so just if you’re over 40 years old, you’re in a protected class here in the United States, it’s illegal to discriminate based on age. Does it still happen? Yes. Is it difficult to prove? Yes. So you just have to be really careful and cautious about that. So when somebody says, “I want passion,” here’s the thing, what I think they’re really saying, and as I listened to Glenn talk just now, I was like, “Man, I wish I had a better developed ear when we did that episode because I would’ve said this,” what Glenn’s really saying is he’s looking for people who have certain skills that cannot be taught like curiosity.
When he says passion and he was defining it as certifications, home lab, self-study, right? These are all signs of somebody who’s highly curious and they’re scratching this itch that they feel to know more about something than they were taught as part of formal education. And so really I think it’s curiosity. And Jason, I have no idea how to teach curiosity, but I know it’s a critical success factor in our work. So if you don’t show up as being naturally curious, I’m going to detect that. And some people might say, “Well, you don’t have passion,” what they’re really saying is, “You’re not showing me that you have curiosity and that you’re not afraid to use it.”
So I think it really comes back to skills that can’t be taught. I want to talk about one other skill that can’t be taught that I value and I think most cybersecurity hiring managers value, which is grit is one word that I’ve heard people say, perseverance is another word that means roughly the same thing. And so we want people who are going to tear into a problem and not stop until they either get to the bottom of it or in their professional judgment, realize that this can’t be solved with the methods and tools and know-how that we possess and we need to cut our losses and I need to go tell the boss, “Hey, if you really want me to continue working on this, okay, but it’s going to cost another 40 hours just to make an incremental improvement here and it’s probably not worth it.” Anyway, so those are the things that I’m thinking about as I listen to Glenn talk again.
I think that’s a really good point. And you brought up the idea of curiosity. And I think this is also what Glenn was trying to get at was he’s looking for somebody, if you’re trying to break into cybersecurity and you don’t have a job yet, you don’t have the experience, then what you’re able to substitute is passion, drive, grit, determination, persistence, whatever you want to call it, right?
And I have a good example of this in my own company. About a year ago, we had gotten somebody who applied for one of our jobs as a developer for our web development team, and we looked at his resume. He’s never held a web development job in his life. He’s never had a programming job in his life. He never went to college for programming, right? In fact, he came from the US Navy and he was a master-at-arms, which is a military police officer. And that’s what he had been doing for the last six or eight years. And he was now getting out of the Navy and he was looking for a job and nobody was willing to give him a chance because they’re like, “Well, you don’t have a degree, you don’t have anything to show. You don’t have a big portfolio,” blah, blah, blah.
Well, my CTO met with the guy and was really impressed by his determination, his curiosity, his passion, his grit, his persistence, whatever you want to call it and he found that this guy, basically when he was getting home from work after being a policeman all day, he would go and code for 4, 5, 6 hours. And he just was passionate and loved it. And so when he showed us some of the things he had done we’re like, “Well, you’re not there yet to be a senior developer, but we can hire you on as a junior developer and we’ll mentor you and we’ll give you training and we’ll help you.” And now he’s been on my team for a year, he’s one of my better programmers now, and he is often running on his own, but nobody was willing to give this guy a chance. And we’re like, “We’ll give you a chance because we see the determination and passion there,” and I will take five of those guys over somebody who has all the skill and none of the drive because I don’t want to have to kick you to get you to go to work every day, I want somebody who’s beating down the door like, “Oh, it’s eight o’clock, I’m ready to get to work. This is exciting. It’s another fun day of programming,” right? And that was like what we saw there with passion.
And then this brings up the other idea, which is experience, right? And this is going to segue into our next clip because one of the things we talked about is experience. And if you don’t have experience, this can be a big blocker in the cybersecurity industry because it’s one of those really hard areas when you’re looking for a job. Nobody wants to hire somebody who doesn’t already have experience because it’s a huge risk. And when I hire somebody, it costs me a lot of time, a lot of energy, a lot of money, a lot of political capital in my organization if I’m using somebody else’s budget to do it and all those kinds of things. And so this brings up the biggest question I get from students all the time, which is, “If I have no experience and no one will hire me, how do I get experience?”
It’s a paradox.
It is. It’s that catch 22 that happens all of the time. We want somebody with experience, but there’s not enough people with experience out there. Well, to get more people with experience, we need people to hire them, but nobody wants to hire somebody if they don’t have experience. And so we have this big infinite loop of nobody getting any better, right? And at some point companies are going to step up and say, “You know what?” Like I did with this programmer, “We’ll take a chance on you. If it doesn’t work out… We’ll give you six months, we’ll try to train you. If you’re running still and you’re doing great, we’ll promote you from within and all that works out great.”
The flip side of that is, as a candidate, you have to realize that if you’re coming with less experience, we as employers are taking a chance on you, you are not going to command the same salary as somebody who has more experience than you, right? And so if I’m hiring somebody who has five years of experience or three years of experience and they’re making $100,000 a year, you as somebody with zero experience, may make 50 or 60,000 a year because I have to discount your pay because you’re not going to be as valuable to me as the person who knows what they’re doing. And it’s going to take me time to build you up to there. And when you get to there, then you’ll be making that money too. So keep that in mind too as listeners when you’re thinking about this. If I don’t have experience and somebody’s willing to give me a shot, just realize that offer is probably going to be a low ball offer because they’re taking a huge risk on you right now, right?
Now, we talked a little bit more about this idea of experience back in episode 58, and we interviewed somebody whose name is Ed Skipka, and he’s actually been on the podcast I think three times at this point because his career has just been on a rocket fire trail. And every time he’s like, “Hey, this now happened,” we’re like, “Come on back and talk about it again.”
Yeah, he’s a star student.
He’s awesome. And episode 58 was the first time he was on the podcast, and this was actually titled How to Get Hired With No Experience. And this is how he broke into the cybersecurity industry and why I think it was really interesting, spoiler alert here, is that Ed doesn’t come from an IT background. He actually has a degree in music, which has really nothing to do with it at all, right? But he found some transferable skills, he used his networking, he used his soft skills, and he was able to get himself a job in this industry. So if you want to listen to the full episode, it’s a great episode, it’s over at yourcyberpath.com/58. But for right now, let’s take a quick listen to what Ed shared with us and then we’ll come back and talk about it. Here we go.
Would you tell us a little bit about your first IT job, how you got that position, and if you didn’t have any experience in your first IT job, how did you get over that hurdle?
So my first IT job was a tier two job for the government. So anybody’s got a problem, you’re there replacing software, hardware. The big catch 22, like you said, I had a friend and I count myself incredibly lucky, living on Oahu, there’s a lot of contracts around and I knew a few people, but they gave me a chance, that’s what they said. And you look for that one person to give you a chance and to endear yourself to that person that will give you a chance. I got an interview and they said, “Hey, you have a background. You already have a bachelor’s, you have no IT experience whatsoever, but we can tell you can learn things, you can pick things up quickly. And if you could find a subcontractor to our contract, hey, we’ll give you a chance, but you got to do that and you got to get your SEC plus.”
So they knew I was a straight and narrow guy who could learn, they liked me in the room. That’s always generally good. But they said, “Find a subcontractor, get your SEC plus and we’ll give you a shot. You have a 90-day probationary period. You’re going to do what you’re going to do with that.” So I talked to some people, I found a subcontractor, we went through my resume. I was coming from an educational background, I actually went to Berklee College of Music for music education. So I had a bachelor’s but no certs whatsoever. I didn’t have a SEC plus, but I had a degree and a passion for it. So talked to that person, they said, “Hey, we’ll get you on the path for whatever you need for the backend of government work, and you got to get that SEC plus.” So that’s when I started.
And Jason’s classes really helped me a lot, “You got to get that SEC plus by this date,” and I did that and they gave us a chance. And you quickly find out that Googling is one of the skills that you have to learn very quickly. But that’s how I got that first job, I had someone that gave me a chance and I had a little bit of a background and I could show that I could learn, I could pick things up quickly and that I was willing to do not, “Hey, I want this job. This is what I’m looking to get paid to do.” It’s, “I have an ability to learn. I want to learn. I’m here, I’m a sponge and I’m ready for it.” That’s how it all started.
So there’s that word again, Kip. As I was listening to Ed, I heard him use that word passion. I heard it right in the middle of his clip, about halfway through he said, “I showed that passion, they saw that passion and they gave me a chance.” And so really what I was hearing when Ed was sharing his journey of breaking into cybersecurity without having prior IT experience is how he landed that first job through in-person networking and showcasing his ability to learn quickly. Ed’s story really to me underscores the significance of finding somebody who’s willing to give you a chance and demonstrates this general passion for learning and growth.
The other thing I thought was really interesting was how his degree really didn’t make a difference for him because his degree was in music and not computers as I said before, right? And so his being willing to go out and get certifications and demonstrate that passion and meet the minimum contractual requirements for the position he was going into was really important. And you probably heard him say several times, “Security plus, security plus, security plus,” why did he mention it so often? Well, he even mentioned he’s in Hawaii, he’s on the island of Oahu, which is where Honolulu is, and there are numerous military facilities there. The job he was being hired into was as a field service technician, which is a level two job, and a field service technician job is the one who goes out and touches the computers when things break, right? They’ll replace your keyboard, they’ll replace your monitor, they’ll make sure you get back on the network, and that way the remote engineers can log in again and fix whatever needs to be fixed. So it’s a very low level IT job.
But the great thing about that position is he did it for about six to nine months, and while he was out there working in that position, he was using his soft skills and his networking skills, and he ended up finding a cybersecurity analyst role. And that’s why he came back on the show back in episode 70 some odd to tell us about how he moved from this field service role into a cyber role because he was able to make that two-step into that technical role and then into a cyber role. And he was leveraging his in-person network, he was leveraging his relationships, he was leveraging his friends and people who were willing to take a chance. And so really his success was due to soft skills and people liking him in the room and giving him potential as a future employee. What do you think? As you were listening to that, what came to your mind?
Yeah, first of all, it sounded like an echo of the previous clip in the sense that I thought about skills that cannot be taught was a big part of what Ed was mentioning, right? So he demonstrated that he has learned how to learn. I can’t teach that. I cannot teach somebody to learn how to learn. You’ve got to show up with that because I just don’t know I need that because everything is changing, cybersecurity’s changing all the time. Every time a new technology shows up, we have to change, we got to figure out how do you secure this thing? Is it like anything we’ve ever seen before? If it isn’t, what do we do here? And so there’s much self-learning, another crucial skill that I cannot teach.
There’s another skill that he talked about too, which you said soft skills, but I want to put a finer point on that. He showed empathy for what the hiring manager needed. He really listened to them and figured out what this person really wanted a successful person in the job to do and he either was able to show them that he had that now or that he could get that quickly. And I think that was a big part of why they were willing to give him a chance is because they said, “This guy gets us. He understands what it is we’re trying to do here.” And that empathy, I can’t teach empathy, I have no idea how to do that. But if you show up with empathy, I can tell and I like it. And this translates into something else that we say a lot, which is people like to work with people that they know, like and trust.
All right. Empathy is going to get you so far down the road of being known, liked and trusted by hiring managers. And I think that’s another thing Ed was just really good at was showing up and doing it in a way that he made himself a little bit vulnerable and people like that, and so that got him to be known and trusted enough to be able to be given that break.
Now, I also want to say that this is rare. It’s rare for you to find somebody who will give you a break like that. And why is that? Well, it’s because most employers are so risk averse to a mishire that they won’t even risk it. And a mishire is an awful, awful thing, not just for the employer, but for the employee. If you’ve never been mishired as an employee, count yourself lucky, because I can’t imagine very many situations that are worse than starting a new job, I’m all freshly scrubbed and ready to go, and 60 days into it, they go, “This just isn’t working out, we’re going to have to let you go.” How do I explain that? Right? That is an awful thing, now it’s a little black cloud following me around as I try to get a new job. Oh my gosh. I wouldn’t say it’s the kiss of death, but it’s awful to try to explain that, you don’t want that.
Well, especially in the government contracting world too, right? Because let’s say I wasn’t in Hawaii, but I took that job, now I moved me and my family out to Hawaii for this job, and 60 days later, you fire me. Oh, crap. Now what am I going to do? I moved out here for that job. I was all the way in Florida, I moved halfway around the world, and that becomes a big issue too.
And then the other thing I wanted to point out is Ed was very lucky they were willing to take a chance on him, and they were willing to make him an offer before he had his security plus. And the reason this is so critical is because in the government contracting world, when the government writes the contract, it says, “Okay, I need 50 people to do this job and here’s the requirements,” and one of those requirements is what certifications they’re required to have. Security plus meets about 70% of the DoD 8570 requirements, which means about 70% of the positions require that certification. So if you don’t have it and they hire you in as a contractor and you can’t get it within six months, they are required to fire you. They cannot keep you on past six months because you’re no longer authorized to do the job.
And so most government contractors will not even hire you if you don’t already have your certification because they’re afraid that you either won’t get around to it, you’ll be too busy, you might not be smart enough, and you’ll fail the exam, whatever the reason. If you don’t get it, they now have a mishire because even if you’re doing great work, they legally cannot keep you on the contract and they’ve got to fire you.
This becomes really important when you go into those other 30%, which is where you have to get the cybersecurity analyst type certifications like CySA+, PenTest+ or CEH, which are harder than security plus, or if you’re in an IAM, which is an information assurance manager, level two or level three, which requires a CISSP. The CISSP is a certification that only about 15 to 20% of the test takers who take it will pass on their first time. And so I’ve seen many, many more people who have gotten fired from their jobs because they couldn’t get that CISSP done in six months. The average study time to get a CISSP is anywhere from three to nine months. So six months is a pretty tight window on that, and most people who take it, even those who pass, will tell you it’s probably one of the hardest exams there are in IT, and so if you’re going to apply for jobs that require it, I will tell you, most employers will not take a chance on you unless you already have it.
So study and get those certifications first because it does de-risk it for the employer. And now they’re just worried about, are you a good cultural fit and can you learn the job, not can you pass the test or I’m going to be required to fire you?
Right, right. Now on this topic, let’s go on to the next clip that we want to play. So what we want to do now is focus a little bit more on, what is the role that certifications, degrees and experience plays? And we want to do this by playing you a part of the discussion that we had with John Strand. If you don’t know who John is, he’s the owner of a small business called Black Hills Information Security, and his company specializes in penetration testing, active defense and threat hunting team services.
Now, John’s an amazing leader of people in the information security industry. He’s an experienced trainer. He’s taught for the SANS Institute and also for FBI, NASA, NSA, and he does webcasts, he does pay-what-you-can training. I mean, he’s amazing. And during our interview with him, which happened in episode 61, so just like all of our episodes, if you know the episode number, you can just type in yourcyberpath.com/ and the episode number, so put 61 in there, and you can check out the whole episode. But we talked about what is the relative importance of degrees, certifications and experience in the hiring process because he is an experienced hiring manager as well.
And John, as I said, has this unique training system where for a lot of the courses that they offer, they have what they call a pay-what-you-can model, which is super cool because it’s helping to change the game because they provide super high quality hands-on live training, but they’re doing it at an extremely affordable price point, which is his way of saying, “I’m going to give you a chance, I’m not going to charge you $2,000, $5,000, $8,000, I’m going to cut that down to zero if you need to, and I’m still going to share with you what is valuable for you to know practical things.”
So in the episode that we’re going to clip for you, he says that while he believes formal education and certifications are valuable, they’re not the sole determining factor for success in our field. He thinks the emphasis is on practical skills, problem solving abilities, and a holistic understanding of cybersecurity. I really love this episode. Let’s take a quick listen to what John shared about his pay-what-you-can model, and how it helps to increase diversity, and why diversity is so important in our career field.
I am actually really surprised that you guys started out with live, being that you’re doing a pay-as-you-can model. Normally, the whole goal with a pay-as-you-can is try to get your cost as low as possible, so you can put this out and scale it to as many people as possible. Doing that live is really hard, because you got to pay for that instructor. And these guys are expensive, because they’re qualified and they know what they’re doing.
That’s one of the fun facts. We have former SANS instructors that are doing this. My big brother, Chris Brenton, who taught the firewall perimeter protection class at SANS and was a fellow, he does his class pay-what-you-can. Josh Thayer, who taught all kinds of classes in Python for SANS and myself are doing it. Couple other things, one, guys, the energy of teaching 3000 people, and they’re all on Discord, and then they go onto this, it’s this weird thing where “We’re going to make John laugh with SpongeBob SquarePants memes,” while I’m teaching. I’m getting choked up thinking about it. It’s magic.
And when we started the pay-what-you-can, we started it and it had a lot to do with scholarships. It had a lot to do with diversity. So we’re always fighting this thing in the industry of how do we get more diverse people, different race, religions, sexuality, color, whatever, because diversity of thought is important.
And no one ever really talks about why. Everyone’s like, “Diversity is important.” Why? And they’re like, “Because I saw it on a bumper sticker.”
But the reason why diversity is so important is because, I’m just going to use some examples. Look at music. If you look at pop music, it sucks. It’s bad. If you look at any huge explosion in music, it’s always a fusion of different things. You’ll take Celtic music and you’ll fuse it with African blues and you start coming out with harder rock and roll, or you do a lot of acid and you come out with Pink Floyd.
But the point is, whenever you have diversity in art, whenever you have diversity in music, you come up with things that you didn’t even know could exist and you can solve problems. So with diversity, everyone’s like scholarships, and that’s great for the people that get the scholarships. Doesn’t change the damn game at all.
You give a few scholarships to people of a certain group or whatever, and then you do the photo op, look at us, we’re diverse. Doesn’t change the game.
But when you do pay-what-you-can, wherever you’re coming from, wherever, socioeconomic status, whatever, race, religion, creed, sexuality, whether you’re coming out from the mountains of South Dakota and you haven’t taken a bath in weeks, or you’re coming from the inner city in Chicago-
And haven’t bathed in weeks.
It’s always about money. Always. The gate is money. We remove that gate and dammit, let’s change the game. But the weird thing is, getting to your point with this long-winded round thing, and I had a point, I’m sorry, I just kind of forgot it for a second, but the point of all of it is, when we did that and we got those thousands of people, I made more in four days than I did in an entire year of teaching for SANS.
Which is no small ticket item.
No. There’s a big difference between what you pay and when instructors get paid.
Let’s not get into that. But the point of it is, we found by doing that we were actually still able to make money. But like you said, it’s a scale game. How many people can you get in and what’s the average per seat? And honestly, we started, it was like, I think it was averaging like $20 or something like that per student. And what happened is we had a whole bunch of people that took it and they’re like, “I feel really bad because I didn’t pay you anything. Can I come back and pay?” And I’m like, “Yeah, absolutely not a problem.” And now we’re averaging about a hundred to $150 per student is what we’re making on some of our classes. And that’s not huge money, but dude, if it changes their life and it helps keep the lights on, let’s keep doing it. That rocks.
All right. Jason, I know that you have a lot of opinions about this clip because you are someone who runs a training company, so you’re on the same thought pattern as John. So what do you think about this pay-what-you-can model that John is operating?
Yeah, I really love his pay-what-you-can model, and I really do resonate with his comments on by doing a pay-what-you-can or a very low cost model, you can really increase the diversity in the workforce because it is such a big problem that money becomes the barrier. And that was one of the problems, if you go back about 10 years ago, I think back when I got into cybersecurity back in the late nineties, degrees weren’t required at all. And then from around 2010 to like 2020, everyone had to have a degree to be in cybersecurity. And that really priced a lot of people out because you had to go to college to go get a four-year degree that’s going to cost you 50 to $250,000 to go get a job that’s starting out, going to pay you 50 or maybe a hundred thousand dollars.
And it becomes this huge burden. And if you don’t make it through school and you can’t get a job or you do make it through school and you can’t get a job, you still have a quarter million dollars in student loan debt. And so that becomes a huge issue and, like he said, there are scholarships out there for LGBT, there are scholarships out there for people of color, there’s all sorts of things out there, but that only helps the five or 10 or 15 people who get it. It doesn’t help everyone and it doesn’t make a huge change in the industry. I saw this myself in my time in the military as we tried to institute diversity programs over the last 20 years that I was in, and even the 20 years before that, which was the big diversity push. If you go back to the seventies, there weren’t a lot of people of color, or a lot of women even, in the senior ranks of the military.
And so when it came time to promote, they were promoting people who looked and sounded like them. And so you saw a lot more white guys being the leaders. And it took about 40 years to make that shift. And a lot of it was there was quotas put in place, there was things to help give an advantage to more of a diversity thing to increase that. And what we saw was after that was done for about 10 or 20 years, they were able to stop those programs and diversity kept going naturally because now there were people that looked like them in these higher places of leadership. And that’s one of the problems we have in our field. When I first started doing teaching in cybersecurity, I was working with an organization called Women’s Cyber Jujitsu, which is a nonprofit out of the Washington DC area.
And their whole goal was to get more women into cybersecurity. And oddly enough, they hired me to come in and teach some classes to help get women certified and get them into cybersecurity. And so I’m the only guy around the entire place when there’s a bunch of women students and a bunch of other women instructors, which was kind of strange for me being the minority in the place. But the reason that I was interested in helping that is I have women in my own family, including my daughter and things like that, and I want to see them have a chance to succeed as well. And one of the big problems is when we looked at it when we started in 2014 doing that, when I worked with them, only 9% or 11% of our field was women. So it was like basically if you looked around the room, nine out of 10 people were white guys and old middle-aged white guys too, to be quite honest, that looked like me and Kip, balding white guys and stuff like that.
And so that was one of the things. And now in just the last nine years that they’ve been around, that number has gone from nine to 11% to something more like 20%. So I’ve almost doubled the amount of women, but women are still a very large minority in our space, and so are people of color and other things like that. So anything we can do to bring that diversity really does help. And I’m a big proponent of diversity because of my time in the military and working with people of all different races, nationalities, creeds, sex, religion. And I do see that when you come from different backgrounds and you have different life experiences, you bring different solutions to a problem. And having that diversity of thought, especially if you’re working in a cyber analysis unit or you’re working with an incident responder or a malware analysis or a pen tester, being able to think outside the box and having that different background really does make a big difference.
So I’m a big proponent of it. And speaking specifically to the pay-what-you-can model, we’re comparing John’s training to something like SANS, the average SANS course costs about $8,000 for a three to five-day course. Now it is world-class amazing training, but it’s stupid expensive. I’ll tell you personally, I’ve never gone to a SANS course because I just can’t justify it to myself to spend $8,000 on it when I can go on Udemy for 20 bucks, when I can go on YouTube for free, when I can get a textbook for 15 or $20, even though they have world-class training. Now, John’s stuff, as he said, is pay-what-you-can, so I might go in there and pay a thousand dollars. Kip might go in there and pay $5. Somebody else might go in there and pay $3. It depends on where you’re coming from and what you can afford.
But if we all are chipping in something overall, as he said, his average was $20 per student or now he’s up to $150 per student, or as he’s done this for a while, and I don’t know what it is now, but we talked to him probably six months, nine months ago. But as long as they’re able to make money and still be able to afford the instructors, they can then provide this training out there. Now, my training business, I do it on a different model. We don’t do pay-what-you-can. We do charge a price for everybody, but we charge a very low price for everybody. And we essentially have two different products that we do. One is on Udemy, which is usually 10 to $20 on sale. And if you want to get your security plus you can go on Udemy and get my course and for 20 bucks you’ll have everything you need to pass.
Or on my site, we have a premium, more expensive version that’s about 350 to $400. And it’s essentially the same videos and practice exams you’d get on Udemy for that $20 per course, but we put them together and we add a textbook and we add 40 hours of hands-on labs and we give you a pass guarantee. So on our site, if you fail the exam, we’ll buy your voucher to retake the exam, which is $392. So it makes that $350 to $400 course a little more reasonable when you’re getting that kind of a backup and that guarantee. But the real difference is we’re giving you the hands-on live training in there, whereas we aren’t on Udemy. Udemy is just a scale thing because I’ll be honest, we make a couple of dollars per student on Udemy.
That’s the way that business model works. But if you do that a hundred thousand times, you’re helping a hundred thousand people and it adds up. And that’s kind of the way that that model works. So my whole goal with training is as cheap as possible, as good of quality as possible so people can get what they need. And I don’t think you need to sit in a classroom for five days to get live training and pay $8,000. You could probably do it with an online program for less than a hundred dollars and still get great training. And that’s what John’s doing, and that’s why I really love what he’s been doing. My long diatribe, sorry, back to you, Kip. Yes.
No, listen, it’s great to hear your perspective because I don’t run a training company. I can’t give that perspective. But the perspective that I can give and want to give right now is around diversity. Now, let me tell you what the hiring manager perspective on diversity is. You’ve kind of talked about it, but I want to, again, put a real fine point on this. Diversity of thought in my world means higher quality problem solving ability for my team. That’s the true value. What’s the business value of diversity? I believe that is the business value of diversity. Now, other people can come along and say that there are social community benefits for diversity. That’s fine. I got nothing against any of that. But I think that there’s a real business value piece here, and I just want to make sure that y’all understand what it is because that’s the part that’s really not talked about that much.
But that that’s I think where most hiring managers, that’s where their heads are. Now, there’s another thing about diversity of thought on a team that I also have to mention because this is something, again, I don’t hear people talking about this, this is really, really important. The reason why people who are hiring managers tend to build teams that contain people that look and think exactly the way they do is because it takes no emotional immaturity to build a team like that. In other words, there’ll never be any conflict. We’ll never disagree with each other. It’s the easiest experience in the world. It’s like going to the clubhouse every day where everybody thinks the same way. We’re never going to clash, there’s never going to be disagreements, and we’re just going to have a fun time being around each other. When you’re on a highly diverse team, it’s not like that.
There will be clash. There is going to be conflict. We’re not always going to agree. And if we don’t have a sufficient amount of emotional maturity to be in a conversation like that, the team is going to fly apart and it’s not going to last. So as a hiring manager, I can tell you that when I’m building diverse teams, I’m not just looking for diversity, I’m looking for emotional maturity. People who can stand to be challenged on something as important as a core value because we’re trying to have high quality problem solving in action. And if you get your feelings hurt over that, well, you’re not going to do well on a diverse team. So I want you to think about that before you get the opportunity to join a diverse team. Ask yourself, “Can I handle this? What’s it going to take for me to handle this?” Because if you get in there and you can’t handle it, that’s a mis-hire. You’re not going to have fun. No one’s going to have fun if that happens.
And I’ll tell you, I’m 43 years old now, and when I first got in this industry, and I started doing this 25 years ago, I was in a lot of teams where everybody looked like me. They were all, well at least looked like me now, middle age white guy.
And they thought like you.
And they all thought like me because they came from that type of middle class upbringing. And it was about 10 years ago, I was in a course when I was working for the government and I was going through National Defense University and I was in a class and we were talking about why diversity is important and I was like, “I don’t agree with you guys. I think it’s not important. It doesn’t matter. We should just pick the best person for the job.” And we were having the discussion about colleges and scholarships and why should we have a scholarship for LGBT?
Why should we have a scholarship for left-handed people? Why should we have a scholarship for people of color, whatever it is. And again, being that I was brought up in a middle class white home, to me, I felt like this is something we don’t need. It should just be whoever’s got the best score, they should get the job. And after working with people of other backgrounds and colors and nationalities, they helped me see why it was important. Because yes, I understand the way you think and you feel like by giving an advantage to a person of color, you’re now disadvantaging you the white guy. But that’s not really the case because you have now had a couple of hundred year head start because of all the things that have happened throughout US history, and there’s lots of badness that’s happened to both the indigenous people of color, black folks, African-Americans, even Hispanics and immigrants nowadays. We see this all the time.
And so a lot of people would bring up, and again, I was a [inaudible] middle-aged white guy thinking, “Well, why should we give an advantage to somebody because of the color of their skin or because of their sexuality?” And the reason is because we need those people to get up into the hiring manager levels so they can hire other people who look like them as well and increase this diversity. And that’s what we’re starting to see happen now over the last 10 years or so that I’ve really been paying attention to the industry, it is getting more and more diverse. And that is a good thing because of diversity of thought. And just because somebody has a lower test score doesn’t mean they’re going to be a worse employee. It just means they may not be a good test taker because they’re not used to it.
And you think about getting into college, I know you’ve got kids in school that will one day be going to college, you have another child who’s already gone through college. Same with me. My kids are now out of high school on their way to college and they have to take the SAT and the ACT. My kids are going to do better than the average kid because I can afford to put them in SAT prep courses, for instance. And so they have that leg up and that advantage. And so somebody else who may be even smarter than them might score less on the exam because they haven’t gotten those materials and they haven’t had that chance. So that’s one of the things that when I started getting into it really kind of changed my thought process. And I will tell you, my company, Dion Training, we are a very, very diverse company.
The funny thing is, most of the videos, you see me on screen, I am one of three white men in the company and we have 25 people in the company. My leadership team, the COO, the CEO, both of them are people of color and they both happen to be women. My whole team is.
And they’re excellent.
And they’re both amazing. And honestly, the CEO that I’ve replaced myself with, she is 10 times the CEO I’ll ever be and so I’m very glad to have her on board. And things like that, I look around and if you look at my instructor pool even, there’s five of us as instructors, there’s two white guys, everybody else has people of color, whether black Arab or whatever else we have. And I think it’s important because it allows our students to relate. It allows them to have better content. And honestly, as a small company, I can’t compete with the big guys. And if the big guys are going to overlook the diverse talent, I’ll pick them up because I can afford them.
And they’re willing to take a chance with me.
And so those are the things, as a hiring manager, that I look as well is this is a talent pool that a lot of people will overlook. And I think you find great talent there. Anyway.
So let me just say one more thing about diversity. So Cyber Risk Opportunities, we’re a small company and one of the dimensions of diversity that we’ve put into place is intergenerational. So if you look at the cross section of my company, I have a baby boomer, I have a Gen X, which is me, I have a millennial, I have Gen Z, I’ve got representatives for all those generations, and they all bring completely different value systems into work. I’ll never forget one time when I had somebody in my Gen Z cohort talk about the importance of not working on a particular day. They didn’t want to work that day. And my boomer freaked out.
What do you mean you lazy Gen Xers? Get back to [inaudible].
It was kind of like that. And I was just sitting there listening to this clash, and I had to play mediator a little bit. Look, just because it doesn’t match your value system doesn’t mean it’s wrong. You got to be more tolerant than that. And it’s gone back the other way too, but it’s okay because sometimes the boomer says stuff that it’s exactly what we needed to hear. So I just wanted to say that it’s more than just what color are you or whatever, these surface things. Sometimes it’s just, hey, you come from a different time and you can share things that people that are younger would have never experienced.
Yeah, same thing on our team. Like I said, we have about 25 people right now, and we age from 16 to 56, I think is our oldest employee right now. We have men, we have women, we have trans folks, we have LGBT folks, we have white, black, Hispanic, Asian, anything you can think of is pretty much represented in our company. It’s not like I had a quota. I said, “Okay, now I need to hire a person of color and now I need to hire a female, and now I have to hire a gay person.” They naturally were the best candidates and we chose the best candidates and we didn’t care and they’re all comfortable there because we all don’t care. And we’re like, we just want you to work and do a great job.
You also have time zone diversity.
Language diversity. Culture diversity. I think you can ring every single bell that anybody can think of.
About half my staff is in the US and half my staff is outside the US. We’re spanned across six different countries right now. And we do that specifically for lots of different benefits, including the diversity of thought as well as diversity of time zone because it allows my people who are in their daytime in the Philippines, for instance, if you send an email at three o’clock in the morning my time, I’m not answering it, but there’s somebody in the Philippines who will, and when they’re sleeping, my team in the US is answering those questions. And so we have the ability to follow the sun and things like that because we have a large user base and we need to be able to support them all. So all those things go into diversity. It’s things to think about. And when you’re talking with a hiring manager, diversity is important and it’s not just a talking point or a bumper sticker. It is something that we really do need to get our arms around as an industry.
Right. I think I’ve beaten that horse. Sorry, that’s one I can talk on for hours, but I’m going to keep us moving because I know we’ve got a couple more clips to get through.
And I apologize for this being a really long episode, but hopefully you guys are finding value in this. All right, the next thing I want to talk about here is really as we talk about that, the bottom line is really for us to find ways to break down those barriers to entry. And one of those is use these pay-what-you-can models using diversity and removing the financial barriers for individuals who are trying to get into cybersecurity, whether that’s through certifications, degrees, experience, or whatever. And by embracing this diversity, we’re going to be able to foster innovation and approach problem solving from unique perspectives that result in better outcomes.
Now the next clip we’re going to talk about, we’re going to talk about money, which is everyone’s favorite subject, and more specifically negotiations. Now this comes from an episode, episode 74, so yourcyberpath.com/74, and the episode is called The Top Five Mistakes People Make When Negotiating. And in this episode, we didn’t have any guests. It was just me and Kip talking about our top five things that we see people do that cost them money. And the really bad thing about negotiations is when you screw this up and you get yourself $10,000 a year less, it’s not just a one-time hit, but it’s every year for the rest of the time you’re at that company. Because most of the time your raises are going to be based off your base salary plus 3%, plus 5%, whatever. And so if I’m paying you a hundred thousand plus 5% per raise, you’re now making 105,000.
But if I was only paying you 90 and I gave you a 5% raise, you’re now only getting $4,500 extra instead of 5,000. It just cost you an extra $500 per year when you got that raise next year. So that’s why negotiations have become so critically important. And so in this episode, Kip and I were covering the top five mistakes that we see people make all the time. And so if you’re getting ready to negotiate, definitely go back and listen to this episode. But for this clip, we’re really going to talk about the fact of how negotiating for a job can be really challenging. And we really try to bring up ways to help you earn more over time by coming up with the right compensation package. So let’s listen to some advice that I actually gave in this episode, and then we’ll come back and hear what Kip thinks about what I said.
Just like to think about when it comes to negotiation, whether you’re negotiating a salary or you’re trying to buy a car or a house or something like that, the person who has the most information wins. That’s what it is. It really comes down to that. So as we said, number one, the employer already knows what their pay band is. They already know what they want to pay. They already know what other people in your industry are paying. And now it becomes a matter of figuring out what are you willing to accept to do that job if they like you? And usually we talk about this in our course as well, when you get to the negotiation phase, generally the job is yours unless you are just so unreasonable in your negotiations and you guys just can’t find common ground, if they come in and say, “I’m going to pay you $20,000 a year to be a cybersecurity analyst,” you’re going to say, “Nah, thanks. I’m going to go elsewhere.”
Because if they’re saying 20 and you’re saying a hundred, there’s no way you guys are going to meet in the middle, you’re just too far off. But if you said a hundred or they said a hundred, you said 120, you guys can probably find some middle ground and make it work. And if not, you’ll go find another job somewhere else. But generally that’s what you see. So when it comes to putting out a number, you don’t want to be the first one to speak. I’ve had a lot of people, I’ve been talking the last couple podcasts, we just hired a bunch of people in our company. We’re up to 19 people, and most of the people that we’ve interviewed with have done a really good job of when I say, “What would you like to make for this position?” Of not throwing out a number first.
As an employer I hate that because it makes my job harder. But for them, it’s great because if they throw out a number, it could be significantly lower than what I’m thinking. And so you just never know what their number is. I always like to go in with, let them give you the number first. It’d be great if the job position actually set a salary range, but that is very rare and very uncommon. I’m seeing a big movement in the HR community and from the employees’ community pushing on HR to say, “Look, if you’re going to post a job out there, you really should give us a pay band. I should know when I’m going to apply for this job if this is a hundred to $150,000 job or a 25 to $50,000 job because if it’s 25 to 50, you’re wasting my time and your time having me apply for it because I’m not going to take that job. From a hundred to 150, then that’s in the range that I’m willing to accept and I’ll take that job.”
And so as we make this change in HR, I think it’s slowly happening, but still today, if you go on LinkedIn, most jobs are not going to tell you what the pay range is.
All right, Kip, so what stood out to you in that clip? With my little diatribe?
It was a great diatribe. I really liked the things that you emphasized. Information, that there can be unequal information in the parties that are in this negotiation, and the one with the more information is going to win. And so guess what? Employers almost always are winning at who has more information, who has better information because as a candidate, you can go out to Glassdoor, you can go to all these places and try to gather some salary information. It’s rubbish compared to what employers have. Employers have very high quality salary information because they, actually most of them, buy a subscription. They’re the bigger employers now, but they subscribe to salary surveys. And the reason why they’re accurate is because if you buy a subscription, you’re obligated to upload to the salary survey company all the money that you’re paying to your workforce, and it’s got to be sliced and diced in a way that they could add it to their massive database. And then you’ll get a report back that shows averages and regionality and all that stuff.
So employers are killing it when it comes to information asymmetry, is kind of what we call it. They’re always going to have more information. So what you have to do, what we tell people is don’t say the number first. Get them to say the number. And the way that I tell people to do that, we’ve said this before, is you need to ask the employer, what is the market rate for this position? What is the range that you’ve established for this job? And they know that because again, they’re subscribed to this pay information and it lets them have that advantage. So you just need to ask them for that. Now, a lot of times they will say, “Hey, what did you make at your last job?” as a way of anchoring the conversation about what they’re going to offer you for the job that you’re interviewing for. And as an applicant, never fall into that trap. In fact, that is such an unequal situation that in many cities, counties, states in the United States, it’s illegal for an employer to ask you about your pay history, including your current pay. So never go there, even if it’s not illegal where you live, don’t ever tell an employer where your current salary is or your history. Just focus on the market rate and that is going to help you deal with this information asymmetry. That’s what really stuck out to me, Jason. Now that you’ve listened to yourself again, anything new?
I was just going to say, based on what you just said, one of the things I wanted to bring up was the fact of when we talk about this pay range, and the fact that sometimes they’ll try to get you to say what your current salary is. Here’s why you really don’t want to do that, right? Again, I’m coming from the government contract world, but a lot of times we have the same contractors fighting over the exact same employees. And so there are five different contract companies out there, and they all want you if you already have your clearance and your experience and all that kind of stuff. And so if I said, “Oh, Kip, I want to hire you. What are you making now?” And you’re like, “Oh, I’m making a hundred thousand.” I’ll go, “Okay, well I’ll pay you 105. I’ll give you a 5% bump if you come to me.”
And you’re like, “Oh, that sounds great,” and you come over to my company, now you’re at Dion Consulting. And then somebody else comes over and says, “Oh, would you come work at Boyle Consulting? What are you making now?” “I’m making 105.” “Okay, I’ll give you a 5% raise and you can come over here and you’ll make 111,000.” And you may have been with me for a year now you went back over there and so you’ve been making these 5% bumps, which sounds great. And generally what I see is if people stay with the same company, they’re going to get about three to 5% per year. But I will tell you in the DOD contracting world, I’ve seen some people that jump jobs and they will go up 20% or 30% or even 40% in pay because they’re using the techniques you just mentioned, which is don’t tell them what your salary is.
Because it doesn’t matter if you’re making a hundred right now, if the position they’re hiring for is going to hire at 140. Because you may have been at the same company for the last three years and you’ve only been getting 3% pay raises, but I could tell you the last three years, inflation’s been higher than 3%, and I know at my company we gave everybody a 10% raise the last year because inflation was so high. And so if you’ve only got 3% per year, which is what most employers were doing, you’ve actually fallen behind over the last three years significantly versus what market rates are for new employees. And so by throwing out that number first, you’re going to end up shooting yourself in the foot. So don’t do that. Second thing is when they talk about ranges, ranges are a dangerous thing. People love to throw out ranges, but when people throw out ranges, they throw them out differently. Okay?
Let me make an example of this. Kip is the hiring manager. He tells me the range for his position that he’s budgeted is 120 to 150. I’m the applicant. What did I just hear? I just heard that this company is willing to pay 150. What did Kip hear? He said, “I’m willing to pay 120.” Because we have a different thing. I’m hearing the highest number that I’m going to get, he’s hearing the lowest number he just offered. If I went into Costco to go buy a jug of milk and they go, “Well, this jug of milk is anywhere from five to $7.” I go, “Well, which is it?” And they go, “Well, we want $7.” I said, “Well, I only want to pay five.” And I want the lowest, they want the highest. And so we then have to negotiate and get into the middle. And that’s what happens with the pay range. If they tell you 120 to 150, you’ll probably end up somewhere around 130 to 140. It’s going to be really hard if they tell you 120 to 150 that they’ll actually pay you 150. At least that’s been my experience.
Yeah. And it’s unreasonable. And it’s unreasonable for you to expect that for a bunch of different reasons. We don’t have time to unpack right now, but I’ll just say the shortcut is, you want to aim for the 50 to 70 percentile of that range. So whatever they tell you, just calculate what’s 50%, what’s 70%? That’s your goal then. And yeah, we can unpack why later on. Trust me, there’s great reasons for that. You probably don’t even know, but there you go.
So we just said that range, if you know the range is 120 to 150, then you should be expecting somewhere between 130 to 140. That’s probably realistic. You shouldn’t be at the bottom of the range, you shouldn’t be at the top of the range, but it’ll be somewhere in the middle. And some of that doesn’t apply if you start going into government positions because they have a whole pay scale and contracts and all that stuff that tells you what rate you are and all that kind of stuff. But that’s another story for another day, and I think what we’ll do is we’ll move on to the next clip because otherwise we will beat this dead horse forever. But that’s definitely a great topic for another show in the future. All right, let’s move on to our next clip. On this clip, we’re going to be focusing on succeeding in your first 90 days on the job.
And back in episode 93, you and I were actually guests on a webinar for the cyber wide panel as part of their LevelUp Series with ISACA. This is actually located at yourcyberpath.com/93. It’s another longer episode, it’s about an hour and a half because it was a live session that we had. And then we did a bunch of open Q and A. And this clip we’re going to play is actually from that open Q and A. During the webinar, we discussed all the different things you could do to stand out to your new employers during your first 90 days of the job and really level up your career.
Now, this clip though isn’t actually focused on the generic things you can do during the first 90 days, but instead, it was a question that was asked about, “Is programming important in cybersecurity?” Because a lot of people here, you got to be a programmer, if you’re not a programmer, if you don’t know Java, you don’t know Python, you’ll never get a job in cybersecurity. And a lot of people are like, “Well, cybersecurity is not for me then.” Because they are afraid of learning how to code. And so here, I want you to be able to hear what Kip and I said in reference to this question, and then we’re going to come back and talk about it. So here we go.
Shifting gears a little bit, what about programming? Should I be worried about programming in addition to these search the hand theory? And where does that fit into all of this when I’m trying to break in?
So that depends on-
So I can tell you I don’t do a lot of programming these days. I really haven’t in the last 10 or 15 years with the exception of I oversee my development team at my company. But I will tell you the only role that really digs into programming a lot is a pen tester. Security analysts don’t really do it as much. Maybe a little python scripting here and there to help you go through logs. But most of these things now have such good single pane of glass tools that the front end interface, you could just query what you want, things like Splunk and maybe Elasticsearch and stuff like that. So it’s not as important as it used to be. You don’t have to be a computer science major to be a cybersecurity person. You don’t have to be a math wizard to be a cybersecurity person. It’s not like that.
Most of the stuff that we do as cybersecurity people, especially at the entry and mid-level, is using tools and knowing how to operate those tools properly. You’re not being asked to create the tools and define your own thing. The exception of that might be a pen tester where you might be asked to write your own exploits and then you need to be able to code. Or if you’re a web application security person, yeah, you’re going to need to understand JavaScript because if you’re reviewing somebody else’s code, you have to know what you’re reading to be able to figure out how to break it. So there are roles where for me it is important, but it’s not as important as people make it out to be, quite honest. Kip, what are your thoughts? You look like you disagree.
Well, so I just want to share a couple of things. One is that you will hear a lot of very militant, highly technical cybersecurity people say that Jason’s as wrong as he can be. He couldn’t be more wrong. And if you can’t program, you suck and you don’t belong. Don’t buy into that. Okay? Having said that, I will tell you that if you go to work at a company that uses infrastructure as a service and they’re using Terraform or anything like that, then you’re going to have to get comfortable scripting at the very least. Because that’s how you’re going to actually implement your controls, is by scripting different parts of the infrastructure to be built. And so I think scripting at a minimum is likely if you’re going to work on a blue team in a heavy IT role. You can work in a GRC role or you can work in a people management role, or you can work in a cybersecurity project manager or program manager role, and you won’t have to deal with programming or scripting at all.
All right, we are back. So the question was, is programming really that important in cybersecurity? And it sounds like we both kind of agreed that some level of programming is okay, at least at a scripting level, but honestly, it’s not the end all be all. And if you’re not getting scripting and you’re not getting coding, that’s okay. Just don’t become a pen tester, go become an auditor or something else. And there’s things you can do in this field that don’t require you to become a programmer. And that’s why I talk to high school students like, “Oh, I’m going to go to get a computer science degree because I want to become a cybersecurity analyst.” And I’m like, “Well, those two things are not the same. A cybersecurity degree is different than a computer science degree because computer science is all about programming. And the guy or gal who’s going to be building these tools, not the one using the tools.” And that’s why I see the big distinction between the two. What about you, Kip?
Well, I think we said this, but I want to get the language as precise as possible. It’s job specific. So you have to read the job postings to find out how much the employer wants programming or scripting experience. And really, I think that’s kind of the bottom line is, what does the employer define for that position? So don’t listen to anybody more than you are paying attention to what the job posting actually says. And then the other thing is, I talked about infrastructure as code in this clip, and I just want to say that I’m just seeing more of it.
As we’re working with customers, we just see more and more and more infrastructure as code, and that’s a trend I don’t see slowing down or abating in any way. So if you don’t understand infrastructure as code, you need to get out there and mess around with it a little bit. At the very least, you need to be able to talk about it because it’s just going to be so pervasive in everything we do.
Most definitely. Yeah. And I think what you said there is probably the most critical thing we probably covered the entire episode, and that is read the job description because it will tell you what is required. People say, “What certification should I go for next?” And I say, “What job do you want?” “Oh, I don’t know.” Or “Where do you live?” Well, that depends. Because for instance, I teach project management. And if you’re in the United States, you should be getting PMP if you want to be a project manager. If you’re in Europe, you shouldn’t, you should be getting PRINCE2. And so it really does depend on which location you’re in based on what jobs you’re going to be asking for. Because European employers want PRINCE2, American employers want PMP as an example.
And there’s other things like that all the time across our industry where if I’m going to work for a company that’s running old IBM mainframes, they’re going to be really important that I know how to code old IBM mainframes or Java because Java’s being used to recode a lot of those old IBM mainframes. I only know that from my time working at certain places over my career. But most people will go, “What the heck does Java have to do with an old 1970s IBM mainframe?” Well, we had to recode all the language-
In certain places.
And so we’re replacing it with Java, right? Yes, certain places. And we’ve had to recode a lot of that stuff. Now in my company, I couldn’t care less if you program in Java because we don’t do anything in Java. We use a lot of JavaScript, we use a lot of Python, we use a lot of other languages, but we don’t do anything in Java, so it doesn’t matter to us. And so it really depends on where you live, where you want to work and what job you want to do. So look at those job postings, see the common elements, and they’ll tell you what certifications to get, what degrees to get, what experience to get, what languages to learn if you’re coding, all those kind of things.
Now our final clip comes from an interview that I did with a very smart woman. Her name’s Arthureen Brown. She works for Altria Client Services, and you’ll learn a little bit more about that when you hear the clip. But during this episode, which was episode 46, if you go to yourcyberpath.com/46, she shares what lessons that she’s learned, what she does on a daily basis and how she got into her role. Let’s listen to what she had to say, and then let’s talk about it. Would you mind sharing with the audience what your current job is and anything else about the work that you’re doing now? Just so people can get a really strong understanding of the kind of things you do on a daily basis and the kinds of conversations that you’re having, the kinds of problems that you’re solving.
For the past seven years, I’ve worked for Altria Client Services and I work in the IT risk department. I started initially doing identity and access management. And after about two years, so for the past five years, I’ve been directly being a business information security officer. So what that means is I’m aligned to two business areas, including one, is our IT risk management team. And my role is to help them take safe risks. So through projects, suppliers, doing risk assessments, advising on projects, weighing in on governance and compliance, what should we be looking out for, what’s next in our roadmap, and just giving them strategic direction in one way or another.
I think that’s a very valuable service that you’re performing. And I think it really strikes to the heart of what good cyber risk management can do for an organization. And you said you’re a business information security officer, that’s of a newer title, isn’t it? I’ve noticed that’s come up only in the last few years or so. But what’s your experience with that job title been?
Most people don’t know what it is. Even within the cybersecurity world, it’s kind of this unknown role. It is emerging. In some of the organizations I belong to, I’ll introduce myself as a business information security officer, and others who technically have this role will ping me and say, “Hey, that’s kind of my title too. But I just say I’m an information security manager because no one ever knows what a BISO actually is.” But I would say it’s just we’re more focused on providing security governance to a particular business area versus a security program or to the organization as a whole. It’s just very narrowly focused. So that’s kind of how you can look at it. Other BISOs I’ve met, their roles kind of align the same way. They concentrate on maybe the accounting area of their business and finance or the media side of their organization. So it’s usually focused so that you understand a business and its needs and its security challenges.
All right, Kip. So listening to that clip, I thought it was really interesting because I’ve been in this business for a really long time, and personally, I’ve never worked with somebody who has been a “Business information security officer.” I’ve worked with a lot of information security officers, but never a business information security officer. And so listening to her highlight the role of a business information security officer and the importance of providing that security governance and the specific advice to their specific business areas, and that focus down I think is really important.
And I don’t know Altria Client Services myself in depth, but I’m assuming they’re probably a fairly medium to large size organization that they can dedicate the resources to having somebody doing this specific role as opposed to being the overall information security officer. And I think the idea of being able to emphasize that need of understanding the business needs, to understand their risk, their strategic direction and help them navigate those security challenges is really important. And I’ve had that role many times, but always at an organizational level, not at a business unit level. What are your thoughts? Have you seen a lot of this in, because I know this was probably about two years ago when you did this interview. Have you seen more and more of this over the last couple of years in the industry?
Absolutely. The role that she was describing is newer, however, I’m seeing it become more and more established. And for me personally, if I was earlier in my career, I would be aiming for that role. I think it’s absolutely fascinating because it’s the cross section between the essence of being a security analyst with understanding how information security is actually being used at the desk level to actually get things done. So for example, if we were going to implement… Let’s say the CSO of that organization says “We’re going to implement two-factor authentication.” It would be the BISO’s job to go to their business unit and to find out what would be the impact of turning on two-factor authentication at the desktop level, and how can we roll this out in a way that’s going to minimize disruption and kill people’s productivity? Because that’s what the business unit is very, very focused on, very concerned about.
And so there’s an opportunity to use just tons of empathy. And the other thing I want to say about this is, it really shows how nascent our career field is that significant roles, this just kind of pop up and can make such a huge difference. And so it’s not just that technology’s changing, it’s also that the way that we add value to the business is changing. And I think this is a wonderful turn of events for our ability to add business value. And by the way, your question about what kinds of organizations would I see a BISO? Well, first of all, Altria is an interesting company name because you didn’t know something, which is Altria is the new name of Philip Morris.
I bet you know that name.
I know that name. Yes. I didn’t realize that was their name. Okay.
And so that means their mission is accomplished as to why they have a different name now. So [inaudible].
You just spilled the beans, now everybody knows.
And now you know it’s an enormous organization. And I only find the BISO role at the very larger organizations because they can afford it. And quite frankly, you really need it in these larger organizations. I saw that when the BISO role first came out, people were calling it a virtual CISO as an internal role, but that didn’t take off. And so they went with this BISO designation, which I think is better. So anyway, that’s what I know about it and I think it’s a good thing.
Yeah. So when I worked with the military, we had a similar role it sounds like, which was the departmental information security officer. So we would have the overall information security officer responsible for the entire command, unit, whatever you want to call it. And one of the larger ones I was at, we had about 3000 people underneath the single command. And I was the information security officer for that area. But underneath each of the 10 departments, which each had three to 500 people each, those also had their own departmental information security officer.
So they would report up to me and they would then be responsible for, if I was going to say, “We’re going to do two-factor authentication, how’s that going to affect you?” They would all go out, talk to all their bosses in the operational space, gather that information, come back to us, work with us, and then we’d figure out, “Okay, we’re going to be able to roll it out, but we can’t roll it out to the fifth department because they have something that will break if we do it, let’s do it to everybody but them and then we’ll figure out a workaround for them.” And so I’m familiar with that kind of an idea, I’ve just never heard that term of a BISO before. And again, this must be commercial [inaudible].
Welcome to the private sector.
Yeah, absolutely. And I wouldn’t be surprised if it was inspired by what you described was going on in the defense industry. I wouldn’t be surprised by that at all. Anyway, I think it’s a wonderful turn of events, and also want to observe at this point that this is the longest podcast episode I’ve ever made in my life.
No, it’s good. It’s good, but I just want to acknowledge that if you’re in the audience and you’re still listening, God bless you, you’ve made it.
Thank you for staying with us. Yeah, we’re going to wrap it up here because I know it’s been a really long podcast for you. I was thinking we were going to talk for two minutes on each one and we went much longer than that, but hopefully you found value in it.
We don’t know ourselves very well.
Yeah, and the last thing I wanted to say on that last clip though is the other thing that I see is that being a great thing is it really does show that businesses are starting to identify cyber as a business risk, not as an IT or technological problem. And I know that’s something that’s huge in your world at cyber risk opportunities. And that is really what you guys focus on is working with the CFOs and the CEOs and the CEOs on managing their cyber risk as a business risk and not just, this is a tech problem, let’s just slap on a patch and move on. And that is a great thing about seeing people who like Altria doing that where they are having this business risk management function as part of this cyber risk. So that being said, I know we have covered a ton of stuff in this episode, and it was a really long episode, but to wrap it up, I think it’s really important for us to point out that as the cybersecurity industry continues to evolve, it’s going to present numerous opportunities for aspiring professionals like our audience.
And I think by applying the insights shared in this podcast as well as our other hundred episodes we’ve had up to this point, you as our listeners are going to be able to enhance your chances of securing a rewarding career in cybersecurity. And that’s what we want for you. We want you to be a part of this industry, we want you to help build this industry, and we want you to have a long and prosperous career. Now remember, success really lies in crafting your tailored resume individual to the job posting you’re going for. Otherwise, you’re going to get filtered out. It also means you have to gain practical experience. And if you can’t do that by getting hired, there’s other ways you have to think about doing this, whether that’s volunteering, building home labs, doing other projects, taking a lower level position, whatever it is, you have to get that experience because it’s so hard to get in the door without the experience unless you can really use networking like Ed Skipka did to be able to get in through the back door.
Another thing is I want to encourage you to embrace diversity. Whether you are a diverse person yourself or if you’re somebody who looks like me, we should be embracing diversity and not because it’s a great platitude or a wonderful bumper sticker, but I can tell you from 20 years of working with the military in a very diverse environment as well as seven years now at Dion Training with an extremely diverse team, I get such better productivity and work product and diversity of thought from that diversity. It is just critical to your business success. And if everyone looks the same, everyone thinks the same, you’re going to run right into a wall because everyone is still going in the same direction. You need people to pull you and go, “Whoa, whoa, maybe we shouldn’t do that.” And that’s where diversity comes into play. And then the other thing we talked about was negotiation skills.
We don’t want you to leave money on the floor. If you’re at the point where you’re starting to talk price and negotiation, you’re already down to the final cut and that company wants you, and now it’s really your job to lose. So don’t lose it in the negotiation, but also don’t be so greedy that you lose it, but don’t be so willing to accept it that you’re giving up tens of thousands of dollars, because it will affect you for years to come. All of that is stuff we talked about as we went through this episode, we really hope these discussions and the highlights help to empower you as you pursue your cybersecurity aspirations and excel in the dynamic world of cybersecurity. As we said throughout this episode, we have a lot of different episodes out there. If you go to yourcyberpath.com/ and the number, that will get you to any of our hundred episodes we already have out.
In addition to that, there’s a great search tool there for every episode. We have a full transcription of everything we said, and I can only imagine how long that’s going to be for this episode. But we do have a transcription of everything we say as well as links to anything we’ve covered or downloadable documents, if we have something that’s an image or a resume template, those are also there. And to find any of that, you can just go over to yourcyberpath.com, go to the search tool, type in a keyword like “Negotiations” or “Resumes” or whatever, and you’ll see every episode we have on that topic. It’s a wonderful resource for you. We spent a lot of time and a lot of money building it up there, and it is at the great low, low price of free. There is no charge at yourcyberpath.com. This is something we do out of the passion that we have in the industry and trying to give back and help others be able to come in.
And we’re not looking to make money off you here, we are just here to help you get into this field. So please check out yourcyberpath.com. The last thing I want to ask you to do is go over to yourcyberpath.com. On the homepage, there’s a place you could put in your name and your email address. If you do that, you’ll be registering for what we call our mentor notes. Now, every time we have an episode come out, we also put out a mentor note that includes information that is not in the podcast. It’s our best tips and tricks, it’s information about the industry, it’s new attacks that have come out, new zero days that we found out about. Things Kip is seeing in his consulting work that’s a big trend in the industry. All those things are things we cover in those mentor notes and Kip writes them every two weeks for you, and again, absolutely free. We’re not there trying to sell you anything, we’re just trying to give you great information.
And Kip does a great job of keeping those short and to the point, unlike this episode. And those are usually about 500 words or less, a very quick read, and it’ll keep you up to date with what’s going on in the industry. So I definitely recommend doing that today at yourcyberpath.com. Go down and enter your name and email and you’ll be subscribed to our mentor notes. All that to say thank you again for helping us get here to the hundredth episode. We’re really excited. We’re glad you stuck it out with us for the hour and a half plus episode that we had here. And we hope to see you again next time on Your Cyber Path.