GET INTO THE TALENT PIPELINE WITH MAX SHUFTAN AND WINNIE YUNG

Kip Boyle:
Hi, everyone. Welcome to Your Cyber Path. My name is Kip Boyle. I’m here with Jason Dion. Hey, Jason.

Jason Dion:
Hey, Kip. Great to be here again.

Kip Boyle:
It’s great to be with you. Listen, I am about to enjoy the wonderful summertime experience in Orlando. I was looking at the weather app the other day and it was 55 degrees in my house. It was 95 degrees at your house. I was just like, “Oh my gosh, I don’t know if I’m ready for this,” but I’m going to do it anyway.

Jason Dion:
Yeah. We broke 101 last week. I thought to myself, Kip is really going to be in for it when he goes to Disney with the little kids. Enjoy.

Kip Boyle:
I think I’m going to melt.

Jason Dion:
Enjoy.

Kip Boyle:
I’m just going to melt. Well, anyway, so listen, today is Episode 76. It’s called, Get Into the Talent Pipeline. What we’re going to do today is, we’re going to welcome two guests to speak with us. I’m going to let them introduce themselves here in just a moment, but what we really want to talk about today, first of all, is that we want to give our listeners the thought about what is a talent pipeline and why do hiring managers want a talent pipeline. Once you understand what a talent pipeline is, then what I would like to do is turn the conversation towards some examples of a talent pipeline. We’ve got some guests who are going to talk with us about what a talent pipeline looks like and how training providers play a role in that. We’re going to talk with somebody who was actually recently gone through some training and upskilling with cybersecurity and who, now, is in a talent pipeline. I think this is going to be a great episode. Let’s go ahead and kick it off. I want to introduce our guests first, Max Shuftan. Hey, Max.

Max Shuftan:
Hey, Kip. Hey, Jason. Thanks for having us on the podcast today. I am the Director of Mission Programs and Partnerships at the SANS Institute, which is a cybersecurity training and certification organization. Been around since 1989, but the programs that I help oversee at SANS have really been focused, for the last seven years, on closing the cybersecurity talent pipeline and bringing more people into the field.

Kip Boyle:
Fantastic. Thanks, Max, for being here. I want to make just a comment about SANS. I’ve been involved with SANS either as a student or as an instructor for quite some time now. In fact, my first SANS conference was NETSEC ’98 in Monterey, California, if you can believe that. I think SANS has some of the most fantastic instructors, some of the best content that you can get when you are a security practitioner. I think it’s really great that, today, we’re going to hear about how SANS is helping to get people into the profession, not just helping to train people who are already in the profession. Winnie, hi. You’re our guest as well. Winnie, is it Yung? Is that the right way for me to say your last name?

Winnie Yung:
Winnie Yung.

Kip Boyle:
Winnie Yung. Hi, Winnie.

Winnie Yung:
Hi.

Kip Boyle:
Please introduce yourself.

Winnie Yung:
Sure. I graduated from the SANS Institute’s Diversity Cyber Academy back in 2021. Now, I’m working my first cybersecurity role. I work at a large hospital based in New York City.

Kip Boyle:
Excellent. Thank you. Okay. Yeah. Let’s talk about talent pipeline. Jason, you’re a hiring manager, I’m a hiring manager, what do you think about when you hear the word talent pipeline? What does that say to you?

Jason Dion:
Yes. When I think about a talent pipeline, I’m thinking about the way we take somebody, either off the street or with little to lower skill level, developing them up for a particular position and then they are able to go in that position moving forward. A lot of times, that’s done either in that single organization or it’s done across organizations. There are some organizations that focus on preparing people as part of the talent pipeline to then get them hired into a role with some other company. There are some organizations that do the internal talent pipeline to build it up for themselves based on their own process and practices.

Jason Dion:
In my company, right now, we have eight people as of Monday that are in our talent pipeline from local high schools and colleges here in Florida that we’re working through, developing them, getting them the skills so that some of them will stay with us afterwards, but most of them are going to go somewhere else and go to some other company. We’re giving them the skills to be able to do that as part of that talent pipeline and being able to start building them up to start filling some of these cybersecurity skills gap jobs that are out there. What do you think, Kip?

Kip Boyle:
I think that’s absolutely correct. I also want to add that talent pipeline is something I’ve been thinking about a lot lately, not just for my own company. Because I’m also a small business owner and I’ve got a team of people, and I’m having to pay attention to talent pipelines a lot, but also because I lead a open source project called, The Cybersecurity Hiring Manager Handbook. I’ll put a link to that in the show notes, but the whole handbook was designed and written by about 50 hiring managers that are working in cybersecurity. We really took a talent pipeline approach. Everything from how do you design a program or a culture for your team that is going to attract people who are going to want to work for you even though they’re talented enough, possibly, to work for anybody that they wanted to, but why you, right? Why would they opt into your program? What is it about your talent pipeline and your working environment that would attract people?

Kip Boyle:
The handbook talks about how do you think through those things, how do you prepare to go out into the market and find people, whether they’re maybe folks who are starting out like, we’re going to talk about Winnie’s situation here in a few minutes or even if it’s a mid-career or a senior career person, a hiring manager has to think about all aspects of their talent needs retention and then, eventually, departure. Like you said, sooner or later, people are going to want to leave. Maybe that’s because like, “Hey, I’m ready to retire. I don’t want to work for anybody anymore,” right? It could be that or it just could be like, “I don’t find this environment challenging enough” or “I just want new challenges,” whatever it is. Yeah. When you think about a talent pipeline, you got to think all the way from the beginning of the pipeline all the way through the day when somebody leaves.

Kip Boyle:
Anyway, I invite people who really want to dig deep into this idea of a talent pipeline and all the little details in it to go check out the hiring manager handbook. That’s like reading the secret manual to hiring if you are looking for a job, right? You should be reading this handbook so you understand what’s going on on the other side of that table.

Jason Dion:
Yeah, most certainly. I think the other big thing when it comes to talent pipelines is, it’s really difficult for an organization to forecast their needs for particular skillset, especially with the rapid change in innovation and digital disruption that’s been happening. We see this right now as we’re filming this, it’s the summer of ’22. There is a massive shortage of people to fill key roles. Some of that is because there’s been growth in those key roles. A lot of it has been the great resignation we’ve heard about over the last two years of people going, “Hey, I don’t want to go sit in an office from 9:00 to 5:00 every day and do the recording thing for $10 an hour. I want to do something more exciting.” We’re seeing this big gap between what is needed and what we have.

Jason Dion:
As an organization, especially large organizations, I come from the military background, they’re trying to plan out what are they going to need in five years, 10 years, 15 years. It’s really hard to read the tea leaves and do that guessing that far out. If I need somebody who has 15 years of experience as a E-8 in the Navy, for instance, I can’t hire them yesterday. I have to hire them 15 years ago and do all that talent and development to get them to that 15-year point. In the civilian world, it’s a little bit easier because you could say, “Oh, there’s this 15-year guy who’s getting out of the Navy. Let me hire him.” Now, I’ve got this 15-year experience person, but those are some of the things that you think about when you start thinking about how does your organization attack talent management. Are you doing it from a pipeline where somebody’s going to start out at the mail room and work their way up to CEO or are we going to let people jump in at the middle with certain skill sets?

Kip Boyle:
Right.

Jason Dion:
You can do that a lot based on the training divisions you’re working with.

Kip Boyle:
Yeah. Or are we going to partner with an organization like SANS, right?

Jason Dion:
Yeah.

Kip Boyle:
Max, let’s talk about how your organization plays a role in the talent pipeline, like the bigger picture talent pipeline, right? Because you’re not just thinking about one employer for your programs, are you? Talk to us about how do you guys think about your role in the talent pipeline?

Max Shuftan:
Yeah. We see SANS as part of the solution to helping close the talent pipeline. It’s not the end LBL solution, nor should it be, but we see SANS as a conduit by which people can gain the skills they need to be able to perform jobs on day one, whether that’s at an entry level or more advanced level or an intermediate level. For these types of programs, it’s typically at that entry level. About seven years ago, our founder had been talking with some folks in the U.S. Air Force who had communicated a lot of individuals who had a military occupation and communications, but couldn’t translate that into a civilian job in cyber. They came up with the idea of this program about success where using an aptitude test, using some interviews to gauge people’s passion and dedication. If we found folks with high aptitude, problem solving ability, things like that as well as the dedication, they could go through several industry training courses, starting at the entry level and maybe going into incident handling or security operations, get the associated certifications to prove they’d mastered those skills to employers and get jobs in security.

Max Shuftan:
We tried that out in 2015 as an idea. We had about 80 applicants from the U.S Air Force who were transitioning out. 18 folks got selected for the program and all 18 got certification, but more importantly, all 18 ended up with jobs in cybersecurity. Typically, security analyst, stock analyst type roles, 70 to 100 case salaries, a few a little higher, a few a little lower, but generally, we saw that this model could… We were on to something. If you can find people with that mindset and with that passion, train them up. You can bring them into the field. Over the last six years, since ’15, we’ve really focused on adding more programs focused on diversity, equity, inclusion, some in SANS name, some with partners where they wanted to start their own programs using this model.

Max Shuftan:
Sometimes they’re using SANS training. Sometimes SANS training and other training providers as well, but the whole idea of, to fill the gap, we can’t just have employers hire from each other. We need to bring net new folks into the field. If you can find them with aptitude and find them a passion they’re likely going to do well.

Kip Boyle:
Yeah. You guys have a number of likes. First of all, you have a number of programs. First of all, is it called, VetSuccess? Is that right?

Max Shuftan:
That was the first academy program we started, yeah, back in 2015.

Kip Boyle:
Right. Okay. Just so you know, you’re on a podcast now with at least two other veterans. I don’t know if you’re… Are you a veteran?

Max Shuftan:
I am not. No.

Kip Boyle:
Okay. Well, Jason and I were in the military. We were on active duty. We definitely pay attention to all these different programs to help military members transitioning, right? Jason, what’s the name of the… Is it Skills Bridge? Is that one of the other ones?

Jason Dion:
Yeah. There’s two new programs out there. The newest one is SkillBridge, DoD SkillBridge. In fact, I have four people on my team right now that are on DoD SkillBridge. This is a program that, for the last six months somebody is in the military, they can go work at a civilian company to start closing that talent gap, right? I’ve got two air force, one army and I think one Navy guy on our staff that are currently on the SkillBridge program. They come to work just like any of our other employees. They get training. They get certifications. We help them learn how to be developers or cybersecurity analysts. At the end of the six months, we can either hire them on or help them get placed into another role. That’s one of the big programs out there now.

Jason Dion:
It’s a really great program for anybody who’s an employer out there. You should definitely look into it because it’s a great way to help service members as well as help your own company because you’re not paying their salary for that six months. The military is. They’re still active duty folks getting their active duty entitlements and pay, but they’re working for you every day. That’s their job for that last six months. The other program that’s out there right now, which probably stands and I’m guessing it’s probably a part of it is called, VET TEC, which is through the veterans affairs association. That’s for people who have already separated out of the military and are either disabled or honorably discharged veterans. That helps them go through different talent pipelines to gain certifications, industry credentials, degrees and things like that in a technical role so they can get one of these cybersecurity type jobs that are out there.

Kip Boyle:
Yeah. Thank you for mentioning that. Max, if you don’t know about VET TEC… Have you heard of that before?

Max Shuftan:
I have, yeah. I won’t get into the minutia. We are not part of the VET TEC program. We’ve collaborated with VET TEC. With SkillBridge and TAP, we have also collaborated and we’ve formally partnered with individual installations. Partnering with that program nationally is a little trickier because there are certain types of standardization you have to have and whether it’s online or in person training, and we like to have flexibility there. What we’ve ended up doing is partnering formally with certain bases and then doing more of cross promotional activities that the two programs were at large.

Kip Boyle:
Well, yeah, that’s fantastic. I’m glad to see that you’re involved somehow that SANS is playing a role in there. Anyway, if you’re listening to this podcast and you are a veteran, whether you are wanting to prepare yourself for your separation from service or maybe you are already separated and you’re just trying to figure out how to get into your next thing, the big takeaway for you is, there’s a talent pipeline and there’s lots of programs to help you get into a talent pipeline. Let’s talk about some of the other SANS programs, Max. You were mentioning to me before, one of the very basic things you guys offer is called, Cyber Aces. Is that right?

Max Shuftan:
Yeah. This actually even predates the academies. We have a free open course or a massive open online course that they often call the MOOC, for short, called, Cyber Aces Online. I think it’s at sans.org/cyberacesnow. It’s really just about 25 to 30, depending on your pace, hours of free training and networking, sysadmin and operating systems. The core building blocks and IT that relate to cybersecurity. Years ago, that was part of various competitions and state based initiatives, but around 2014, we decided that it was just going to be an open library. Anyone who wanted to access this training could. You don’t have to have a SANS account to access it. You can just watch the videos on YouTube, download PDFs that go with it, do labs at home and start to make your way toward this field. We see that as a great tool to bring people toward the field and encourage them to pursue further training education or careers.

Kip Boyle:
Yeah. Jason and I talk with people who are trying to move into cybersecurity all the time. There’s this great catch-22 where it’s like, in order to get a job, you have to have experience, but in order to get experience, you have to have a job. We’re always looking for programs that we can recommend to people on a self-study basis or whatever. One of the things that I tell people is, there’s a lot of virtual internships out there. Cyber Aces isn’t an internship, but it is a program where you’re going to learn some practical things. I encourage people to put these accomplishments on their LinkedIn profile, right, just to help make it clear to potential employers that, “Hey, I’m serious. I’m highly engaged. I’m passionate.” Because I think that’s one of the really key ingredients for a great person that you want in your talent pipeline. Winnie, would you remind me, when you went through SANS, you went through a diversity, equity and inclusion program. Is that right?

Winnie Yung:
Yeah, the Diversity Cyber Academy.

Kip Boyle:
All right. Diversity Cyber Academy. Great. Could you tell us a little bit about what that was like for you?

Winnie Yung:
Sure. The cyber academy include… I think it’s about… You got six months to take three SANS courses and its corresponding certifications. The first two courses are prerequisite courses. I believe the first one was security essentials. The second one was, I forgot the title, but it’s the SANS incident handling course. The third one was an elective. I had a hard time choosing one, but I went with the web app penetration testing course.

Kip Boyle:
Excellent. Okay.

Winnie Yung:
Yeah.

Kip Boyle:
It took you… You said that’s six months of work. Is that right?

Winnie Yung:
Yeah. Two months for each course, two months to actually get all the material done and take the certification exam, but of course, if you needed more time for whatever reason, the program would give it to you.

Kip Boyle:
Were you moving through the program in more of a cohort or on your own?

Winnie Yung:
This was the SANS, I believe, it’s the on demand course. It’s basically all self-study. You had a cohort, but everybody is doing things on their own time. It’s not like you’re studying together or watching the videos together. I do recall-

Kip Boyle:
Okay. Were you working full-time while you were doing that?

Winnie Yung:
No. I was actually laid off from my job pre-pandemic. During that time, I took some time to evaluate where I wanted to go next in my career. I have a friend whose uncle works in cybersecurity. He was joking that him and his team were literally picking people off the streets because there was such a shortage of talent. I was like, “Oh, cybersecurity. That sounds interesting.” That’s how I started getting into it.

Kip Boyle:
Fantastic. Well, congratulations for getting through. I’m interested to know after you finished the academy. You said, you’re working now. Could you tell us about the job that you have now? You said that you’re employed in a medical center or hospital. Is that right?

Winnie Yung:
Yeah. I’m a cybersecurity analyst. As you might know, that title is going to vary so much across companies, but what I do is mostly like security operations. That would be checking out alerts, responding or investigating fishing emails and dabbling in other projects as needed. I feel like our team is more… On the scrappier side, nothing is super bureaucratic. I think I like it that way.

Kip Boyle:
That’s cool. Jason, it’s so funny that Winnie would say that about the job title, right? Didn’t we just record an episode about that?

Jason Dion:
We did within the last couple weeks and if it’s not out yet, it’s coming out the next week or two, but yeah, we did, talking about what does the job title mean? It means everything and it means nothing, right? Because this really depends on where you work and the same job title. We actually used cybersecurity analyst as an example. We pulled up, I think it was three different cybersecurity job posting on LinkedIn. We went through like, “Hey, these are three different companies and this is what they think cybersecurity analysts means. They all had the exact same job title, but they meant vastly different things.” It’s interesting you brought that up.

Kip Boyle:
Yeah.

Jason Dion:
The person I had for you when he was… What was the process for you to get into this SANS program? Was it like an application process? Was there cost involved? Or how did that work from your perspective as a student?

Winnie Yung:
The application process, it started with answering a series of questions. Getting through that. I think that taking a short assessment that had to do with probably problem solving and critical thinking skills, there also might have been… it’s been a while. I don’t remember exactly. I think there was also a short cybersecurity focus like assessment. After that, there was also a pre-recorded video interview and then a phone interview with somebody at SANS.

Jason Dion:
From the SANS side, Max, is there a cost associated with that program or is this a scholarship thing where you’re going through the 100 people who apply and picking out the 20 best applicants to fill those seeds?

Max Shuftan:
It’s the latter. These programs are scholarship based. This one, the diversity cyber academy, is funded by SANS. There are other programs you’ll see out there like the WiCyS Security Training Scholarship where various private companies help fund them as well, but yeah, they are all scholarship based. The big cost to the participant is their time, because as what he said, doing three courses and three certs in six months is no easy feat. The average standard commercial employer would give a student four months to just do one cert. It’s called the immersion academy for a reason. It’s definitely an intensive process.

Jason Dion:
You just mentioned WiCyS and some people may know what that is, some people may not.

Max Shuftan:
I’m sorry.

Jason Dion:
You’re referring to women in cybersecurity, right?

Max Shuftan:
Yeah, women in cybersecurity of the nonprofit org.

Jason Dion:
Yeah. I just wanted make sure.

Kip Boyle:
Yeah. We’ve had somebody from WiCyS on our podcast, right?

Jason Dion:
We did. About two, three months ago it was.

Max Shuftan:
I’m guessing Lynn maybe or Ambareen.

Kip Boyle:
No. Actually, her name’s Nancy Hunter. This was Episode 69. Nancy is the vice president and chief information security and privacy officer at the Federal Reserve Bank of Philadelphia. She’s really inspiring. If anybody wants to listen to Episode 69, just go to your cyberpath.com/podcast/69. You’ll be able to listen to the podcast and read a transcript of the podcast if you’d rather do that, but yeah, Nancy was super inspiring. I thought she had a lot of really fantastic advice and was just a very open person about, “Hey, we want to help women succeed in cybersecurity. Please reach out to WiCyS chapter, right, in your area and get involved.

Jason Dion:
The-

Max Shuftan:
Yeah, we-

Jason Dion:
I’m sorry. Go ahead.

Max Shuftan:
I was going to say, WiCyS is a great org. The way that program came about is, we’ve worked with WiCyS for a while to just promote our standard SANS women’s academy and diversity academies. The leadership of WiCyS came to us and said, “We want to start a different program. We do want some of the top performers with aptitude to get advanced training, and that can be a group of 20 or 30 people, but we want to have something where 1,000 people can sign up and all get something out of it.” This program called, The WiCyS security training scholarship made possible by Google, Bloomberg and Facebook, which is a mouthful. I just call it the WiCyS program for short. It’s a multi-stage program. Everyone who signs up gets to play a CTF, very beginner level in nature. The first half of the CTF, you don’t even need a virtual machine. You’re using developer tools in your browser, trying to find anomalies in the page code and things like that, using and doing Caesar cipher, using external websites.

Max Shuftan:
Everyone gets to that stage and then various stages later, students get to play more games, some get to take some foundations training. At the end, they do have the academy model where those who do the best in those previous ages get to take three or four training courses.

Jason Dion:
Awesome. The program, for instance, that Winnie went through, she went through the application process. She was selected through the scholarship program. She got to go through and do those three courses. After they finish the three courses, is there some support or help from SANS to help them find a job or Winnie, did you just have to find this hospital on your own? Or how did that work for you? How are you able to land that job? Because I hear often, it sounds like when you didn’t have any prior cybersecurity experience, you just got this SANS training for three to six months. I hear a lot from different students and listeners that, “Hey, I got the certs, but I can’t get a job. Nobody wants to hire me because I have no experience.” How did you overcome that?

Winnie Yung:
Well, I should also say that I was also attending another bootcamp at the same time. that’s additional resources and additional opportunities for networking. I did have the careers at SANS to help me and also, at the other bootcamp. A lot of the job searching, I did myself and then if I had more specific questions about how to handle interviews or if I needed interview practice, that’s when I would reach out to the SANS career center.

Jason Dion:
Okay. From the SANS career center, Max, can you speak a little bit about that? What does that provide a candidate?

Max Shuftan:
Yeah. For all these programs, the different academies, different name scholarships, we aren’t able to guarantee a job, right, because we’re not an employer, but what we’ll say is, over nine and 10 of our graduates do get jobs in cybersecurity. Sometimes that’s working on their own. Sometimes that’s working through the SANS career center. Sometimes it’s using other education they’re going through to do networking, but what the career center is really focused on is helping position the students the best they can to get a job. Resume review, practice interviews sometimes with the career center professionals. Sometimes we’ll bring on past program graduates who could do a mock interview. The groups going through the program though they are pretty asynchronous. They do have an assigned mentor who’s a current professional in the field who can help out with that a bit as well.

Max Shuftan:
The last thing, and this might have come after Winnie had graduated, we added a platform called, Handshake to the Program, which is a really cool tool for connecting students with employers looking for entry level technology talent.

Jason Dion:
This career center is only available to those who are taking SANS courses or is in one of those SANS programs, right?

Max Shuftan:
For the academies, yes, and then we also… SANS.edu recently launched some undergraduate programs. They have access to the same career center. The biggest benefit of that, at the end of the day, is we went from a team of one career services professional to three with some more platforms available. We’ve got these undergraduate students on the EDU side and then the sales.org side. The academy students all using the same team and platforms.

Jason Dion:
Awesome.

Kip Boyle:
Okay. Excellent. Winnie, you’ve been in your job now as a cybersecurity analyst for how long?

Winnie Yung:
For about three months.

Kip Boyle:
Three months. You’re fresh. 90 days is a good amount of time to really get a feel, right, for what’s going on. What do you find the most challenging?

Winnie Yung:
For sure, understanding the environment. Especially because I’m new to healthcare also. There are a lot of things in that space that I haven’t quite gotten a grip on yet. Also, working remotely has… It’s great. I’m never going to complain about it. The only downside is, it does make that more challenging. Not seeing what other people and other teams are doing, et cetera. Not seeing the medical equipment even.

Kip Boyle:
Right. Right.

Winnie Yung:
Yeah.

Kip Boyle:
Yeah. Cybersecurity and healthcare is really challenging these days. For a lot of different reasons, I won’t try to unpack, but I want to roll back for a moment about, since you’ve been there for 90 days, I want to ask you about the job hunt. You mentioned different things that you did on the job hunt. How did you find this one particular opportunity? What was it like going through the interview process?

Winnie Yung:
I found that job through LinkedIn. The interview process was… It’s funny because the week prior to the interview for the job that I had now, I had another interview that went pretty badly. When this interview came out, I was like, “Oh,” but then, I actually was much more comfortable. I guess that experience had primed me. I think, honestly, the best practice for that stuff is just to do it, make mistakes and learn from it.

Kip Boyle:
Definitely. Yeah. I think getting a job involves a lot of experiential learning, because there’s just no substitute for getting out there and just trying. Failure is not fun, but it’s a wonderful teacher, right? You’ll pay attention to the lessons that failure teaches you more than you’ll pay attention to any other lessons that come at you. On the networking piece, Jason and I talk to people all the time about how important it is to meet people and to get yourself out there, ideally meet hiring managers or meet people who work for hiring managers. Were you able to make connections like that?

Winnie Yung:
Yeah. One of the other boot camp that I attended, I reached out to somebody who I graduated from that program. I was like, “Hey, what was your experience like? What are you doing now?” That’s how we became friends. She’s not officially my mentor or anything, but I definitely do look up to her. I think if you’re not part of a community like that, I think it’s even more important for you to take initiative and find people like that. I don’t mean, standing alone and finding someone whose career you are specifically interested in and having specific questions for them. You’re not just like, “Hey, how do I get a job?”

Kip Boyle:
Yeah. That’s a little-

Jason Dion:
I know we’ve talked about this one before too, but what’s your favorite way to ask somebody if they’ll be your mentor or to answer some questions for you?

Kip Boyle:
You’re asking me, Jason?

Jason Dion:
Yeah. I know you’ve covered this before.

Kip Boyle:
Yeah, yeah, yeah. Well, like when he says, what you don’t want to do is walk up to them and say, “Hi, will you be my mentor?” I think that’s just too transactional. You don’t want to do that. It’s awkward and uncomfortable for everybody. If you think you felt you would feel awkward and uncomfortable doing it that way, imagine what it would sound like if you heard that from somebody, but just think of it as any relationship, anybody that you’d like to get to know, right? Look for common interest. That’s the first step. Look at their LinkedIn profile. If this is somebody who has spoken publicly, if they have YouTube videos or if they have a blog, watch the videos, read the blog, find something in common.

Kip Boyle:
It could be something like having gone to the same school or having read the same book. It really doesn’t matter, but just find something that you have in common and then reach out to them and talk with them about that thing that you have in common and just see if there’s a fit. If there is a fit, the conversation will go from there. Don’t ask them flat out for, will you give me a job? That’s her question or rather, what you would say is, “Hey, I’m looking for a position. This is the position that I would like to get. Do you know anybody who is trying to hire somebody with my skillset?” Or you could say, “This is the job that I want to get. What advice do you have for me so that I can become an irresistible candidate to a hiring manager,” right? That’s the way you want to do it. It’s really what I would call a soft ask. You’re going to be way more successful with that. Would you add anything, Jason?

Jason Dion:
Yes. I was going to say, the only other thing I would add is that what I’ve seen work really well is, people like to talk about themselves. If you find somebody who is… What I was looking for a mentor is somebody who is one to two steps ahead, doing the thing that I want to do. I would find somebody like that. I would say, “Hey, I see that you are in X, Y, Z position. I’m hoping one day to be in that position too. Can you tell me about how you got there? I’d love to buy you coffee for 15 minutes and just hear your story,” right? Invariably, when you do that, they’re going to talk for about 10 to 15 minutes during that thing, because people love telling their own stories. They love talking and hearing their own voice. That’s why we do this podcast, right, Kip, because we love to talk.

Kip Boyle:
Right now, I’m outed. I can’t do this podcast anymore with you. Yeah.

Jason Dion:
Over those cups of coffee and stuff, you can build that relationship and that could turn into where they go, “Oh, you know what, I heard my buddy over at X, Y, Z firm is hiring. Maybe it’d be good fit for that.” By doing that in a real natural, I really want to hear about what you did because that way, I can emulate it myself. I found that to be very effective. I know, for me, I get asked at least five times a day, “Hey, tell me how I can get into cybersecurity,” right? Or “Will you review my resume?” It’s like, “No, I don’t have time. I can’t do that for everybody.” Every resume interview I do is 30 to 60 minutes-

Kip Boyle:
Right.

Jason Dion:
… and five people a day. I would get nothing else done.

Kip Boyle:
Yeah.

Jason Dion:
The resumes that-

Kip Boyle:
Go call Kip, Jason says, right?

Jason Dion:
Don’t call Jason. Don’t call Jason. If you had called me up and said, “Hey, I’d really like to hear how you got your first cybersecurity job.” I’d probably be like, “Yeah, I have to grab a coffee anyway. Let’s just go down the street and grab some coffee.”

Kip Boyle:
Yeah.

Jason Dion:
Right?

Kip Boyle:
Yeah.

Jason Dion:
I find those, if you can get them out of the business sense and do it over lunch, do it over coffee, tea, whatever your favorite choice is that tends to bring the guard down a little bit. You’re going to be able to ask questions along the way and they start saying, “Well, I got my first job because I got this cert.” Well, do you think that cert is still important these days? No, that was 20 years ago. Nobody cares about that cert anymore, right? Now, they all care about this cert, right? Or whatever it is. As you’re going through hearing their story, you can ask those questions and gain the information you need.

Kip Boyle:
That’s fantastic. Actually, I don’t know if you realize that you probably do, but you’ve actually pulled a chapter out or at least once you’re out of world, How to Win Friends and Influence People by Dale Carnegie. I recommend that book to people who are just struggling with this idea, right? How do I even begin? There’s a lot of people that have social anxiety and they just don’t know how to do this. Thank you for adding that. I really appreciate. We’re coming to the end of our time here on the episode. I would like to give Winnie and Max an opportunity for a last word. Winnie, for somebody who’s listening to this episode right now and is trying to break into cybersecurity and they don’t know what the next step is, what would be a good next step for them?

Winnie Yung:
Well, I would tell them that cybersecurity as a field still bothers. There’s a place for everyone. If you don’t come from a technical background, you don’t need to feel intimidated. These are things that you can learn. Maybe you just haven’t had the chance to learn. Maybe the way that you have learned that that was effective you, but there is definitely a way. Even if you don’t know what the next step is, just don’t overthink it. Just keep doing things. Because after year passes, you’ll be able to go back and progress and everything will make much more sense. Yeah, just keep going at it, keep learning things, keep talking to people. Don’t be too hard on yourself.

Kip Boyle:
Thanks, Winnie. Max, one of the people do is connect with SANS, right, if they would like to get some training, to get some skills. Max, same question to you. If somebody is listening and they don’t know what their next step is, what’s your suggestion?

Max Shuftan:
Yeah. My, my suggestion would be (a) be persistent. What I mean by that is, echoing a little of what he said, find different avenues for learning whether it’s applying to one of these SANS scholarship programs, whether it’s doing something like try hack me or learning on YouTube, using Cyber Aces which you talked about. All of the different dev or will help you gain some knowledge. Employers, whether you go through a SANS training program or another vendor certification, at the end of the day, they’re going to not just ask you about your certifications. They’re going to want to know what you’ve been doing to try to get in the field, how long have you been spending your time, what new are you keeping up with, books or podcasts are you following, what open course learning are you doing online?

Max Shuftan:
If you take that action and you’re persistent and you’re tenacious, you’ll find the pathway into this field. Because hopefully, we can get to the point at one day where I don’t know if it was with uncle’s friend who said, they were just hiring people off the street. Hopefully, at one point, we won’t be doing that. There’ll be enough graduates coming through reskilling and talent pipeline initiatives to fill the open roles.

Kip Boyle:
Yeah. This is a time in this career field’s history where not only is the demand high, it’s been high for years, but I’ve never seen so many organizations and so many resources being made available to help people, whether it’s scholarships or specific programs. Winnie, I think, did a wonderful job of availing herself of scholarships and programs, but there’s just so much out there for people. Yeah, definitely go see what’s available and take full advantage of it. I’ve talked enough. Jason, do you have a last word for us?

Jason Dion:
No. I mean, I think we’ve covered it all. I just wanted to thank Max and Winnie for joining us today on the podcast. I think they showed us some great programs that are available and some great alternative ways to get into the industry. If you are starting out and you’re like, “Hey, I’ve got no experience. I don’t know where to start.” There are some great places you can start and going through some of these programs that have these career or services to help you land that first job is helpful, but just remember, as Max said and Winnie even said, SANS Career Institute is great, but they’re not going to place 100% in the cans. That’s not their role. Their role is to help people get trained up. You’re going to have to do a lot of that work, just like Winnie did to find those open positions, apply for those open positions and then get hired into those open positions.

Jason Dion:
Good news is, here in 2022, there’s a huge demand. There is a lot of open positions available. You’ll probably hear, no, 10, 50, 100 times before you hear yes, but there’s a position for you. Keep applying and keep working towards that. That said, as with every episode, you could check all of the episode notes@35.167.158.44/ and the episode number. You can also go to yourcyberpath.com to sign up for Kip’s mentor notes. Kip’s mentor notes are a great email resource that comes out every other week. It gives you different information on different news events that are going on. They’re very short. They’re very practical. They’ll keep you in the loop of what’s going on in the cybersecurity industry. I recommend going to yourcyberpath.com and signing up for those mentor notes today. Other than that, we will see you next time on Your Cyber Path.

Kip Boyle:
Thanks, everybody. Bye.

Jason Dion:
Thank you.

Winnie Yung:
Thank you.