The Cybersecurity Skills Gap: Finding the Unicorn | Cybrary Limited Series

podcast default

How do you get the job you want in an efficient way? Renee Small (Cybersecurity Recruiter), Will Carlson (Director of Content Ops at Cybrary), Jon Brickey (SVP of Cybersecurity at Mastercard), and Ryan Corey (CEO at Cybrary) talk about one of the most controversial topics in Cybersecurity - breaking into the cybersecurity industry.

In this episode of the Cybrary Podcast, our panelists discuss everything from assessing your skills to why it's near impossible to get hired in cybersecurity despite the millions of open jobs. As current recruiter and co-host of the Breaking into Cybersecurity Podcast, Renee offers a hiring manager and recruiter perspective to why skills are a critical element for professionals today. Plus, Jon Brickey and Will Carlson weigh in on the Skills Gap vs. Talent Gap debate - Are they the same thing, and are there really not enough qualified people to fill all the jobs needed?

From misconceptions and the continuous search for industry "unicorns", this episode uncovers the secrets to why people can't get past the interview process, and what organizations need to do to keep up with the evolution of technology today. Here's a hint, it's based on aptitude and potential..."You can't train someone to be more curious or passionate, but you can develop their technical and soft skills." With technology engrained in everything we do, playing catch up won't sustain this industry. Tune into the discussion and get a copy of data points mentioned throughout the podcast from Cybrary's 2020 Skill Gap Research Report:

Hosted by: Ryan Corey, Renee Small, Will Carlson , Jon Brickey
Length: 49 minutes
Released on: September 23rd, 2020
podcast default

Listen to the Audio

Watch the Video

Enjoyed this podcast?
Share it with friends now!


Ryan: Welcome everybody to the Cybrary podcast, really, really excited for today's show. We've got some special guests with deep industry expertise and knowledge and so we're going to go around the horn here and introduce those guests. I'll start off by saying that I'm Ryan. I am the cofounder and CEO of Cybrary, and have been doing this for five and a half years now and excited to be here, having this podcast with these special guests. So Renee, would you like to start us off with a brief introduction on yourself?

Renee: Absolutely. Hi, and thank you so much for inviting me. I'm really, really excited to be here. Cybrary is one of my favorite places so super excited to have this conversation with you today. I am Renee Small, Cybersecurity super recruiter, helping amazing cybersecurity talent get into opportunities and helping cybersecurity leaders hire great talent. I am also the author of a book called Magnetic Hiring, which has focused on cybersecurity hiring as well as the cohost of the podcast, Breaking into Cybersecurity.

Ryan: Awesome, awesome and Colonel Jon Brickey. How about yourself?

Jon: Oh, thanks Ryan. Just like Renee said very pleased to be here. I'm always happy to work with you guys. Jon Brickty, Senior Vice President in Cybersecurity, Vangelis at MasterCard and in that role, I also have the responsibility for Education, Training and Awareness.

Ryan: Fantastic. Thanks, Jon and Will I know who you are, but why don't you tell the rest of the world who you are?

Will: Yeah, thanks so much, Ryan. Thanks for having me on today. Really appreciate the opportunity to represent both you know, my 15 years in industry and IT and cyber security, helping secure workloads that industries of all sizes, particularly in financial services sectors have been involved here at Cybrary for a number of years at a number of different ways all across the stack, coming in as a, you know, a learner early on, coming into a mentor role, into an instructor role and now here finally realizing the dream and getting to come on full time as the Director of Content Operations here for cyber.

Ryan: Yep. That is you. That's the guy that I know for sure. Thanks Will and thanks again, everybody for being here. So we're obviously here today to talk about the big research report that Cybrary is releasing or when this podcast airs, it'll probably be released, The cybersecurity skills gap research report, which was a report based on roughly about a thousand different survey respondents from the Cybrary community. Cybrary's community is largely IT and cybersecurity pros and so it's about 70% IT and cybersecurity professionals that already work in this space and Cybrary has, as you know, roughly around 3 million registered users. So we have good reach and we got some really cool data on this and so again, the topic is the Cybersecurity skills gap. I want to start the conversation off guys by kind of posing the question of, you know, in your own words, in your own terms what does the cybersecurity skills gap actually mean to you? So Renee, I'll start with you if that's okay.

Renee: Sure, the Cybersecurity skills gap to me means truly a skills gap and not a talent gap and I think that those two words, think seem to be interchanged and from what I've seen and from the people who've come on our podcast and the numerous cybersecurity folks and folks who want to break into the industry. The question is really about the actual skills. I believe the talent is there. I believe it's not a talent gap, truly a skills gap, getting people to bridge that which I know Cybrary is doing, getting people to continue, be continuous learners, to get the specific skills that are needed, that leaders are looking for. So that's what it is and my words, like the real true skills that people, that leaders are looking for when they're looking to hire talent

Ryan: We're going to have a fun conversation today, Renee, cause you brought up some very provocative and I don't disagree with any other provocative stuff. I think it's super neat that you brought that point up so early on. So we're going to jump back into that because I'm gonna pull that thread for sure but Jon I'll turn it over to you. Cybersecurity skills gap, from your perspective,

Jon: Yeah.

Ryan: What does it look like? How does it manifest itself? That kind of thing?

Jon: Yea well, you know, it's, it should be expected cause this is a pretty new field and that's, you can just tell that by talking to people who are in the field and find out that very few, if hardly any of them came into this field knowing everything they needed for the job, it's not stagnant at all, it's constantly changing. It also means we're not going to find unicorns. You know, so you can say, oh, I really want this and you could have a whole list of all the qualifications they need all the knowledge. You're not going to find that. So we have to hire based on aptitude or potential that we see in folks and I think looking for people who are lifelong learners is a requirement. You have to find people who don't think they know everything and they're willing to learn as they used to say in the movie Stripes. You've got to find folks who have the motivation and are willing to continue learning.

Ryan: Really interesting point on that one, too, Jon. We're going to jump back into that as well, because that whole topic of finding unicorns versus developing people is a hot topic right now and I'm sure Renee over there kind of smiling and nodding her head.

Renee: Absolutely.

Ryan: You probably deal with that every day.

Renee: That's ridiculous, I mean.

Jon: I gotta change my views so I can, I'm Sorry, I got to my view so I can see you nodding your head Helen. Now I can see everybody.

Renee: Yes.

Ryan: Yeah let's hear it Renee go ahead. Let's just jump into that. That's great.

Renee: Yeah, you know, it's crazy because I see it all the time. I'm a recruiter. You know I have a cybersecurity recruitment company. We get, we see wrecks out there. We see job postings. We see laundry lists of requirements, some of them, one of the funniest things that I saw recently is, and I think it was a play on this, on LinkedIn. Someone had posted a job, a cool, a fake job description, but they said they were looking for, you know, AWS skills from 30, 30 years of AWS, you know, two or three PhDs, you know, Dev Sec Ops from, you know, 25 years. Just things that we know are not, it's unrealistic because it wasn't around. Where was Amazon, 25, 30 years ago? There was no AWS, you know, like all of these various things and one of the commenters and it really made me laugh out loud when the commenters said, Do lifetimes Matt, do lifetimes count, like if you have two or three or four lifetimes with the two or three or four PhDs that you're looking for in the unicorns and, you know, trolls and what have you, it's kind of ridiculous.

Ryan: Yea

Renee: and I get it well from what I've, you know, by doing, we've done over a hundred podcasts right now, I've spoken to so many leaders and then my people, my clients, the leaders speak to, they've talked about having this really tight budget and wanting to kind of squeeze everything into one, you know, or squeeze so many skill sets into one role, but what ends up happening is it turns candidates off because they either looking at it like, Hey, this person wants four people in one, or, you know, what do they really have going on in this environment that they're asking for all these different things or the leader doesn't know what they want? You know, it comes off the, I don't think that leaders fully understand what it looks like to the candidate. It looks really, really poor and it makes candidates question what exactly is going on out there. So, you know, I see it every day and have these conversations with leaders all the time around what are your top three skills that you're looking for? What can you train for? I'm a huge proponent for training for the skills, you know, kind of to the points that Jon made earlier, the continuous learning, you can't these new tools and technologies come up so often you need to have people who know how to learn.

Will: It's really interesting to hear you say that Renee. I know when I think about the skills gap, is a term that runs around you. There's some things that come to mind for me as polarizing and disappointing. I know from being in social media and, you know, somebody will mention the skills gap component and boy, it swings wide in opinion, right? Whether it, Oh, it doesn't even exist. It's all a joke. It's all and I think that's particularly disappointing to me because it speaks to a bit of a lack of understanding to your point, Renee, on the, this is really a skills gap scenario and then the employer side of that is it's exacerbated by employers sometimes in HR departments that really are looking for that unicorn candidate that just does not exist. So it's just really frustrating on both sides, right? So this business has workloads that they need to secure our data, our data, all of us on the call have businesses with our data that they need to secure and those businesses, the reality is they're struggling to find people to sit in the seats, to do the work of securing that data yet there are candidates that are so frustrated that they cannot seem to find a way to get into those seats so it waters down the discussion I think of the skills gap concept, and it makes it harder to advance filling that gap because we have very disparate views of what this skill gap really is and what it means that we can't seem to coalesce around the simple idea that businesses have workloads that they need to secure, and they can't seem to find people with the skills to secure them.

Renee: Absolutely, 100%.

Ryan: Yea

Renee: There's I hear it all the time, especially from the candidate side. I mean, we started the breaking into cybersecurity podcasts because Chris Follon and I had received so many requests for mentorship, for trying to break into the industry, for people who had Masters in Cybersecurity and quite frankly, I didn't even fully understand a few years ago when we started this. You know, my business is very, we're focused on, the, usually folks call us when they're looking for somebody that's really seasoned. You know, they have 10 years of experience or what have you and, you know, we're pretty seasoned folks and so when all of these entry-level or career changers started showing up in my LinkedIn inbox saying, can you please help me? And I was, I said to myself, what's the issue business big talent gaps/skills gap at the time, it was called by, you know, learning, hearing more about the talent gap and you have this degree from a relatively reputable university. Why aren't you getting at what, I was confused. And then connecting with Chris and Chris was getting the same exact info, my podcast co-host and we said, we want to create something where people can share what they've been doing and how they've been breaking in and Cybrary is, I mean, I keep saying this over and over, we would talk about you guy, you're, you know, you talk about Cybrary, like almost at what point every single time, because people kept talking about the training and how they would be breaking into the industry and how difficult it was and what have you, which was mind boggling to me. So we're seeing these numbers, these 3 million open positions and all this stuff and then I got this frustrating group of people, mostly young people saying I went, I spent this money on this master's and I can't get a job, what's going on with the entry level roles and it's it makes my skin crawl. Like I think it's the most ridiculous thing out there, so yeah.

Ryan: Yeah. I totally agree. I want to have Jon expand on that then Renee, because good points in there. I'm really curious, Jon as to this whole finding unicorns concept that you kind of threw out there, how does that tend to manifest itself? And then what does that, in MasterCard, in particular? And then what does that do? What are the downstream effects of that across the Org?

Jon: Yeah, so we're pretty fortunate because our main tech hub is in the St. Louis area and MasterCard's one of the larger brands in the area. So we can oftentimes poach from other companies and find somebody like, for example, as we get into more clouds, like, Hey, there are people in the area who've been doing cloud for other companies you know, we're able to do that for the most part but I personally experienced this when I hired, some security researchers in the past. I was asking for, you know, hands on keyboard. I wanted someone who worked in government operating against, foreign governments and I, you know, I just, these ideas, they need all these things in my, some of the members of my team gave me a list of all these skills and I struggled with it, I was reaching out to friends, friends of friends, friends, and family saying, Hey, do you know anybody? And in the DCRs specifically, you know, the answer was well yeah, but you've got to pay them a lot more. I was like, well, that's not, that's not in my budget to pay them this and the challenge I saw at the time was that a lot of the talent, for example, that exists in government, they are some unicorns but they're in that bubble of defense and that's fine with me because I came from that world. I want them doing what they do, but at the same time, they don't know what's out in industry. They don't know of the opportunities out there. So it's like we want unicorns, there may be some close to that, but they're not really interested in, they want to hold onto that clearance. They want to stay in that defense world and then one thing related that I was going to say is we almost create some of the problem ourselves too, because we have this You know, tool sprawl. So we've got tools that we use to defend our enterprises and we keep adding, adding, adding, adding, and we start off say you're going to buy a new firewall or a new deception capability and you're like, Oh, I'll just use you know, existing people to do this and then you realize that, wow, shoot, I need someone with knowledge in this and like, maybe I need somebody full time to do this and you've got to go find someone, you know, you want someone with three years experience in this and it's, sometimes these capabilities are really new and it's just, it's really hard to get people who have the right experience so you have to compromise, you have to say, okay, I'm willing to do this and part of that compromise is okay, what do they absolutely need? And what can we develop them in, how can we bring them on, I'm doing this right now with another position where I'm like, okay, I really want this, but they gotta have some of this. So they're going to have to use Cybrary, for example, to get up to speed in these other areas that I need them to, you know, to catch up on.

Will: Jon, do you think, I wonder the velocity of change with tooling and industry shouldn't, that be driving employers to be looking for candidates with skills over tool experience.

Jon: It should you're right but, I think, and I can't speak from a lot of experience on this from my current position, but I think the people who need, they get fixated on, I really need someone to make that thing hum, like if it's a new orchestration tool, like I don't have time for, to train somebody and I don't have anyone to train this person like if you're just now implementing an orchestration tool, you kind of want someone to step in on day one and, you know, be well oiled and running. You don't want them to come in on day one and then crawl, walk, run.

Ryan: Yeah. Jon insights to that point in some earlier research that we performed or that we did we found that most managers believe that it takes about 6 to 12 months to get somebody operationally efficient in their work role, in this field, in cybersecurity space. but then the average turnaround time of a cybersecurity professional is 18 months because they're so highly sought after it's like terribly inefficient, which I think is neat for the Cybrary product is to be an onboarding tool for organizations, but I do want to, and I know we've kind of ignored some of the stats from the reports. I promise we'll get there, but this other neat topic here of talent versus skills gap, right? So we've heard the anywhere from 2 to 4 million unfilled jobs in cybersecurity, we've heard those statistics for years now. We've been talking about it for years and years. That's one thing, skills gap is a very different thing on its own. Skills gap, being more of an existing team and where do the holes lie? Is that kinda how you define it, Renee? In terms of that whole talent versus skills, and you also said that you don't necessarily believe that we have a talent gap. I'd love to get your opinions on that.

Renee: Yeah, for sure and I do, you know, skills are very specific, so it's what a leader needs, what the team needs, you know, so yes, there will be skills gaps in pretty much any team across any industry and that's another thing that I could go down a rabbit hole on with cyber security people thinking that they are God's gift to, you know, humanity and I love us all. I love you all, but just like we can train all other types of people. We can train people into the right cyber security professionals. so from a talent perspective, yeah you have people who are bringing their talents. They are. And I could give a number of examples of people who I've been actually talking to who, leaders that I've spoken with that have had people, and they've transitioned them into new roles and that's one of the things that we're focusing on right now, but when it comes to talent, you know, one of the, I spoke with a CSO probably about a year ago and I met multiple of them and asked them questions around who. Tell me about people who you've transitioned into security. So talk to me about folks that you put through some kind of training program and then on the other side, they came out as security professionals and what types of people were they, did they have degrees? Did they have, you know, like their educational backgrounds and things like that? One of the, the, probably the two most common that I've heard of were help desk professionals who typically do not have College backgrounds and college degrees and admin of administrative assistants, executive assistant secretaries, folks that fall into that administrative space that have been trained into becoming cyber security analysts and this is obviously at the, you know, the more entry level and it all goes these are talented people. They were doing great jobs at what they did. They were very attentive. They had attention to detail. They knew how to respond quickly. They were calm at their roles. They understood how to make their leaders look great. All of these different things that people already have, and they brought to the table and a leader saw that in these people and said, Hey, you might be a great analyst or the person, you know, reached out to the leader and lo and behold, they can be trained for the skills that were needed and then transition into these other roles. So I definitely see a difference when it comes to talent versus skill, skills is very specific. It's like, what do you need? What can I train you on? And leaders say this to me all the time and Jon Paul is going to chime in and say something as well, they're like, we want passion. We want, you know, you can't train for that. You can't train a person to be passionate. You can't train a person to have like this instinctive curiosity. They want to dig in and find out what's going on. Those types of things. Those are talents that people bring to the table, the skills, you know, learning AWS or learning, whatever new hot thing comes out that can be taught. So those are the two, you know the, where I see where people say talent, because again, so many people are out there. They've gotten degrees, they do all these different things and quite frankly, the constant reskilling or upskilling and taking training and which we saw in your report. There's so many people who have just gone and they do it on their own because they want to stay ahead of the curve. They want to be relevant, stay relevant. Stay ahead when it comes to security. So that's my take on skills versus talent.

Ryan: Jon,

Jon: Yeah.

Ryan: any thoughts there or anything on how it applies in your organization?

Jon: Yeah, well, I have one more kind of area or job specialty to add to that. So the MasterCard we used to have separate physical security and cyber security. Organizations and workforce and a few years ago, when my CSO, Ron Green took over, he came from a physical and cyber background with the army secret service and financial sector. So, he combined those and we had several people and we still to this day have this happen where we have people come over from the physical security side into cybersecurity and of course there's a technical hurdle there, but they already have, you know, some of the competencies, they already have some of the qualities of like being aware of things and being suspicious and some of the things that are already going to set them up to be successful in cybersecurity, investigative skills, for example. So that's just one area where I'd say people haven't thought about that or if there are people listening who are in the physical security field today, you've already got a leg up towards the cybersecurity world as well?

Renee: 100%. I wanted to add that to Jon's point. That's exactly what I've seen to physical security. I've talked to someone who was a private investigator in the past. Easily transferable, because you're already thinking about, you know, one of the bad guys looking for, how did they get into a building? How do you do these, all of those types of that background already is, so transferable to cyber.

Jon: Yeah. Dealing with evidence, questioning, you know, all those there's insider threat in forensics investigations there's a huge in even audit compliance. There's a lot of skills that are directly transferable.

Renee: I mean, I can talk about

Will: Sorry Renee, go ahead.

Renee: Yeah, the insider threat piece. That's one of my favorite areas because I was actually brought into security from HR and as soon as I got to talk to, I was in a threat vulnerability management space and as soon as I got there, my CSO at the time, you know, had me doing these threat briefs and every time I did research and presented it back, it was about these insider threats and I would go back to him and say, why aren't you all connecting with HR? Why aren't you doing investigations? You know, what's going on with HR, and no one else there even remotely thought about it but yeah, I was thinking, I know the disgruntled employees, I know where some of the bones are buried. You know, like what's going on here, you know? And it's so it brought that different diversity of thought, which we talk about again, a lot on our podcast, but diversity of thought where you're bringing in people to your point with the physical security people already having their hat on that physical security hat on, the HR person come in thinking, Oh, these investigations are this or, you know, we see stuff that may not, you know, might not trigger a thought from another engineer or something like that. So it just goes to show there's so much talent. There is a lot of talent.

Will: It's interesting to me when to talk about the difference between the talent and the skills gap and that so many folks that I talk with as a mentor in industry, they think that it's the same thing. They think that I went to a university, I got my master's degree, I'm talented, I'm capable. Why can't I get hired? And I think some of the connective tissue is oftentimes missing and that they don't realize that just because I've done those things doesn't necessarily mean that I offer an employer any skills whatsoever and notwithstanding the finding a unicorn, but just having somebody that, you know, Jon can bring in on day one that can actually sit down to a keyboard and not know alot about a lot of things, but operationally do something for the organization that they're joining today. That to me is a skill and that's, I get it. There's a lot of frustration because there's a lot of ways that we sink in this space that we can learn and earn those skills. you know, I, again, I have this master's degree, I'm ready to go, right? Well, Maybe,

Renee: No.

Will: Maybe not. What have you done? What can you do for an employer today? And to me, those are skills and that's really where the gap is at. We have a lot of people that know a lot of things, but the skill is where the rubber meets the road and where you apply that knowledge that you have in your head to actually operationally accomplishing something in your workplace.

Renee: I agree 100%.

Ryan: Good, yeah, good discussion there for sure guys, it's something that we think a lot about here on the cybrary team but I want to throw in here. You know, this skills gap that exists in organizations, it manifested itself on, from the research that we did where 65% of IT and Security Managers agree or strongly agree that these skills gaps have a negative impact on their team's effectiveness. 65% seems like a pretty big number. Jon, does that shock you at all? Or is it something that you've seen? Thoughts?

Jon: From my personal experience, it doesn't shock me but I mean, just to give you examples, I mean, sometimes like we're looking for someone for a certain role and we may be create, like when I created our security research team, I created that role from scratch and you can't go to the NICE workforce framework and find a security researcher there. I tried, there's security. There's a research developer, which is somewhat related, but you know, a lot of people would say security researcher is a unicorn. So I knew going in there that there would be some gaps, but another area that you often times find gaps is like, internal, like cybersecurity training. You know, you may be looking for a teacher or someone who's been in education or training in the back, in the past, but what are the chances they actually actually know the technology? What are the chances they'd know about phishing campaigns and how do you put together effective training for you know, cybersecurity experts so it doesn't surprise me at all. I think that there's just, there's so much breadth and depth to this field that, you know, managers should expect there to be skills gaps.

Ryan: Yeah. When I think of skills gap, I go, you mentioned it there, Jon. I go to the NICE framework. In mind because the NICE framework has done a pretty good job, a really good job of identifying like the different roles across the technical organization and then what should those people in those different roles have from a cyber security skill set standpoint? I think that you know, the Cybrary business product is one that's designed around that because we want to make it easy for people to be able to assess the skills that they have on the team and then sort of help to fill those where, you know, where the voids are.

Jon: Yea your right too.

Ryan: You, you're involved in the nice framework too, right?

Jon: Yeah, yeah, I should say I didn't mean to disparage the framework at all. I'm the industry chair for the NICE working group, the nice workforce framework and those number of roles, workloads have been expanding. There are 52 work roles there, where we're changing the futures, we're focusing more on competencies. We're also making it easier to use. There are tools out there from DHS, and there's a Cyber Austria website as well. That helps you just plug in a work role and it takes the nice workforce framework and it gives you like two pages that really spell out what are the knowledge, skills, abilities, and tasks that I need for this role and obviously 52 work roles, you can't cover every possible work role, you know, there's all kinds of statistics out there saying that our youth today will be working in jobs that don't even exist today. So one day in the future, there'll be, well, we'll be adding new work roles and that's constantly a changing document, but it is a great common lexicon and you had you and I've been taught about this for probably more than three years now. I was, before I was even working with NICE. I said we've got to come around a common framework so that we can talk the same language and I think the NICE workforce framework is that common lexicon.

Ryan: Yeah. Yeah, absolutely so Renee, do you use, do you think about the NICE framework at all when you're assessing a candidate and then also second part to that is how much is assessment? How much does assessment play a role in the job that you do?

Renee: So I do look at it and I encourage a lot of leaders to look at it because what I've learned is that they don't know. They're not looking at the NICE framework as much as you know, it would be nice to do so or for them to do so and what was the other part of your question? I'm sorry.

Ryan: Do you use assessment at all?

Renee: Oh!

Ryan: In your process

Renee: Yeah so

Ryan: How much of a challenge is it or, yeah, that kind of thing?

Renee: Yeah, for sure. So it depends, it really depends on the organization that I partner with. I have seen assessments go one way or the other so sometimes they're ruling folks out, especially some of the psychological ones of roles that I don't know if they should be used as so much of, I love assessments. I think they should be a part, a component, but sometimes some leaders who not be as well versed, will use them to rule people out, which isn't, you know I'm not really a fan of, but when it comes to technical assessments, yes, you utilizing those in some roles is definitely something as used and I think it would be nice to use more of them and more organizations to be able to use more of them, just to see where people kind of fall on the spectrum and again, When the person doesn't come with, you know, the known, you know what Will talked about earlier when he said a leader, having someone that needs to do the thing. That's what I think about when it comes to assessments, being able to, and I tell the people that too who tend to be frustrated and say they have this degree and what have you, every lead I've ever spoken to experienced Trump's degree every day of the week, because they want someone that could come in and hit the ground running and do the thing that they need done. Not necessarily know about it, theorize about it or whatever. It's like, we need, we need fingers to the keyboard to be able to do it and I think assessment and using more assessments would be able to assess more people for that.

Will: I think it's interesting to hear you say that Renee and that, you know, assessments to exclude people because where my, my head tends to go when I think of assessments in regards to skill gap is I have this team, but I don't know necessarily how operationally ready we are to do all the things before us. So in a team growth perspective of, there's it's totally possible to have a skill gap on my existing seated team. I may be completely staffed out and still have a skill gap that puts my organization at risk that I might not have visibility to. So being able to assess those things as a manager, I mean, Jon I'm sure, how much time do you have to really sit down and think of, well, you know, I wonder what my strong suits of the team are and where I need to shore up and that's a really interesting when we talk about skill gap, we tend to talk so much about all these vacant seats, but there's a skill gap most likely within organizations that are seated that put all of our PII at risk every day.

Jon: Oh, totally, totally agree with that and I've got firsthand experience with that as well and it covers all sorts of areas. So it's not just some of the technical skills, but some of the softer skills like business writing and communication presentations, those sorts of things and I think it's probably more common in cybersecurity to find a lack of some of the soft skills but yeah, definitely you could have all of your positions filled and still realize that there, you're missing and I think we don't use assessments enough. I would like to use it more for as Renee said, kind of assessing people as they apply for certain positions but also understanding that not everyone tests well, I'm a good example of that. I won't mention my SAT scores, but also once you're in the position Will, as you're talking about, getting assessed and we do it in all sorts of areas, we assess risk all the time. We assess a lot of other competencies across the enterprise. I don't see why we shouldn't assess risk. Now. I will tell you what the HR response, at least what I've heard in the past from some HR folks is that they are concerned about how the assessments are used for bonuses, for compensation and other things. So that is an area of concern for some HR folks. I would love to find a way around that to figure out a way to make it work for us, because I think it's important for developing our staff.

Ryan: Yeah, no doubt and I think that, you know, the future, the past is kinda been like certifications, get this certification and boom, you're ready for this job and that kind of thing and that's always been to me just so inadequate, just completely inadequate and the opportunity to assess one's skills and then to provide them with a pathway that shows them what their next level of self can be, it's, you know, Cybrary is working every day to make that a reality and the product kind of does that. Obviously we'll be better at it in the future, but that's the real way to kind of get people where they need to go is just to show them a path and show them, show you where your, the holes that may need to be filled for you to get there.

Renee: I think.

Ryan: We also know that our, go ahead, go ahead Renee.

Renee: No, I'd like to add that I think that specifically assessing people internally, because from my perspective or the ones that I get mostly on the hiring side, not on the internal side and Jon made a good point about internally where me, I used to work internal in HR so I totally get what he means with the HR potential pushback but it could be so useful, like looking, taking an assessment and I've done a ton of assessments because in HR, we tend to do a assessments with each, on each other a lot and just like, you know, things like Myers-Briggs, the soft skill ones, and what have you and it really tends to give you a glimpse of where you are best suited and so, you know, if you're trying to be, for example, a generalist but your skills or what's assessed really shows you as an individual. Like, I should probably more be a specialist like I have this knack for this one thing. I think it's important for it, employees themselves, not only for the leadership and you know, the skills and things like that but to, for self reflection so you can see like, okay, instead of going this path of being a pen tester for example, Oh, I might be better off being a researcher. Like I might be, you know, that may be the better fit for me. So using assessments just as a whole, especially internally and relatively frequently would be a great thing to do.

Will: Now, Ryan, you mentioned giving people a path and I think one of the words you use to describe it was efficiency and I know for me having been a mentor on the platform for so long, that's really something that people in the market wanting to break in, or even in the industry are looking for, is, how do I go about accomplishing my goal, whatever it may be, the next position, the next promotion breaking into the industry. But how do I do that as efficiently as possible? So how do I get efficiently to the point that I'm yielding the results that I want and I have the skills that I need to go forward and I just think that efficiency is such a big component of this that not only is good for people breaking into the industry, but it's also good for industry as well. So everything that we can do to shore up people's efficiency to go from where they're at today to filling a seat operationally and doing a skill for an organization is, I mean, those things are huge and there's a number of ways to do that and we talked about today, right? I mean, assessments is one of those that makes me more efficient. Where do I need to spend my time and efforts? Give me a path, help me see where I need to go. Give me an industry awareness and help me efficiently get from where I am to where I want to go so I think paths are so important and efficiency is a huge component of this as we look to address the skills gap is, we can't wait for this to take 10 years to begin chipping away at it. I mean, the pace of change is just so fast when we look back and think how old is the internet, yet how many people in the workforce today have ever had a job where there was not a computer on their desk? I think. When we look at our own lives, technology is so ingrained in everything that we do. It's in our cars, it's in our homes, it's in our pockets yet we're playing catch up because the pace of development in velocity and feature set was the important metric for so long. Now as organizations, right, MasterCard's trying to facilitate all these transactions worldwide yet we're doing it over infrastructure that was not ever really designed to be doing it, and we're having to find ways to secure it. So it's no mystery that we're playing catch up, but I think we've got to find ways to play catch up as efficiently as possible or it's just going to take way too long.

Ryan: Yeah, yeah. Okay. So I'm going to do a, get a final statement on the table here and keep in mind that I can't answer this because I'm completely training biased, given where I work and what I do, and Will's probably same way but our research found that in this post COVID world, 22% of organizations are cutting their training budgets, 16% of these of organizations have no training budget at all, is that irresponsible?

Renee: Absolutely

Ryan: Renee.

Renee: 100% I mean, in this environment, right now when there's an uptake in job postings, there's an uptake in people needing cybersecurity talent, there's an uptake in hacking. There's so many things going on with zoom bombing, and schools and so many people who have not been traditionally remote and working from home and having computers and laptops and their children getting on their work laptops. So many different things happening. It is irresponsible to not be training your staff, to be training your cybersecurity staff, your non cybersecurity staff. It is ridiculous and to be frank, like you're just opening yourself up for more potential vulnerabilities by not having all of these humans that are sitting at home with laptops and little children and people who don't have, just overall it is, it's irresponsible.

Ryan: Renee, I'll send you an endorsement check later okay.

Jon: I agree. I was just going to say I hear on so many different meetings these days, not necessarily within my company, but across companies. I was in one yesterday with about 40 CSOs and people who work for CSOs, talking about, asking what hobby have you taken up during the Coronavirus? I don't have time to think about hobby. However, a lot of people apparently do, and I think it would be irresponsible to not take advantage of this opportunity to upskill and to, you know, jump on to Cybrary or use other resources to get up to speed. So I think that, this is you know, with all the downside to what's been going on, I think a lot of people have had more time to think about, well, what do I do with this time? Now we during normal times in the office, like to give people time during the week for training, they can train on whatever they want. We want it to be, you know, of course, related to their jobs, but they can look at new areas of cybersecurity and it can be tough when you're in an office environment and people are constantly stopping by your desk and you just can't free yourself, but maybe now people have more opportunities to block off time. I guess they can just not answer their calls for a couple of hours and go do those kinds of things. So for companies to not maintain investments or to even to not increase investments, I think is irresponsible and we owe it to our employees, but to our organizations, we, I mean the adversaries aren't cutting back so we gotta, we gotta keep up.

Jon: Yep. Yeah and Jon, that doesn't surprise me that you guys do that. I didn't know that about MasterCard, but it doesn't surprise me cause I know that you guys are pioneers and out in front of the cybersecurity landscape, so that, that's good. Good on you guys. It does go against the trend so you're aware 48% of respondents in our survey said that they have to get their training on their own personal time, so that's the thing and only I believe it was 25% of the respondents yeah, only 25% of respondents get training on the job so against the trend there, that's really cool.

Renee: It's unfortunate because what I hear from candidates all the time and it aligns directly to the survey, is that what makes then wants to stay at a company and, or leave a company? One of them, and I believe it's number one is training, staying up to date. It typically isn't salary,it typically is, it has something to do with gaining new skills, gaining more training. The company being supportive, sending them to conferences, all of that. That's like such a huge component with employees as a whole, wanting to either move to a new company where they're getting more of a training budget or stay at their current company. So it would behoove leaders, leadership, the companies, whoever overall to encourage more of it, give people time the way Jon is doing with his team. It's just, it works for retention purposes. I mean,

Jon: I take that even further. So right now, so I know this is not possible with a lot of companies. There's still a lot of uncertainty when it comes to balance sheets, but you know, a lot of companies have eliminated or significantly reduced travel budgets to cover other areas or just to cut back in general, but I've encouraged my team to do virtual conferences. So if there's a conference fee, okay, great. We're going to spend still a 10th of what we would normally spend. I just had four of us just that attended a big conference this week, and I was really glad for them to have that opportunity because I know I've heard the gripes, I've heard people talk about how they don't get development. They don't get opportunities to train and go to conferences. They don't get to you know engage in training. So I personally tried to make that available and we try to find opportunities across the enterprise as well.

Renee: And I think it's more so in the security space. So I've recruited for technology for almost 20 years in all different capacities, in security, more so than people who are in, you know, project managers and developers and all this other stuff, in security more so than ever going to those virtual conferences and you know pre-COVID, non virtual conferences being a part of the community, being a part of the group who knows what's upcoming, you know, it's always like what's next, what's next. They always, the security professionals, everyone I've spoken to it's always about forward-looking so having that training and having that consistent you know, what, you all have done, Jon, having that consistent training budget and being able to look at, like you said, your budget and say, okay, well we, you know, we'll take them the potential funds that we would have sent two people and now we can send some people because it's now now virtual. Things like that are just so very important.

Will: Now the cybersecurity professionals that I talk to are by and large, exceptionally mission minded people that have a high sense of altruism and just wanting to accomplish the goal. So being able to pour back into them, keeps them committed to the goal and let's be frank, I mean, everybody on the call, this is not, CyberSecurity is not easy work. This is not something that you stick with if you pick it up tomorrow out of the blue and go, you know what I think I want to do cybersecurity. I mean, there's the people that really go far and do so well in this area are brought in. They are pouring themselves into this so for them to have an organization that pours back into them and gives them the training that they're looking for and the community that they're looking for to improve themselves. I think that's a big part of the reason that's so appealing to a cyber security professional is because of their mission minded approach to so many things at a task that seems almost Herculean and so difficult to accomplish day to day.

Ryan: Yeah, yeah well said and all of the great points here. This has been fantastic content today, guys. So, I appreciate you doing this Renee. Where can interested parties get in touch with you?

Renee: The easiest place where I'm at probably more often than not is LinkedIn so you can reach out to me on LinkedIn. Renee Brown-Small is my LinkedIn address and we're on there doing live streams and helping cybersecurity people connect so.

Ryan: And then the name of the podcast, again was?

Renee: It's called Breaking into Cyber Security.

Ryan: And you can find that anywhere? You can find it

Renee: You can find it on iTunes, YouTube, LinkedIn, we do a LinkedIn live and then we stream to YouTube and we stream to and then we download it. It's on iTunes. It's anywhere you can find podcasts.

Ryan: Perfect, perfect and Jon, where can people find out more or great candidates apply?

Jon: Yeah, fantastic. I was going to say, we're always looking for talent, even if you don't have all the skills and we of course have Cybrary as a partner, so we have a plan to help bring people up to the skill level. So, I would go to to find our available positions, we've been hiring throughout the pandemic and we're looking forward to recovery and to hiring more in the future. People can always look for me. Uh, Jon Brickey PhD on LinkedIn.

Ryan: Awesome, awesome, very cool. Alright, well, Renee Small, thank you very much for your time, Colonel Jon Brickey appreciate your time as well and then Will Carlson, you as well. So this has been really awesome guys. I really appreciate it.

Jon: Thanks.

Renee: Thank you.

Trevor: Take care of yourself.

Ryan: Cybrary out.