The Cybersecurity Skills Gap: Is it Real? | Cybrary Limited Series
"There's not enough cyber talent." "If I train my employees, they'll leave for better jobs." "We need to find a unicorn - only candidates with 30 years of AWS experience should apply." This episode of the Cybrary Podcast is packed with long-debated and controversial topics, from skill gaps in organizations, to upskilling employees, and even misconceptions from management on who should be hired.
Cybrary's Chief Product Officer, Trevor Halstead, and CEO, Ryan Corey sit down with Naomi Buckwalter, Director of Information Security & Privacy at Energage and Ron Gula, President and Co-Founder at Gula Tech Adventures to bring into view mind-blowing stats from Cybrary's newest survey report. Some big hitters touched on by our panelists are diversity (or the lack of it) in cybersecurity, having a skills growth mindset, using cybersecurity as a business enabler, and in a current/post-pandemic world, the criticality of IT and its role in cybersecurity.
There is so much to unpack in this episode, so jump into the discussion. Download Cybrary's 2020 Skill Gap Research Report here: https://www.cybrary.it/business/resources/cybersecurity-skills-gap-research-report/
Ryan: Welcome to the Cybrary podcast. I'm Ryan, I'm the CEO and Co-founder of Cybrary and I'd like to go around the horn and introduce the team that's going to be joining us in this skills gap report podcast that we're doing today so why don't we start with you, Naomi.
Naomi: Alright, hey guys, I'm Naomi Buckwalter. I'm from Philly. I apologize in advance for any sports issues that we might have here. I've been in cyber since 2006. I am a 12 year veteran of Vanguard and I swear, I started learning all things cyber and I fell in love with it way back in the day. Right now I'm the Director of Information Security and Privacy for a midsize firm called Energage. We do HR technology and I lead all things security and privacy and compliance, all the fun things.
Ryan: Awesome. Really glad to have you, Naomi. Thank you. Ron.
Ron: Hey, how's it going? Glad to be here. My name's Ron Gula. I'm the President and Co-founder of Gula Tech Adventures. We invest in great cyber companies like Cybrary. I had to buy my way into this podcast, right but you guys are awesome. Doing a great service to the country and folks who want to get into cybersecurity. I also spend a lot of time with nonprofits, other cyber companies and before that I ran Tenable Network Security so I know a little bit about vulnerability scanning and managing risk.
Ryan: Awesome Ron, thank you, Trevor.
Trevor: Hi there everyone, Trevor Halstead. I'm the Chief Product Officer at Cybrary. I've been with Cybrary for about five years now and have been working with Brian and Ralph to really help grow the business and today we oversee product content and marketing holistically and building a comprehensive solution to take to market to both consumers and enterprise organizations.
Ryan: Thanks Trevor, so guys today we're here to talk about the report that we recently ran and just the general topic of the cybersecurity skills gap. It's a topic that's obviously widely talked about. Cybrary's mission is to actually help to close the cybersecurity skills gap. We don't think that that's something that is necessarily ever completely closable but there are ways in which the skills gap can be filled and that's what our mission is as a company. So we in speaking out that mission, Cybrary did a great job of putting together a really interesting report called the cybersecurity skills gap research report and we had a lot of very interesting findings, some of which we'll talk about today, but I want to start kind of just more broadly by defining what we kind of think of as the cybersecurity skills gap. So Ron, I'll start with you when it comes to cybersecurity skills gap, what does that mean to you in your world and where you work and the people that you talk to?
Ron: So I come at it from two different angles. So, you know, one, you know, I spent a lot of time with policy makers in DC and just, you know, folks who are trying to think about how can I, you know, hire my team and they always throw on big numbers, millions and millions of people out there of jobs that go unfilled and it's kind of hard to put some truth to that but you guys surveyed about 800 people, you know, we can call it a thousand in marketing speak right. And it, but this is real data so I'm looking forward to talking about those but then the second thing of course is, yeah, there's this perception that I don't have enough cyber talent, both maybe at my board level or my senior management level and also people working in IT so I think this report does a really good job throwing light on both ends of that spectrum.
Ryan: Great, thank you. Naomi, how about you when it comes to cybersecurity skills gap, what does that look like? How does it manifest itself in your world and the people that you work with?
Naomi: Well, I'm in a mentoring space in my current role. I actually talk with quite a few people who are looking for jobs. I've talked to you about three or four dozen just within this pandemic few months, and I'm hearing the same thing over and over again. It's the saddest thing where they're applying to, I want to say dozens of jobs, hundreds of jobs and they're not getting interviews and these are people from all over the world, all over different parts of the different industries you know, manufacturing then we have software, education, everyone's saying the same thing. They feel like the job openings are fake or they're just looking for unicorns that people, just, these people don't exist. The, just couple issues where the skills don't match what the hiring manager is asking for or looking for or on the other hand, they really just don't even know, you know, what they're even doing wrong so they're doing these, they're trying to get these interviews, but they're not even getting feedback so there's kind of like that mismatch where I don't even know if I'm getting interviews or not interviews because I don't know if I'm not filling in the right gaps that you're looking for so it's, you know what I mean? It's like, it's definitely kind of a two way street where the person looking for the job isn't possibly filling the role, but also the hiring manager doesn't really know what they want so it's kind of all over the place. It's a mess.
Ryan: There's a lot of roots in this problem here for sure. That's what that sounds like and Trevor, how about when it comes to like our customers? What does cybersecurity skills gap kind of mean to you?
Trevor: Yeah. One of the things that I think we're really finding is it means that these teams aren't operating as efficiently, effectively, or confidently as they really should be, as they need to operate and it, as we talked to a lot of customers, one of the things we continue to hear is that the skills gap is leading to a lot of organizations having blind spots and really understanding what skills they are strong in and where they're weakened and oftentimes it's leaving them open and vulnerable and putting their business at risk and it continues to be a really challenging thing as they want to look for unicorns. They have team members, but they're not investing in filling the skills gap with the team members on their own team as it is so it's just a really interesting challenge that it doesn't seem is being tackled or solved in the traditional way very well.
Ryan: Yeah. Good points there. I think, you know, from us too like, skills gap really exists on both sides of the table. Naomi made the point about how, you know, the hiring managers aren't necessarily finding the unicorns that they're looking for and so the jobs aren't getting filled, but then you know, it's also that the skills gap exists on their current team as well so you have people, you hired people hopefully they're good folks and being productive for you, but even in an individual skill set, how are you sure that they have all of the skills they need to be most properly defending the organization or most effectively defending the organization so, and that actually manifested itself pretty well. Those problems manifested itself pretty well from the survey that we ran where 65% of IT and security managers agree, strongly agree that these skills gaps have a negative impact on their team's effectiveness. So I found that to be pretty surprising, cause that's a high number and that means that there's a lot of lack of competence out there, but Naomi, does that shock you at all? Do you think it would be higher? Is it normal? What do you think?
Naomi: Yeah, that doesn't shock me. That's a pretty high number already and just anecdotally, that's what I'm hearing in the fields where I'm having people from all over their career path, either junior or senior, mid-level, they're all running into the same issues is, they're just not getting interviews and, everyone's talking about the cybersecurity shortage and you know, if that is true, why aren't people hiring? Why aren't people getting interviews? So it is indeed frustrating. Those numbers definitely don't surprise me.
Ryan: Ron, how about you?
Ron: and the numbers?
Ryan: and the numbers circle. You run in.
Ron: Yeah, the numbers don't surprise me at all and I mean, we've invested probably directly in about 25 different, you know, cyber product companies and a lot of times you can just see this reflective in their, the people who are testing and implementing the products, right? Basically you can see delays, you can see projects get canceled, and you can see that and for simple things like waiting on spam ports, waiting for permission to install something. So I really feel that this industry is under invested and I think from an HR point of view, this reflects that, you know, very, very accurately.
Ryan: Gotcha, Trevor, you clearly listened to a lot of customer pain from phone calls, user interviews, and so on. How did that sort of statistic take you.
Trevor: It's an interesting challenge as we talked to a lot of customers and they talk about, as Naomi mentioned, not wanting to hire, that we continue to run into organizations that also don't want to invest in their people, which we find as a big head-scratcher. They will admit that they have skill gaps that it's hurting the organization, but they are also nervous to train their own people at risk of them leaving and so we sort of have this vicious cycle that seems to be in motion here that we just seemingly can't get out of and so not, did not shock me too much.
Ryan: Naomi, How do you think about that and Trevor's response to that interesting point of train your people and they might leave because I've heard that on several customer phone calls and interviews and so on.
Ryan: What are your thoughts on that?
Naomi: Yeah, it's a real risk, I mean, but that's, you want to work with people that are great and excellent and if you train the people into the person you want to be there's always that risk that they're going to leave, but if you treat them well, right, there's that quote by I want to say it's like, not Bill Gates, but the other one, Steve Jobs, maybe, maybe not Steve Jobs, but if you treat them well, they're not going to want to leave, train them so they can leave, but treat them so they don't and that's so true that axiom is so true. Pe, be nice, be kind.
Ryan: So, I guess we just took away the fact that we, if we ever need a job, Naomi is a good person to work for. That's good. You're in the right camp there.
Naomi: I think I'm a good manager, yeah I think so.
Ryan: Okay, good, good, okay. So nearly half of the respondents in this survey said that they train on their own personal time and that's the only time that they train also only 25% said that on the job training exists for them. So there's a void somewhere in there. So Naomi you're in the role now does that surprise you? And you know if so, how does it look in your organization and how do you tend to treat the sort of training and addressing people's skills, growing people's skills?
Naomi: Yeah, 25%. Honestly, it was a little high for me just hearing that number because we don't have the time. 25% of my time. Is that, was that what the number was? I have 20% of my time. 25% of that. What was that number?
Ryan: No, it was 25% of the respondents only gets, they act, only 25% get on the job training.
Naomi: Okay. That makes a lot more sense because I was thinking I'm like, I don't have that much time. Yeah, I mean, it, it depends on the size of your team, right? So if it's just you or three other people there's not going to be enough time for you guys to take a day off or take a week off, just go to SANS training or whatever that looks like now in the pandemic, but the issue still exists. We just don't have enough resources. We don't have the time, money or people to do what we need to do on our day to day lives, where you know, other than just going out to do training when we can, if you do do training, it's gonna look like on your own time, on the weekends, definitely reading books at night. So you know, that's, I feel like that's the struggle that we've always had as an industry and it really hasn't changed, unfortunately, under-invested who said that?
Ryan: So yeah.
Ron: Yeah. So when I got into this industry, you know, 20, 20 plus some odd years ago, I mean, we had to train ourselves. You know, there were no books on pen testing. You had to go read books on SNMP and Novell networks and kind of figure it out, you know from there. Now, you know, the issue is there's so much published, you know, just watching the videos of the conferences that are out there, watching a great podcast like this, listening to it, reading everything. It's very, very disheartening. There's definitely this huge concept of a fear of missing out, you know, what am I missing out? So the really, really good people tend to self teach. They teach all the time, they never stop and you know, the good ones don't burn out, the ones that burn out, you know, kind of stop trying and trying to play catch up with everybody and in many ways you can never catch up with everybody. There's not enough time in the day to do that and then the other aspect of this is that a lot of organizations that do cybersecurity are very technical and stereotypically, they're not great managers like Naomi. I mean, they are maybe just managing by numbers. They're not thinking about constantly recruiting, constantly working on budgets, constantly leadership development. There's a lot of other soft skills that come to managing a cybersecurity organization and if they're failing it, that it's not a great place to work. As we said before, you're probably going to not be able to recruit, not be able to grow your team so that's definitely very much again, reflected in the statistics, I think.
Ryan: Yep. Great point. Trevor, anything to add there.
Trevor: No I think just looking at that statistic at least about nearly half saying they train on their personal time. At least it's apparent that the professionals are, we're dealing with professionals that are clearly motivated and willing to invest on their own time, which is good, obviously good to see. We'd love to see that number higher and it's to Naomi's point, it's disappointing that more organizations can't invest more time to make that happen, but very aware that the teams are extremely busy and that can be a struggle and so yeah.
Ron: Along those lines, Trevor, I spoke with the CISO just today and I was asking him about this and he basically said, look, I don't know when I get worried more, one of my cyber, you know, people take some courses in an MBA or they take a course in a technology that we don't use here, You know, either one could be like the signal that they're leaving or they're going to be totally committed to like, you know, the next generation stuff at this organization.
Trevor: I do remember speak, we spoke to a SOC team a little while back and one of the things that I thought was extremely compelling about how the SOC manager was thinking about this was he expected that his team was going to matriculate and he was excited and happy for them to do it and so his mindset was how do I create a scalable repeatable program so that as I get new people in, I can get them baseline leveled up and continue to put people through this cycle so that I can be happy to see somebody leave and I'll get another talented person in and I know I can get them trained up and so I think there are these people out there that are starting to think about this problem in a different way and come up with more creative solutions to really embrace what the problem is and start thinking of solutions that can really solve for it.
Ryan: Good point, good point. We've seen a lot of that really from the SOC managers and directors of IT and so on for sure. So 62% of the respondents guys in this survey said that they prefer online which Naomi brought this up earlier, but, if I can get you to elaborate Naomi, on what you mentioned about you just kind of briefly mentioned it. You said, you know, if that exists SANS training, classroom training if that exists in this world, How do you think about the future there for that? Like what can that possibly look like? It doesn't need to be online. Is classroom dead? What do you think?
Naomi: Oh man, well, I've taken SANS training, I've taken several courses and I, it was a slog even before the pandemic, just to sit there for that long but I think being, you know, doing a course like Cybrary on your own time where you can pace yourself in a comfortable environment and have all the alcoholic beverages next to you, if you need. I find like that is probably the future of cyber education and it's always been trending that way. It's the way that technology is moving. It's absolutely the best way to learn for a lot of people. Some people just don't do well in group settings or in classroom settings and so to have this, the flexibility of having that very, almost personal way of learning and self paced, is definitely right up people's alleys and it's just the way they love, they love to learn. So 62%, if that's the number, I think that's definitely what I'm thinking too.
Ryan: Gotcha. Ron, are you hearing from a kind of a leadership level, any buzz about this? What are they saying? What's going to happen to the classroom?
Ron: So the, at your leisure you know the on-demand at your own pace is so real good for folks who are professionals and they're busy. For folks who are overwhelmed, they don't know what they should do, you know, it creates more of a problem like I feel this burden I've got to take every course at Cybrary, that can be disheartening, even though there's so much great content out there. So where I can see an organisation, you know, coming in as being able to say, you need to take these courses and demonstrate this type of competence, you know, over a certain time, I think it's really, really important. It's the same thing that pilots do. It's the same thing that doctors do. It's the same thing that lawyers do. It's the same thing a lot of professionals do and for every reason, you know, the cyber industry really kind of thinks that we're all brainstorming when we really should be, you know, in the mix with everybody else and being, you know, right there working side by side with these other very important key parts of our society.
Ryan: Good points, good points, Trevor.
Trevor: I don't know if I have any comments on it. I think I'm a little biased in this perspective, but,
Ryan: Yeah, you would be.
Trevor: I've always viewed that classroom training won't survive in the long term, that being said, I think one of the more interesting things I'd love to bring up to the group is does online allow for us to really tackle this problem more holistically. I've heard that the classroom model has actually could, some people actually view that as an exclusion for a lot of demographics getting into cybersecurity, whether that's people who are economically less fortunate, for folks who look to go into classrooms and realize that they're the only ones that in that classroom that may look or sound like them and so it can be very disheartening to feel that you're, you can get comfortable in that learning environment and so, I'm really interested to see as more people embrace this online model, what that does to increase the diversity in this space and, open up more opportunities for people who may not have had the chance to get into cyber security several years ago, because of all those other extenuating circumstances.
Naomi: Yeah, I'd agree with you, Trevor there, we haven't even talked about costs being you know, kind of what those walls for people. It's the same thing as college. People who can't afford college. It's like the coming out of money that you're putting into college is insane. It creates wage slaves for the rest of your life. You've just got this debt. So, you know, even shout out to SANS that cost like what, $5,000 a week or whatever. You just don't get that ROI that you can get in an online training, like Cybrary.
Ron: And it's something I really like the Cybrary does. It's not just taking the courses, right? Like a podcast like this kind of, it makes things personal. I can see people up close. You've been featuring a lot of great instructors like Naomi, and it really gives people a vision of leaders that they want to aspire to be and I think that's important cause you never know what student is going to resonate with, which instructor or which type of career to go into in cybersecurity.
Ryan: Right, right. So we mentioned kind of diversity there, and that's clearly an issue in this industry, in this market, I think it's like 8% women cybersecurity is, so Naomi, you got yourself in the field, got yourself a great role. What do you think we can do to kind of increase or improve rather the diversity, sort of issue in the space?
Naomi: This is so funny, cause I was just musing on a post that I wanted to write about. You know, now that you've hired a woman, what do you do? Like what, what do I do with this female that's on my team.
Ryan: Run, yeah.
Naomi: Yeah. I mean, it's almost a running joke now that there's no lines at cybersecurity conferences in the women's room. I mean, it's, if you think about other industries who kind of went through this evolution, you know, think about the teaching profession, you know, way back in the day, right before the civil rights movement for women, the suffrage movement, you know, a lot of men were the professors and the teachers in the schools in higher education, especially, but now it's closer to 50/50. Right. Maybe not in every single science or engineering or top or any mind of major, but there's a lot more parity there and what I'm hoping to see in cyber, it's kind of that same path where we start to realize it's an industry that we all, we can only succeed with each other with diversity of thought, with neurodiversity, with background diversity, and not just skin color or gender, but it's really where you come from, from your experiences and your belief, everything like that and, and your way of communication and talking with each other and teamwork team building, all of that is put together. You really need that diversity to have a successful team and it's so true for cyber too.
Ryan: Ron you and Cindy work a lot on, especially like, you know, exposing cybersecurity in the K through 12 space. What are you guys seeing with from a diversity perspective? Is it going to get better anytime?
Ron: So I definitely think it's going to get better just because you take 10 years or so to kind of get competent. So even if we started today with, you know, the freshmen in every college out there, it's going to take a while for them to become competent to do a pen test, to be a CISO, you know, to be an instant responder, those, you can't just learn those skills you know, that quickly, you gotta practice them right? So cyber is a great base for that, but it takes a while to be proficient, you know, with that. So having said that, you know, there's a lot of great programs out there that are targeting minorities who are not, you know, kind of represented in our field. You've got, you know, programs like year up and, and power that really target, I'm just gonna call it Inner city, African-American you know different types of populations, to expose them to like two years of community college of a cyber IT certification, which is great. You've got a lot of folks trying to bring cyber into the classroom, which is really, really difficult and very political because we just went through a big STEM enhancement, right? Like we're really proud that we've have Math and English now and Science and English and you know, and that that's great. Don't get me wrong but we kind of missed this whole other domain of cyber security and then lastly, something that Cindy and I, I think you guys talked about this the last time you guys had Cindy on the podcast was this concept of kind of expanding cybersecurity into something called data care. Cyber security in many ways says you have to be an expert in everything, right? Photography, authentication, procurement supply chain, and it goes on and on and on and on but you know, somehow if you're not doing all that, you're not in cyber. 
If we call it data care, we make it a lot easier to appeal to folks who are perhaps intimidated by that cybersecurity field, so where they can come in and I don't want to say this in a bad way, but like just do help desk, just do procurement, just do secure web host and just do secure, you know, whatever and it doesn't, it's not like the whole world's on our shoulders. We've actually found that that message is very appealing to people who have no clue about cyber security and that's probably one of the big things we can do to help there.
Ryan: Intimidation factor gets lowered there, right?
Ryan: It's intimidation and the mystique or mystery.
Ron: Yeah and the industry does this every day. I mean, the c, the conferences that are out there, the podcasts that are out there, we do such a good job of elevating our leaders and giving them airtime but that creates this like, Oh, I could never be in the NBA. I can never be in the NFL. You know, the average person just doesn't think they can, they can offer anything but the reality is we need everybody cause the ultimate reality is we're all going to be fighting China here pretty soon and we need everybody kind of all hands on deck to make sure our democracy survives.
Ryan: Yep, yep. Makes sense. Trevor, any thoughts, anything that Cybrary has done on diversity or anything that you want to comment on there?
Trevor: Yeah. I think we I'm a very big proponent of what online education enables for groups from different backgrounds and what that can do for folks there. I think as an organization we've always looked to, sort of lend a helping hand to where we can, to various different groups, different nonprofits, different charities. I think we've even from the very early days when, if I think when I first started we had that our first announcement of joining, I think it was the Women in Tech group to help bring Cybrary to them and so, yeah, I think it's been really fulfilling to see what Cybrary's done to kind of give back to those different, those various organizations and
Ryan: Yeah, I think the future for us is bright when it comes to being able to help address sort of diversity and, getting everyone, getting more people into the field because what we're working on right now is, and we have it actually, the product is capable of doing it, but we have the ability to sort of assess one's skills and if you think about that, you can actually assess the skills across your entire team and then the future of Cybrary becomes this much more Merit-based sort of, it enables a merit based hiring system, show somebody a path of what they need to know in order to get a certain job and then assess their skills and show a manager that their skills are on par with, or even greater than the skills that, that manager has on their current team and so it really enables a merit based hiring system, as opposed to just, you have this picture of whomever, it is that you're going to want to hire in your head and you're looking for that so you're not responding to the majority of resumes that are coming through so that, that's pretty exciting.
Ron: and it's pretty easy to have experience in cyber and not have relevant experience in a specific job. You might, you might be the great intrusion detection person on Linux, and you don't know that that's a Windows job until you show up. So Cybrary can really help having more efficient interviews and placement like that.
Ryan: Yep. Yep. So one of the recommendations from the report says that a skills, growth mindset needs to be adopted by these security leaders and then ingrained into an organization's culture and like largely to date, we have been, well, we haven't really been skills-based. We were kind of, you know, we look at a resume, we think we know what you know, and that's like a knowledge thing. That's not necessarily a skill but this is a trade. Cybersecurity is a trade it's much more closely related to plumbing and heating than it is to, you know, finance or something like that. So the skills, growth mindset. Do you guys think that you could see that being adopted? Cause it just shifts the way that we've traditionally thought you should look at certifications. You look at what they list on their LinkedIn. Naomi, can you see that being adopted in like an organization like yours?
Naomi: Yeah, I could totally see that. It is more like a trade. Actually, somebody told me once that cybersecurity is not like a trade. It's more like being a doctor or a surgeon. I was like, wow, we, no, I don't know where you got that from, but we are, we are taking ourselves too seriously if we think that we're some sort of doctor, if anything, we're trying to improve the you know, the health of security within an organization, improve security postures, but we're not here to perform surgery on anyone now. We're not that smart, you know, some of us are, but maybe not me, but yeah, I can see it being more trade base, you know, it's welcoming to everyone. Obviously you're going to have different levels within the trade, but, in general, the floor is so low, anyone can get in. It's very easy to learn. You know, I, I have success stories from all different people that I've talked to and they've transitioned from anything from, you know, marketing from legal, from finance, they've chopped, they've transitioned from all over and you know, really anyone can do it, stay at home moms, people who haven't worked in 10 years, they jumped right into you, a class like Cybrary or a bootcamp and within six months they got a job. I have a couple of those stories and it's amazing just to hear them and if they can do it, anyone can do it and that's what I'm thinking is one thing that's holding us back is that level of elitism that we tell ourselves that we kind of have sometimes where we won't welcome you unless you have a certain pedigree and unfortunately, it's just a false narrative that we tell ourselves and once we get past that, maybe we can start welcoming different kinds of people, different backgrounds, different ethnicities, different anything.
Ryan: That's where the skills based kind of thinking comes from too, because it's, it makes it a meritocracy
Ryan: Versus anything else.
Trevor: I mean, do you think that that is, just kind of go off script here a little bit? Do you think that is, there is in part, an issue with how upper management is budgeting for different types of roles and what they, as they think about building out the security team? If I can only have five people then I'm thinking around, how do I maximize those five people and is there really a disconnect between how management is thinking about from a staffing perspective that causes some of these issues of helping people get in kind of these early roles?
Naomi: Yeah, I'm shaking my head, yes. Because yeah, I agree with all of that, it's both actually, you know, like the management are looking for those unicorns because they don't have the head count. They have five new roles they can fill in a whole year, maybe that's not enough. Maybe they need 20, and maybe they can spread around that work to different levels of workers like junior level and mid senior. You don't always have to hire the unicorn. You can spread the work there's junior level work in Cybrary trust me. There are some things I do not like to do, and I'd rather give that to my intern. I do that. So, sorry, Joshua, a year of graduate by the way, yup, great you're at Philadelphia, awesome, awesome program. So yeah, here's the deal like it's an issue that has a source, the problem, from all different angles. So you've got the supply issue where not, maybe not, everyone's wanting to get into cyber, because they don't really know it. They're a little intimidating and then you have a demand side from the organizations that are hiring, who really don't know what they need or they're looking for the unicorns. So, there's work to be done at all angles. I'm not sure if I answered your question there.
Trevor: No it did, and sort of follow along for the group here and again, Ryan, I apologize for going off script, I've heard a pretty strict divide from individuals who view sort of these security operations as a, the difference between being a business enabler and a cost center and so we'd love to hear from you and Ron and how you think about how cyber security can be viewed much more as a business enabler that as the business then thinks about investing in the positions, investing in developing their people, that it can actually, increase the ROI and increase the ability for that organization to win new business and generate more revenue for ultimately for it.
Ron: You raise a really good point, this concept of how does your cyber team enable your business? Well, I would argue that the smaller you are, the more likely you're outsourcing all of your IT and this is one of the reasons I like to talk about the data care that you just think cyber security is somebody else's problem at that level but when you're really, really big, if you're a large enterprise, yeah, you might be thinking about, okay, I've got a red team and a blue team and a purple team, do I need to have, like, I don't know, you know, yet another color team to handle, you know, something else and there's just at that case, your teams are so big, 500, you know, a thousand people you hear like working at Citibank, working at JP Morgan and, you know, so how do you make these decisions and articulate this value from there? So I like the skills-based thing because it teaches the cyber leaders to be strategic and not only be strategic and just about hiring, but doing the technology shifts, there's still technology, there's still companies out there who are not going to cloud. I actually spoke to some sisters this week, they're moving off of Amazon and they're running Kubernetes in their own data center. You know, that's, that's a completely different skillset, you know, so you need to know the strategic direction of your company so you can enable that. We shouldn't just go do it for the sake of doing it, but I think you gotta be in sync with the business of your organization.
Ryan: Naomi, drop me any thoughts for you on that one?
Naomi: Oh my gosh. Yeah. Security as a business enabler. Yeah, I'm right there with you, so there's a whole bunch of ways of doing this, but I feel as long as you're building trust and relationships within the business, the business will trust you to make decisions that are in their best interests but if say you're a business detractor, like say you're the opposite, you're the department of no, say security is no longer a business enabler, but now as a detractor, what does that look like? Well, that currently looks like, people saying no to things and then also the, you know, helping you're putting walls in front of teams that need to do their jobs, not turning on tools or installing things that they need to do their jobs, making it harder for them to do email, you know, it's kind of simple stuff like that, where instead of helping the team achieve its goals and being part of the business and saying, trust me to do the right thing with you because I'm on your team. We're on the same team. We are hashtag one team. Why don't you trust me to do the right decision, make the right decisions on from the security side for the business and that's what we're fortunately, unfortunately maybe, not seeing quite so much, it is kind of this, a new way of thinking about security, keep moving my headphones but hopefully we are evolving and getting better. That's my hope.
Ron: One of the things that's helping this problem has been, I hate to talk about a benefit of this, but if you look at the current Covid crisis, you know, IT security has basically enabled everybody to work from home and you know, IT in general has been perceived as a much more important thing. I mean, it is the connectivity of our education system now, of our business system now, it's how we get all of our news and communicate and, you know, so I think people realize that this is a much more strategic enabler, but if you look at what happened in some of those areas, cybersecurity was some of the first things that got sacrificed, right? The hospitals that got flooded with all the patients, one of the first things they did is suspended HIPAA requirements, you know, and that's made things a lot more efficient, but that kind of tells you something that people are willing to sacrifice a few things to be in line with the business. Every cyber security person should be realizing when that line is being crossed, when they can gain a business thing by not being the VP of no, or the person who says, no, we can't do that 'cause it's not secure because you'll get steamrolled. So you have to be part of the conversation.
Ryan: Good point, good point. Trevor, was that the response that you were looking for there?
Trevor: Yeah, that's great.
Ryan: Cool, cool, great guys. Well, I think we can wrap up here with kind of a final round of final thoughts, Naomi, is there anything else that you'd like to cover that you think we might've missed today, or just eager to see that the skills gap, survey
Naomi: Yeah, sure. For anyone who's listening. Thank you for spending the time with us today. If you are applying for those jobs and you're finding yourself hitting a wall, don't give up, you really need to just keep pushing through that wall. You apply to all the jobs that you can. Network and reach out to anybody that you can, all the people that you can, hit me up. I'm on LinkedIn, all my cohort here is on LinkedIn. Reach out to people. If they say, no, I don't have the time with you right now at least you've made an introduction. You know, people will say yes to you eventually just reach out and keep trying. Don't give up, keep on, keeping on. Good things will come.
Ryan: Perfect, perfect, you, yup. Ron, any final thoughts?
Ron: Yeah. If the folks who are watching this are trying to inspire other people, when you're talking about careers, make sure you mention cyber security, data care, IT as a career field, right along being an architect, being a lawyer, being a doctor, being a chemist it's something that's much more important going forward because if we don't have a set of cyber warriors in the next decade or so, we're going to be outgunned and outnumbered and it's gonna hurt the country.
Ryan: Very true. Very important. Yep. Trevor.
Trevor: I would say for those that are listening out there that do sit in positions at their company from a managerial level role or senior level role, that you are, you can be a part of the solution here. You can start to challenge the old way of thinking and thinking about ways for us to solve this problem, more holistically, thinking about ways that you can invest in your team and do it in a way that can, it can be a benefit to the organization that can enable you to achieve more within that organization. So, really it's a call out to you all as well to be the leaders of change here.
Ryan: Awesome. The one thing that I'll throw into the, to the ring here is, the power of networking goes a long way in trying to get yourself into this space. We've seen that in the Cybrary Insider Pro community, a lot of people get jobs just because you make friends with somebody online and then that person ends up recommending you. So networking is huge for this as well, but if you haven't you can get the Cybrary skills gap report from our website, cybrary.it and hopefully our marketing team Tatiana will do a good enough job of getting people getting the word out to people about the report. I'm sure they will. So Naomi, Ron, Trevor, I really appreciate your time today and thanks for doing thanks.
Ron: Thanks for the opportunity.
Trevor: Thanks so much.
Ryan: Cybrary out.