CyberWire Daily - But what do you really want? [CISOP]
Episode Date: March 24, 2026Despite being adopted and prioritized by many organizations, cybersecurity still faces a significant challenge where leaders still cannot articulate their needs, and find and develop talent. Rather, o...rganizations oftentimes follow the same strategy many others are utilizing, which involves poaching talent with enticing salaries. In this episode of CISO Perspectives, host Kim Jones sits down with Ed Vasko, the CEO at High Wire Networks, to discuss this approach and the impacts it is having on the cyber talent ecosystem. Throughout the conversation, Ed and Kim discuss their experience when assessing talent and some of the mistakes made by the industry, and what can be done to begin correcting this approach. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, meter delivers fast, secure by design, and scalable connectivity without the frustration, friction, complexity, and calm.
of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack,
secure wired, wireless, and cellular
in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's METER.com slash CISOP.
Welcome back to CISO Perspectives.
I'm Kim Jones, and I'm thrilled that you're here for this season's journey.
This past season, we've pulled the deep conversations out of the conference bar
to tackle these complex issues from every conceivable angle.
And throughout the season, we've examined many of the challenges surrounding the cyber talent ecosystem.
Today, we ask the question, but what do you really want?
Let's get into it.
On today's episode, I'm excited to sit down with Ed Vascoe.
Ed is the CEO at High Wire Networks
and has been a serial entrepreneur and successful CEO
in the cybersecurity space for years.
Today's conversation centers around
examining what business leaders want
from prospective cyber talent.
As someone who has both hired security professionals
and advised leadership on how to address talent needs,
It is uniquely positioned to help us answer the question of what do you really want?
Tim, it's a pleasure to be here looking forward to the conversation.
Likewise.
So, you know, you and I have known each other for over two decades now, but my audience hasn't had the privilege.
So take a few moments and tell them about Ed Vasco, if you would, please.
Sure, sure.
I'm the CEO of Five Wire Overwap.
We are a nationally focused MFSP, about a thousand customers around the country.
I've spent for the past 33 years as both a practitioner and five-time CEO of different
cybersecurity company.
I've worked across 12 of the 14 critical infrastructure sectors, or critical sectors of the U.S. economy.
and
you really have a wonderful career
talking to and working with people
such as yourself in throughout
the country
and finding ultimately
I'd like to describe it to keep the bad guys you say.
Amen, amen.
It's that
CEO experience
and you've done some other things
that I will probably bring up
as we just have a conversation,
but is that CEO experience,
said that I want to hone in on a little bit for this conversation.
You know, we've been talking a lot about the cyber talent ecosystem this season.
In fact, this entire season is about the cyber talent ecosystem.
And we've been looking at it from various angles, from certification to do we need college
or not.
But the one group that we haven't talked to yet are hiring executives.
and given what you have done,
you have seen lots of resumes across your desk
from entry level to mid-tier
to even senior executive to work for you.
And you've supported CSOs in various sectors
as hiring managers in helping them,
among other things,
solve some of their talent issues, etc.
So what I really want to get into
is let's cut
all the noise out, what do you really want or looking for in talent?
And let's start that from the entry-level position, a brand-new person who this is their
first job or they've only been in cyber for a year and are coming over, et cetera,
and they put a resume in front of you.
What do you want to see?
What do you want to know to consider even giving them half a minute of your day to take an interview?
Talk to me.
Yeah, I know.
It's a great question.
and it's a great segue.
And I purposely
didn't talk about
one avenue of my career track
because I think it was going to be very useful
as kind of a story.
My last business that I exhibit
I sold to private equity in 2018.
And, you know,
we were a national NSP,
you know, one of the top in the country.
And, you know,
constantly looking for
new fresh cyber talent.
And this was back in 2018
where I sold the business,
but as we were building the business
from about 2008 to 2018,
we were constantly looking for
new avenues, new pipelines,
the pathways of entering
with a student,
or entry level workers.
And we were challenged.
You know,
especially in that decade,
we have challenged because many of these
colleges and universities at that timeframe
did not have what I would call robust cyber programs.
And so we were headquartered in Arizona,
and I took the initiative at that time
to go reach out to universities and colleges
throughout state and try to enable both internship pathways,
apprenticeship pathways,
and really tried to lend a hand
as it relates to curriculum,
industry-focused curriculum, so that ultimately, not only my business, but the ecosystem within
Arizona, at least, could be bolstering. We've got that kind of outreach and that kind of, I think,
the relationship. And what we kept finding consistently was that we would bring in the best and brightest,
most passionate, cyber-related talent throughout the state. And consistent,
found that these students who wanted to get into this career path at an entry level,
they'll lack critical experience, critical training, critical understanding of the what and how
to be successful. And so like many of my competition, like many operational socks and service
providers, such as my fellow business, we went through the process of actually establishing
an internal university of sorts.
So we would take in fresh college grads,
fresh interns, convert them to workers,
casual level workers,
and still put them through a six-month training cycle
and enable them to get certifications,
enable them to get the necessary baseline training,
that they simply just weren't getting in their college experience
or even just normal, you know,
non-college experience.
After the acquisition of my lap business, that got me thinking.
And that kept running through my mind with a passion for me.
It was like, how can we ever expect as a country to really fight the fight that we need to
and defend the nation the way we need to if we didn't and couldn't get the workers
out of our key education partners
or even key education pathways,
we couldn't simply gift those workers
to come in ready to fight.
And if I use a military analogy,
and you'll correct me
because I didn't ever have a chance to serve.
I chose not to serve, and you did,
so you're going to correct you here.
But effectively, this would be like,
if we relied upon basic training,
to give infantry, infantry soldiers an understanding of how to shoot a gun, how to crawl through muck,
and how to do certain kinds of basic things.
And basic training was failing to produce the type of infantry we needed on the battlefield.
And that's effectively what we have.
And had in 2018, and I would still kind of continue to have the nation.
I want to inject here before I lose this point or to ask a question of you.
That is an absolutely fabulous analogy.
And so well done on your military analogy.
So let me take it to the next step.
It seems to me, though, we've had guests here, and you know Dr. Laura Ferry,
who is one of my guests as well, that part of the challenge here for those institutions,
in terms of providing what we supposedly want
is an understanding of what we want.
I know that at basic training,
I need them to be able to shoot
this standard array of weapons out here,
and if they can do that
and understand what a salute report is
and what now training is, etc.,
and the acronyms don't matter,
that that will meet the needs.
Yep.
Part of the challenge that, you know,
we seem to see now is you ask,
15 CSOs what we need, and you get 457 different answers.
And it seems that if I don't meet the answer that exactly what this particular individual
wants, then the value proposition is considered limited.
And you and I have been in rooms where people have said that, and I've talked to, you
know, senior executives in security consulting firms who have said, you know,
they leave college and they don't know how to do anything.
Right.
And therefore we don't, yet won't define what it is you want them to do
other than to run your specific tool.
And we all understand that universities can't focus on running your specific tool
versus understanding both the theory and being able to have the grounding to do that.
Right.
So I love the analogy, but how do we solve that, you know, even in an academic setting,
when we don't seem to know what the hell we want.
Yeah, it's a great, it's a great question and great piece to kind of the next half of the story and I think the outcomes that were achieved.
Please.
So as I mentioned, you know, I had this thesis.
How do we improve the type of worker we're getting into a career half and into an entry-level pathway?
And so I had the opportunity to depart the business after the acquisition and take on a different thesis.
And that was, again, how can we improve the pipeline of cyber workers coming into this career with a partnership with academia?
And so I had a chance to go work with Boise State University in Boise, Idaho.
So, you know, they've traditionally been known for their belief in the field.
And I was brought in to run an institute that focused on working with faculty, working with industry,
most importantly, working with our students to build out experiential pathways.
What do I mean by that?
Well, what it comes down to, and my thesis is straightforward, I think.
And that is at the entry level, we've seen.
a real strong focus on both the degree pathway and on indebted certifications.
So a student comes out with, say, an associate's or a bachelor's degree, and they've got,
you know, three to five's industry certs, you know, security plus, net plus, B.EH, so forth and so on.
They got this, you know, alphabet soup after the name.
and they would come in and they would they would conduct interviews they'd go through the process of
interviewing with my team with myself with other my peers and your peers Kim across the country
and inevitably what's lacking the one thing that's lacking in that process is the third leg
of the stool and the third leg of the stool is experience it's actual understanding and operational
awareness of what needs to be done and how it needs to be done. Not lab, these aren't,
these aren't skills and knowledge and experience you gain in a lab. It's not real world.
A lab doesn't allow, a lab allows you to reset the button, you know, press the reset button
and reset the lab and get it right. Real world consequential experience is what's been missing,
I would contend, in our career pipeline.
So let's double click on that then.
A real-world consequential experience.
So there are a couple of things that that seems to indicate.
Well, one, we need to talk about the definition of consequential
and how that can vary amongst folks,
because in some cases,
consequential tends to mean focused experience within the particular area of cyber that I'm hiring you for.
But there's also the piece that says it seems that what that is saying is, since the idea behind an educational pathway is to get the job to get the experience,
that are we saying that there is no such thing as an entry-level position in something?
because we expect that everyone comes in with some level of experience.
And if we're saying that, then that's fine.
Yeah, yeah.
Well, talk to me.
The sector metaphor and the workforce metaphor that I have aligned to is the medical program, medical pathways.
Okay.
You know, we anticipate and expect our medical professionals to not only get lab,
you know, and skill development through classrooms, skill development through labs,
where they're able to press that reset button and get the procedure correct.
But their third year is basically all working practical application.
That's exactly it. That's exactly right.
And so ultimately what we're lacking in our academic structures throughout the country
is a focus or have been lacking, let me say it that way, have been lacking,
is a focus on that experiential pathway, that experiential learning so that they can apply the practical
experience that they've received in lab and the knowledge that they've received through classes
in a real-world situation. Let's double-click on that, not just on the academic side,
but it's also worth remembering that that works because it is an expectation of the profession
such that the hospitals that are looking to receive these new doctors
understand that part of this process is you're going to take on an individual
and put them to work doing real work.
I have seen a reluctance.
I'm wondering if you've seen the same reluctance amongst our cyber brethren.
We still have Fortune 500 companies who it's too hard.
we don't want to take on the liability.
If they do something wrong,
then we're going to take the blame, et cetera.
It don't want to do that.
So is it just the academic side?
Or if what you're saying conforms to what we collectively believe,
why the hell aren't we doing it as a profession?
Well, and that's a great question.
And that actually was one of the challenges
of bringing experiential learning into the programs at Boydons State.
But the realization of epiphany for me was that just like in medical space, we have training hospitals.
We have training programs that so not all medical, not all hospital, not all doctor's offices, except residents.
You know, except residencies.
There are a select number and it's by that selection process that the industry within the medical program gets,
gets moved forward.
And so there's this self-selection.
Most of these teaching hospitals are attached to a university.
They are attached to, you know, they combine the academic program and the experiential learning program.
So I took the same kind of metaphor, you know, same sort of alignment and said, well, the benefit I have here is that I'm attached to a university.
they've given me the opportunity
to build these kinds of platform.
Let's say, you know, in your experience
as an operational cyber leader,
you know, would you be willing to allow
early career professionals
that opportunity to come in
into a commercial sock
or into an operational sock like you've run
and has confidence?
You know, I doubt you would.
And I really, I really,
you know, you're the exception, but everybody else we've ever talked to across the country
would typically say, I'm not about to have entry level, you know, not even level one angles,
things are like level zero to level 0.5 angles into my sock, you know, could drive consequences.
Have you ever imagined how you'd redesign and secure your network infrastructure if you could start
from scratch? What if you could build the hardware, firmware, and software with a vision of
frictionless integration, resilience, and scalability.
What if you could turn complexity into simplicity?
Forget about constant patching, streamline the number of vendors you use,
reduce those ever-expanding costs, and instead spend your time focusing on helping your
business and customers thrive.
Meet Meter, the company building full-stack zero-trust networks from the ground up,
with security at the core, at the edge, and everywhere in between.
Mead of designs, deploys, and manages everything in enterprise needs for fast, reliable, and secure connectivity.
They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure.
From wired, wireless, and cellular to routing, switching, firewalls, DNS security, and VPN, every layer is integrated, segmented, and continuously protected to a single unified platform.
And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles.
Meter even buys back your old infrastructure to make switching that much easier.
Go to meter.com slash CISOP today to learn more about the future of secure networking and book your demo.
That's M-E-T-E-R dot com slash C-I-S-O-P.
You as a CEO are breaking on experience, not just knowledge, not just search, but just, you know, real-world, tangible, hardcore constructive experience.
You've created a model, and at least created one example of a model, where academia can create an environment to provide that experience a la the medical model or analogy.
that you used earlier, and do it in a way that serves underserved communities within cyber
by creating real-world socks, providing information to smaller communities within the environment,
and that provides real defense with real consequence within the environment.
So there are a handful of questions that come up from that model.
The first question is that model seems to indicate that,
the pathway for doing this is through some type, not even for you, but some type of
academic, Institute of Higher Learning within the environment, which can fly in the face of
some of the things that our community has supported, again, starting back in the 20 teens,
in terms of migrating out of other job families into cyber boot camps within the
the environment, spot training within the environment to gain the skills that you need.
So let's set the academic piece in terms of this model aside, but I'm going to push on the
point and say, you know, based upon your model, do you believe that these other things that
the profession, the industry has been pushing on in the early days of, oh my God, we have a
we have a talent shortage are viable methods to transition to cyber.
So, you know, at the heart of your question that leads to, are we at technical field or the
depression?
Oh, yeah.
And I'm going to, I'm going to make the CEO decision and not waffle.
I lean towards the idea that I lean.
I expect that we are a profession that has technical representation.
We have an opportunity to ensure that the pathways we create allow for people of not just diverse background, but diverse skills.
to engage in this field and achieve certain kinds of milestones at a career level.
Is that to say that anybody should have a degree?
No, but in the same fashion that not every single baseball, basketball, volleyball, pick the sport, player, plays at a professional level,
you have to recognize those professional players that do play at the professional level,
where is it that a high school orientation is going to take you to the profession?
Okay.
And so if we kind of align both of those aspects,
and I will not just lean on the,
I'll be solidly be in the camp that says we're a profession.
if we don't treat ourselves in a profession that has technical orientation,
then we'll ultimately be relegated into a position that doesn't have business orientation,
that doesn't have all the other things that Kim, you know,
I know you've talked about in other podcasts we talked about for years.
The interesting thing that we had when we set up the experiential sock in Boise State
and throughout Idaho was served all of Idaho,
was that we engaged not just Boise State students,
but we engaged two-year community college students.
We engaged master's degree students.
We engaged other institutions of higher learning.
So it wasn't just Boise State,
but our community colleges,
our other four-year institutions across the state,
were able to join into this program.
And we ultimately then had,
of, you know, nonprofits that aligned to different communities,
service members that were military service members
that were transitioning back into the civilian sphere
that didn't necessarily have degrees,
but they had experience, wanted to come in and volunteer
so that they could put on their resume
that they had experience working in this particular environment.
We welcomed them with open arm.
Okay.
Fantastic.
Yeah. And I think that gets to, you've answered one of my follow-on questions, which would be, if I don't necessarily have the opportunity to go to an institute of higher learning, how do I get that meaningful experience?
And reflecting back on what I think you're saying is you've created something that was beyond just supporting Boise State.
and by creating this entity,
it created opportunities for other entities,
academic or otherwise,
to bring people in to give them that level of experience.
Am I reflecting that back correctly?
Yeah.
I mean, again, if I forgive the simple CEO metaphor,
because I'm the picketed CEO,
you might, and if you think about Dilbert,
on the point of your boss,
on the point of yours, point you
a year boss. So
not only do I have an etch-a-sketch,
you know, I have a rock and a,
I have a rock and a piece of chalk, you know.
So with that mindset,
mind, you know, I look at it and say,
the simple metaphor is the best possible
worker that we can get to
enjoy this career path
as to have the necessary knowledge
from classroom,
has to have the necessary skills
and certifications,
the classroom being, you know,
a degree pathway,
has to have the necessary skills
for achieved through different labs
or different certifications or whatever the case may be.
And then ultimately,
the third leg of that stool is experience.
They have to be able to have a place
where they can apply that,
that knowledge and skill development
in a way that help
industry hiring managers,
myself, yourself,
you know,
are listeners across the country,
in jail, gain the awareness that this person in front of them actually can do the work that
they're asking them to do.
So let me shift tax a little bit.
And given the model that you have implemented around the thesis that you have proposed, I have
two challenges that I would love for you to address.
one is the purple unicorn theory we still have a lot of of hiring managers and i know you've run into
this when you were at boise i ran into it at arizona state in other words that in other places
where you have hiring managers who will bluntly come out and say well what we're really looking
for is a purple unicorn and those aren't exceptions within our environment so
how do we as the profession we are break purple unicorn theory that's one question the other question
is academia is slowly operative term being slowly beginning to look at the model that you have laid out
and you know as well as i do there are only a handful of schools that have even begun to embrace the model
that you've put forth.
And your success in that model was after three tries in other institutions to implement
same in me being one of them.
Yeah.
How do we as a profession persuade academia to adopt this model?
And the caveat being the, and we've both seen this, Ed, the model that exists in terms, the model
that exist in terms of reward and compensation in academia seems to differ from the one we're laying
out. And by the way, as a profession, we're hiring these graduates without them doing anything
differently. Yeah, no, great. So I would say enabling collaboration on a multi-state wide base of
taking the banner into different academic programs like academic accreditation and programs like the NSA's Center for Academic Excellence program.
The good part, the good news out of all that and all this effort is that there is change occurring within the academic accreditation programs.
that the NSA is pointing forward.
There is now a need for showing our degree program,
you know, accredited degree programs from the NSA
actually do have an experiential alignment
that the work being done in the classroom can be shown
to potential employers,
that this is, the work that's being done
can apply to your job or your job means in the following.
fashion and more importantly enabling these our students to be able to communicate that
in an effective fashion.
So there is this kind of change occurring.
And that's great news for us as an industry.
The functional challenge that we have is that industry and the hiring managers and
hiring executives across the country tend to look for those purple unicorn.
Like you said.
And the real unfortunate challenge we face as a result of that is that there's not enough communication
because cyber, unlike medical, unlike the medical profession,
cyber has yet to codify itself.
I would contend that I would argue that we've yet to codify ourselves in a way that
that the medical program, medical degree, and even like legal and accounting now.
And the scenario and the metaphor, I would use the question I'd ask is, you know,
would any solid hiring manager or C-suite executive across the country that work they're solved
go and simply go out on the suite and say to somebody passing by,
hey, I've got this contract issue.
Can you take a look at it for me and give me a professional legal opinion?
And the answer, I know collectively the VIII, know that they wouldn't do that.
Subsequently, the next question I'd ask is, would you turn around and go walk along the street and say, hey, a person I'm passing by at random, I have this bleeding head wound, let's say.
Can you help me fix it?
and the answer is probably, you know, maybe you'd get the right person, you know, in both cases.
Maybe you'd get a, maybe you'd get a trained attorney where you'd get a paralegal that could look at that contract.
Maybe you'd get a medical professional that would help you with a gaping head wound.
But more likely than not, you know, you're trying to engage somebody who doesn't have the necessary experience training and complication of skills necessary to give you a, when you're a professional.
qualified perspective and therein lies the challenge.
Because we don't have that confocation and that professionalization,
again, this concept back and forth,
are we a technical field there, we have profession?
That's why I lean so hard on the fact that we need to be
and will be and have to be a profession first.
that by doing that
and knowing that in this profession
there are efforts,
there are structures,
there are methods that are now being undertaken
at a national level for accreditation
that aligns to
the type of professional that can be developed
at an entry level
and come into this field and through his career track
in an entry level
with the experience mapping
that it's on it's on us as an industry,
it's on our hiring organizations to demand
that there's qualification of the people being hired
and that the people being hired have appropriate experience.
So why don't we want to?
Because I would contend that I, you know,
I agree with you on this one.
Yes.
And I understand the history behind it
because I'm an old fart.
But I would contend that there is still a very loud hue and cry within our big air quotes profession that doesn't want to do that.
Why?
We're still young.
We've got to recognize the fact that even at 40 or 50 years old, we're still young in comparison to the medical field.
And I got to push back a bit.
Is it youth or is it youth or fear?
because remember, from a historical standpoint, you and I've had this conversation, the fear is that if we put requirements on because we didn't know what we needed, we would close off potential avenues for access and talent.
Now, yes, we are still young in comparison, but we're not making aggressive moves as a profession, even amongst the 500 Fortune 500 Csers out there to actually standardize within the environment.
and where standardization is created,
everyone wants to tell or talk about how what they're doing is so different
and so special,
despite the fact that we're still solving different variations
of the same problem that you and I have been fighting for over three decades.
So there's a point here where I have to push as the cantankerous old fart and say,
youth makes a great excuse.
I'm not sure it's a full reason anymore.
Talk to me.
Well, well, I would.
Probably as a contiguous old part myself, I would probably say that youth is a larger than 50% reason.
And I mean, youth of industry.
You know, when you do the comparative analysis to medical, legal, accounting, you know, we're talking 15 years versus multiple, in some cases, multiple centuries.
you know, going so far back is, you know, hypocrite and so forth, so you could, you know, millennia.
Yeah.
The reality is that we have and are embedded in this aspect of uniqueness.
Every single business is unique.
The only issue is that the level of impact has begun to increase.
And why haven't we solved this problem?
So, that's a fair, that's a fair observation.
And you get the last word.
What's the one thing you want to double down on or the one thing that you want to make sure our listeners hear from you or discussed that we haven't discussed yet?
Well, first and foremost, Kim, I can't thank you and your team enough.
It's been a real pleasure.
I hope what the conversation has been helpful to your audience.
I hope it invigorates some conversation across the country.
And this is a huge, huge thank you for the chance of this and chat.
if I can wave a wand, if I could truly wave a magic wand and have structural impact,
it'd be to actually create a key baby stuff that we need at a national level to achieve what
that metaphor I've talked about, about the three-legged stool.
And it's a recognition of the state across all 50 states and all U.S. territories that at the
statewide level, there's a huge opportunity in front of us to start tackling the workforce
that we have.
And that is through these kinds of experiential learning opportunities.
The creation of statewide, whole of state stocks that can actually employ and engage
interested learners and do so in a way that those learners gain experience become
solid workers and solid career practitioners.
that if we start there
and we start creating success there
that are commercial and employer communities
and commercial socks
and commercial pathways
and operational pathways
will start to recognize that this has success
and has value
and start turning this pie eventually
in the war that we're affected to be using
and have been losing for decades.
Yep. Ed, I really appreciate you giving us the time and the opportunity and your wisdom.
Always good to talk to you, brother.
And that's a wrap for today's episode.
Thanks so much for tuning in and for your support as N2K Pro subscribers.
Your continued support enables us to keep making shows like this one.
If you enjoyed today's conversation and are interested in learning more,
please visit the CISO Perspectives page to read our accompanying blog post,
which provides you with additional resources and analysis on today's topic.
There's a link in the show notes.
Tune in next week for more expert insights and meaningful discussions from CISO perspectives.
This episode was edited by Ethan Cook, with content strategy provided by MyOn Plot,
produced by Liz Stokes, executive produced by Jennifer Ibin,
and mixing sound design and original music by Elliot Pelsman.
I'm Kim Jones, and thank you for listening.
Securing and managing enterprise networks shouldn't mean juggling vendors,
patching hardware, or managing endless complexity.
Meter builds full-stack zero-trust networks from the ground up,
secure by design, and automatically kept up to date.
Every layer, from wired and wireless to firewalls, DNS security, and VPN
is integrated, segmented, and continuously protected through one unified platform.
With meter security is built in, not being.
bolted on.
Learn more and book your demo at meter.com slash CISOP.
That's METER.com slash CISOP.
And we thank Meeter for their support in unlocking this N2K Pro episode for all CyberWire listeners.