CyberWire Daily - Cyber Talent Insights: Charting your path in cybersecurity. (Part 2 of 3) [Special Edition]
Episode Date: April 19, 2024Join us for this special three-part series where the N2K Cyber Talent Insights team guides you through effective strategies to develop your cybersecurity team, helping you stay ahead in the constantly... changing cybersecurity landscape. In this episode, we shift our point of view to provide guidance for an individual's first career or perhaps considering a career change transitioning into the field. We discuss a market-driven approach to career development. We also explore how to discover one’s niche in cybersecurity, including how to stand out in this competitive market and align personal interests with career goals. Lastly, we examine the role certifications play when navigating your path throughout the talent acquisition, development, and retention of the cybersecurity workforce management lifecycle.  Explore Cyber Talent Insights N2K’s Cyber Talent Insights provides security leaders measurable and actionable insights on your organization’s current cyber roles and capabilities to maximize your talent investments and build a business case for better hiring, developing, maintaining, and retaining your technical talent pools. Learn how at n2k.com/talent-insights. Connect with the N2K Cyber Workforce team on Linkedin: Dr. Sasha Vanterpool, Cyber Workforce Consultant Dr. Heather Monthie, Cybersecurity Workforce Consultant Jeff Welgan, Chief Learning Officer Resources for developing your cybersecurity teams: N2K Cyber Workforce Strategy Guide Workforce Media Resources Cyber Talent Acquisition Woes for Enterprises Workforce Intelligence: What it is and why you need it for cyber teams webinar Setting Better Cyber Job Expectations to Attract & Retain Talent webinar Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing
the world what AI was meant to be.
Let's create the agent-first
future together. Head to
salesforce.com slash careers
to learn more. Hello, and welcome back to Cyber Talent Insights on MTK's Cyber Wire Network.
Insights on N2K's CyberWire network. I'm Dr. Sasha Van Der Poel, joined again by my colleague,
Cyber Workforce Consultant Dr. Heather Monty, and N2K's Chief Learning Officer, Jeff Weldon,
with a special three-part series sharing our insight on the current state of the cybersecurity Cyber Talent Insights from N2K Cyber Wire will be right back after this.
In today's episode, we're going to shift our point of view to provide guidance for those individuals who are entering the field of cybersecurity or perhaps making a transition from one career to another. We will discuss what a market-driven approach to career development means and how professionals can focus on identifying and staying abreast on in-demand and transferable
skills to stay relevant in the market. We will also explore how to discover one's niche in
cybersecurity, including how to stand out in this competitive market and align personal interests with career goals.
Lastly, we'll examine the role certifications play when navigating the career path throughout the cybersecurity workforce management lifecycle.
All right, let's dive in by exploring what it means to take a market-driven approach to career development.
In a conversation with Chief Strategy Officer Caroline Wong, she touched on this by explaining the following.
Let's play a sound clip.
The advice that I give to folks in this type of a situation is to use a market-driven approach. So a common
question that I get asked is, Caroline, I'm really interested in getting into cybersecurity.
What certifications should I get? And I'll say to that individual, hey, I think there's actually
an alternate way of looking at this problem, which is instead of
asking what certifications should I get, you should ask, what does the world need right now?
And you can actually do that in an extremely data-driven way. You simply go on LinkedIn or
Indeed or whatever job posting website there is, and you begin to familiarize yourself
with the security roles that are open
and on the market right now.
And if you look at 50 or 100 different roles
that are at the level that you're interested in getting into,
that data is going to be able to tell you
far better than me or I think anyone else in the
field about what certifications you should go after and what sort of skills you should try and
develop. I think that using a market-driven approach to identifying what skills you want
to develop next is always going to be in someone's best interest. Heather, can you elaborate on
Caroline's point
and explain what a market-driven approach
to cybersecurity career development means
in today's context?
Absolutely.
I think that when you are working on transitioning
into the cybersecurity field,
or maybe you already work in the cybersecurity profession
and you want to advance your career,
it's really important to go and just take a look
at what it is that employers are looking for. What is it that
you need to have? What skills do you need for a particular role? So I always suggest going on
websites like Indeed, go on LinkedIn, look at current jobs that are out there. Maybe they're
jobs that you're not yet qualified for, but they're jobs that interest you. They pique your
interest. You can go in there and you can look at them and see what are the requirements that the employers are looking
for and say, okay, I need to get these skills, I need to know how to do this, use this piece
of software, do this particular thing, and you can start creating a career pathway for
yourself.
You can also go on LinkedIn and look at other people that are already in that particular
role and just sort of reverse engineer what they did to get into that position. Oftentimes people don't have degrees in cybersecurity,
so you can go back and you can take a look and see, well, how did that person get into this
particular role? So it's really just looking at what is it that the market is looking for and how
do you align your skills, which you already have, and the skills that you will obtain and to create that pathway
for yourself into a particular cybersecurity role. Oh, that's a really great point and a good idea,
especially for those who are looking to break into the field. So Jeff, for those who are like
brand new to the field, how would you recommend these early professionals identify what are the in-demand skills that are needed
in cybersecurity? Well, I think one thing I just kind of want to re-emphasize from Caroline and
then also Heather just mentioned this as well, related to like going to Indeed or LinkedIn,
you can also go to cyberseek.org. If you're looking at certification specifically,
they've done a really good job looking across all the job descriptions or job postings and then listing out what certifications are in demand.
So, you know, not every organization is focused on certifications, but certifications certainly do have weight in this industry for a number of other professions or specific companies or agencies you might be looking for a position. So that kind of gives you a good idea of what's kind of in most demand.
In addition to that, though, I think one thing that's really important for especially someone kind of coming into the field,
one, yeah, you want to understand what is being required of those positions and what's being asked.
So what is in demand right now?
And I think Heather really had a really good approach to getting information on that. But I
would add to that and say that you also want to think about what else can you add to the mix?
If you think about it like a job being a cocktail, what else, what ingredients can you add to that
job description or that position that make you a
little bit more unique? So think about how can you combine some elements of one job description or a
high-demand skill set and add that to the position to make yourself stand out just a little bit more
from other candidates. Sure, I think that's a great point.
And I think definitely, you know, for those who are making that transition, maybe this is their
second or third or fourth career, you know, coming into cybersecurity, whether it's from a completely
different professional background or just that non-traditional kind of route, they can, you know,
take advantage of some of the things that you guys mentioned
by identifying those skills. But then how would you guys say that once they've identified what
the in-demand skills are, the certifications, or kind of what those requirements are when you're
looking at the job description, how are they able to identify, okay, these are the skills that I
already have and what's transferable? And how do they kind of
make that distinction between, okay, let me focus on what I already have and then how do I prioritize
what skills do I need to get further education and training on, you know, to make sure that I'm
qualified for the position I'm looking for? I think it's important to recognize that you all have
transferable skills. If you have done anything in this world, you have skills. So it doesn't
necessarily need to be something that you are paid to do. What I always suggest is just sit
down with a notebook, an app on your phone, whatever, and start making a list of things
that you already know how to do.
And make 50 or 100 items on that list because you really start getting into that nitty gritty.
So do you have project management skills? You have time management skills? Have you led a group of people from point A to point Z? It doesn't necessarily have to be within
cybersecurity or even within tech, but you've done other things in your career.
You've done other things through volunteering.
You've done other things in this world that are really going to be valuable
on the cybersecurity side.
And then we add the cybersecurity skills
on top of that as sort of the frosting.
And I think that if you really sit down
and get clear on what it is
that you already know how to do,
the things that you're good at,
and maybe even asking other people around you,
because sometimes you don't always see,
sometimes you take your own skills for granted
and you can start to see
where you might be able to really stand out
in the cybersecurity profession
that you're just, you're really good at this thing.
And now let's add that cybersecurity layer on top of that.
And that can really help you figure out
where you might fall within this industry. I think I'll just kind of add to that. Heather, you were sharing with us
just the other day about a really cool story about a yoga instructor that was looking to get in the
field and how you were advising her on how she could think about her skill sets to make it more
relevant to the cybersecurity industry. And I think you kind of alluded to some of that in your response just now. But
I think one of the things that's really important maybe for someone like that, who's kind of
making a really hard shift or transition from like what seems like a pretty unrelated field
into this more technical field, good advice would be also
talk to someone in that field to talk about your experiences and work with them on how do you frame
that in a way that starts communicating in the lens or the perspective of cybersecurity, like
those leadership skills, those professional skills, those communication skills. How can you
talk about it in a way when you're kind of coming from what seems like a pretty unrelated field and make it more relevant context for a cyber position?
I think that was really cool advice that you shared with us the other day.
I think that just to give the audience some clarity on that.
So the conversation that we had was around, you know, I've worked with a lot of people over the years that are transitioning their career into some sort of tech industry.
In this case, specifically cybersecurity.
This woman was a yoga instructor and she was trying to transition into a cybersecurity career.
And she really needed some guidance on that.
And she felt like she didn't necessarily have any sort of related background at all because she didn't have the tech experience
that we oftentimes hear that people need to have to get into cybersecurity. And so what I said to
her was just what I said earlier is the same thing. Just sit down and think about all the things that
you've done in your role as a yoga instructor and think about how you have worked with people of all
different kinds of abilities, all different kinds of backgrounds. You're able to lead a large group of people to an end goal. Being a yoga instructor,
sometimes you work with people that are in an emotional state, that you've got a lot of really
good people skills that are very much needed in the cybersecurity profession. So that can be
something that she can use to really make
herself stand out from other candidates is that she's got this really great experience working
with all different kinds of people and all different backgrounds and all different, you know,
points in their lives that she can bring that into cybersecurity. So I think that it's just,
it's, you know, we often hear times that everybody needs to have a tech background to get into
cybersecurity. And while I do agree with that, mostly, I do know that there are many roles within cybersecurity that you can sort of pivot into them from something completely unrelated.
You might do this complete 180 in your career.
sort of that path of least resistance into that career in cyber is taking that thing that you already know how to do, that industry you've already got some experience in, and adding
cybersecurity on top of it. And I talk about that too with, you know, if you're a nurse or,
you know, you're working in some other highly regulated industry, you've already got that
experience understanding things like HIPAA and some of the compliance things and, you know,
all the things that go into the
healthcare setting. If you're a nurse, it's very easy to make that transition then into healthcare
cybersecurity because you've already got that industry knowledge. You understand how things
are supposed to work. You understand some of the compliance things. There's a lot of really good
skills that people have that they might not recognize are very relevant towards a career in cybersecurity.
Yeah, I think those are really great points. And I think that, you know, a lot of the times we'll
see somebody who, like you said, kind of chooses that path of neutral systems and is like, okay,
I'm going to stay in an environment that's familiar to me and that's totally fine,
or I'm going to do something completely different. That's okay, too. I think a lot of the times,
or I'm going to do something completely different.
That's okay too.
I think a lot of the times, you know,
we do think about like those power skills,
people skills, employability skills.
It goes by so many different terms.
Some of those soft skills.
A lot of times that's what's hard to teach. So if you are having like strengths in that
and you have experience in that,
like really hone in on that
because I think the hard skills, the technical stuff, you can always learn. You can, you know, study and practice and get some
experience, take certifications for, but it's a lot harder to find things when it comes to
the more people side of stuff. So really great points. And I think that kind of goes into,
you know, for those who are already in the field, if they've been working in the field for a while, how do they know when is it time to kind of reassess the skills that they have, the knowledge and looking to get a promotion?
Is there like a typical timeframe?
Is it any guidance or advice on those who are already kind of working in this field?
How do they make sure that they are on top of their skills and looking for additional
training and education?
Yeah, I think that the people who choose cybersecurity as a profession, generally speaking, they love learning.
This is not a field that it's you go to school and you complete a degree, you complete a boot
camp, you complete a certification and you're done and you go and you work. This is something
that you've always got to be learning. There's always new things happening. And so you've got
to stay on top of those things. So I think just generally speaking, people that are attracted to
the cybersecurity profession certainly love learning. And that is something that employers
can take into consideration too when they're trying to recruit and retain top cybersecurity
talent is making sure that they have those opportunities for additional training, that
they've got clearly established career pathways so that if they're in their role and they're ready
for something new, that you've got
something established for them to help them make that transition into a new role, whether it's a
lateral shift in the cybersecurity profession, or do they want to move up into becoming more of a
technical leader? Do they want to lead people, lead teams of people? And so if you've got those
things in place, that's really going to help make your
cybersecurity team happy and want to stick around. Like I said earlier, we're a group of people that
just love learning. And so if I'm looking at this from the individual perspective, if I'm somebody
who's in a role and I just kind of feel like I'm ready for something new, you kind of feel like
you got a good handle on what it is that you're doing now, is to just... I'm one of feel like I'm ready for something new. You kind of feel like you got a good handle on what it is that you're doing now. I'm one of those, I listen to podcasts like this one,
listen, get on YouTube, social media, look at some of the people, what people are saying about
where the industry is going and try to find something that really kind of piques your
interest that maybe you can combine it with a hobby or something. And I'll
give you an example. I'm very into aviation and drone security is a hot topic right now. So I've
really just been digging deep into learning all about drone security. So I think that if you've
been in this profession for any length of time, you know that you've got to keep your skills up
to date. Try to figure out what are some things that really pique your interest. You can also go, like Jeff mentioned earlier,
go to CyberSeek and you can see the different certifications, the different job postings,
and it'll show you sort of what's in high demand for a particular employer. So you can go and look
and say, oh, I didn't even know that that certification existed. And you can go and you can start working towards that particular certification.
So I really think it's just recognizing from an individual's perspective that
you want to be learning things that are interesting to you, that you feel are contributing to helping
to solve problems in society, that you're contributing to a larger vision.
And then from the employer perspective is, you know,
recognizing that in cybersecurity professionals that, you know,
we don't necessarily want to stay in the same role for three, five, seven years.
We want those growth opportunities. So making sure that you have those in place for your team.
I'll just put it this way.
I mean, I like analogies. So I find that a lot of people
in this industry like analogies. So I'll use analogy to try to describe my answer to how
often you should be like evaluating yourself. If you're in this profession, you should kind of
view it as though you're driving a car. And when you're driving a car, you're constantly scanning
the environment. You're looking for, you know, other cars around you, or is there going to be a deer that runs across the road?
And that constant scanning is what needs to be done.
I wouldn't say there's any set time that you need to reassess yourself.
You're just constantly assessing the environment and yourself to making sure that you're heading the you're heading the right direction and doing it in the the best way you can um there are however mile markers or exits along the line that that are
are key indicators for more formal review of your skill sets and those could be if you hold a
certification keeping up to date with that certification is key. Those certifications, you know, SEC+, CISB, etc., they go through regular iterations or versions. So things change in the exam, but you should also look at the topics that are being added or taken away from those credentials as a sign for,
you know, are you still in line with where you want to go? And then the other point I would add
is just, and Heather kind of made this, is you have to make a decision. Do you really want to be
a specific, focused subject matter expert, or do you need to kind of be more versatile
um which way do you want to kind of go with your career um do you does your your road take you down
a space where you're going to need to wear a lot of different kind of hats and have a lot of
different skills to bring to the table or are you are you really interested in really being
very focused on something that's really challenging and unique from a technical or other perspective for your organization.
Yeah, I think that's a really great point.
And I think that, you know, we're talking about, you know, sometimes it comes down to making that decision of do you want to specialize in something and find a niche when it comes to cybersecurity?
Or do you want to kind of be a jack-of-all-trades and kind of have a general knowledge? We had a great conversation
with CEO of NovaShield, Bat El Azarod, who was talking about this, but more from a product
perspective. But I want to play that sound right now, as I think it really appeals to this. It is very difficult to explain your cybersecurity product
in a way that you will, like in one sentence,
differentiate it from the competition that everybody else knows.
I would definitely recommend to focus on a niche
because I think it's going to be much easier to market,
much easier to present it, and most importantly, to make people understand what you're doing.
Because not everyone understands what cybersecurity is.
If I'm speaking about the individual, I'm turning to the individuals.
And when somebody is reading something about a new product,
he wants to understand what exactly you are doing.
The first thought that an individual or a business will have or an investor,
oh, they're probably doing what XYZ are doing. So you have to be very focused and to find the right niche to bring something new to the table.
Because the competition in this industry and the level of innovation is great.
I don't think there is any other industry
with such advanced innovation and new products every day.
So Heather, can you share some of what are the emerging niches
in cybersecurity that professionals should be aware of?
Yes, I think that if you take any sort of emerging technology and then add
cybersecurity to the end of it, those are any great new up-and-coming areas to get into within
cybersecurity. I think that if we look back five years, cloud security was a very small but fast
growing niche within cybersecurity.
And then once the pandemic happened, there was this rush to work from home.
There were a lot of organizations that weren't set up to have remote workers.
And so there was this massive push to the cloud where things were not done,
things were not necessarily configured correctly, just in this mad rush.
And things were not necessarily configured correctly just in this mad rush.
And so as a result, I think we're seeing now that cloud security is a much quicker growing cybersecurity niche within this industry.
There's a huge need for people that understand cloud security. We need people who understand cloud architecture and how to set the cloud, how to deploy the cloud, things like this.
architecture, and how to set the cloud, how to deploy the cloud, things like this. But then there's also this other side of it is that when we're setting things up, when we're having things
up and running and operational, what are the security components that need to go into that as
well? So I think that just we've really seen this explosion of the need for cloud security experts
in the last five, six, seven years. You can take any other emerging technology and add security on top
of that as well. So there's obviously been a lot of conversation around AI right now. And I think
that it's sort of a normal reaction. I think it's becoming much more ubiquitous. A lot more people
have access to being able to use AI. It's not new. It's been around. It's just becoming more and more
widely used by companies.
So I think if you think about it from this perspective of how can we use AI in cybersecurity,
but then also what are some of the cybersecurity concerns that we have around AI? So there's two different schools of thought there. So what you can do is take any one of these emerging
technologies that are out there, something that you might be interested in, something that you
see is really coming up as a hot topic, and then add that cybersecurity layer
on top of it. I talk about the cybersecurity frosting layer, right? But just really adding
that cybersecurity component onto any one of these emerging technologies that are out there.
So with that, I want to ask, if I'm new in the field, would you recommend, is there a choice that has to be made as far as, okay, this is what's hot right now, this is what's emerging, and so I should do AI?
Or to your point earlier, I love aviation, and that's my passion, and that's my career goal.
That's what I want to specialize in.
Do you have any advice on these new practitioners?
How do they make that decision?
Do I go with what's my passion?
Do I just go with how I can new?
Can I find a way to combine the two?
How do you navigate that?
Sure.
I think that, you know, it's very important to follow your passion and to do things that
are aligned with your interests and how you want to spend, you know, 8, 10 or 12 hours
of your day, right?
You just got to think about how do you want to spend your time. There's a lot of people that come into the cybersecurity industry because they want to spend, you know, eight, 10 or 12 hours of your day, right? You just got to think about how do you want to spend your time.
There's a lot of people that come
into the cybersecurity industry
because they want to become a pen tester.
They want to become an ethical hacker.
There's certainly a need for people
who have those particular skills.
But I think that that's a great opportunity
as people are coming in to the industry
because that is something that they're interested in.
They think is, you know, is a really cool job.
At that point, it's a really great opportunity
to start helping them see all of the different opportunities
that are available in the cybersecurity field,
that there's a lot of in-demand cybersecurity skills
that they can get some good paying jobs.
And they can still certainly combine their passions
and doing some of the things that they love,
but you also want to look at, you know,
what does the market need?
It's like any business is you want to take a look at,
you know, what is it that the market needs?
What is it that they're going to pay for?
You want to look at that from yourself
is that you're marketing yourself to an employer
and saying, I have these skills.
These are in-demand skills that you need.
You know, let's work together.
So I really think it's a combination
of figuring out what it is that you like.
And, you know, you got to spend 8, 10, 12 hours of your day doing this.
But also making sure that you're getting into a profession or a niche within cybersecurity where there's, you know, there's demand for it.
There's positions open for it.
Cyber Talent Insights from N2K Cyber Wire will be right back after this.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks. Yes!
Yes! Yes! With savings of up to 40% on Transat South
packages, it's easy to say
so long to winter. Visit Transat.com
or contact your Marlin travel professional
for details. Conditions apply.
Air Transat. Travel moves us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive
data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see
how a default deny approach can keep your company safe and compliant.
Sure. Jeff, please chime in. I definitely want to hear your perspective on, you know, going the both are important and it's on us as individuals
to kind of figure out what we want to do and what's needed in the market um and kind of make
those decisions for for ourselves i i think one thing i would like to kind of just maybe add in
to the conversation around you know additive value to your your own profession. And how do you do that? I think the
solution is pretty straightforward. It's the self-discovery that's the hard part, right? I
think the solution really is to find things that you're passionate about, things that you can
contribute to in unique ways. The challenge, of course, is understanding what that is for you. But I think we need to kind
of expand our mindsets a little bit because it doesn't always have to be directly related to
cybersecurity in whatever field you're in. I think it could be related skill sets that you bring into
it. Maybe you're really good at PowerPoint presentations. I like PowerPoint presentations.
I feel like I'm pretty good at it.
There's a need there that you have a talent that you can kind of contribute. You could also,
maybe you're just a, you slay at Excel, and you're like, I can do it all day long.
So find the things that you're really good at and you enjoy doing, and then go out and find people who need help doing those things and make yourself known
for the person who can really help someone else in that thing. And I think that helps you in any
career field you're in, you know, really become more in demand for yourself. And you'll find
new avenues and new ways into other careers or opportunities that you might want to explore,
whether it's, hey, now there's an opportunity to be a chief of staff in cyber because I have really
great project management skills and I can kind of oversee some things really well. And I kind of
like doing that. So it may open up a door for you that it was unexpected if you kind of explore
those passions and those unique skill sets that you might have. Yeah, I think that's a really
great point. And I think, you know, with that, I think that's a really great point.
And I think, you know, with that,
there are going to be opportunities where you can really just hone in
on the things that you know are your strengths,
but there's going to be an opportunity also
for you to identify something that you're interested in,
you want to kind of specialize or have this mission,
but you're going to need extra training and education for.
And I think that's where we really see
the opportunity for certifications to play a role.
So I want to think about, you know, these certifications and somebody who's, you know,
entering into the field and they're looking at job descriptions and perhaps they're seeing,
you know, there's required certifications or maybe the certifications aren't required
and they just want to make sure
that they can stand out. It is a very competitive market. What are the role that certifications play
specifically in the HAL process and the talent acquisition phase of the life cycle
that we're seeing nowadays? Yeah, I'll touch on this quick. I know Heather's going to have
lots of thoughts here as well. And honestly, we probably could do a whole episode on certs.
So I'll try to be kind of quick on this point, knowing that there's a lot to unpack later.
I think first off, one has to recognize that some organizations value certifications and others don't.
And it may come down to the job manager themselves.
come down to the job manager themselves. So it's really on the organization and the hiring manager who make a determination on whether that's important to put into a job description as a
requirement or not. Then you have other organizations where it's actually required.
If you're going to DOD or you're working for the government, they have requirements that you have
to hold certain certifications to be qualified for those positions. At the end of the day, as an individual, it's not going to hurt you to have certification.
So I would say go get a few if you can. I think the thing I would recommend to folks, though,
is like, look and see what's in demand. Look and see what your skill set is. Find those two where
it's not going to, you know, cost you a year of your life trying to achieve a really high certification if it's not worth the effort for you.
If it is, great, go for it.
But I would say combine certifications in a unique way.
You don't want to have too many from too many different cert bodies.
I think that will be overtaxing for you to keep up with credits over time.
for you to keep up with credits over time.
But I think it may be smart to combine certain technical
cybersecurity-related certifications
with other non-cyber-related certifications.
And I would just kind of say as an example,
like if you want to go for your CISM
or CISP or SEC+,
combine it with a PMP
or some other project management certification.
This rounds you out in a different way
that differentiates you from the market.
Yeah, I would love to add to that.
So I think that when I think about certifications,
I like to talk about them in this sense,
that I do think that they serve a value.
If you think back, I come from academia.
I spent over 20 years in education.
And if you think back, let's go way back to the 1900s.
There really weren't degrees in cybersecurity, IT.
I mean, there were a few, but not many.
For example, my degrees in computer science,
people that even 70s and 80s, they got degrees in something like data processing, something like this.
So the certification industry really started as this way to show that people that have some of these technical skills, it was really a way to show employers that you had a specific skill set that wasn't necessarily showed through whatever degree you had.
So that's where we saw the birth of some of these project management certifications,
IT certifications, et cetera. And then you've got the vendor-specific certifications,
which is really a good way for you to show an employer that you know how to use X, Y, and Z's
product, that you get it, you know it in and out, you can come in and start work in day one.
product that you get it, you know it in and out, you can come in and start working day one.
So I think that there's value in showing that you've got certain skill sets. But I think that if you are somebody who doesn't have any sort of technical background, you don't have a degree
in some sort of technology-related field, you can certainly do what Jeff was talking about is sort of stacking these certs to
really kind of show this sort of well-rounded skill set that you have in IT, in cybersecurity,
in project management, things like that. So I do think that certifications do hold a lot of value.
I was a hiring manager for over 16 years, and I've seen plenty of resumes in my
time where they've got 27, 30 different certifications. And my question to them is,
how are you keeping up with all the CEUs that are required for all those certifications?
So you don't want to go overboard with it, but you really want to make sure that you're
getting these certifications to really make you more valuable
to an employer. So I think that they do serve a really good, they do a good service to the
industry, but you want to make sure that you're picking and choosing the ones that are right for
you in your career. Yeah, great point. Great point. I think it can be a little tricky as far
as there's so many certifying bodies out there, so many different options. So it can be overwhelming.
But I do think that there are different ways that you can, you know, find out what makes the most
sense based on your previous experience or lack thereof. And then, of course, thinking about,
you know, where you've worn a syllabus and what particular roles that you're interested in and looking to apply for. And so any other
additional thoughts on maybe how certifications can complement the hands-on skills when it comes
to cybersecurity, especially for those who don't have as much of the background. You don't want to just have them have all these certifications
and just have a list of, oh, I can take this exam and I've gotten this knowledge.
But how do I show that I have some hands-on training and experience?
Or what do I do to complement the certifications that I have
to really make me well-rounded in that way?
I'll just say, I think it's important for candidates
who are looking to get hired for positions in the field
to demonstrate their skills in a variety of ways.
So yeah, certifications will play a role.
But when you have the opportunity,
say you land an interview,
don't be afraid to show them a DISC assessment
if you went through one,
or an aptitude assessment, results from something else, a skills-based lab that maybe you went
through, and show them results there that demonstrate other parts of who you are,
whether that's on the skill side or whether that's on the personality side. I think it's important to
kind of give that whole picture because sometimes
the hiring decision just doesn't come down to, yeah, you can do this job. It's, can you do this
job? And do I want to work with you? Do you contribute to our team? Are you an added value
to our organization? So think about those parts of the thought process behind a hiring manager and their decision when you're talking with them.
One other thing that I would add to that is really working on building your personal brand.
I think we hear about this a lot on the internet and social media right now.
It's all about personal branding.
But I think that it is valuable for people who are really trying to get noticed in
a particular field. So I always would suggest to students, whether you're 18 or you're 55,
create a LinkedIn page and start posting on there. Start posting articles that you find that you
think are interesting and add your commentary to it. Share some of these things that you're
learning. Create a blog and start writing about some of the things that you're learning. Create a blog and start writing about
some of the things that you've done in your classes, in your training, in the stuff that
you're doing on your own to help supplement your own learning. Creating videos and showing,
this is what I did. And then when you come to an interview, like Jeff said, I really like his point
about bringing the results from a disc assessment or some sort of aptitude test, but then also bring some of these things that you've been doing and show an employer
saying, here's a project that I did, whether it was in school or something that you did on your
own, or maybe you volunteered for a nonprofit that's near and dear to your heart. This is a
thing that you did. And you can really show that you're doing sort of the theoretical learning, but you're also doing the hands-on learning as well.
So I think that there's an opportunity there for you to, especially if it's your first job, oftentimes it's hard to get that first job to get that hands-on experience.
But if you're doing some of these things outside of an employer, you can use these as sort of artifacts to bring with you to job interviews.
Absolutely. I think that's really great advice for new and early practitioners. And I think it
kind of really ties in and does a good job concluding kind of all that we touched upon.
Because just as you mentioned, kind of building that personal brand, you can do so by utilizing
market-driven skill development know, skill development,
how to identify what niche you want to focus on
and how to strategically take certifications
to make sure that they are a qualified candidate
trying to enter into the field.
So I think that that is really great advice.
Any other, you know, insights, guidance
that Jeff or Heather, you would like to provide to our listeners as we wrap up?
I think just one that I really would like to kind of emphasize.
You know, on our first episode, we talked about the importance of employers and the enterprise level getting what we call cyber talent insights correct.
what we call cyber talent insights correct, right?
And making sure that they really understand what the skills are for the roles that they're hiring
because it kind of affects this life cycle of,
you know, management, the management life cycle.
And as we're looking at the individuals here
in this discussion,
I think I just want to reemphasize,
this is why it's important, right?
This is why it's really important
for those enterprise organizations to do that right. Because when you're trying to match up a person to an organization, if that organization miscommunicates their need or miscommunicates what's expected out of a position, then you're not going to find the right candidate.
Find the right candidate.
And it's the same on the inverse, right?
If you're, I don't want to say misrepresenting, I don't think that's kind of a fair term,
but if you're not fully capturing who you are and what you bring to the table for the organization, then it's a potential mismatch.
So I think really, it's really important to not only know what you want as a company,
but really know who you are as a person too, and how those two marry up.
who you are as a person too and how those two marry up. Yeah. And I would add that if you are somebody coming in new to the industry, that if you see a job that you should apply for it, send
in the resume, send in the application. There are a lot of job descriptions out there that are,
you know, not written the best. And as a result, sometimes what we see, and it's documented in the literature,
that we see that a lot of people will self-select out of a recruiting process because they'll read
a job description, a job posting online, indeed, LinkedIn, doesn't matter. They'll read it and go,
no, I don't meet all of these requirements. So they self-select out and don't even bother
applying for the job. So my message here is apply for the job. And then on the flip side of that is that I think a lot of
employers know that there's some opportunities to improve their recruiting process. And one
piece to that is writing well-defined job descriptions that really accurately show what is needed for that particular
position. And it's not just a laundry list of 20 different pieces of technology that we hope
you have experience with. So my message here is really just to people who are trying to break
into this industry, keep applying to the jobs. And that the people that are working in this
industry and really working hard to bring more people into the industry is to really take a look at your pathways and how you're bringing people in and how you're helping them to accelerate their own careers as well.
Can I just like ride on Heather's coattails just for just like two seconds?
Because those are really great points.
I agree.
Apply to the job.
Just like two seconds, because those are really great points.
I agree.
Apply to the job.
The next thing we need to start working on is on the employer side, though, around the applicant tracking systems or software to circumvent or override or eliminate the barriers
related to some of those automatic checkboxes it's looking for in the resume, because they
might be excluding really good candidates just from the application. So in addition to what Heather said, apply network as well. Find somebody who knows somebody at the
organization you're looking to go to or work your networking channels to land you the position you
want because sometimes that'll actually get you around the ATS compliance box checking process
that happens on the back end before human eyes actually set eyes on your resume. So definitely
do that. Yes, I actually have a friend who she's an IT consultant and she applied for two jobs she's
well more than qualified for and within 30 seconds she got an auto decline. So she called me and said,
what can I do to get around this?
And that's exactly the advice I gave her
was get on LinkedIn,
see if you can find the recruiter,
start doing some networking,
try to find those actual people
because she's well more than qualified
for those positions and was declined within 30 seconds.
So crazy.
And I think that, you know, to that point also,
and mentioned it earlier too,
but while you're kind of, you know, browsing on
LinkedIn, you know, and not focusing so much on just the job descriptions, because, you know,
they kind of stink, but making sure that when you're looking for those people to network,
really take a look at, you know, their career path and exploring their profile and seeing,
you know, what skills, certifications, and even what
organizations they might be a part of that they have highlighted on their page. With the caveat
that, you know, there are a lot of cybersecurity professionals who don't put a lot of their
information online because of security reasons. So we do get that. But if you can find those to
really do some research that way, because not only does it point you in the right direction on, OK, is this somebody I should know or try and get in contact with?
Or they might know somebody that knows somebody else who can help me get this job.
But it helps you understand what path did they take to get to where they are today?
And a lot of times it's not a traditional path. It's not the traditional, you know, I got this degree and then I got this job.
It's because they know people because they met somebody. But also you can kind of get an
idea. Okay, well, I see they started specializing in this and it took them here and then trying to
just put those points together. So I think that that's also something really important to do and
can help you as you build your brand. So I definitely want to encourage all of our listeners to do that,
but to also connect with us on LinkedIn as well. And we want to just, you know, thank you all for
listening today. And we hope you enjoyed this episode. We want to make sure that you stay tuned
for our last one for this three-part series for our Cyber Talent Insight special series
that we have here.
But I wanted to thank you again, Jeff and Heather,
for your time and your insight today.
And hope everybody has a great rest of your day.
We'd love to know more
of what you think about this podcast.
You can email us at cyberwire at n2k.com.
Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity.
We're privileged that N2K and podcasts like the Cyber Wire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector,
as well as the critical security teams supporting the Fortune 500 and many
of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce
Intelligence optimizes the value of your biggest investment, people. We make you smarter about your
team while making your team smarter. Learn more at n2k.com. We hope you enjoyed this episode and
will tune into others in the series. This episode was produced by Liz Stokes, mixing by Elliot Peltzman and Trey Hester,
with original music and sound design by Elliot Peltzman.
Our executive producer is Jen Iben.
Our VP is Brandon Karp.
Our co-hosts are Dr. Heather Monty, Dr. Sasha Vanderpool, and I'm Jeff Welgen.
Thanks for listening.