CyberWire Daily - How do you gain “experience” in cyber without a job in cyber? [CISO Perspectives]
Episode Date: May 1, 2025. We're sharing an episode from another N2K show we thought you might like. It's the third episode of the new season of the show CISO Perspectives with Kim Jones. Enjoy! Show Notes: While the cybersecurity industry has expanded and grown in recent years, newcomers still struggle to gain relevant "experience" before officially beginning their cyber careers. In this episode of CISO Perspectives, host Kim Jones sits down with Kathleen Smith, the Chief Outreach Officer at clearedjobs.net and the co-host of Security Cleared Jobs: Who’s Hiring & How, to discuss this dilemma and what new entrants can do to account for these difficulties. Throughout the conversation, Kathleen and Kim will discuss the challenges associated with entry-level cyber positions, how to gain meaningful experience, and how the industry as a whole contributes to this problem. Want more CISO Perspectives?: Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
Welcome to CISO Perspectives.
My name is Kim Jones and I am thrilled to be your host for this season's journey.
Here we provide in-depth conversations and analysis of the complex issues and challenges,
technological and otherwise, that the average CSO faces.
We're bringing the deep conversations out of the conference, or more realistically,
the conference bar, and tackling a single complex issue from every conceivable angle
across a multi-episode arc.
For our inaugural season, we're examining the challenges surrounding the cyber-talent
ecosystem.
We've been complaining about talent issues for the better part of a decade, but our piecemeal
solutions don't seem to be solving the problem.
Today we explore the question, how do you gain experience in cyber without a job in
cyber?
As a reminder, this is the last episode of the season we're making available to everyone.
Future CISO Perspectives episodes will be available only to CyberWire Pro subscribers.
We're sharing insights, conversations, and additional resources for every question we're
exploring this season with our subscribers.
If you haven't done so already, please head on over to the cyberwire.com slash pro if
you want to keep diving deep with us.
And now on to the show. As a child, I remember watching an armed forces recruiting ad.
A young man walked out of an office building after being rejected for a position at some
company. When asked why he was turned down, he said,
I didn't have any experience. His friend responded with the obvious question,
how are you supposed to get experience when no one will give you a job?
Over half a century later, it's ironic that my profession is struggling with the same problem.
So stop me if you've heard this before.
Many professionals acknowledge that there are shortages within the talent ecosystem.
Some of the ways we address these shortages are to create multiple pathways for entry such as boot camps, entry-level certifications,
training programs, associate and bachelor's
degree programs, etc.
Candidates who graduate from these programs apply for entry-level positions within cybersecurity
only to be rejected because they don't meet the quote-unquote experience requirements.
Excuse me?
I've spoken with dozens of hiring managers about this issue, and the answers I've received
are truly disheartening.
Seems that hiring managers are more concerned about what you can do versus what you know.
And the best way to prove the former is to have already done it.
In their minds, the concept of a zero-experience entry-level role is an oxymoron.
Adding insult to injury, there is no agreement on what type of experience and what duration
is sufficient to make employers comfortable with new workers.
All of this leaves new candidates struggling to determine what is relevant or meaningful
to employers.
If they're lucky, they'll guess right and have an opportunity.
If not, then they join the growing legions of folks who are disillusioned with the cyber
profession.
They believe us to be unfocused at best about what we are looking for, or disingenuous at
worst. While I am a strong advocate for zero-experience entry-level positions, I also advocate embracing
market realities, and the market is deciding based upon experience.
Fair enough.
Therefore, the professionals who have defined this market need to add clarity around a. What types and quantity of experience are required?
And b.
What roles should be considered entry-level?
One approach would be to acknowledge that any entry-level cyber professional, regardless
of role, must be extremely well-versed in the technology stack.
Even a governance and risk professional must
understand this context to be effective in their role. One way to support this approach would be
to require two to three years of demonstrated IT experience before moving into an entry-level
security position. This would mean adjusting the hiring requirements and the associated pay scales.
It would also situate cybersecurity back under the CIO,
which might bring its own challenges and concerns.
A second approach would involve eliminating the egoism
about real-world experience.
One example centers around collegiate experiences.
There's so much rhetoric and debate
around the role of academia that we've ignored
how many institutions have implemented
notable instances of realism into their curricula.
Some examples.
There are degree programs that offer courses
on security operations where students use real world
open source tools to identify, respond to,
and manage incidents for local municipalities.
I teach Governance, Risk, and Compliance in another degree program.
The student's final project is to analyze a past breach using the NIST cybersecurity
framework.
Students must identify the control failures, map the control failings to the framework,
recommend solutions, and, here's the
fun part, brief their findings to a board of directors consisting of current and former
CSOs.
Lastly, many degree programs require at least one semester of real-world cybersecurity work,
such as through an internship, to meet graduation requirements.
How are these use cases less real
than independently hacking?
Who knows?
In addition to those examples I mentioned,
I remind folks that there are opportunities
for volunteerism that can become additional experiences.
Church groups, social clubs, volunteer organizations,
and many small businesses would welcome someone
who would be willing to do things like check and update the antivirus software on their machines,
update and review firewall settings, or ensure their network routers are configured to be
secure.
These experiences add up.
Even better, they help raise all boats by making some of the most vulnerable targets
just slightly harder.
Finally, we need to be realistic in our expectations around the amount of entry-level experience
we should expect someone to have.
If the probability of getting hired without experience is zero, then the experience obtained
will be in somebody's free time as they are engaged in other activities.
If in college, this may mean internships.
But what about students working to put themselves through college?
I once asked a hiring manager how they expected a 30-year-old career transitioning woman with
two kids to take eight weeks off for a non-paying internship.
Needless to say, I didn't get an answer.
I would suggest that having one or more years of experience is equally unreasonable for
a first gig.
Amassing a total of, say, three to six months of combined real-world experience seems like
a fair approach.
We can no longer afford our jury-rigged approach to hiring.
We're losing qualified, valuable candidates who have become disenchanted with the cyber
profession and are making their displeasure known.
With disparate hiring requirements and unreasonable demands for experience for entry-level positions,
we're facing a potential shortfall within the next generation of cyber professionals, at a
time when security has never been more critical.
We need to come together as a profession to standardize hiring requirements,
and the sooner we do it, the better off we'll be.
My two cents.
And now a word from our sponsor, Spy Cloud.
Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate
your organization.
Traditional defenses can't keep up.
Spy Cloud's Holistic Identity Threat Protection
helps security teams uncover and automatically remediate hidden exposures
across your users from breaches, malware, and phishing
to neutralize identity-based threats like account takeover, fraud, and ransomware.
Don't let invisible threats compromise your business.
Get your free corporate darknet exposure report at spycloud.com slash cyberwire and see what
attackers already know.
That's spycloud.com slash cyberwire.
On today's episode, I'm joined by Kathleen Smith, Chief Outreach Officer at clearedjobs.net
and co-host of the podcast, Security Cleared Jobs, Who's Hiring and How.
Kathleen's all about helping job seekers connect with opportunities.
And today we're tackling a big question.
How do you gain experience in cyber without a job in cyber?
If you tell my audience a bit about yourself in terms of what you do, et cetera, I would
love to hear.
Well, you know, it depends on which one of my backgrounds you want to hear about.
So very excited to be invited to your table here to have a little discussion about one
of my favorite topics.
So for the last, I'd say, 22 years, I have worked for a company called clearedjobs.net.
We are a job board, job fair company in the security cleared community.
We are also veteran-owned.
Most of our staff are either veterans, military spouses, and we are very fortunate to have
several who are both male spouses and veterans.
As a West Point grad who spent over 10 years in, married to a vet himself, I thank you
and all of yours for all that you do.
Well, thank you.
I'm very honored to work among my colleagues.
And in addition to running the events, the marketing, the content creation, the candidate engagement,
the employer-customer engagement,
I always believe in giving back to the community.
I've done a variety of things in the community.
One was I'm one of
the co-founders of an organization called Recruit DC.
I then went on to help
the Defcon Career Village do something very similar.
I spent about five years supporting 10 different B-sides across the country doing their career
tracks and career villages. I've been part of ISC Squared running their career track for three years,
so excuse me, two years. So I might know a little bit about this topic,
but as I said, I like to-
Been around for about two days.
You get it.
Just a tad, just a tad.
So I really love that we believe
we have a workforce challenge.
And I really want to sort of push back on your white paper
by doing a little bit of background.
So, you know, we talk about this being a really big gap.
And when you look at all the numbers,
and I just looked at CyberSeek about two minutes
before we got on here,
in the US, we supposedly have 450,000 open jobs
in cybersecurity.
How many jobs do you think we have open in healthcare?
In the US, we have 2.1 million jobs open in healthcare.
So I want to put that into perspective because all we see in
the media is all about
this cybersecurity workforce challenge in
security, which is very important.
But there are the same challenges in any other industry.
Manufacturing.
So I would push back on that a little bit.
My cautionary tale, though I agree partially with what you're saying, is I get back to
what Mark Twain says, there are three types of lies: lies, damn lies, and statistics.
So in terms of raw number, I'm curious as to what is that a percentage of all of the
healthcare positions that are available as compared to what the percentages are?
Because at the end of the day, I don't know which percentage is higher or lower.
You're right, the raw numbers aren't as big.
And then there's also a question as to whether those jobs are being repeated through CyberSeek
because of how they pull the data.
I am prepared to agree that the top track and the advertising track around the depth or breadth of the challenge within the talent
ecosystem may be overblown.
I wouldn't even go so far as to say it is probably overblown.
My counterpoint tends to be if it's 700,000 jobs or 70,000 jobs.
The fact remains is we're not being consistent regarding what our requirements are and what
we want for those jobs.
So my challenge is less the how do I fill these numbers, but how do we create a level
of consistency in terms of what we're communicating to people who want to get here in terms of
what we want and what we will accept in terms of getting it.
So I'm going to take your same, you know,
foundation there and push back on you in the sense that when we look at the Department of Labor
Statistics, there is no category for cybersecurity in the Department of Labor Statistics. It includes pen testers, information systems,
security managers, security architects, security analysts.
So when you're asking me about what do we have as far as ground level,
what is the experience,
we don't even know which categories you're talking about.
So that is what I'm just saying that we can't have a,
we have CyberSeek, we have the NICE framework,
we have all of these frameworks.
And they've been around for almost eight, nine years
and no one's using them by the way.
So, we know that there is experiences needed.
To use the healthcare example again,
we require people have residencies,
we have them be interns,
we do a lot to make sure that someone
who's gonna operate on a body has experience.
Why are we not having that same thinking
when we have people going in
and looking at holistic security systems
for our hospitals,
for our government agencies forever. I totally get that people want to have entry-level positions,
but this beating of the drum that we need to have them and why hiring managers or program managers
or companies are awful because they don't have entry-level positions.
We have to remember program managers and hiring managers
are responsible to their customers, their shareholders,
their legal teams, they're responsible to all of that.
If you can give them sort of a pass,
like, hey, you can hire some entry-level people
if you'll give us a pass on being able to maybe mess up every now and
then.
We talk about this beating of the drum, and I'm going to paraphrase you, with this beating
of the drum regarding entry-level positions.
My point is this, if we don't believe that entry-level positions are a thing, I can be absolutely okay with that.
But we haven't said that collectively as a profession.
In point of fact, we as a profession are the ones
a decade ago who were kicking and screaming and railing
that looking at the projections we don't have a path in
that we need to do this.
If we've recognized that that is not the case, that's fine.
Then one, let's say so, and let's say so clearly and let these other pathways that we helped
create die on the vine, and then two, say, okay, if we believe that, what is the pathway
for someone interested in cyber to enter cyber?
And if that pathway is, go back under IT.
If that pathway is, like many of the cleared positions that I assume that you're looking
for, that's fine. But our say-do, as we used to say in one of the companies I worked with, is disconnected.
So if I'm unpacking your statement correctly, if your statement is that there shouldn't
be entry-level positions or that there is no place for entry level positions, I'm okay with that.
But then we have to answer the other questions.
So I guess my first question is, is that what you are saying?
And if that is what you were saying, what are the pathways in?
The say-do quotient is very low, as you said.
And I really love-
And you're being generous.
It's very low. It's very low.
And I think that we came up with entry-level positions
as a band-aid, and everyone sort of built their ship
on that band-aid.
And not only did organizations who created frameworks
build their ship on that Band-Aid,
many certifying organizations have built their ship
on that Band-Aid.
I believe we need to have a certain percentage
be entry level.
I think that that is a great place,
but I don't think that we need to have this be
the entire solution.
Absolutely.
Yeah.
What percentage, what positions, what industries?
I think we have about 10 to 15% be entry level,
just like we do for many other industries.
I think internships are great.
I think that people going in and working
at the military reserves is absolutely one
of the best ways to go through.
I think that there are a few solutions out there
that are finally coming to
the forefront, but I'm going to leave that for dessert rather than now. And I think that
as far as entry-level positions are concerned, we don't have the right training within many
companies on how to evaluate people's ability to fulfill those entry-level positions.
Because when I flip this over to those candidates that I talked to going into those positions,
they've been sold a bill of goods that they can make six-figure salary if they got a cybersecurity
job.
And there are so many training programs and workshops out there that say, if you do my
program, you'll be able to make six figures.
I've gone to several collegiate programs asking people, so what do you want for your career?
I want to go into cybersecurity.
Okay, what part of cybersecurity are you passionate about?
Cybersecurity.
Okay, and first, I absolutely, positively, categorically agree, but I'm still going to press.
You've restated the problem with the level of generality that we continue to do within
cyber.
As someone with your experience and knowledge base, I want your opinion.
So what types of gigs for someone entering cyber should we be looking at as potential entry level gigs?
And then, understanding the nature of where we are right now, how would you solve it if you
were king for a day?
What things would we drop?
What things would we do as sitting CISOs within the environment?
Because again, one of the things I'm trying to bring
through the forefront with this season is everything,
Kathleen, everything you've said is absolutely correct,
but I wanna try and peel back on pieces of these to say,
okay, let's frame solutions.
So part of what you framed is one,
we're talking, we are still talking to students and the public
of cyber security as this monolithic thing.
I agree with you it's not.
Two, we're talking to people that just want to get in cyber
who don't understand what cyber is
and haven't broken it down to those pieces.
I have four of those conversations every single week
with people coming in within the environment.
Absolutely agree with it.
So what I'm trying to get to is to say,
okay, if you truly want to be entry level,
what type of gigs are you looking at?
Where should those 10% to 15% sit?
Is there truly a path for career transition within the environment,
you know, excluding the military path that's in the environment?
And what should we be saying to my fellow CISOs in the environment
in terms of figuring out, okay, what are we doing to exacerbate this problem?
And what types of training, education, experience,
other than sticking up your hand
for Uncle Sam, should we be pointing them to?
So I'm again going to reframe the question in a different way, because I saw some wonderful
examples of what people were doing, and I think that they should be replicated, which is, we were presenting,
and I was presenting on entry-level jobs for cybersecurity,
and someone in the back of the room said,
I've been in the finance industry for 27 years.
And I said, wonderful.
I've reached the end of my career.
My management came to me and asked me
if I wanted to get involved in
cybersecurity. And I wanted to get down and kiss his feet because he knew finance, he
knew the business, he knew the regulations. And they said, we will pay for your entire
certification. So I'm not trying to say I don't want to talk about entry level, we can
do it. And I'm just giving dessert before we've had salad.
I'm just going to say that why are we not asking people who really love healthcare,
who really love nuclear energy,
who really love physical energy,
who love any of these and then asking them,
do they want to move into the tech world?
Do they want to take that knowledge,
that passion
of supporting these various different industries, and then bring that back?
So one of the solutions we should be looking
for for creating cyber professionals,
if we're talking about transition, is transitioning people who already understand the business
or the profession that they are already in and taking those resources and reframing them.
Am I reading that correctly?
Yes.
The one thing, just to put the cherry on top on that one. If you're going to take a look at career development
within the United States, within our industries,
we have no definitive way of making someone move
from one aspect of their career to the next,
unless they move to another company,
unless they move to another title, another salary.
Why are we not saying, let's keep our employees who love
working for us right now and giving them career
opportunities in tech and cybersecurity right now,
and provide the training for them?
It's a much lower cost ratio than trying to find new people.
So we started with pen testing as one potential entry-level
pathway.
And what we should be telling people to do, if your son, daughter, someone came up and
said, I want an entry-level job in cyber, is suggest pen testing, and we suggest to them attendance at some of the active events out there, the CTFs, the SANS training, et cetera,
within the environment.
Correct.
Okay, fantastic.
Many of those have a high cost to them
and have a time commitment.
I was about ready to say that there are also several of them
that are online.
There are several of them that are virtual.
There are over 1,100 B-sides worldwide, and they always have at least one kind of CTF
or another.
So those are things you can look at.
And I just want to put a finer point on it.
You know, we don't write that summer vacation report or that book report when we come back
from a conference.
I used to always do this whenever I would go to any strategic marketing conference.
Before I got on the plane, when I was sitting in the airport lobby, I got my notebook out and I
wrote down what I learned, what changed my mind, what really challenged my thought, who did I meet,
how am I going to follow up with them? And I really think that doing that
as, you know, a job seeker, as a professional, it is a really strong way to showcase to any future
employer that you're really part of that experience, that you didn't just go there to go to the parties,
that you went there to learn cutting edge technology,
and that you went there to gain experience.
And I would recommend that to anyone working full time right now.
If your employer is sending you to DEF CON
or sending you to RSA or one of the conferences,
they're not gonna ask for a report,
but the next time that the budget comes through,
they're gonna look to cut that.
So I would tell you to get that report out, walk in, say, you know what, I know you may
not have time, but these are the five key things that I learned at this conference.
And then you keep a copy of that the next time you're up for your employee review.
Because you say, I went to these six conferences, these are the things that I learned.
And oh, by the way, I had four employee referrals for that.
So yeah, I refer to what you're talking about, Kathleen, as portfolio management.
We're saying the same thing in terms of I tell people who are in the profession, as
well as people coming into the profession, that report becomes part of your portfolio.
It becomes, in addition to just what you put on the resume, that's the equivalent, I hate to use the terminology,
but my wife is an artist and a writer.
So she's familiar with is the equivalent of that artist or writer's portfolio to say,
this is the type of stuff that I have done, which is great.
So again, how do we educate my peers to understand that?
How do we fix that?
And if that strays into companies need to train again,
let's just start in general from a, okay,
I've got this kid who can't afford
to go to a four-year college yet is self-teaching,
going to the CTFs, doing the volunteer work,
building their portfolio, and comes in and says, I got all this stuff,
I'm serious, and can't get an interview.
How do we fix that?
Well, you and I both know that you can tell 100 people
the silver bullet, and 99 of them will not take it.
Amen.
So, I think we need to understand that we can, you know, I've been giving advice to employers
and candidates for over 20 years.
I can probably count on a few hands.
How many have really followed that?
So I think we have to be really comfortable with the fact that not everyone's going to
listen and they're probably going to go hire a consultant or, heaven forbid,
you know, hire one of those staffing firms that loves to beat up recruiters,
program managers and talent acquisition professionals.
And that's their business model.
That's what they sell. They sell fear. They sell anger. They sell revenge.
So what do we do? I think that we find two or three people who are willing to do this
hard work and change the thinking methodology. I think it's going to be by example. It really
is. And it's finding two or three people who are going to do it. I mean, we can go on the
conference circuit and tell everyone how to do this, and they're not going to follow us.
And I am going to ask for as close to a yes or no as you're comfortable giving.
Given the scenario that you've set and given the things you've talked about, it almost
sounds like what we're saying is other than within a particular company, the ability for a mid-career transition for someone
coming from X into cyber should be considered at best an anomaly, at worst a myth.
I think it's a rarity and I think once it becomes more acceptable by CISOs and by the
C suites that they can retrain their own professionals to be their cybersecurity workforce, that
will grow exponentially.
And as I said, I saw this one company do it six months ago within the clear community
and now that I know of at least three or four others.
We have to realize that we're already doing this.
I mean, you already know professionals who started at
pen testers and then went on to other aspects of their career.
I go back to what is your passion?
I mean, one thing that I love about
cybersecurity is a passionate industry.
It is not this boring, but everyone has a different passion.
But if you have a passion for something and then you want to put another layer on it with
cybersecurity, well, we are going to have one fulfilled, one happy workforce.
But we need to facilitate that.
And to facilitate that, it is a retraining not only on the professional side, but also on the management side.
And we do realize you and I have many friends within the industry who have absolutely no problem hiring people.
Yeah.
We know tons of them.
Yeah.
And so, we need to look at that example.
They've got charismatic teams.
They've got teams that are out in the community.
They're doing cool stuff.
They're giving back by doing reports.
The question that I would ask is the companies that are not having a problem recruiting,
are they growing or are they stealing?
Oh, they're growing.
They're growing.
They're not stealing.
So they're growing their own cyber professionals internally.
They're bringing in people who do not have past experience within the area and growing
them accordingly.
They're creating pipelines of talent that people can continue to grow and stay within
the community, and they're below the size of Global 1000 or Defense.
Which, by the way, statistically, most companies are.
Right.
Right. Yeah, yeah.
So.
You and I both tripped over the growing,
so you were using growing as my solution
that I had stated for the cybersecurity workforce,
and I was using growing, that these are growing companies.
Oh, oh, okay, yeah.
Versus were they stealing from other companies,
and what I'm trying to clarify is
that these are growing companies.
They're not actively recruiting
and stealing people from other companies.
People are walking to them and saying,
we'd much rather work for you than work for our own company.
As far as growing internally, yeah,
it's just something that I've heard
and I know it's gonna take off.
What is the one thing that we haven't talked about
that you would like to talk about relating to this topic?
I think that the one thing that we touched on,
but I would like to just reiterate,
is career development.
I think that, as I said, we've seen it across industries in the United States,
because I know in Europe they're very different as far as their career development strategies.
Yes.
From the CISO suite, if you're looking to build your workforce, really sit down and
try to think within your own company, what would be the development, what would be the career track from your entry-level
person to your seat or to a seat that sits next to you at the executive table?
And how can you craft that within your organization?
Because that is the way you can solve the problem.
Put your own knowledge, your own experience, your own education, and then walk the floor. I bet you'll find at least
two or three people who would be really interested in having a cup of coffee with you to say,
hey, if you wanted to stay at this company for the next five to eight years, which is
forever, in American terminology as far as careers, ask them what they want to do next.
Help them to map it through, and then talk to their manager and talk to your recruiting
team to make sure that those steps are put in place.
And I'll bet you within the end of the year, you will have 10 new people in your cybersecurity
team.
Been there, done that, believing it wholeheartedly.
Kathleen, it has been a joy to get to know you.
It has been a joy to have you here. Thank
you for sharing your insights. I really appreciate it. Thank you so much.
Thank you, Kim. And that concludes our episode for today.
Thank you all for tuning in and joining me and Kathleen as we talked about gaining experience
in our profession.
Before signing off, a reminder that this is the final episode of the season available
to everyone.
The rest of this season will be available exclusively to our N2K Pro subscribers.
If you'd like to continue following the conversation and access the full season as we continue
to explore the Cyber Talents ecosystem, head on over to the cyberwire.com slash pro to
learn more about becoming a Pro subscriber.
That's T-H-E-C-Y-B-E-R-w-i-r-e-all-one-word.com slash p-r-o.
There's a link in the show notes.
This episode was edited by Ethan Cook with content strategy provided by Myon Plout,
produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design
and original music by Elliot Peltzman.
Tune in next week for more expert insights and meaningful discussions from CISO Perspectives.
Thanks for listening.