CyberWire Daily - Strategic approaches to talent: A practical guide. [CISOP]

Episode Date: March 20, 2026

Even as cybersecurity has grown and become universally accepted, the field has continued to struggle when attempting to assess and acquire talent. Oftentimes, there is a disconnect between what organizations need and what they interview for, leading to vague job postings and ineffective hiring. In this episode of CISO Perspectives, host Kim Jones sits down with Jeff Welgan, the Chief Strategist and CEO at SkillRex, to discuss how we assess talent. Throughout the conversation, Jeff and Kim will discuss the problems associated with traditional workforce management and how modernizing this approach can provide a strategic advantage. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode. It’s the perfect follow-up if you’re curious about the cyber talent crunch and how we can reshape the ecosystem for future professionals.

Transcript
Starting point is 00:00:00 You're listening to the Cyberwire Network, powered by N2K. This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure by design, and scalable connectivity without the frustration, friction, complexity, and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure wired, wireless, and cellular in one integrated solution built for performance, resilience, and scale. Go to meter.com slash CISOP today to learn more and book your demo.
Starting point is 00:00:57 That's METER.com slash CISOP. Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. This past season, we've pulled the deep conversations out of the conference bar to tackle these complex issues from every conceivable angle. Throughout this season, we've examined many of the challenges surrounding the cyber talent ecosystem. Today, we explore the question, how do we address talent strategically? Let's get into it. In one of my last corporate gigs, I was tasked with standardizing how we hired security talent. Specifically, I needed to answer the
Starting point is 00:02:17 question, how do we attract, integrate, train, and retain top-tier cyber talent in the company. Despite being in business for over four decades, this was the first time the company had undertaken a truly strategic approach to its cyber talent needs. As this is a passion point of mine, shocking, I know, I dug into the challenge with zeal. My first stop was our job descriptions. We had recently done an overhaul of the security job family and associated descriptions, but I was concerned that we had not normalized the knowledge, skill, ability, and experience, or KSAE requirements against any of the standard frameworks out there, such as the NICE Framework.
Starting point is 00:03:03 For the better part of two months, I worked with an external firm to dissect the job description levels and requirements and mapped them to the NICE Framework. I came away with some interesting conclusions. Turns out that less than 70% of our brand-new job descriptions were mapped to existing NICE KSAEs. In at least one case, over 80% of the requirements for the position were skills and abilities not found within the technical cyber KSAEs. As I said to my peers, I'm not advocating that you change the job descriptions again. But we as a corporation needed to understand the impact of having non-standard job descriptions
Starting point is 00:03:47 on our ability to recruit new talent and retain existing talent. In the latter case, we would be advancing individuals along a growth path that would make them viable for work only within our corporate ecosystem, which, for those savvy enough to realize this, would impede their ability to be hired into other organizations should their positions be eliminated here. My next target was our marketing efforts, specifically evangelizing within the cybersecurity community as subject matter experts. This meant not only blogging and publishing white papers,
Starting point is 00:04:26 but also speaking at conferences and industry events. While the company had mechanisms for accomplishing this for its technology and development teams, it struggled to figure out how to support these activities for security personnel in any organized fashion. Marketing the efforts of key security engineers and other individuals seemed an anathema to the organization. Further, getting approval to speak at conferences was usually a months-long effort with the legal and communications teams that would result in delays beyond the point of conference
Starting point is 00:04:59 submission and/or acceptance dates. Several of our team's senior personnel, myself included, found ourselves either leaving the speaking circuit altogether, or speaking as non-affiliated experts working for our own LLCs. It took another three months of pushing molasses uphill to get approval streamlined so we could actually showcase our talent without making the legal team apoplectic. My last hurdle was training. Surprisingly, the budget regarding training was the easy conversation at this time. The executive for whom I work recognized that we needed to spend on training if we wanted to grow and improve our capabilities.
Starting point is 00:05:44 The challenge, of course, was how much to spend and what to spend our budget on. To me, this felt fairly straightforward. I first needed to find a training provider that all of my peers agreed provided quality training and education. Next, I approached that provider with my job descriptions and the KSAEs for them and told the provider that they needed to map our KSAEs to their courses
Starting point is 00:06:09 so I could see which courses would allow our existing talent to grow their skills. A month later, the detailed mapping was complete. I then negotiated a bulk discount for the training that was most relevant to our needs and put an enterprise contract in place. Lastly, I distributed the course-to-KSAE map to my peers so they could plan their training for their respective teams accordingly. The end result of the six-month labor of love was a focused, strategic approach to security talent. Everything I had done was simply a repeat of approaches I had taken as a
Starting point is 00:06:46 CISO in previous companies. Yet at every turn, from my peers to my boss, to the marketing teams, to the training provider, I heard the same refrain. No one has ever asked us to do this before. Most security organizations have a somewhat bipolar relationship with skills and training. On the one hand, security leaders readily recognize the importance of a well-trained resource. On the other hand, training is often viewed merely as a perk to reward individuals. Training budgets are often the first thing sacrificed in times of fiscal belt tightening. Leaders often do not understand what training is best suited to advance an employee's skills, either in their current function or to prepare them for a future role,
Starting point is 00:07:37 and many leaders fear training and developing their team members past a certain point out of concern that they'll become more valuable targets for another corporation or organization to steal away. Remember that the current cybersecurity paradigm is to steal talent rather than to grow it internally. Benjamin Franklin said failing to plan is planning to fail. This truism also applies to talent and training. As security professionals, we need to start linking the pieces of the talent chain together if we ever wish to break out of the non-virtuous talent theft cycle we are currently in. This means, one, getting serious about KSA-based job descriptions. Two, making training a necessity, not just a perk.
Starting point is 00:08:29 Three, mapping training to planned advancement and skills and abilities. Four, holding your teams accountable for demonstrating and executing these heightened skills and abilities after training. And five, expending the resources, starting with our time to plan, to turn our teams into talent creation engines. My two cents. On today's episode, I'm excited to sit down with Jeff Welgan. Jeff is the CEO and founder of SkillRex and has been working for years to address how the industry
Starting point is 00:09:22 evaluates both prospective and existing talent. Today's conversation revolves around examining how we as an industry evaluate talent and ask the question, how do we address talent strategically? Let's get into it. Jeff, thanks for taking the time and welcome. It's great to see you again, right? It's an absolute pleasure to be talking with you again, Kim. So thank you so much for having me on.
Starting point is 00:09:48 I appreciate that. I appreciate that. So let's take a few moments and tell my audience about Jeff, as well as tell us a little bit about SkillRex and what you're doing. Awesome. Yeah, I appreciate the opportunity. So, yeah, my name is Jeff Welgan. I'm chief strategist and CEO at SkillRex.
Starting point is 00:10:06 We are a cyber workforce intelligence consulting firm. And fun fact, I used to work with N2K networks. We used to do this at N2K networks, and I spun the capability out last fall. So before spinning this out, I was the chief learning officer at N2K for several years, when we launched that as originally CyberVista. So I know you've had a couple of N2K folks on here, including Ethan on the reversal interview the other day and my former boss, Simone Petrella.
Starting point is 00:10:37 So it's an honor to be kind of amongst giants in this space. When you talk about, you know, talent and intelligence within understanding the talent pool, et cetera, one would make an argument that this is kind of a unique niche out there with the market space. So how the hell did you get involved in this, man? Yeah, well, I think, you know, the evolution kind of came naturally over time, right? So my background in cybersecurity, actually the predecessor to my jump into cybersecurity, I was an intel analyst.
Starting point is 00:11:15 I was in the Navy for a number of years. I was an intelligence specialist during the time of 9/11, so 2000, 2004. I was on the USS George Washington aircraft carrier and I was also a search and rescue swimmer, a little fun fact. So my trade at the core is analyzing information and putting the pieces of puzzles together and creating that picture. So fast forward, moving out of a counterterrorism work and operational intelligence that you'd kind of do in any military environment, I had an opportunity in 2010 to join Booz Allen Hamilton doing some contracting work for the DIA, helping them out with their cyber threat intelligence capabilities. So that was really my
Starting point is 00:11:59 entry into it. And really my focus was really looking at national doctrines and strategic capabilities of nation states, particularly some in the Middle East, to look at capabilities. So over time, that is really the core foundation of an analytic mindset around problems and solving complex issues for decision makers. And I joined CyberVista, which became N2K, and I was pulling together, I originally started as a, pulling together the cyber risk program for boards and executives.
Starting point is 00:12:36 And that's actually the first time I met you, Kim, because we were out there in Camelback and you came to one of our sessions there. So that was a great opportunity to meet you and kind of put some of our content out there. But across that time, my role evolved and changed. I ultimately became responsible for looking at cyber talent and using data analytics to start making more informed or smarter decisions about what to do for your workforce in this particular space. With the idea that the data can actually point us to reasonable solutions or reasonable paths forward.
Starting point is 00:13:15 So let's double click on that a little bit within the environment. Given that focus and given your history, I would love for you to take a half step back and tell me, what are you seeing out there in the market space? What are my peers as CSOs doing? What are organizations doing? What are we not doing? What is the data showing you? The talent component is one segment. When we think about talent component, like talent management, the training and all that, that is just one sliver of this entire ecosystem that spans from a number of activities on the talent acquisition side with recruiting through that talent management, which means, you know, understanding job roles, understanding skills, positioning, training, upskilling people, all the way through retention.
Starting point is 00:14:03 And there are a number of different stakeholders in that ecosystem that expand beyond just the cyber security professionals who are kind of looking at this ecosystem, right, or our component of it. So I think my view is kind of zoomed out a little bit because I work closely with cybersecurity teams. It's usually a CISO who's bringing us in to help them because the types of CISOs who really take a lot of value in this type of work are being very strategic about their workforce and how they're thinking about their workforce in two years. They're not really thinking about them exactly at this moment today, but really planning for that strategic arc of positioning them for the future of the business. But that said, I think once we kind of start working with clients, the aperture expands kind of pretty drastically and quickly, right, to see not just where the skills are in the workforce today
Starting point is 00:15:03 or where some of the challenges or opportunities are to, you know, empower professionals, but what else is kind of broken in the process or what else can be improved across that ecosystem to make improvements for the business. So let's also drill down in terms of looking at talent strategically, Jeff. I'm going to bash my profession just a little bit, and I'm going to do it hopefully from a more of a data-driven way. Based upon your experience in the market space,
Starting point is 00:15:38 what, and I know this is a total swag, what percentage of CISOs are truly beginning to embrace the concept that you have to think strategically about your talent. Yeah, I can't give you a percentage, but I can say not enough. Not enough. Would it be fair to say that it's a significant minority? I don't know if I'd say it's a significant minority, or even if maybe that's an unfair judgment to say not enough.
Starting point is 00:16:05 Because sometimes I think there are a lot of CISOs who are thinking about it. Actually, I think you're being generous, but go on. But, you know, sometimes your hands are tied. And I think sometimes, you know, hands are tied by budget, right? Or, you know, looking at your talent and what you're able to provide that talent from a training or development. So I got to push back just a little bit. You know, there's a, if we're truly looking at a problem strategically, and we're talking about linking into the business and showing value, then we should be able to. And we all understand that, you know, none of us prints money so that budgets are always
Starting point is 00:16:43 a consideration. But what we get end up is in a situation to say, if I want more budget, I need to show the value proposition associated with the training. And the end result associated with the business in terms of spending this money training saves me dollars in recruitment, saves me having to find a new body, creates a level of loyalty within the organization, increases morale, allows me to automate other things, although the human capital model that's out there. You know, tons of things we can do. So when I hear that my hands are tied, you know, my counterpoint is my hands are tied
Starting point is 00:17:21 because you really aren't thinking about the problem strategically because you want the training, but you're not articulating the value of training, which therefore means you're really looking at it at best operationally instead of strategically. Yeah. So are we just tying our own hands because we are failing to truly look at this from a value proposition standpoint or are there other factors out there and I'm the one being unfair to my colleagues who sit the chair. No, I think you're right. I think you're right. And I think it's a value prop issue, mostly, right? You know, I think it's hard to communicate up to the executive suite and to the board
Starting point is 00:18:01 why that investment has dividends, right? And you say training, but it is training. That's a component of a, but it's also other areas too. And I think that's, you know, one of our- Such as? So that's one of our goals at SkillRex is really to broaden the scope of this problem set, so people see beyond just the training component, because that is- And fair, and that tends to be the most visible one and the most budget-heavy one. But when we talk other areas and components, such as? Yeah, so let me kind of, I don't go on a story here.
Starting point is 00:18:37 Your predecessor, Rick Howard of CSO Perspectives. You know, we used to be colleagues at N2K and Simone as well. And when Simone and I were kind of pulling together a lot of this like cyber talent insights component around how do we baseline skills and compare that to job role expectations to identify skill gaps, it was really around to position training, right? Maximize return on an investment by focusing on the training areas where there's the most skill gap in relation to the job role expectations for where the team's at today.
Starting point is 00:19:08 So when we brought that up, when Simone had a conversation with Rick, you know, he made this really, you know, brilliant analogy of like, oh, it's the moneyball approach to cybersecurity talent. And he was right about that, right? So I think when what I'm looking at is kind of this combination of that concept of moneyball, but expanded beyond just the individual and the team to look more at the department, the business units, and the industry or company at whole. So I'm positioning that we really need a sabermetrics, like a cyber metrics for workforce across the board, which includes, you know, talent and training information, right? Like when Bill James kind of created cyber, or I'm sorry, sabermetrics, they were really looking at different kinds of metrics for, you know, on-base percentages and things beyond just batting averages, right? And I think cyber as a profession or cyber workforce as a profession, more broadly speaking, needs to kind of take a different statistical approach to the entire ecosystem, not just on skill gap data, although that's
Starting point is 00:20:21 kind of the easiest place to start. But you said such as. So like we can take data and metrics from, you know, applicant tracking systems, time to hire, and weave all that stuff. And how well are your recruitings pulling in the right talent? All the way down to retention and culture issues. So there are data sets across that entire ecosystem that if we start to correlate with your talent itself and skill gap data, then we can start to identify hot spots across that ecosystem that need repairing. Sometimes that's going to be training. Sometimes that's going to be on the talent acquisition side. Sometimes it's going to be a culture issue. And I think if we can get the data in front of decision makers so we can have powerful conversations about how do we be smart
Starting point is 00:21:04 about the budget we have and focus our energy and time and investment in the most needed areas across that ecosystem, then I think we'll start making some real progress against our cyber workforce challenges. Fair enough. I'm going to push a little bit, and I'll caveat this mainly for our audience versus you, because you and I have been down this path, and you know that much of what you're saying, you have a lot of agreement with me because of some of the work we've done in the past and the conversations we've had in the past. But let me play devil's advocate
Starting point is 00:21:39 out there. We're not the only technology field that's out there in the environment. We're not the only group of folks that have hard skills that may be perishable that require training within the environment. What makes us so unique that we have to go down this path when I'll pick on my IT brethren? I'm not aware of my IT brethren having this problem or this challenge. So what is it about us other than, you know, being prima donnas, you know, and, you know, that forces us into this situation when the vast majority of the folks out there in IT and there are a lot more of them than us aren't needing to do this.
Starting point is 00:22:17 What makes us so unique that we have to go down this path? I think, well, first I would say, I think every profession should take an approach like this, of what I'm suggesting. I think that would only make us better, right? They did it with baseball players for crying out loud. So, you know, if they can do it with baseball players, they could do it with any other profession using that data to understand where to make improvements across that entire ecosystem.
Starting point is 00:22:41 But I think what's a little bit unique about cybersecurity as a profession is we're still young. We're still a newer profession in the context of professions, especially if you compare it to the medical field. So we are, I think, still earning our sea legs a little bit of like how do we do this and do it well, especially in a profession that technology changes really, really fast, and as such, we need to kind of evolve with those rapid changes on our skill sets to keep up with those technological advancements. So I think that's kind of a key part.
Starting point is 00:23:19 Yeah, and again, this is devil's advocate pushback here. You know, I've been hearing about how young we are for the 38 years that I've been doing this in the environment. And while statistically is accurate compared to doctors, etc., it may not be as accurate in terms of just in general IT within the environment. They are older, I understand, but not much older than we are. And there's also an argument that says that an IT professional has the same rate of change that they have to deal with as we have to deal with in the environment. And while what you are describing would be useful there, there's a difference between utility and necessity.
Starting point is 00:24:04 Given the shortages that we're dealing with here, given the lack of understanding as to what it takes to make a good cyber professional, we're in a situation where what you're describing feels like a necessity for us. And I'm not sure we can blame that all on the youth of our almost four-decade profession within the environment. What's making us so unique here before I shift gears and talk about strategic planning for talent a little bit? You know, what's wrong with us? So I think what's different about us, though, is that, you know, I think with other professions in corporate environments,
Starting point is 00:24:43 you have the corporate structures to support those professions. And it's a little bit different with cybersecurity. And I'm really kind of driving at HR here, you know, HR, L&D, specific. That's where I was going next. Right, great. We're going to segue into it nicely. You know, I think the lack of understanding of those supporting components of an enterprise, the HR components and the learning and development team,
Starting point is 00:25:15 and around what the needs are for cybersecurity has kind of put the onus on cyber teams to figure this out by themselves. Sometimes that is out of necessity. Sometimes that's out of maybe just our own prima donna nature and, you know, alpha, you know, nature as well of just kind of being in control of some of that. But there has been for quite some time now this distance between L&D, cyber, and HR. And when we're working with customers,
Starting point is 00:25:46 it's nine and a half times out of 10 we're being brought in by the cyber team, not an HR team. And when we have conversations with the HR team, they believe they've kind of got their hands around this. But if you talk to the cyber team, they're like, nope, they don't because we're doing 95% of it, right? So I think there's some despair, or maybe despair is not a great word, but also just like some overload. Right? Overload of responsibility. You have to do your day job.
Starting point is 00:26:17 But then you have to figure out this workforce problem on your own, too. And, you know, I think that creates a sense of urgency around the problem set, combined with, you know, the open positions, the supply and demand issues and all the other things that we're seeing across this entire ecosystem and some of the pipeline opportunities
Starting point is 00:26:36 to come into this field, which you've talked about in some of your other episodes already. Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware, and software with a vision of frictionless integration, resilience, and scalability.
Starting point is 00:27:27 What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever-expanding costs, and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full-stack zero-trust networks from the ground up with security at the core, at the edge, and everywhere in between. Meter designs, deploys, and manages everything an enterprise needs for fast, reliable, and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure.
Starting point is 00:28:09 From wired, wireless, and cellular to routing, switching, firewalls, DNS security, and VPN, every layer is integrated, segmented, and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com slash CISOP today to learn more about the future of secure networking and book your demo. That's M-E-T-E-R.com slash C-I-S-O-P.
Starting point is 00:28:53 So let's poke at that a little bit because when we talk about thinking about talent strategically, collectively across the board, and this great segue, as you began to mention, HR, there's an argument that says business has been thinking about talent holistically strategically, because your human resources or chief people officer person is usually, in most organizations, a senior executive position directly reporting to the chief executive officer within the environment. That indicates a business understanding the need to think about the problem strategically. I love what you said, Jeff, in terms of that sense of HR feels it has a handle on it, yet cyber feels it doesn't have a handle on it, indicates that level of disconnect between the two entities.
Starting point is 00:29:59 So I've got a group of people whose job it is to think strategically about talent. And I have a profession that is at least as old, if not older than mine, that has been doing this thinking strategically about talent. Yet for some reason, there remains a disconnect as they think about this new talent base here. One has to argue or consider that that's not an HR problem as much as it is a security problem in terms of us deciding and then communicating what's important to us and how we go get those important skills or abilities within the environment.
Starting point is 00:30:45 You know, it gets back to the conversation that I've had in previous podcasting with you. We've come up with these great KSAE frameworks that nobody seems to want to use within the environment because every CISO thinks he or she is a special snowflake in terms of their needs for the job in the environment. So are we perpetuating the problem regarding thinking about cyber talent strategically because we won't converge on what good cyber talent looks like, feels like, and how it comes to being? I'm curious as to your opinions on that. I think that's spot on.
Starting point is 00:31:23 That convergence is the problem. You know, we do have different opinions, strong opinions, in some cases, around, you know, how or what kind of talent we need or what we're looking for in the talent. You know, I'm thankful for the episodes you've had so far where we're talking about, you know, to cert or not to cert, right? Like, those are, that's a one little tiny component of an opinion piece that, you know, thousands of CISOs share, right? Like, where do they fall on that? Are they kind of in the hybrid side? Are they kind of like, I don't really care about certs or do I really put a lot of value in those? Or are they forced to care about certs? Because they need to follow like 8140 or something like that. The convergence is a problem. And we're seeing that right now, too, in the space around workforce frameworks. You know,
Starting point is 00:32:09 I know you are familiar with the NICE Workforce Framework. Oh, yeah. But there are more and more skill frameworks popping up. And right now, you know, coming fresh out of the NICE Conference, you know, and as a team here at SkillRex, we want to be able to pivot, you know, across any number of frameworks. We want to be a Rosetta Stone across them so that if you're using the European Cybersecurity Skills Framework or the Australian one or the Saudi Arabian version of the NICE Framework, like we can make sense of it all, right? So that is another problem set, too, is kind of like, well, what skills
Starting point is 00:32:44 are important. How do you, what taxonomy are you using to articulate the skills needed for these particular job roles? Do they align with the rest of the job family classifications and pay banding? So, you know, that's why I say, like, this problem set is a bigger ecosystem issue because it's connected to all these things. And if we don't have the data to kind of help us zone in and, you know, converge, as you mentioned, on an approach that makes sense for this particular profession
Starting point is 00:33:18 or set of professions, then we, I think, we will continue to spiral and spin wheels, you know, in our own opinions on how to manage it on our own. I guess my next question would be,
Starting point is 00:33:30 and it again gets back to articulating the value. So can we look at other industries, other talent mapping efforts, etc., outside of cyber, that can say, if you do this, the value proposition is you'll save in time to recruit. You'll save in, you know, cost and overhead for X.
Starting point is 00:33:56 You'll increase turnover for Y. So while I can believe that doing these things will show that value, putting in a couple of bodies, the more senior ones being paid probably in the low six figures, to focus just on this problem, requires a level of commitment in terms of business value that many organizations would be struggling with and asking why do I need that since I got this group here called HR within the environment. So how would you go about articulating that business value to support, you know, your proposition to say that what you need is you need one to three people doing this full time for a certain amount of time, if not forever.
Starting point is 00:34:47 Yeah. I think it's, I'll forgive the analogy here. We need to throw the pebble in the pond. You know, when you throw a pebble on the pond, it has a ripple effect, right? And the pebble for us starts with work-role analyses, really understanding the core expectations from skill sets perspective for any given job role at any given level. That's like the step one. And then the ripples out from there.
Starting point is 00:35:13 So once you have that data, you want to understand, like, well, now I know what I need. What am I going to do with that data? Well, I can go back to my job descriptions, as you mentioned, and update job descriptions based on an analysis of the expectations. But then, too, you're going to want to understand where are my people compared to my expectations. So you're going to want to go through some sort of measurement, whether that is a self-evaluation or through a diagnostic or using data from labs, whatever the data is that you have to start getting baseline metrics of people's current skill sets in those roles. Then you have that.
Starting point is 00:35:48 You can overlay that to the skill expectations and find skill gaps. Now we're starting to get to a spot where you have value prop, return on investment. You look at your training ecosystem. You say, well, who in my training ecosystem can fill these critical gaps that I have on these teams, or for these individuals on these teams, right? Now you're positioning a better value for the organization by using your training dollars, you know, especially if it's by like being spent per head, right? If you're looking at like a SANS model,
Starting point is 00:36:20 you're going to send somebody through a SANS training. You're spending per person on that training and that voucher. So who actually needs what kind of training? Now we're, you know, improving our actual capital expenses towards, you know, how do you utilize the training, but also you're making improvements on the overhead costs by focusing on training that matters most to the individuals or to the teams, right? You don't want to put them through a bunch of training. If they're already proficient in those areas, let's focus on what most matters to the business where there are critical gaps.
Starting point is 00:36:52 So we're spending less time in training, or I should say, we're spending that valuable time on the training that matters most while not spending on time on training that doesn't matter, which means they're doing more of their job and hired to do. And then the ripples continue, right? Now you can start to start looking at data saying, well, let's start bringing in KPI data for the business. Makes perfect sense. So I'm going to give you the last word. What is the one thing you would either like to double down on
Starting point is 00:37:24 or the one thing we haven't talked about that you would want the audience to hear? Yeah, I think it's kind of two things. I would like to double down and add. Sure. So, you know, mentioned the Moneyball approach. I think, you know, what I'm positioning is that we need a new model, a data model for cyber workforce. We're trying to figure that out right now.
Starting point is 00:37:46 That expands beyond just skill gap data and training. It goes into these different areas of the workforce ecosystem, including ATS, you know, applicant tracking system, data, business APIs, bring all that stuff into one. So a model, right, and that's where Moneyball comes in. But I really, really have been latching on to big ag, big farming, and how they take approaches to create better yields for their agriculture. So I love the concept that big farmers use when they're using data-driven data science approaches to make their farms more sustainable. So I've been using a lot of lexicon around the agriculture field of like sensors, treatments, yields, and sustainability, and translating that back into the cyber context.
Starting point is 00:38:38 You know, so if we're thinking about big ag and sensors, they have a lot of sensors that they use to improve crop harvest, right, and yields, like soil sensors, pH levels, humidity, environmental sensors, all this data that they kind of look at. We have that in cyber, too. The ATSs, labor market data, HRIS systems, LMS systems, there are a whole bunch of sensors we have that at our disposal that we haven't leveraged yet. If we're looking at treatments in the farming concept, that could be like targeted fertilization or precision irrigation, pesticide application. Same is true on the cyber side. There are lots of treatments that we can do, including job architecture, standardization, or skills assessments, learning paths, career progressions,
Starting point is 00:39:28 mentorship programs, et cetera. So we have a lot of different treatments that we use in cyber to make improvements to our harvest, our harvest being our people, right? And then the ultimate goal is to have better yields. You know, you want, you know, in farming, they're looking at crop yield per acre or input efficiency, harvest quality, etc. For us in the cyber profession,
Starting point is 00:39:48 it could be internal mobility rates, skill proficiency increases, role readiness, retention rates, the list goes on and on. So I like that construct that agriculture uses when they're thinking about their yields and their farms and applying that in the same way to the cyber profession
Starting point is 00:40:06 because I think it's pretty straightforward when we think about it in these sensors, treatments, yields. And what do you do sustainability-wise across the program year over year to make your cyber workforce programs as efficient and effective as possible? And Jeff, we're going to leave it with that. Thank you so much for coming.
Starting point is 00:40:25 We appreciate your time and then talking to our audience about this topic. Appreciate you. Absolutely pleasure. Kim. Thanks for having me on. And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro
Starting point is 00:40:59 subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources
Starting point is 00:41:15 and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by Myon Plot, produced by Liz Stopes, executive produced by Jennifer Ivan, and mixing sound design and original music by Elliot Pelsman. I'm Kim Jones, and thank you for listening. Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware,
Starting point is 00:42:11 or managing endless complexity. Meter builds full-stack zero-trust networks from the ground up, secure by design, and automatically kept up to date. Every layer from wired and wireless to firewalls, DNS security, and VPN is integrated, segmented, and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo at meter.com slash CISOP. That's M-E-T-E-R.com
Starting point is 00:42:45 slash C-I-S-O-P. And we thank Meter for their support in unlocking this N2K Pro episode for all Cyberwire listeners.
