We often wonder why there is a lack of entry-level jobs in cybersecurity. But does that job category even apply to the field? Is there an argument that there are NO entry-level jobs in cybersecurity?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is Montez Fitzpatrick, CISO, Navvis.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Scrut Automation
Visit www.scrut.io to learn more or schedule a demo.
Full Transcript
Intro
0:00.000
[Rich Stroffolino] This is Rich Stroffolino, and I’m thrilled to be the host of our brand-new podcast, Security You Should Know. Each episode we bring you two security leaders that are looking at how a specific vendor solution is helping to solve persistent problems in the industry. It’s a focused 15-minute show with lots of questions to get you the answers you need.
So, add Security You Should Know to your podcast queue or head on over to CISOseries.com to check it out.
[David Spark] We often wonder why there is a lack of entry level jobs in cyber security, but does that job category even apply to the field? Is there an argument that there are no entry level jobs in cyber security?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series. And joining me, my cohost, none other than Steve Zalewski. Say hello to the audience, Steve.
[Steve Zalewski] Hello, audience.
[David Spark] By the way, Steve, I quoted you yet again on your famous very quotable line, “What does this have to do with me selling jeans?” Or, “How does this help me sell jeans?” That’s your line. “How does this help me sell jeans?” If those of you listening don’t know, Steve used to be the CISO over at Levi Strauss, and he boils that down… And that quote comes up so often and is so useful so many times.
Hence why you’ve said it all the time.
[Steve Zalewski] Thank you.
[David Spark] Do you have a second quote?
[Laughter]
[David Spark] That’s it. It’s going to be on your gravestone. “How does this help me sell jeans?”
[Steve Zalewski] That’s it. “How does this sell more jeans?” That just seems to be… I had no idea when I did that.
[David Spark] Then your birth and death date, and that’s it. Nothing else.
[Steve Zalewski] That’s all you need to know. That’s it, yeah.
[David Spark] And the kids will come to the cemetery with pieces of paper and crayon and then rub that and then have that hanging up. “How does that help me sell jeans?” All right. All right. Our sponsor for today’s episode is Scrut Automation. Stay aware, stay ahead, and stay compliant. Do it all with Scrut.
All right, let’s get to today’s topic, Steve. As a specialized subset of information technology, entry level doesn’t exist in cyber security, argued Tallis Jordan of 2K on LinkedIn. Now, just because a role is described as “junior,” most smaller teams want people that can come in and contribute right away rather than having to train them up before they can see any value.
Steve, can you really do it with no experience? And when I say it, cyber security. Can you do it with no experience and education, or are we redefining the term “entry level?” What do you think?
[Steve Zalewski] So, it’s no experience and education. That’s the part where I think we’re misunderstanding. Because you can educate yourself. What I’m thinking here is, look, if I’m selling jeans in retail, I can hire somebody off the street who doesn’t understand how to sell jeans, but I can train them on the fly.
In cyber security, I think you can have educated yourself on certain functions, and then you’re certainly capable of being hired right away. But there is an expectation of some nominal level of expertise in the field, but that doesn’t mean that you have to pay money to go take a course to do it.
[David Spark] We’re going to get into this discussion as to what entry level is in cyber security. That it does not have the same meaning and definition as others may think it is. And the person that’s going to help with this discussion is someone I just met in Dallas, Texas when we were doing a live show.
It is the CISO over at Navvis. None other than Montez Fitzpatrick. Montez, thank you so much for joining us.
[Montez Fitzpatrick] David, great to be here. Great to talk to you again. And, Steve, fantastic to meet you.
Why is everyone so confused?
3:57.314
[David Spark] Sev Obarian of SecurPro said, “If you do not have even a basic comfort with tech you will never be a solid InfoSec professional. If you are a junior trying to get in, my advice to you is go and work in an entry level IT job first. A call center or support desk would be a great start. After two to three years you will learn the fundamentals of tech.
And from there, you can more easily transition into cyber as you would only be two to three hops away from true technology.” And Heather Noggle of Missouri Cyber Security of Excellence said, “Companies are not training their staff, but I think that’s the same argument frustration point about why businesses don’t invest adequately in cyber security.” I will leave on Sev’s line.
I have heard this again, and again, and again. Cyber security loves people who work in tech support, on the help desk because they hear the problems frontlines. Steve?
[Steve Zalewski] So, why do we think that IT tech is not cyber security? You are a cyber security practitioner if you are working the help desk or you’re working the call centers. Yes, you’re running a playbook. Yes, you’re simply repeating what you’ve been trained. But that is part of being in cyber security, and that’s an incredibly valuable function.
Because your interpersonal skills at that point are way more valuable than your technical skills. So, that’s why I get back to how about if we just have a clear expectation that it’s not about being able to hack and know tech, that there are a lot of capabilities in cyber security similar to IT or similar to other domains, but we just have to be clear with everybody that that is part of cyber security.
[David Spark] Very good point. All right, Montez, I throw this to you. Your thoughts about working the help desk. And second, Heather brings up a really interesting point about the investment in training and cyber security. I quoted somebody a long time ago, I can’t remember who, but just talking about the military.
Military is security. They truly, truly bring in entry level, and they train them up. But that is truly part of the military is the training process. We don’t see this in other organizations definitely to the level of the military, and they can do it. Can we get even halfway there? What do you think, Montez?
[Montez Fitzpatrick] Well, first off, I would wholeheartedly agree with everything that Steve said. And it really is hard to argue against Heather’s point. The ability to have a very large workforce gives you some leverage whenever you can think about, “Okay, well, now I can think about having the next wave of individuals come in and learn.” Maybe it’s a two-fold perspective.
Businesses are asking their technology CoEs to be lean, which lowers their ability to have adequate bench strength, so that everyone can be properly trained and cross trained, and so I think that’s going to be a problem. Secondly, we might have to do it ourselves a bit. When a lot of us came up… Maybe you can think of like the old guard.
There was not really a manual or a playbook on how you got good. If you can make it through the gauntlet as the fittest to survive then you were sort of acknowledged as someone who was worthy of putting resources into. Early in my career, I believe that Sev’s statement was probably the only correct answer to get into the profession.
I still believe that a good practical way to consider approaching some of the operational security domains like infrastructure and engineering is to go through the information technology route. Really it’s a cyber security subset of information technology.
I won’t argue that it’s certainly got its start as an off shoot of information technology, and it’s often placed within that recording line. I don’t necessarily agree that cyber security is a subset of modern information technology. Perhaps this is why a lot of us in the industry still prefer the term “information security.” I believe a substantial portion of nonpractitioners believe that when they hear the term “cyber security,” it sort of conjures a very narrow definition of our responsibilities.
What kind of experience do you need?
8:14.711
[David Spark] Daniel Sullivan at Leidos said, “Anyone can learn a job. Cyber security isn’t this mystical, challenging world where nobody can learn it. Hell, most tools are automated and require very little input. Not every job is to be an engineer. I think if you have the work ethic and want to learn then anyone can enter the field and succeed.
I came from being a weatherman to a SOC analyst.” Michael Spanks Jr. of Mutual of Omaha Mortgage said, “Strongly disagree. I went from being a police officer to a SOC analyst within a year. I agree that no one is going to hand you a job but acting as if certain roles within cyber security where new hires can’t be trained is nonsense.
This is gatekeeping.” Russ Lein of Essendant said, “There are entry level positions in every IT discipline. You can teach anyone anything. The real question is do they have the aptitude and desire to learn something new.” And Jeff Nye said, “Disagree. The rest of the IT field is not some sort of minor leagues for cyber security, and I’m tired of people acting like it is.” All right.
I want to lean on that last line from Jeff because he’s got a good point there. It’s like this attitude of, “You do IT, and then the cool kids get to move to cyber security.” Which is kind of a slap in the face at IT. Montez? Do you feel that we’re kind of slapping IT in the face here?
[Montez Fitzpatrick] I think in some cases we are, but it’s more nuanced than that. If you can go with me on this journey a little bit, hopefully I can explain. So, when cyber security first spun off from information technology it was sort of billed as the pinnacle of the technology domains. Cyber security pioneers were sort of beset by those already established domains.
And to earn any respect, they had to be certain in their delivery and correct in their statements. And that’s what really defines success for us. New entrants and those who aspire to be in cyber security perhaps view it as the tyranny of the minority. The cyber security establishment sort of sees it as maintaining the standard.
So, you can see where we might have a little bit of at odds there. I think maybe the meta problem for cyber security has changed for those of us who consider ourselves part of the establishment. This is a bit of medicine that’s going to be hard to swallow. The fight for relevance of if cyber security should exist is over.
We won. Cyber security needs to fight to solve problems. Part of that solution is getting more minds in the discipline. What got us here won’t get us there.
[David Spark] Right. Steve, I throw this to you.
[Steve Zalewski] So, here’s the way I look at it is the IT field is not some sort of minor leagues for cyber security. I would say they’re not. I would say in my experience I looked at the entire company as the major leagues for me to be able to hire into cyber security. So, people that were really good in the business would be awesome for security awareness training.
To join my security awareness training team to build the materials, to understand how the business works. That’s major league. The legal team that was reading the contracts and looking at what the cyber security terms and conditions were, major league for me to be able to educate them and have them take care of the security side.
So, you can say those were all entry level jobs.
That I was using the major leagues of the business to be able to find people that wanted to get into cyber security whether they knew it or not or like project management. Another area where I was able to go into the PMO, and that’s not IT specific and find people that I thought had really good skills that would cross train in.
Or they would approach me and ask about cyber security, and I’d say, “You have some great skillsets. This is a major league opportunity for me to come to bring you across.” So, I would say I really like what Jeff was saying, but I think it’s not that it’s minor leagues. It’s major leagues across the business for you to be able to realize you have a whole set of latent skills that are awesome for cyber security.
You just need to know to ask.
Sponsor – Scrut Automation
12:40.276
[David Spark] Before I go on any further, let me tell you about today’s sponsor, and that would be Scrut Automation. So, they are the company helping businesses eliminate compliance debt and take control of risk without slowing down. So, look. Managing compliance and security shouldn’t be ae roadblock to growth.
Right? Scrut simplifies the process with automation, AI driven insights, and real-time monitoring so teams can streamline audits, track security controls, and, well, stay ahead of regulatory requirements without the manual workload. That’s kind of the way we’ve been doing it so far. So, with Scrut, security and risk professionals gain instant visibility into their compliance posture, automate evidence collection, and manage multiple frameworks effortlessly.
AI powered insights help teams focus on what truly matters – reducing risk, maintaining trust, and scaling with confidence. Don’t let compliance slow you down. Scrut helps you stay secure, audit ready, and focused on growth. That is the triumvirate that we all want, right? Okay, just go to their site.
Visit scurt.io. Go over there to schedule a demo or just learn more. Remember, the website is scrut.io. Go check them out.
Who’s losing out there?
14:03.745
[David Spark] Janet Gray of Optiv said, “The biggest problem I have are the ‘influencers.’ One guy promises 90K in 90 days. Says you can start cold from no IT experience to multiple certs and a job in 90 days.” These are also, I would say, the ones offering up certs, too, fall in this category. Jesse Johnson of Delta Health said, “I cannot agree more that influencers and media personalities grift on the desires of many to change careers.” Linda Dickinson of Caldwell University said, “Just because you have the money to take the test doesn’t mean you can do the job.
The other problem with classes I’ve taken is they don’t usually teach you the day to day stuff you need to know.”
And the Jose Vela of Cyderes said, “The goalposts move every day, and there’s no consistency. Best to just have a solid education base and adapt to whatever the job requires. We really give a lot away when we try to measure people by their time in cysec and not in computer/technical systems as a whole.” You know, people looking at new cyber security people do look at that.
But I will ask this of you, Steve. Given the landscape today and when you started in cyber security, do you think you could have started the same way, or would it have been a different ballgame today?
[Steve Zalewski] It’s a different ballgame today. But when I got into cyber security, cyber security was so nascent that people didn’t even know what it was.
[David Spark] So, there was no demand to get in at all?
[Steve Zalewski] There was no demand to get in because it wasn’t perceived as a great, high paying job. And so I go in the last 25 years, the cyber security practice has become a cyber security profession. And that maturity has opened up lots of different types of jobs, and that’s where we are today.
I want to expand on this, which was I’ve been having this conversation quite a bit about where’s the million jobs. Where’s the million jobs in cyber security that three or four years ago you heard all the politicians and all the educators saying is out there.
[David Spark] But analyst firms… Cisco I know posted about this. I mean everyone said there’s a million unfilled positions.
[Steve Zalewski] Right. And I go, yeah, but whether there’s a million, or whether there’s 50,000, or whether there’s 20,000, we got to stop staying that in order to be able to get a job in cyber security… It’s like being in medicine where you have to be a doctor. Oh, you want to get into medicine? You have to be a doctor, and you have to spend 12 years getting all the appropriate degrees.
[David Spark] But that’s also a regulated industry. And cyber has regulations as well but in sort of a different… Regulations on how you perform, not on the individuals. I guess that’s the difference with medicine.
[Steve Zalewski] And my point here is let’s think about it more like mechanics and plumbers. Where’s the vocational track to be able to get the experience you need to do something within the field, not that everybody has to be a SOC analyst, and therefore you have to have this deep four-year degree that costs you $100,000.
So, the education market is kind of biased to want us to spend a lot of money. The certification processes, the pundits. And we need to understand this is a profession now with a lot of skill sets, and introductory and vocational types of training programs that don’t cost a lot of money or you can do yourself have to be embraced.
[David Spark] And we’re getting to the point of like you don’t necessarily have to be a SOC analyst. Looking at the military. The military needs accountants, too. It’s not just everybody on the front line. Montez… But honestly, we are though focusing… And I don’t want the conversation to go off far left field in that direction, because we are focusing more on the technical aspects because those are what people have expressed here.
The concern here is there’s a lack of training within the organizations that the reason there’s frustration here is twofold. Is that there are “influencers” as these people call them, and there are also other firms that are educating. Which is great that you’re educating them. But the thing that a lot of us are concerned about is the promises that are being made that is, I think, where the frustration sets in.
Thrilled on the education, concerned about the promises. Montez?
[Montez Fitzpatrick] Well, there have been a lot of good things that have been said. I think that maybe this is a case of you need to follow the money when it comes to people, or entities, or organizations that are making promises about what could be for you and your cyber security career as an aspirant.
There are a lot with education and public perception completely agree with Steve that the breadth of what is cyber security or information security is quite wide. And I know that you mentioned that we wanted to focus on the technical aspects of it. But there is an awful lot that is there for people to come over from other disciplines to then learn how to apply what they know into cyber security.
There is a lot of hang ups or lynches in what might be getting those individuals over. Because when you talk about for the talent acquisition people and anyone who that is outside of cyber security who really don’t understand what cyber security is all about and the breadth of it, it’s going to be very difficult to get these entrants into cyber security who don’t meet or who don’t fit into this one particular mold.
And just like Steve said, there are a lot of different ways to have people who can then be trained into cyber security and really leverage their own talents. How do we basically get these individuals over from and find them and get them institutionalized into the cyber security? That’s a very difficult problem.
I don’t really have the answer for that.
[David Spark] Well, what would you say…? So, I run a meet up group here in San Diego. The San Diego Cyber Group. But a good percentage of the people who come to our meetings are eager to break in, and they kind of like look to us very wide eyed, and they’re saying, “I got this certificate. I’m working at the help desk, and I’m doing this.” Like, “I’m ready to jump wherever I need to jump to get that job.
What do I do?” And there’s this desire for the answer. Steve, you keep nodding your head here, and I’m sure you’ve had this conversation with young people, too. How do you respond to them? Saying like, “I’m trying to do the right thing. I just don’t know what the right thing is.”
[Steve Zalewski] Yeah. And this is where I get back to cyber security as a practice and cyber security as a profession. Which is there’s a lot of material out there now about the different types of jobs in cyber security, but everybody thinks like a SOC analyst or a pen tester. That it’s a highly technical set of expectations that you have to have.
And so if they can’t afford education or they just know it’s a great field to get into because people tell everybody there’s a million jobs, and it’s highly lucrative, and so therefore get in. My point here is, hey, folks, there is a lot of material out there now about the different types of jobs. The government has done it and everything else.
So, look at the hundred different job titles that exist and start to figure out where your natural experience or your natural inclinations align. And now you can help me help you. Because when you say, “I just want to do cyber security,” that’s just it.
Cyber security is not a thing. It’s a state of mind almost. And you have to understand what you want to do within the field. And I think there’s…a lot of the material is out there. But, again, nobody wants to kind of make it simple. They want it to be sophisticated and hard. So, bottom line is just go out there and look at the government.
Look at all the job specifications for cyber security. Break it down, figure out what it is that you’re interested in. And then I say then come to me and say, “Aw, I’ve looked at that. Thank you for telling me about that. I think I’m really good at this part, the security awareness, or GRC, or help desk.” And I’m like, “Awesome.” Because now we can make progress on how to be able to get you into the field.
Rather than, to your point, David, where they just come in wide eyed and bushy tailed, and they just simply say, “Help me.” And I’m like, “I can’t help you if you don’t take half the challenge with me.”
[David Spark] That also…I would also say is I think a lot of green people go in not realizing that hiring someone with lower levels of experience…I’m not going to say no experience but lower levels of experience is a risk to the company. And I think any way that you can present yourself as, “I’m going to be a benefit and not a risk,” will hugely benefit you.
And that’s kind of the role you have to play going in.
What’s the best way to grow your staff?
23:11.996
[David Spark] Reginald Fuller of Clairborne Parish School Board said, “While there are still many companies that require prior IT experience for cyber hiring, there is a growing trend of companies that don’t. What matters most to beginning a career in cyber is that you grasp the necessary fundamentals and can demonstrate that understanding in real world situations.
Nowadays you can gain entry level experience through online resources, home labbing, and independent field projects like bug bounties. Five to ten years ago, previous IT experience was your only option. There has to be an entry level talent pipeline of some sort to maintain a healthy industry.” So, that’s why I said while we don’t like the way these training programs are sold with the promises, we’re thrilled that they’re out there educating.
Yes, Montez?
[Montez Fitzpatrick] Absolutely. And I think a lot of the home labbing, the independent field projects, bug bounties, etc., those have always existed, and those have always been just good hygiene for anyone who’s trying to get into cyber security. But in my opinion, this is something of a multivariable problem that may be a little bit deeper than it appears at first glance.
If we sort of continue with the notion that information technology is a super set of information security, it becomes impossible or really very difficult to reach parity if the organizational leadership believes that information security’s budget and resources should be a percentage of information technology.
When it comes to having a tight budget, CISOs and their leadership teams, they’re trying to ensure that the team members are performing about the mean.
And so that doesn’t give us a lot of opportunity to have very many misses, unfortunately. You can potentially have misses with even a very good entry level pipeline. That is really what I think has been a benefit in the very much more established information technology domain or department. But cyber security is maturing, and job roles are becoming more specialized.
Maybe the journeyman cyber security practitioner, as many of us have come up, is sort of fading. The budgets of the security departments should grow. And as we align the security department with business goals, we can better articulate our controls. And as we approach parity budgetary wise with information technology, maybe we’ll be able to have that entry level talent pipeline.
[David Spark] Steve?
[Steve Zalewski] Oh, I’ve been waiting for this one. Okay, so here’s what we say. If you’ve got a big team, cyber security CISOs want to hire. We want people in. So, it’s not like we’re trying to raise the bar. We just realize if I’ve got ten people on my staff, to try to bring in a new hire, and let’s assume I do one, that’s ten percent of my staff.
So, we’re in this really awkward situation of if I have 50 or 100 people I can potentially take 1 or 2 open job recs a year and specifically target entry level to bring you up and train you where necessary. But for many security organizations, as CISOs, we have smaller teams. So, our ability to be able to support that pipeline means we are not in the situation of being able to dictate what we want.
What we have to do is beg, borrow, and steal. So, if you want to get into the industry, realize we as CISOs are begging, borrowing, and stealing resources anywhere we can to be able to create that opportunity then maybe convert you over.
And I was notorious for this. Which is going into other parts of the business and talking to people that I thought were good, or people coming to me. And I’d say, “Hey, look, how can I get you across into cyber security in some capacity? Maybe if you’re on the outside, I can bring you in, and I can’t pay you for 90 days.
But what I can do is bring you in as an intern or something like that to get you some experience and move across.” Or within the company when I’m out there with other members in the business, and I say, “Let me talk to your boss, and maybe I can do a 90-day cross train or something like that and then put security back into the field through you because your career is now going to be advanced because you have some cyber security experience.” So, in order to grow our staff think beg, borrow, and steal is what a lot of CISOs are doing.
So, help us beg, borrow, and steal.
Again, by you wanting to get into cyber security, make a friend in a CISO. Let them know you’re interested. Let them know where you are, and then let’s work together to figure out how we beg, borrow, and steal the resources in because it’s not necessarily a situation of we’re just sitting on eight recs, and how do you get hired.
[David Spark] Very good point.
Closing
28:10.220
[David Spark] All right, we’ve come to the point of the show, Montez, where I ask both of you, starting with you, which quote was your favorite and why. So, I’ll ask you, which quote was your favorite and why?
[Montez Fitzpatrick] I like Sev’s quote regarding the even if you do not have a basic comfort with tech you won’t be a solid InfoSec professional unless you start to work the entry level in IT. I like that quote because simply I think that is becoming less and less a have to have, but it’s still a very solid way to get into information security.
[David Spark] Yeah. I will second that, because I hear that again and again. This is the kind of thing… And it’s interesting. I remember this young man spoke to me about…saying, “Well…” He kind of was downplaying it. “I’m at help desk.” I go, “Oh, you have no idea. That’s what they love. They love help desk.
Don’t be down on that.” Steve, your favorite quote.
[Steve Zalewski] I was going back and forth, but this time what I’m going to say is I’m going to go with Jeff Nye, where he says, “The rest of the IT field is not some sort of minor league for cyber security.”
[David Spark] I do like that quote.
[Steve Zalewski] I like that quote because of the way I changed it, which was, “Hey, it’s beg, borrow, and steal.” And so therefore the rest of the industry is actually my major leagues for me to be able to pull from. You just have to know how you’re a major league player from my perspective. For security awareness training or help desk, like you said, David.
Which is they’re like, “Hey, I’m just a help desk guy.” I’m like, “But we need tons of those people that know how to empathize to work with others, not just the SOC analysts or the pen testers.” That’s a minority position more and more. So, I love that quote because what I want to say is it’s not about we’re stealing from others, but we’re beg, borrowing, and stealing from what we consider the major leagues.
We just need a way to make that bridge happen.
[David Spark] Very good. Well, a huge thanks to our sponsor, Scrut Automation. Remember, stay aware, stay ahead, stay compliant. Let them help you with your compliance needs and your risk management. Make things a lot easier for you in your environment. Check out what they’re doing over at scrut.io.
But I want to thank my cohost, Steve Zalewski, who you hear here often on this show. And also our guest, Montez Fitzpatrick, who is the CISO over at Navvis. Montez, thank you so much for coming. Any last words you’d like to say on our topic?
[Montez Fitzpatrick] This was great. I loved discussing this, and hopefully it’ll be meaningful for the listeners.
[David Spark] I hope so, too, as well. Thank you to our listeners, as always. We greatly appreciate your contributions. Remember, if you see a really good discussion on LinkedIn particularly, but we take other avenues as well, please let me know because we can turn it into an entire episode of Defense in Depth.
So, thank you for your contributions, and thank you for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cyber security. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site, CISOseries.com, where you’ll also see plenty of ways to participate including recording a question or a comment for the show.
If you’re interested in sponsoring the podcast, contact David Spark directly at david@CISOseries.com. Thank you for listening to Defense in Depth.