Cybersecurity’s Broken Hiring Process

Something is wrong with the math in the cybersecurity job market. If there are “millions” of unfilled jobs out there, why are so many job seekers struggling to even book an interview?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap. Joining us is Brett Conlon, CISO, American Century Investments.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Scanner

All your security logs end up in cloud storage like AWS S3. Scanner makes them searchable in seconds and runs real-time detections directly on that data. No pipelines, no re-ingestion. 100x faster than traditional data lakes, 10x cheaper than SIEMs. Loved by analysts. Built for AI agents. Learn more at scanner.dev

Full Transcript

Intro

0:00.000

[David Spark] Something is wrong with the math in the cybersecurity job market. If there are millions of unfilled jobs out there, why are so many job seekers struggling to even book an interview?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark. I am the producer of the CISO Series, and joining me as my co-host is none other than Geoff Belknap. Geoff, say hello to the nice audience.

[Geoff Belknap] Hey, everybody, it’s Geoff. I’m definitely not an AI.

[David Spark] You can learn more about all of our wonderful programming. We have five shows on our network. If you go to CISOSeries.com, wonderful place to go. I suggest people go there at least three to five times every day. We have bots going there thousands of times a day.

We, luckily, have no bots who listen to this show.

Our sponsor for today’s episode is Scanner, the security data layer for the era of agents. We will talk about just that a little bit later in the show. Let’s get to our topic at hand. This is a topic that comes back again and again and again, and that is the cybersecurity hiring process, and the so-called talent shortage, which we may or may not have.

It’s one of those myths that just keeps on kicking around. And Dr. Chase Cunningham made the case that as an industry, we’re lying to ourselves about the state of the market. If there are so many jobs out there, then post real jobs. There’s a sense that those people who are posting the jobs have no intention of filling them.

How did we get to this point, Geoff, and how do we start to improve it? Just give me the answer in 30 seconds so we can wrap up this show.

[Geoff Belknap] Computers.

[David Spark] There we go.

[Geoff Belknap] That’s it. That’s the problem, everybody. Computers. I think other than the fact that computers are a problem, which both necessitate computer security professionals but also flummox us on a regular basis, the issue, honestly, from my point of view, is largely that what we haven’t updated, outside of our technology, is how we hire people, how we recruit people, how the job description creation process works.

And it causes significant problems in the hiring process.

[David Spark] Yes. No one I know on any level here, by the way, at any point of this whole ecosystem says, “This is working out fine.” Nobody does.

[Geoff Belknap] Yeah, it’s awesome, except for all the parts that aren’t.

[David Spark] This is a return guest that we love having on the show. He’s extremely passionate about this subject. So we’re going to jump into it. It is the CISO for American Century Investments, none other than Brett Conlon. Brett, thank you so much for joining us.

[Brett Conlon] Super happy to be here. And if you like what I say, then it’s me. And if you don’t, then I am ChatGPT Model 3. I think, or 4 or something. Yeah.

Does anyone understand what’s going on?

2:53.396

[David Spark] Nick Chadwick of NT Concepts said, “I didn’t even get into cybersecurity roles until I was five to eight years deep in enterprise and edge IT. And then they were just additional duties on my normal job. That was 20 years ago. Fast forward to today, how can someone perform cybersecurity primary roles if they don’t have deep hands-on exposure to enterprise IT?

I mean, how could one get experience in enterprise IT when the help desk jobs that get them that experience were outsourced overseas? It’s a catch-22 problem, and higher education seems clueless.”

Rob Slade of (ISC)2 said, “45 years ago, when I joined the IT job market, there were articles from companies bemoaning the lack of IT talent. 40 years ago, when I joined the security job market, there were articles bemoaning the lack of security talent.

For the last 30 years, while I have been teaching the IT and security talent of the future, there have never been recruiters beating down the doors. And yet, the articles bemoaning the lack of talent have continued. Either the articles are lying, or the supply and demand thing that the economists seem to think is important is, in fact, nonsense.”

Geoff, it is hard to tell what’s real and what’s not real. You can’t say with a wave of your hand, “It’s all BS,” or “It’s all valid.” I think there’s a wonderful mixture of both. Is there a way to tell what is real and what isn’t, and what is it that’s driving everybody nuts?

[Geoff Belknap] Well, I think the thing that is definitely real that I feel on a regular basis, and that other peers seem to also feel, is it is difficult to find the level of talent and the volume of talent to choose from, a pool of qualified candidates to choose from, that people want in any given moment.

Does that mean there are no people out there? Absolutely not. But it does mean that there’s a difficulty matching people with the skills and matching them to someone who needs those skills.

And that difficulty can both be the person looking to hire doesn’t know how to hire the right skill set, and doesn’t know what to look for, and it can be that there are some people that don’t have the right skills in the market. On top of that, there’s just a bazillion people that would like to get into this industry.

All of that complicates the issue.

[David Spark] Yeah, it’s a tad frustrating. Brett, what’s your concern of this dynamic of the article saying that we need talent, and then this frustration of what is and isn’t real out there?

[Brett Conlon] I don’t know how popular my opinion will be, but I don’t think that the issue is a talent shortage. I think our expectations are unrealistic. So what we are looking for is not clear. I think I see too many instances of companies hiring from outside versus cultivating the talent that they have within.

And then I’m not seeing strong pipelines when I talk about, like, the internship pipelines.

And then I am going to talk a little bit more about, I think it’s flawed in what our colleges are teaching kids today around the cybersecurity curriculum. I think we’re 15 to 20 years behind what we are looking for.

[David Spark] That’s a really good point. Okay, this is a question for both of you. What would you like to see students learning that you don’t think that they’re getting an education in, Geoff?

[Geoff Belknap] It’s a good point. I’ll say, it’s been a while since I went to college. So I’m not entirely sure what that experience is like today, but I will tell you, you know, in contrast to Brett’s experience, my experience has been candidates coming directly out of college are usually equipped with the bare minimum skills, and I don’t mean that in a pejorative way.

I find that people who are new college hires are well-rounded, and they have that investigative mindset, and you can teach them what they need to know. Most of what I need people to know to do the job can’t be taught outside of doing the job in my environment.

But I do think there’s a fair number of people that are coming out of training programs, maybe, or specific cybersecurity training environments that are not teaching current practice. They’re teaching whatever it was 10 or 15 years ago, and it’s very rudimentary, and it’s not useful in the current practicum.

[David Spark] That’s a good point. Is there something that they could do in education, Brett, that would give them a real-world experience that they’re not learning now?

[Brett Conlon] I think Geoff hit on it. If I look at it, outside of internships, which I think are probably the most important. And want to stress to anyone listening here, especially if you’re in college, I don’t care what your degree is in. Critical thinking and continuous learning are probably the two most important attributes that I would look for because, as Geoff mentioned, he hasn’t been to college in a while.

I haven’t been to college in a while, and I can assure you that what we went to college for has nothing to do with what we deal with today.

[David Spark] Yes, that’s a good point.

[Brett Conlon] Right? It’s always changing.

[David Spark] I have some computer science knowledge from there. Fortran and BASIC have no value today.

[Geoff Belknap] Disagree. I think if you’re a Fortran expert, you’re probably in high demand.

[David Spark] Definitely not an expert, though.

[Brett Conlon] But you’re talking about a 1% versus if I look at the 99% and what we’re looking for. I want critical thinking and continuous learning because that’s the environment that we’re in. I need you to be able to take a step back and look at the bigger problem, and I want you to continuously learn about the threats that we’re facing and different ways to handle that.

There’s not a single person that is in our profession that six years ago was dealing with the AI threat. But that’s where we’re at now. The scale of which the attacks will come and the velocity that they will occur is not something that we are typically used to, but they’re there now.

And so we have to be prepared for that.

For me, I think that building that strong pipeline, I don’t care if you’re a cybersecurity major, honestly. I really just want, you have a passion for what we’re doing, you can critically think, and the continuous learning.

Everything else can be taught. And that’s my personal belief. And I would say my three strongest interns-turned employees did not go to school for cybersecurity, and they did not go to school for computer science. But yet, they were critical thinkers, they continuously learned, and they were willing to challenge themselves, and that is what made them great employees.

What are the complaints?

9:38.945

[David Spark] Laura Kenner of Bootstrapped Cyber Community said, “It’s the colleges and certification programs perpetuating this lie because it adds to their bottom line. So everyone wants the person with 10 years’ experience, pay them as an entry level, and expect them to be jack of all trades.

Companies in need of cyber talent need to onboard and train new hires precisely on their systems and processes.” Something you alluded to, Geoff. “Candidates are coming out of schools and cert programs in droves, ready to work. The next generation of cyber professionals will be built in the workplace.”

Andrew Robinson of Securiti said, “Companies try to reduce hiring costs, but many of their internal processes are broken or dysfunctional and not fit for purpose. We had one portfolio client that went pre-IPO, and the hiring process was two to three interviews max to the point where they had the offer, and we dealt with the C-suite directly.

When we got to $4 billion, it was death by interview. 15-plus interviews wasn’t uncommon, and in the worst case, they had an 11-month process to hire.”

So these are two major complaints. Complaints about when companies get big, the process gets bogged down, and the schools are not training appropriately, something both of you have alluded to here. I want to go back to something you said about critical thinking.

Brett, how can or does a young person demonstrate critical thinking?

[Brett Conlon] I think in the questions that you asked them and how they answer it, but I’ll give you a great example. I had an intern or a prospective intern come in, and I will never forget this. They were doing international policy and governance, and they were applying to a cybersecurity internship.

And so the question to them was, “Well, what do you have or what that you are doing in school or your major has anything to do with cybersecurity, and how would you be a value add?”

And without hesitation, that person described, “Well, a lot of cybersecurity comes down to governance and controls. And so while I may not have specific experience with cybersecurity governance and controls, I do have an experience with governance, controls, and laying out the purpose of that mission.

And therefore, I think I would be a great fit because I do have experience with that, and this is how I could apply that.”

And to me, right there, that’s an example of critical thinking. You don’t have the one-for-one match, but you can take a correlation and say, “Here’s what my experience is in, and here’s how it relates to what you’re asking me about.” And without the hesitation, it was just an added bonus.

[David Spark] You know, that makes a really good point, because I remember actually hiring our production assistant, and we had three great candidates. It really came down to one question, and he answered it the best, and it was, “Just walk me through your thought process of how you would handle this.” And I think you can learn a lot by asking a question like that, Geoff.

I mean, have you done that with candidates? Just, I don’t need to know the answer. I just want to know how you think.

[Geoff Belknap] Yeah, I think the best interviews are the ones where you’re walking through real-world examples of what the job’s like. Okay, I really like scenarios. “Great. You have this scenario, an incident happens. Now what? Walk me through your thought process.

What do you do?”

“Someone’s going to come to you, especially if you’re a responder, and they’re going to say, ‘So-and-so got phished.’ And that’s it. That’s all you know. What are the questions you’re asking as a follow-up? ‘What kind of phishing? How do they know it’s a phish?

Walk me through where you go from there.”

And I think whether you are somebody that’s been an elite incident responder for 15 years or this is your first time ever doing the work, there are no… Well, there are wrong answers. But I’d say there’s no right answer. There are a bunch of different ways to get to, you know, what you’re trying to get to.

But I just want to hear how you think. I just want to hear how you approach those problems. And what I’m hearing is, “Great, here are things that are useful.” And if you have an unuseful approach where, like, “Well, I just won’t engage with it until somebody gives me all the information,” like, great, I’m learning a lot about you.

But I think the important thing is, you know, sort of double click into something Brett said, I don’t expect college or a training program to teach you how to do the job. I expect those programs to give you the skills you need so you can learn how to do the job.

Where I think the disconnect comes in is in the hiring place, where hiring managers, or HR teams, or recruiters, or whoever is representing the hiring side, are hoping to do zero work and just go, “If I find somebody that’s got all the experience, I don’t have to do anything.

They will just be plug and play, and I can be done and move on to the next thing.”

And the reality is, these jobs are much more art than science. There’s a lot of technology involved, there’s a lot of science involved, but you can’t checkbox your way into this process. And I think that is the worst part that people are experiencing right now.

[Brett Conlon] Can I just add on to that real quick? I think it’s so important, especially for anyone listening, especially the college kids, to reemphasize there is no right answer that we’re looking for. Because that, to me, summarizes a lot of our problem, that everyone’s expecting to have the right answer, and there is no right answer.

We just want to see the thought process behind it.

[David Spark] Let me challenge that. Would you say the right answer is knowing how to ask the right questions? Not to know the answers, but knowing enough that these are the questions I need to ask to get to the answer.

[Geoff Belknap] Sure, but even if you don’t know the exact right question to ask, I want to hear your thought process because then, on day one, I can tell you, “You’re 90% of the way there. Here’s the person to ask or the website to go to or whatever.”

[David Spark] Right. You won’t necessarily know, but, you know, “I’m going to have to start asking questions about this subject. I’d start with this one, this one,” and given the answers to that, would lead me to my next questions, you know, like, “This and this and this.” I can see that.

Sponsor – Scanner

15:32.379

[David Spark] Before I go any further, let me tell you about our great sponsor, and that is Scanner. Now, here’s a question for you. How much of your security data can you actually run detections on right now? I mean, all your security logs end up in cloud storage like AWS S3, but only maybe 10% also goes to your SIEM.

Splunk and Datadog are just too expensive for the rest. So your detections only cover a slice of what’s actually happening.

Scanner changes that. It’s a security data lake that indexes your logs directly in cloud storage and runs real-time detections on all of it. No pipelines, no re-ingestion, no schema work, hundreds of detection rules on 100% of your data, not just a small subset that fits in your SIEM.

And when you need to investigate, searches come back in seconds, not hours.

Teams at Ramp, Benchling, and Lemonade use Scanner for detections, threat hunting, and incident response. And because queries come back fast enough to iterate on, most of the query volume in Scanner now comes from AI agents. They do the log diving. Analysts, they make the decisions.

It’s 100 times faster than traditional data lakes, 10 times cheaper than traditional SIEMs, and it’s loved by analysts and it’s built for AI agents. You can check it all out at Scanner.dev. That’s spelled scanner.dev. Go check them out, and let them know you heard about them from the CISO Series.

Why does this still happen?

17:11.505

[David Spark] Arun Acharya said, “With thousands of highly experienced folks suddenly kicked to the curb, employers know that they can ask for whatever they want under whatever title they want to use for their vacancy and pay less than they ever thought they could get away with paying.

So not so long ago, there was the phenomenon of the ‘kitchen sink’ resume. Now there is the new phenomenon of the ‘kitchen sink’ job posting.” I don’t think either of those are new. I’ve seen both, to tell you the truth.

Ronald Sweatland, of Orcannus Cyber Security, said, “One of the key challenges in today’s cybersecurity job market is the prevalence of unrealistic and overly demanding job descriptions. It’s not uncommon to see job postings requiring a PhD in cybersecurity, along with every certificate imaginable.

While these credentials may look impressive on paper, such expectations are often impractical. Organizations would benefit far more from professionals with hands-on experience and real-world problem-solving skills, individuals who faced and mitigated threats in live environments, rather than those who have only communicated theoretical knowledge and certifications.

Practical experience should be valued just as highly as academic achievements when building effective cybersecurity teams.”

I hear the following, Geoff. You can get three things out of a candidate: education, certifications, and experience. At most, and they talk about really the young people, I get two out of three. What’s been your experience?

[Geoff Belknap] I guess I turn the premise of the question on, like, look, when you’re hiring somebody, the fundamental things that interviewers are looking for, not a job description, but interviewers are looking for, like, “Can I tolerate this person?

Do I think this person can do the job, and can I tolerate them while they’re doing it? Are they going to be a good add to the team?”

Everything else is like a screening tactic. And that’s why I say it’s entirely possible you get to the hiring manager, and you find out they don’t really know what they’re looking for. They just know they need a security person. And that’s unfortunate, but that isn’t necessarily a bad job.

You can help them learn sometimes.

But the stuff in between you, a person on the internet who’s looking for a job, and the person in a chair someplace who’s looking to hire you can sometimes really make it look like the company has no idea what they’re doing. And sometimes that’s not wrong.

But the reality is this is why building a network, getting to know people, understanding, you know, who’s working at what place, what jobs are open, and avoiding the broad marketplace is a really important approach to this problem.

If you can avoid going through the front door in any way, shape, or form, always do that. If you have to go through the front door, I think you have to kind of fight fire with fire, and like, great, throw the kitchen sink into your resume or whatever they make you put in as well, because it’s all getting read by a computer and not by a human.

And as long as there’s a link to your LinkedIn or a real resume, I think you’ll be fine. But it really is a numbers game right on the internet.

[David Spark] This whole post and everyone’s comments were just varying levels of frustration. And everyone’s feeling it. It goes back to my point: nobody’s happy with this. My feeling, though, when you’re interviewing, Brett, is it not just, “Who’s going to solve this problem?” But, “Who will be someone who can run with this that I don’t have to expend so much of my own energy to get them up to speed?

Like, yeah, sure, I’ll help and guide, but I only have so much bandwidth that I can handle to get this person to operate.” I mean, aren’t you looking at that candidate to that level?

[Brett Conlon] I think it depends on the candidate I’m looking for. So if I’m looking for an entry-level person, I’m not looking for that. If I’m looking for a more senior-level person, then I want to have a conversation around their experiences. And really, I’m interested in how they nurture a team, because that becomes very important.

And I’m also interested in how they approach problems and their experiences.

But I would say to everyone out there that thinks that the expectations are unrealistic, that they’re not alone. I can talk to experiences where I interviewed with a Fortune 500, went through six rounds of interviews, and I will never forget, my last round, they were asking me how to configure a firewall.

And I just sat there and looked at them and said, “Look, if you are looking for a CISO who knows how to configure firewalls, and you want that CISO to be configuring firewalls, this is not the right position for me. It’s not that I can’t do it. It’s that I shouldn’t be doing it.” And so if that’s the experience they’re looking for, then they’re going to find out the hard way that that’s the wrong experience.

And a footnote to that would be, within five years, I think they went through six different CISOs. To me, right there is an example of, “Sure, there’s people who want the kitchen sink. There’s people who are going to take the kitchen sink job, and I don’t think it’s going to work out very well.” But I think if you’re honest with, “Here are my capabilities and here’s the value I can bring…”

I’ve also been in a position where you could tell the company didn’t exactly know what they were looking for. They needed cybersecurity expertise; they needed leadership in that position. I don’t even think that they needed a CISO.

However, there was a partnership with the executive team, there was a partnership with me. There was an understanding of what they were trying to bring, and from there, we were able to build that partnership and move forward. And that turned out to be a great relationship, even though they didn’t know the exact qualifications they were looking for at the time.

I didn’t think of these options

22:54.238

[David Spark] Steve Pangborn, of Onsite Logic, said, “I think there’s a disconnect here. Cybersecurity isn’t a single discipline. It’s a whole ecosystem of roles. Architecture, forensics, governance, detection, policy, data protection, and more. We often refer to a generic cyber talent gap as if one person could fit all of that.

The truth is, we need to start defining what kind of talent is missing and where before we can effectively address the issue.”

Brett, I’m going to you on this. This is the frustration with the kitchen sink. If you put all of those things in, you’re looking for Superman in cyber. And while some people may be able to dabble in all of those, there’s nobody who has expertise in all of those.

Let me ask you, when you put together a job description, what are you asking yourselves in your team?

[Brett Conlon] I’m going to play a little bit of devil’s advocate, even though the kitchen sink is absolutely a problem. I think that it really depends on the size of the company. Larger companies can be very specific around their needs and their roles and what they’re looking for, but medium-sized companies, small enterprises, they’re going to have to combine roles.

So I just think that being articulate around what you’re looking for, and going back to, “What are the necessary skills that you can work with versus grow?” becomes very important.

So when you’re out there, and you’re building that job req, I think what I look for is, “What are the things I absolutely need, and I’m very specific about those qualifications?” And then everything else, if it’s something that I feel I can grow, I try to remove that from the job posting so that I don’t deter people from applying for the job.

[David Spark] But do you create a two-tier system? Because like I’ve done this before, where like, “It’s a non-starter if you don’t have these. But wonderful if you have these six.” Yes?

[Brett Conlon] Yes. But I think that even when you put there as nice to have, some people look at that and go, “Well, that’s what they really want, and I’m not going to apply.” So I try to look at that and just remove it, and then when I’m talking to them, I ask them about, “Well, here’s some additional responsibilities that we might be looking for.

Do you feel comfortable with that?”

And then they feel pretty comfortable during the interview process of saying, “Well, you know, my strength isn’t policy, but I could learn that.” Or, “I’m not opposed to it, but I would need a little bit of help with that.” And then I know what I’m dealing with, but I still have my criteria that I really want.

I think the problem today is I’m asking for an incident response expert as well as a policy and governance expert and a vulnerability management expert, and those are all three different things.

[David Spark] Geoff, what is your thought process when putting a job listing together?

[Geoff Belknap] I think the first step is really thinking about what I want, right, to avoid this problem that Brett’s talked about, which is, “I don’t want…” I’m trying to think of the word. A recruiter friend of mine called it purple squirrel, right, or a rainbow unicorn, which I think is even better.

It’s like not only a unicorn, which doesn’t exist, but one that’s coated in rainbow colors.

[David Spark] But purple squirrel, just in the recruiting world, that is the term.

[Geoff Belknap] Ah, okay, great. So, you know, purple for everybody else, purple squirrel is like somebody who doesn’t exist, right? This is somebody who has a set of skills that would be amazing, but like, that’s not realistic. And the thing to avoid is asking for a purple squirrel, you know, to Brett’s point, going like, “We need a CISO that also configures firewalls and goes on customer calls.”

[David Spark] And can water ski.

[Geoff Belknap] “And can water ski while setting a table,” or something like that. And first of all, there are people that will try to do all those things. What they will not be is somebody who’s been a CISO for 10 years. What they will be is somebody who’s looking for the opportunity to upskill and to take on a bigger title and bigger scope.

That is not an unreasonable thing to look for somebody that’s ready to do that. But if you mix it with like, “What I want is somebody that’s been a public company CISO over 25 years to configure firewalls, do API threat models, and GRC audit sessions.”

What you really need to focus on is like, “What does your organization really need? And if you hire somebody, what can they get really good at? What can they specialize in, and how is that going to add value to your organization? And what is the likelihood that someone is out there honing that skill set for the dollar amount you want to pay, for the skills and minimum requirements that you’ve set?”

And I think it seems insane to some people, because I’ve read some of these job descriptions do that, but like it is really easy. You can write a job description that just describes a job people want to do or that people do today, and you can find candidates for that role.

Now, will you get a million, billion people applying just because one keyword matched your role? Yes. But you know what? You’re hiring, this is part of the deal; you have to weed out candidates. You have to do the hard work. The hard work cannot be skipped by going, “I want a perfect candidate that has everything I’d ever wanted.”

And I think as long as you’re realistic about it and you understand that you’re not just hiring somebody, but you’re building a relationship with somebody you’re going to work with over the years. If you’re unrealistic about it at the outset, like it’s not going to turn out great for you in the long term.

[David Spark] I think a lot of them do that because their theory is, “Well, if 500 resumes come in, my odds are someone’s going to be that purple squirrel.” I’m not defending that, but this is my theory of why that happens. What do you think?

[Geoff Belknap] I think the flaw in that is the reality is the purple squirrel is going to read that and be like, “This person doesn’t know what they’re hiring for. I’m not even going to bother.”

[David Spark] Right. There could be really talented people that look at those job listings and go… Because those become red flags for the companies.

[Geoff Belknap] Absolutely. Now, I know this doesn’t always feel this way, but it is a seller’s market for talent. And there are some companies that are out there not doing themselves any favor, trying to get good talent.

But if you’re trying to land really good talent, and I don’t just mean people that are making a million dollars a year or something like that, I mean like really great people that will work hard and be smart and do great things together with you, those people are being selective about who they work for.

If you put out a crazy job description, you’re not even going to get interest from them.

[David Spark] I want to quote something you said on a previous episode we did about hiring, Geoff. And I love that. It said, “Where people are frustrated to find jobs,” you said, “Hack the process. Don’t go through the traditional method.” And I couldn’t agree with that more.

It’s a great suggestion.

Closing

29:14.886

[David Spark] All right. This brings us to the portion of the show where I ask both of you, your favorite quote, and why. And I’m going to start with you, Brett. Which quote is your favorite and why?

[Brett Conlon] I’m going to go with Nick Chadwick’s quote.

[David Spark] The first quote I read here. This was talking about; he’s got decades and decades of experience.

[Brett Conlon] Correct. And so, how can one get experience in enterprise IT when the help desk jobs have been outsourced? So I’m just going to sit there and say, I have a little bit of a twist on it, but I do agree that if you’re looking for all of this experience in enterprise IT, and again, not looking for the critical thinking and not looking for that continuous learning, then you’re setting yourself up for failure.

I’m not so sure I agree with the outsourcing of the jobs, but I do agree that the job descriptions are unrealistic. And if you’re looking for all this experience with IT, when maybe that’s not available to people, then you’re setting yourself up for failure.

It goes back to that purple squirrel comment.

[David Spark] Geoff, your favorite quote and why. I like that.

[Geoff Belknap] I’m going to go with Steve Pangborn here from Onsite Logic, who said, “I think there’s a disconnect here. Cybersecurity isn’t a single discipline,” and goes on from there. And I think it’s really important to remember this. Like, you may consider yourself a security person, but really, you are a specialist in some discipline and a generalist maybe in many disciplines.

And on the flip side, hiring managers need to understand that too. And I think not just hiring managers, because they might understand it, but HR recruiters, anybody who’s involved in the hiring process, really needs to take a minute and remember, like, “A, hey, it’s 2025, we are not hiring specialized IT people.

We are hiring security professionals. It is a discipline now. It’s a real career path.”

And that’s not to say if you have IT experience, you’re not qualified. But it’s just like, “We’re not looking for a person who is fixing a printer that now wants to fix firewalls. We’re looking for people with specialized skill sets. And we need to be realistic about the skill sets that we want to hire for.” 

[David Spark] Very good. Well, thank you both. And I want to thank our sponsor, Scanner. Remember, it’s a security data lake that indexes your logs directly in cloud storage and runs real-time detections on all of it. Check them all out at Scanner.dev.

That’s scanner.dev, and let them know you heard about them from the CISO Series.

I want to thank Brett Conlon, one of our favorites, CISO of American Century Investments, and Geoff Belknap, the wonderful co-host of Defense in Depth. Thank you, gentlemen. We greatly appreciate it. And you, our audience, as much as I like Brett and Geoff, I like you a lot more, way more.

We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another topic in cybersecurity. This show thrives on your contributions. Please write a review. Leave a comment on LinkedIn or on our site, CISOSeries.com, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com. Thank you for listening to Defense in Depth.