The Hacker Mind: Hackers Wanted: Filling the Cybersecurity Skills Gap

Should infosec now be considered vocational training just like becoming an electrician or a plumber? How else should we address the skills gap in infosec?

In this episode, Sonny Sandelius, Assistant Director of the SANS workforce programs, talks about programs that recruit people from outside computer sciences, encouraging those from diverse backgrounds who share the curiosity and the basic aptitude necessary to become hired cybersecurity professionals in as little as six months. 

The Hacker Mind is available on all podcast platforms.

[Heads Up: This transcription was autogenerated, so there may be errors.]

‍

Vamosi: All my life, I’ve always wanted to be a writer. I studied English and Film Making in college; I did not get a traditional CS degree. Then I got one of my first jobs at ZDNet. I was a paid writer--whoo, whoo. My boss at the time didn't know much about infosec. And frankly, neither did I, but she realized it was going to be a growth area -- for ZDNet and for my own personal career. So I started attending Black Hat, Def Con, and after many years wrote my own book on the insecurity of internet of things devices. 

I also went after a CISSP certification. As a journalist, I, of course,  had experienced all of the relevant domains, but my knowledge in each was only so deep. So I holed up for a week and half and read Shon Harris’ amazing CISSP prep guide-- all 1100 pages of it-- cover to cover. She died a few years ago, but I believe the book continues with other authors. And then I sat for six hours and took the test.

My arc represents about 15 to 20 years of consistent work in infosec. The problem is, we have a shortage here and now--not twenty years from now. In a moment I’ll talk with someone who is trying to make a dent in that shortage of infosec professionals, and how he’s encouraging everyone in the industry to start looking outside the industry for new talent. 

[Music]

Welcome to the Hacker mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi in this episode I’m talking about how the infosec industry would be better served by looking beyond the traditional “do you have CS degree” and bring fresh talent from other areas. This shift in mindset could start to address any short of infosec professionals we have   .

[Music]

Vamosi: Depending on who you ask, there is a shortage of infosec professionals in the world today.  Then again, others will challenge you and say there’s not--it’s inflated. I guess the answer is what I usually say to a security question: It depends. Clearing you don’t want someone off the street coming in as a Level 2 security analyst. Then again, you might want someone --anyone -- to come in as a Level 1 security analyst so your current Level 1s can advance. It’s simple things like that. But how do you even start to identify who might be good in a role in information security? Turns out, SANS Institute -- which stands for SysAdmin, Audit, Network, and Security -- has launched some programs to find out.

Sandelius: I’m Sonny Sandelius. I'm the Assistant Director of the SANS workforce programs. My background with sans has been just focusing on this sort of mission driven program in our business unit called Cyber talent. Our goal is really to build the pipeline right of future professionals, and how do we do that? Where do we find them? That sort of innovative approach to what we do? So it's not that we're not looking for those people who have completed degrees and previous experience in the field. That's not the target market for us in our programs. We find that people off the street if you like, you know, from unconventional backgrounds. That's where the talent really is right now. Or the future talent is so bad I spent 10 years working on building these programs, finding these individuals, training them and helping to get employment. 

Vamosi: The labor shortage in infosec has been ongoing for years. So why, then, is Sunny talking to the media at this time? 

Sandelius: I think we wanted to show the public that we actually exist, we have established programs. So if you're interested in pursuing a career in cybersecurity, and you may not be looking at your conventional educational channels or avenues to pursue, we wanted to let you know that there may be some opportunities for you here to gain some world class training. That would help open doors into the job market.

Vamosi: Since 1989, the SANS Institute has attracted some of the best infosec talent in the world to teach their courses. It’s a matter of pride to announce that you’ll be conducting a class at SANS. So given that this, and other training programs exists, just how acute is the problem with finding infosec talent? 

Sandelius: It's very acute, and it's been a big challenge for many, many years. The last report I read was created by Glassdoor in 2021. There was some more than 400,000 open positions in the US alone. If we think globally, it's probably in the millions. So we're not talking about 10s of thousands of people. We're talking about hundreds and 1000s of people. So it's a very big problem and there's not enough people with the skill set to fill these positions. anywhere in the country. So employers are literally recruiting from other companies. If you look at the talent pool, a conventional way of finding talent. You're just hiring from someone else's talent pool, basically. So it's a big need and it will not get less. The more technology we introduce in our lives, in our lifestyles. The more opportunities for the bad guys to steal your information and your data and your money. So the numbers will just increase in the future.

Vamosi: What InfoSec is going through today, there must be some parallels in the past have you seen in other industries rapid growth and then a lack of people to fill the jobs that have been created by that growth?

Sandelius:I think there's been numerous wavs over the years. I think we can talk about sort of older vocational programs that are out there that you know you have programs in which you become an electrician or a plumber, things of that nature. I think that we in this field, it's kind of in the same situation. I just think the numbers we're talking about here are much larger. Right in the US alone. Was it four, maybe four over 400,000 open jobs. That's a lot. So I think it's the same challenge. It's just a different field this time around. So yeah, I think this is exactly the same. 

Vamosi: Part of the problem, I think, is that we need more diversity in InfoSec and  I don’t mean diversity not in terms of the traditional HR diversity and inclusion, but in terms of I worked in healthcare for several years. Now I want to get into InfoSec.  I worked in automotive and now I want to get into InfoSec. There needs to be more non-computer engineering people in infosec.

Sandelius:  Yes, yes, yes. Yes. There is a great need for diversity. And there's an opportunity there to find talent from all other kinds of life water backgrounds. Wherever you are, in your career, you can change your career, you can do that, you can work your way into the cybersecurity field. It could be difficult, but it's not. In our sales work we call them cyber emotional academies. We recruit military veterans, women, and minorities. We launched a new program recently for HBCU students and alumni. For example, we have a cybersecurity workforce development program in the state of Maryland, which is funded by a grant from the state of Maryland, for example. And we find people with unconventional backgrounds, that's where they are desperate, a few challenges. And there are many people that are looking to change careers. So some of the students we have had in our programs have been buying cooks that are Uber drivers. If you stay at home moms that have made it raise two or three children over 10 years, I feel like I need to get back into the workforce. I find cybersecurity really interesting. I've been dabbling around at home but I can't find the right trajectory, the right path to learn things I need to get the foot in the door. So there are people out there with passion for the field for the industry. They just don't know where to go yet to get into the field. So they come from all backgrounds. We have office managers who've been through the program. People stocking shelves to the supermarket. Not like I mentioned that. So they're out there. Do you just need to find out and you might need to train them to help them get into the field 

[MUSIC]

Vamosi: So this is what I don’t get. If we have all this new technology in our lives, if we have romantic expectations of what it means to be a hacker in our media like Elliot Alderson, or Dade Murphy , then why do we in fact have a labor shortage in infosec?

Sandelius: That's a good question. We have spent some years trying to figure that out. A colleague of mine used to travel around to sans training conferences across the country. We hosted lunch and learned to talk about our programs. But also to sort of try to figure out why the recruitment is not working for companies? Why aren't they finding the talent? We had all these professionals in the same room? Sometimes there were 40 people in this room. Sometimes it was only 20. But what we wanted to figure out is how do they recruit? And why are they not finding the talent? Well, the bottom line seems to be there's a little disconnect in what a security team really needs in a new person in a new hire, and what HR is doing to check the boxes to do their job. That's one key thing. I think.  The other thing is, do you recruit the same old fashioned way as you always do? You have a job posting you're posted on LinkedIn or a job board somewhere. You have some basic requirements: a college degree, two to three years of work experience, maybe for entry level jobs. So you're really fishing in the same pond as everybody else and there's not enough fish in the pond anymore. It just isn't. It's empty. So what do you do well, to recruit from other companies basically you cannibalize the current existing workforce, that's really what you're doing. But you're missing everybody else that is not in the field, but might have the aptitude or potential to learn cybersecurity, to do the job you need to do. We think those are some of the key issues.

Vamosi: This is going to sound harsh to HR departments, but there’s a grain of truth to it. This isn’t traditional recruiting and hiring, this is more curating curiosity and talent. Also, the HR team aren’t always knowledgeable in the needs. HR seems to be disconnected a little bit to what the needs are perhaps.

Sandelius: I want to go a bit further down there. I think what we're talking about here is if you have a large company. Let's say you see a business opportunity that's going to require you to hire let's say 30 or 40 professionals over the next couple of years. You have your specific security team, some security teams, they need to hire maybe 30-40 people whatever it may be, and you send them the job description the way it goes. You have to send HR a job description. Here are the things we want to continue some work experience for employment. We would like for them to have a couple of industry certifications. So on and so forth. Hrm post those dope descriptions and get applications. But HR doesn't always know in the screening interview. For example, they look at the look about what the security team center because that's the structure they have for hiring right they have these. They have these set processes that they have to follow. HR looks at this checklist. They're looking at your role and they go okay, Robin has XY and Z. But he doesn't have one, two and three. Right? So they just do checklists. But what we've seen happening here is that if you really want to cast the widest net you have to start thinking outside the boxes in employment. How do I recruit people and where do I recruit them from? So what I mentioned earlier when you can sit the HR people down with the technical team to really look at a job description. Does this job really require a four year degree, doesn't matter what kind of degree it is, right? Because that's how these job applications work and that you might have software tools that filter out people that don't check the box that you have for you. Then you already put up a barrier there. So what if you get those folks in the same room and start looking at JavaScript, what is really necessary? And what can we be more flexible on? You can actually open up the candidate pool back if you break down some of those initial barriers because that's the way you've done it in the past and we have already started that way. You mustn't find any more people to tell them that you didn't know what's out there, which probably means that your recruitment process will hopefully be less cumbersome and you will find more candidates that can be suitable for your job. But that might also mean that you as an employer might need to help to train them up. If you find someone you really like that are self taught and is trying to explore things on their own because they really want to get into this field. Maybe you should actually hire that person. Maybe you need to put some training towards them. And some training market to make sure that the person can actually do the job. I think you need as an employee to rethink the way you recruit and who you recruit. But if you can do that, you have a problem finding the people you need. You may have to put some more money towards developing a different recruitment process. Maybe also trained in it. So they can actually be boarded.

[MUSIC]

Vamosi: So again, we have all these media representations of infosec professionals and hackers. Who wouldn’t want to have all the mad skills of a Lisabeth Salander? Again, just putting out a job req -- asking for 10 years of Kubernetes experience doesn’t do it. At the time of this podcast, Kubernetes has been around for 10 years, so you get the point. The fact is, we need a new pitch.

Sandelius:Well, the pitch is really it's an attainable career. If you have some passion for it. You can make it happen. We do some marketing around our initiatives but the bottom line is you don't have to have a strong technical background. To be good at cybersecurity. You don't need to know programming to be able to do cybersecurity. What you need is a passion for it. And some aptitude to learn technical content. And if you can offer these folks a pathway, they will find a way to you. And then eventually they can work the way that can be trained and you can help them find the jobs. It's possible. It's doable. We do it every day.

Vamosi: So given that we’re widening the net for new infosec talent, who are some of the successful students?

Sandelius:The most successful students we can see in our programs have an aptitude to learn technical content, parsing, critical thinking reasoning, but also a drive and a desire to learn. It's. So if you think about the people that sit at home on a Friday night trying to figure out how Wireshark works. How do you do port scanning? What does that look like? What tools do you need for that? Do people that actually are taking free online courses through Coursera or Udemy or any other kind of free resources? The folks that play captioned flax redeem on their own, just trying to learn what is cybersecurity. Those people can be really good at this. And it doesn't matter what your background is, but you have to have a little bit of you must have some passion for it. Otherwise, you can probably do it. But maybe the field is not for you. So then natural curiosity to figure out how things work the problem solving skills, looking at details. Those are valuable. Skills that would help you towards a career in cyber.

Vamosi: I should also mention that there’s a ton of content available for free, online. Youtube has influencers like LifeoverFlow and Stok. You can learn a lot by following along with their videos. But some people may need a much more formal program such as the one offered by SANS.

Sandelius:We have heard we have a pretty good established program here, where we utilize his science courses that mean IT professionals come to take and I believe stands between about 40 to 50,000 professionals every year we take that training, so it's already developed. And it's world class training. So we don't really need to go anywhere else to get that training, packaged and delivered. We have that channel already. But I think for you as a person who might want to get into some secret that's correct. It's probably really beneficial to you to look into those resources. You can learn from it. You can follow along with some of the instructions they have. But will it be a red flag? It's really hard to learn cybersecurity on your own. And I think what I've heard a lot from the people we interview applying for our programs is I spent the last two or three years trying to figure out what is my baseline? What do I need to start with? What do I need to have in my back? Before I can actually start knocking on some employers doors? That is really difficult. You can get sidetracked more often than not. You go into those rabbit holes and you find yourself looking at Python programming and next day you're trying to figure out how to install the virtual machine to test some things on your computer. Right? So that is difficult, but there's a lot of content out there that you can actually use. If you find a trusted source. You should probably look into that

Vamosi: Again, this sounds all well and good if you’re employer is going to pay for the program. Just taking a certification costs a few hundred dollars, and then there’s the training that’s involved. 

Sandelius: Yes, that's a great question. So our cyber emotion Academy programs. The ones I mentioned earlier are 100% scholarship based. So our applicants pay nothing towards the program if they are selected for the program. It's 100%, free, free right for them. So that's a great opportunity. But there is another organization that has a really good program to its distance Technology Institute. I just think I don't know too much about the specific part or what they're offering but they have something called an income share agreement where you as an applicant if you get into one of the undergraduate programs, which can't afford tuition right now. But you're accepted to this specific income share agreement, you pay nothing towards tuition. You will get the number of sound scores and you will have onsen certifications. And once you land your job and make I think over $40,000 that when you start reimbursing the technologists as Technology Institute for the training. So I think that's a really great avenue if you are at that level and you're really serious about a career in cybersecurity when it comes to pursuing other certifications, I think there are other training institutions that have training to cost much less. But to find money towards that certificate certification exam is probably the biggest cost and maybe not so much the course itself you can find by books, I think and read up a study for the certification exam. I think Dennis is a person if you need help with that need to just shop around and look and see what are the types of organizations out there who are trying to help me get into the field right? So do your research, go online, spend a number of days looking up nonprofit organizations, there are a lot of them out there with the same mission. They're all focusing maybe on different areas in different populations. But if they are, I'm sure there's something out there for you and they may be able to help you with that specific part. So there I think there are multiple avenues. You just need to do some online research to find out there are bigger there are smaller ones. There are a lot of different organizations that are well funded, that do a lot of similar things as we do. They also offer mentoring ships, things of that nature to help you to react to career forward.

[MUSIC]

Vamosi: So walk me through the process. There's an application process, and I submit my details. You guys review it and say I'm selected. What would be the next step.

Sandelius: Was to start with what I think it's a key component here in the application process. Any person that meets our general requirements to apply for one of our programs they all have to take an online assessment. And the assessment test will help us understand if you have some basic skills, certain technology, you know something about technology, but it's also going to show us if you have an aptitude to learn this technique. What we don't want to do is to put someone into our program that might actually save it wouldn't be fair to them. We don't have a little off ramp, we can tell them to go and look at these free resources. study those who live in it, come back and apply again in four months from now and have another shot. But if you move on in this, our application process, you submit some documentation. It's the resume transcript, some of the normal stuff, just for us to look at and get a better grasp on who you are and what you're looking to do. And then we have a personal interview and I think this part is the most important part in our application process. It's where I get to learn about what your goals are. What do you do in your spare time that is focusing on anything related? Are you following people on Twitter that are in the cyber security field? Are you subscribing to some mailing list? Or listen to podcasts? Do you conduct it? Are you participating in Capture the Flags? We try to learn all these unconventional effects. Sure we want to learn what your five year career goals are. But that's not as important as learning. Are you really passionate about this? Because if you are, then you are probably going to do really well in our program and you will succeed and employers when they're really excited to talk to you. So that's sort of the quick overview of our application process.

Vamosi: Sounds great. So what does that program look like? What can you expect if you’re chosen?

Sandelius: In our programs you can own up to two SANS courses and the connected DX certifications. In some of our other programs. You can pursue three sans courses and the connected GIAC certifications. It's a very fast track. Our students get eight weeks to complete one sans course and the certification as a commercial client taking the same type of course, have 120 days to prepare for a certification exam. So ours is more condensed, more fast track and it's back to back. A three course program takes six months. But what we also have to support our students in the program is we have technical mentors who are certified in these courses. Some of them have been through our programs in the past and are working professionals. Others are working professionals but also certified in these programs. They may not definitely tomorrow, specific scholarship programs and they run weekly checking calls with all the students making sure they'll also track questions about the course content, helping them guide them through hurdles. If they get stuck. Maybe they're working on a lab and they're putting in the command line and not getting the output data. The mountain can then guide them through that little corridor. To make sure they're moving on in the program. But we also have a career service team that work with every student to prepare them for the job hunt that includes resume building, mock interviews, talking about imposter syndrome but also helping to connect with employers, all these things that are really important for you to be ready to knock on doors

Vamosi: So we've talked about people that are in the workforce today and all that you get high school applicants? Is that below your criteria? Or you know, is that an option?

Sandelius: No, not for this particular program. Because we train them to literally come onto our programs and secure a job, their success is other initiatives that help high school students explore some moderate initiatives called cyberstart America, which is a really fantastic online competition tool where it's a gamified platform. I think once or twice a year. It looks like a video game. It's amazing. You go through different levels of stages and basis and Jalon as you play the game and the thing from network security, password cracking, digital forensics, things of that nature. And I think sense also ran inside the camps for high school students in the past, so there are some avenues for you as a high school student to pursue the interest in cybersecurity. But the workforce program is not really for the high school. It's more for getting a job ready. 

Vamosi: As I said I read Shon Harris’ CISSP book on my nights and weekends while working a full time job. What sort of time commitment and you said it's compressed. So is this something I can do after my day job or is it something I have to commit to

Sandelius: You have to commit to it. It's literally part time starting. So if you have let's say you are a career changer and you are admitted to one of our programs, and maybe you work a full time job, well then you have to start a part time job. That means I have to work off to dinner. Maybe you have to put your kids to bed with me in the evening and not get very long and you sleep less and less. But it's a very short time of your life. Do you invest in this programming yourself? So you can do it? But yeah, it takes a lot of discipline. It requires a lot of hours. You live and breathe this program. As long as you're in this there's always a light at the end of the tunnel and that's a high chance you will be employed once you're done in our program. 

[MUSIC]

Vamosi: The key to success here is that SANS is not going alone on this. They’re partnering with employers to make it successful. 

Sandelius:Well, we have a lot of what we call employer partners. They support our initiatives. And once our students are getting ready to look for jobs, we either reach out to our employer partners as hey, we have now 25 Students coming up to the programs they are interested in. Do you have any available in the openings? Sometimes they come from down there and they sent us job postings? Hey, do you have any students interested in working for our company? We are not yet right now looking for a network security engineer. Do you have someone that fit the bill and someone who might be interested in a particular company? So we have that dual channel communication with them.

Across all our different accounts? I think we're around three to 400 students a year. That's in the US alone. We are also the training provided to a really great initiative in Ontario, Toronto, Ontario, where we help the Roger CyberSecure catalyst. Train hundreds and hundreds of Canadians over a number of years. So they are building a future work for stellar where they are as well. Very similar to our programs in us so we're also active. So that adds hundreds and hundreds more people.

Vamosi:  And that’s just a drop in the ocean for how many more information security people are needed today. The existing process … it just isn’t enough. 

Sandelius: Just a large gap expansion. If you look at example, higher education today we're talking about college and universities, right that there's not enough people coming out of these programs to fill these positions. There's not enough people that have the hands-on skills to actually fill these jobs. So that's when you now have to start looking at, as an employer, how do we recruit and also who's going to train all this? Right? Maybe then as an employee, you need to start looking at partnerships. Okay, I might need 100 people to fill open positions within the next six, seven years in my company, but we are going to find all those people because there's other companies that want those 100 people as well, right? But if I can find 100 people that I think have a good aptitude or passion for this field and they want to work for me for my company, I might need to start looking at how I can train those. So maybe you need to find some partnership with a training organization that can actually deliver the skills that you want these people to have to come work for you. So I think you need to broaden your horizon. Not only is it about finding the people, it's also probably going to be how do we train them? Who's going to train them? I have a really, really good example here. We have done this a few times in the past, we had a private organization reach out to us a number of years ago. This company needed to hire 30 or 40 people within a couple of years. They were growing and growing fast. And the person who led the talent acquisition team, he understood cybersecurity. He reached out to us he had seen the programs were running and he liked the idea of that. So he said I want you to set up that same thing but for our company alone. We need to hire this many people. We need to have these skill sets and these types of courses you SANS is offering are very much in line with what we need our people to be able to do at work. So what we did then was set up an emotion Academy program just for them. We ran the application process on the front end, we assessed people, put into assessment tests, collected all the documentation we needed such as resumes and try transcripts, things of that nature. And then we put the top people in front of them. The companies that hit OK, here are the people we think could be a good match for your program. And they typically recruited them and installed interviewing all these people. To make sure that okay, we like these people. We think that will be a good addition to our company. They seem interested in working for our company. Great, let's put them in the first course of training. But the key thing here was that the student knew exactly how the process worked. They were going to go to the first course in the program. If they pass the certification exam, they will be hired on the spot. So they knew there was a set end goal. I need to pass that first course and certification exam. I will then be hired by this company. They got onboarded. And then they got the second course while actually being employed by the company. And that worked beautifully. It worked. There was very innovative demand around this team. He understood what he wanted to accomplish and how to get there. And we were just happy to be part of being the training provider. So it works. But you might at some point need to find someone that can help you with that.

Most of our alumni who complete our programs come into entry level cybersecurity, because you got to keep in mind that none of these people have any prior substitute work experience. Some of them may have a few certifications, that sort of mid entry level certifications. They go into entry level jobs, cyber analysts, tier one can do incident response. You're not going to come out to become a pentester because that generally requires so much more knowledge and experience you're looking at. If you want to be a penetration tester, you're probably going to look seven, eight years down the road. Because you have so much to learn before you actually can step into those types of roles or the entry level jobs and we have seen companies from all different industries hiring our students

Vamosi: Short of hiring right out of the program, and reflecting the on the idea that this is become more of a vocational talent than an academic talent, are there apprenticeships in information security that might be a good idea?

Yes. That's glad you mentioned that. Over the last couple of years so we're starting to see that apprenticeship apprenticeships are popping up. Companies are launching apprenticeships. I think overall they're good. I think they're really great if they actually want a job with your particular company. So if you as an employer start an apprenticeship. Firstly, I feel that you need to have a specific goal with it. That means I need to hire people. So you bring them on board into your apprenticeship to train them on the job. That's livable. I feel an apprenticeship should and it should lead to an actual job. I have a horror story. This was a military veteran I spoke to a couple of years ago. Just an apprenticeship started surfacing and when I spoke to him he was very unhappy. He had found an apprenticeship on the west coast with some company he had at the time had lived on the East Coast. And I think it was a four to six month apprenticeship I think was just sort of a general IT program maybe not security specifically. So he canceled his lease on the East Coast, packed up all his belongings, moved to the West Coast, completed an apprenticeship in his program and was under the impression that it would be a job after that. But it wasn't. So all the people in that apprenticeship were hired, so he was stranded in the west. Coast with no job opportunities. So he was promised something that was not delivered. But the other other companies that do it in a really, really great way. They're onboarding these people in their apprenticeship. They are training not to do the work they need to do. Those are good apprenticeships. And they work. I have also seen other companies recently starting apprenticeships. Those seem to be a little intricate in a way. I spoke to a person not too long ago, who had just been accepted as an intern, sort of an apprenticeship. But the key thing and discipline to ship was that this person had to compete for different industry certification. So he had to go out, find a course content, study that on his own, and prepare for the certification exam. He received a weekly stipend, a couple $100 to just keep him going and working towards that goal. And this particular apprenticeship meant that you have to complete and pass all the certification exams down them. We've hired him on board for a specific I don't know maybe there was a government contract. I'm not entirely sure there. But he had to do all that work on his own to get that job offer. And he received some stipend on a weekly basis. I don't know if that model is really good in terms of quality. If it's Sunday morning, you need a massive amount of bodies to go through this so you can put them into positions. In that aspect of feeling like you're on a desktop or apprenticeship probably need to have some more support systems for these potential employees of yours. So while they're studying and preparing for a nice certification exam, you might have some kind of mentorship tied into that support system to make sure that these people that are showing an interest in working for you in the future, you might need to help support them through that period of time. Before you onboard them. So there are some variations of apprenticeships out there. We have seen some seem to be a little bit more fruitful than others.

Vamosi: Is there a big distinction between an apprenticeship from an internship

that's a good question. I'm not sure I can answer in a good way. I think internships seem to be a bit short in time. I might be completely wrong here. Internship seems to be more or you get to shadow along somebody for a few months. Learn to trade a little bit. Getting some professional experience from the specific industry or field apprenticeships is in my world as far as I know. But it's more. We're training you up to do a specific job. That's really what we're doing. So you get to maybe do a little bit more hands on stuff than you would otherwise in an internship. I think internships are good too. Especially if you are really new to the field and get the land. That's a summer internship. In a sock in a security operation center. I think that's fantastic. Because then you can get a look and feel for how the industry actually operates while you're in the office. If you maybe you're in college and you learn a summer internship, that is great because then you know what to expect from that type of environment once you graduate.

[MUSIC}

Vamosi: So might it be that there's such a general ubiquity to computers and high tech that it's so large of a gap that we're experiencing. I think maybe that's part of the problem in that we think of InfoSec we think of computers as something high level like you need a degree to understand it and it's lofty, and we haven't yet thought of it being vocational that you know of course you need a plumber Of course you need an electrician. Of course you need a computer technician or an IT expert could that be part of the problem?

Sandelius:I think so. I think that sort of it is cybersecurity particulars being a very little small branch or everything is right. I think we need to think about it as I said it's an occasional ring. Everybody's gonna need someone that knows how to do this. And by doing so, we can start introducing that as a potential career field for a much much broader audience. You might need to start introducing cybersecurity. Third down to age groups. We're talking about high school students. We know there's a lot of initiative for high school students already. We know that some middle schools start slowly introducing programming for example. I think if you really want to look ahead in the future, you have to go backwards a bit in terms of age group to start introducing it as a potential career field. There are I think a lot of people out there now talking about grownups in particular that have always been interested in it in some schools and never really been brave enough to take this step, sort of test it out, or maybe their career trajectory didn't take it that way. And you know, we're talking about Nordic groups in the field where women are really good at cybersecurity minorities from all kinds of backgrounds, right? A lot of women I've spoken to over the years come to our women's Academy program. You know, I've been thinking about it for 15 years of cybersecurity, but I never really get to take the step for I think the time is now from now it's my time to try this make or break. But introducing this, this field early on. When you bring in schools when you start talking about caring, you don't always have to be a firefighter or policeman, you don't always have to be the person that developed an app for the iPhone that you can sell and become a multimillionaire. If you can start introducing this is actually really the career field and all different branches within it. And a younger age, we might be able to sort of broaden that front end funnel a bit more

Vamosi: So as an employer, how might I go about recruiting for cybersecurity?

Sandelius:Yes, I think when it comes to hiring people, we touched a bit on it back and forth there. When you're an employer, there's such an imbalance between supply and demand and we're not getting enough people coming out of higher ed. If you are an employer and you listen to this podcast and you have a great hiring need. I urge you to look outside your normal channels over truanting Stop looking at military veterans coming out of the military service. These men and women are exceptionally skilled to pursue a career in cybersecurity. It does not matter where they're from in the military. But they have this knack for hit the floor running when you ask them to do something. Even if they don't know how to do it, they're going to try to figure out how to do it. They are really great resources for you to recruit from. A lot of companies do that, a lot of government contractors recruit attorneys because they have security cameras, but I'm thinking about all the other companies across the country. The law firms, the Walmarts, the Costcos, any kind of organization needed a security team. Look at military veterans. Start looking at women in general and minorities. There are so many talented people that you can tap into that you find that actually have some really good ability and skill set to perform cybersecurity for you. And unemployed underemployed. break down those barriers for entering. Rethink your process. There are such a big talent pool out there. You just need to go find them. That means you probably need to change the way you find it. And I want to say I'm going to sort of say some encouraging words for your listeners who might be thinking about a career in cybersecurity. First of all, don't give up. Find resources and find training opportunities. We know we understand it's really difficult to sort of self teach you these things if you can't afford to go to college or pursue certification exams. Don't give up. Keep doing what you're doing. Learn some programming here and there. Participating in capturing the flags there are a lot of free resources online that some entry level I should call hacker or cyber security sandboxes you can play around them. If you look at all these Capture the Flag competitions online you have a National Cyber League for example that consists of a lot of network security and other competitions you can participate from entry level to expert level things of that nature. Explore that but most of all, if you're interested in a career in cybersecurity first learn all the different fields in fact secure. Because if you find out what kind of different branches are available, you might find what you're most passionate about. Then you have a goal to work towards, then you can learn about the specific role you're very interested in and what would you actually need to be attractive to an employer in that specific job role. And if you think about penetration testing, for example, that is probably more of a long term goal. But then you have to look at what your entry level goal is. How do you get the foot in the door? How do you get in front of a keyboard every day so you can sit and do some real hands-on work? There are opportunities for you out there. You just need to go find them. But have a clear go learn about the different fields that I think that's my biggest recommendation for you are looking for a career in cyber.

Vamosi: And there are advantages to this for everyone. For example someone who's already in the field can benefit if they're an analyst one and want to move to being an analyst. It would be beneficial to have someone that can take their place. 

Sandelius:  So if you need more people to do such good work for the company, you probably need to also look internally, right. As you just mentioned, we've talked about upskilling. It's not necessarily raising money, we're talking about upskilling internally. So you look at the security team. Who do you have in what position? What does the future look like for this team? Do you need to hire more people? Okay, who can we move up the ladder in the company? Okay, so you got to have a good plan for that. And then you look at who we help with the house to help us plan for example, right? The Network Operation Center, maybe has a big network operation center and you have a lot of people punching tickets every day and to level helped us. Why don't you sit down and talk to them? Listen, to hear what their career goals are. And actually there's a couple of those folks there that want to get into cybersecurity. Then you got to start building that ladder. Who do we move up? In each position? And who do we then need to recruit for our entry level job, right? So you got to look holistically all that whole approach. But then I also think that kind of leads to retention. Right, how do you retain and that's a big issue as well. A lot of employees, how do you keep the comp? How do you keep the staff on board? How do you keep them happy? How do you keep them engaged? I think that kind of builds into what we're right now talking about when you move in people off the ladder up the ladder and you feel those positions. When you move people from I think as an employer, you might need to spend more, lose less. That makes sense. That means you spend more on recruitment. You might need to put more funding to recruit or your conventional waste and the unconventional recruitment channels, but also spend a little bit more internally that means you might need to train those people you want to move up, right? If you're not really smart, you want to move the person up to maybe that person needs some more training. Well, you might actually have to increase your training budget. But doing so would actually only benefit you as a company as a whole. Because what if you don't, what if you don't spend enough money to train people you have and a breach happens then you can lose millions and millions and millions of dollars. It might be worth spending a few more $1,000 on each individual in your team on an annual basis. And I think it's only because the happiest people are a non nice. I've seen a stay with an employer if the employer is investing in them to offer them more training on an annual basis. I've heard people getting you know I'll ask the question. So what's your training budget for this year? $500 or $1,000 but that doesn't go with okay, but if you want to employ look at the people you have, okay, I might need to put some people to have some training, probably spend 1000s and 1000s of dollars for it. But that's probably a very good thing. Because that means you keep people trained and skilled at all times. It keeps them after work. And if you also see them in a future career with your company, you can train for that as well and then you're building then you're torn apart by writers just talked about but it also makes employees feel more engaged and you as an employer. You're making a statement that you are very important to us. I'm going to give you this training every year that will keep the person very happy because as human nature we get bored doing the same thing every single day right? We might have other interesting products to pursue. If you as an employee can feel that passion. Employee probably going to stay with you for a long time. So spend more, lose less.

Vamosi: And if all this still seems daunting, it’s not. Sonny has some words of encouragement to anyone thinking about starting a new career in cybersecurity.

Sandelius:  I just want to mention there are other things besides that employer. unconventional approach to recruitment. Probably good way to go right now. There's not enough people for you. If you want to break into the field, look for all the specific opportunities out there. You can find a way you just need to find the right fit for you. But don't give up. Doesn't matter if you are 40 years old or 25. There is a spot for you in the in the industry and there really is

Vamosi:  I want to thank Sonny and the SANS Institute for addressing this problem by presenting a novel approach to hiring in infosec. Actually, it’s not that novel. Thirty years ago people were learning from articles posted on bulletin boards; there were no formal training programs at that time. And they went on to have careers in information security. We’ve lost that  - in part because you can get training today -- but that training isn’t available to everyone. If you’ve got the curiosity and the aptitude to learn, I encourage you to look into programs such as the ones at the SANS Institute. Having a career in security is cool -- I’m just surprised there aren’t more of us.

‍