Useful Links:
2025 U.S. Cybersecurity Job Posting Data Report
Guests:
- Nic Muy: https://www.linkedin.com/in/nicholasmuy/
- Deidre Diamond: https://www.linkedin.com/in/deidrediamond/
- Amélie Koran: https://www.linkedin.com/in/webjedi/
- Bil Harmer: https://www.linkedin.com/in/williamharmer/
Transcript
Narrator:
Welcome to 9 0 9 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones, taps his vast network to bring you guest stories, opinions, predictions and analysis you won't get anywhere else. Join us for 9 0 9 Exec's panel on solving cybersecurity's talent crisis.
Den:
Okay everybody, welcome to another episode of 9 0 9 Exec and we have a special edition LinkedIn live event. We're going to talk about the solving this cybersecurity skills gap or is there a skills gap? I dunno. Let's find out because I have got some outstanding guests on the show. Little panel discussion here. Let's do some introductions over to my esteemed guests.
Amelie:
Well, hello, my name's Amelie Koran. Pretty much simplest thing is say go see LinkedIn handles Web Jedi, do lots of things in cybersecurity, but to keep it short and sweet and pass it off to other folks.
Bil:
Thanks Amelie. My name's Bil Harmer, CEO and founder of Kill Switch Advisory, four-time, five-time CISO. Again, same. Take a look at LinkedIn. I've just been kicking around this thing for about 30 odd years.
Deidre:
Deidre Diamond, founder and CEO of CyberSN, 11 years of talent matching solutions and three years of workforce risk management. This is near and dear to my heart, particularly in that women don't get enough representation in the industry and it's already broken in finding and matching. So it's a big passion of mine. Good to be here.
Nic:
Thank you. Nicholas Muy, credit automation, then a security engineer, security operations, product management, kind of all in cybersecurity for over 15 years to be.
Den:
Excellent. Thank you. Yeah, thank you everybody. So this is for me an interesting thing. So we in the industry continually talk about the fact there's a skills gap and I don't care which Slack channel I'm in or which WhatsApp group I'm in or looking on LinkedIn, I seem to see a lot of people saying, Hey, I'm looking for work or I'm struggling to find work. I'm looking for good work. I want to pose the question. And Deidre, I'm going to come to you first. I think as, I mean you and I have known each other about 11 years, even though me butchering your name every single bloody time would not show that. But we have worked together for a long time at Adobe. I was one of your early customers and we stayed in touch ever since, which makes me know that you've been in this game for a long time. So over the last 11 years, what have you guys seen as the evolution of the skills crisis or is there a crisis?
Deidre:
There is a crisis without a doubt. I like to look at the word skills and take it a bit further to the definition of experience. And the challenge is that everybody hiring and I have the jobs data for three years of all job posting and cybersecurity. We've been following that data forever. And even though it's job posting data, it still normalizes and it tells a serious story, meaning there's lots of people hiring. At the end of the day, what we see is that people want people coming out of having just been doing the work that they need done super similar. So it's not just a SIEM, it's the SIEM or you get the picture and that's just a very tiny piece of the picture. It's literally industry job function role. What were you doing? It's not the title, it's the experience and that we have a shortage in because the experience is different per industry that's needed and it's a different skillset per vertical. And we stopped training as a society.
I'm in my fifties, I think it really stopped about 15 years ago. We've seen significant change in the last five. And so if we're not willing to train and we will only take people that have the majority of what I need them to do as experience that they're doing now, I'm not going to hire them. And that's the case. And by the way, let me throw on top of that location. Many organizations are not doing remote anymore, so then that completely changes it or they can't because maybe they're in OT or something that has to do with safety. And so meaning they're more in the work together. So you add that onto it and wow, we have a massive experience deficit.
Den:
Yeah. Amelie, any thoughts on that?
Amelie:
Well, here's where I get to be the devil's advocate just from personal experience, but also I did a talk at ShmooCon back in 2018 regarding firemen versus safety matches. How that was was just dealing with trying to adapt skill sets that were non-traditional stuff that wasn't just like I got a degree in cybersecurity, which didn't exist when I was an undergrad. I came from bopping around on computers and BBSs and stuff and learned it as I went along. But one of the things before I was just recently laid off, I was in a hiring mode and based on what was being submitted for offensive security specialist, it was the percentage of folks that were coming basically to these job postings, or three of them actually. It was probably maybe like 5% of those folks that I would figure I would want to have a conversation with at best.
And this was to six two to 600 people resumes. And it wasn't for I think a lack of the candidates trying. There are some that were obviously where I worked before, there are folks who had jobs elsewhere like shelf stockers and pharmacists and stuff like that who were taking cybersecurity training in their own time to skill up. But folks who were coming in as experienced, most of them were ones that wanted to get into it into the offensive security side of the house, but just had a very light foundation of cybersecurity skills and being for me, when I came up through this, I graduated with degrees that were not technical and learned to become a system administrator and so forth. That doesn't seem to be the route that a lot of people follow. And that's a little bit disturbing because as Deidre said is that a lot of these postings are, they want to be very specific for a particular tool or an installation configuration or architecture, and nobody actually runs into that.
I would not want to just hire somebody that's got this specific product experience. I know that down the road, having had products that have come in, services that come in, you change your mind over time and to be adaptable to say, Hey, this is the person who has some really good skill sets to be adaptable, but also has the institutional knowledge, that would be very hard to just basically say, well, we're done with the tool, we're going to go hire somebody else and let this person go. So I think that's our big challenge more than anything right now.
Den:
And I think you're both hitting one point, which is technology. There's so many technologies out there, and if an employer is looking for someone with specific technology experience and not willing to train in other technologies, then we certainly have an imbalance there. Because to your point Amelie is God, I remember joining Adobe in 2001 and my peers were called, their title was NT admin, and my other peer title was Novell admin. I'm like, wait a minute, so you guys can, you're only allowed to play around in one operating system. I was a Windows, Novell, Unix, Linux. I mean for me it was just, I knew shit. Right? So the reality is if we get down into the, oh, I can only hire you if one specific thing or depth on this one thing, then I think we're toast just on that one. Nic
Bil:
That's the problem that we've been suffering with. I mean I never hire for or try not to hire for the specific I, I hire the attitude and the characteristics of the person and I would actually prefer if I had a Palo firewall, I'd rather hire somebody with Fortinet experience because then they will learn this and they will bring what they know from the other side to it. That's sort of my expectation because you're right too much. It's like what's our stack? Let me go find the person for that stack. And we feel that that's a lower risk. And truthfully, I find it's a bigger risk because you have blind spots all over the place at that point.
Amelie:
I think too, to adjust expectations too is the candidates like myself will bemoan, okay, so this is an entry level role, but yet you're requiring three to five years of experience or as a senior level person, me with 25 to 30 years of experience, I can't get a callback. And I'm just like, so I've done everything. I've collected all the cybersecurity infinity stones on my gauntlet here, but yet I have a hard time getting a conversation with somebody regarding a new position and I'm just like, so what am I missing? And is it the applicant tracking systems that are filtering stuff out before they get to somebody?
Bil:
Totally. Is it totally is. You said you don't have a degree in computer science? I don't have a degree. I'm a university dropout. I don't make it through the applicant tracking systems. The best I can do is if I'm lucky, I tick a box that says high school
Den:
And a Canadian high school building, a Canadian high school with that. So it's a me version. Geez, man. You're not even allowed to a lot of maple syrup.
Amelie:
It's slightly longer and only ends in even numbers. There we go.
Den:
Exactly. Nic, what were you thinking, man?
Nic:
Yeah, I was just going to add something I've seen from kind of the hiring side is and talking to friends who are hiring and what else is, I think a lot of hiring managers depending on the role, the companies, I think we give 'em too much credit that they know what they're looking for, that they know what they want, that they know what they need. I think they, they know what they want and what they say and they'll work with recruiting firms to try to find people. But then a lot of times I think when you, a recruiter will reach out to me, they'll say, this is what the company is looking for. I'll go talk to them, I'll talk to a hiring manager or the recruiter in the screening process and it's clear to me they want something else. What they say doesn't always match what they want and especially, and I feel pretty strongly about this for leadership roles because it can ruin a team, it can ruin an org.
You say you want this and you're kind of, but you're only, this is what you're hiring for. And so there's a huge mismatch in, it's like saying, I want someone with all this stuff and I want to pay them like a junior sysadmin or I want a junior sysadmin, but they need to be distinguished security engineer level skills. I mean I think it sounds crazy, but within the last 90 days I would've been approached for roles where they say like, Hey, we're looking for such and such type of leader to run this org. And then you ask 'em a few questions and they're like, no, we don't. The reality, what they don't say is we don't really want to invest in that team. Things are falling apart and there's a lot of turnover risk and this is like a cleanup job, so we should bring a consultant.
Deidre:
Nic, I love that you're bringing that up because this conversation is going between what are people hiring, what's going on with the market and job postings and the whole process of interviewing and what have you. And your point hit me. When I first founded my firm having left staffing for 10 years, I didn't realize what the digital era had did, has done. And one of the things that can put perspective is that before the digital era to post a job, you had to pay $5,000 in the Sunday paper. Think about how much that $5,000 was worth back then and you got about this much space and it was only Sunday, it would never be around again. And now people can just post jobs so they don't have to really take the time to figure out what they're advertising. Isn't that, it's such an interesting thing to say, wow, that ad being free or cheap as hell caused organizations to just be one more thing.
They just fly by the seat of the pants on, which is the job description, and now we're all suffering for it. We're suffering because of making the wrong matches. To your point, that's so solid Nic and really messing up with teams, we're doing it and burning out people because jobs are left open too long and we're also hurting that we're not moving our teams forward, we're not progressing, we're standstill or go back at best as somebody who's come up through operations before the digital era and built high profile companies that do extremely well, it's maddening to see the sort of the pre-digital post-digital effect of these job descriptions. They really need to be the source of truth of work. And what is the workload? What are the tasks, what are the projects that have to get done versus who do I think I want to hire? What's the persona of the human? I think I want, let me slip that up on the screen for a hundred bucks.
Den:
Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to subscribe and share the show with your friends. If you know of anyone else that would benefit ideally for us that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion.
Amelie:
Take an add-on to that one, which is for me, when I've been in a hiring manager role is I act as the hiring manager I wish I had. When I go looking for a job, which is regardless the volume of applicants I get and the resumes as a team leader or a manager or an executive, if you're hiring for somebody who's going to be reporting to you or significant input on a specifically say particular new role, that's part of your job. You need to be an active hiring manager. You just can't say, well, I'm just going to let the thing filter it out or whatever. When I was hiring at Health and Human Services, I went to the gym that way. It got me out of my office away from people and I brought my iPad of all the resumes and I read all of them top to bottom while I was doing exercise.
But that was the thing is I made sure I made time to give everybody a fair shake. And the thing is also I see people complaining is like I get these really impersonal feedback though. They be popped out of the ATS and they're like, what did I do wrong? When I was trying to hire, when I was at Walmart, I had a spreadsheet of every one of those applications too, and I had different columns for whether or not they were junior, too junior where I assessed they were. So I could give them feedback as these are the other skills you needed to have. And then notes potentially to the HR partner or recruiter. I had to basically say, Hey, this is the reason why I want this person so that if I needed to get it justified through another executive, they understood why I was interested in 'em. So they may have not had the perfect skill or the perfect tool set, but I saw potential in them and that's how I would dictate how I wanted them to grow and where I saw them in the future, not just now
Den:
I think. And that's brilliant. I think it's really interesting because if you think of this as the whole pipeline, the process of going from knowing we need a position filled, we have budget now we're going to write the job up. And I've seen a job post last week where they were looking for an AI engineer, they wanted five years experience with Gemini and their tells me the sign straight away, you want experience in something that's not been,
Amelie:
Is it me or did he disappear?
Den:
Oh, I'm still here. You might find a little lag on StreamYard sometimes. So yeah, so basically it's interesting because then I think of when you apply for positions, and one thing I knew is we were doing our diversity. We had a women's executive shadow program at Adobe that I used to participate in every year. And one of the things I learned in my first year was when there's a job posting, a guy will apply for the job, even if he can only see himself fit in probably 50% to 70%, a woman won't apply for the job unless she sees herself matching almost a hundred percent. So I think even the industry, so there's that piece. And then when you bring the applicants in, if you're not finding the applicants you want, and I worked with a team at CyberSN for years on this one, which is anytime we're not getting what we want, use the hiring manager need to work with the recruitment team to adjust what you're looking for, get feedback and huddle together so that you're refining it. It's equivalent to when you're looking for a house and you realize your budget doesn't go that far. I wanted a chimney. Yeah, I wanted a fireplace and two car garage and a swimming pool, but then it turns them out. My $4 99 million in San Jose doesn't get that. It gets a one bedroom hut. So I need to change. And I think
Bil:
I, that's a big thing. I too often the hiring managers don't think that they've made a mistake. They're like, no, no, this is what we should get. That's our budget. We will get it. You're so far off on those things and they won't adjust. They say, well, there's a skills gap out there.
Den:
Yeah, so do you guys think, sorry, Bil, but do you then therefore think, or what you're getting at is we have an expectations problem from the hiring manager, the employers
Bil:
A hundred percent.
Amelie:
A hundred percent there too.
Bil:
And the more we talk about the gap, the more they go, oh, I can get more because there's all these unemployed people that want jobs. It's not how it works. And the pandemic threw everything into a shift because a lot of people moved away from certain areas. They did the, oh, I can work from anywhere, so I'll go to Boise, Idaho. And then everything changed. And then a lot of companies went, no, we want at least hybrid. We want two days a week in the office, which isn't unreasonable, but it's impossible if you live in Boise in the companies in the Bay Area.
Den:
Yeah. Now also we've got people watching live here, so please submit any questions. And Tamika Jones actually, she just raised that one thing on her little chat. She was saying, Hey, what about the redefining of hybrid remote? So as we kind of went through the whole COVID thing and then companies are trying to, I'm going to say reset from their working style. How do you guys see that changing our dynamic?
Deidre:
We definitely see clients that are requiring in the office, even if it's two days a week, jobs open five times as long, if they fill it, if they fill it, that's how hard it is to get in office. I had a client call the other day, wanted to do security researcher startup in the office every day. I was like, no, it's just going to be a waste of our time. I'm not interested in that work. It's not possible. Nevermind for a researcher. So people are fighting against it. They don't want those roles, but they're not going away. People aren't budging. If they're doing it, they're doing it. If they're not doing it, they're not doing it. Everybody's made their choices as companies and startups are doing in person a lot because
Bil:
I know three in New York, all in office, they will only hire in office and they're crushing it. They love what they do. And I went over to one of them for lunch a few months ago and I was meeting the CEO and we were sitting and he goes, do you want to have lunch in the office? Yeah, great. And it didn't clue into me, but we went downstairs, we did the lunch line, sat down at a table, and I realized I was sitting there with 55 people having lunch. I hadn't done that in years
Deidre:
Old school,
Bil:
Old school. This is going back to SAP days where they had an inbuilt cafeteria on the campus. And I have to admit, the nostalgia came back, but there was something amazing about it to see people just talking about their weekend, the Simpsons, whatever, and forming those bonds that really, so it was a really interesting way to see it. But then I've got another company that is 100% remote, no office, and I'm like, okay, I got you. Where's head office though? They're like post office box in Delaware, literally. And they're crushing it as well. They have built around that culture. So I think if you build around the culture, the shift, the change, trying to change from one to the other is very difficult. Have ingrained people that are used to human contact daily basis and they want that and they tend to be the executives because they've been there the longest. That's going to be hard to change to a remote only. But if you build it from day one as remote only, it can be very successful.
Amelie:
You can transition that too. I think the expectations of certain types of jobs don't necessarily need to be in an office. Like my last role, the times that it was a hybrid two to three days a week, and while I was a manager and stuff like that, my entire team was remote. So there was honest to goodness, no reason for me to be in the office. And I felt those were the most unproductive days because I never had focus time. But prior to that, I've been generally remote for five years, since 2019. But prior to that I was in the office, but my deputy was remote in Wisconsin and I had zero problems with, in fact, that was probably the most productive employment situation I've ever had because we just managed to knock stuff out of the park. And that being a government agency, we had regional offices and stuff like that.
So you can manage certain roles, certain jobs, certain tasks with a distributed team. It's really up to the manager to understand how they need to work within that space. And I think putting it on the employees that you need to adapt to this. You have people who may be neurodiverse, they may have family needs, handicaps, work, work-life balance situations with spouses living in certain places that they be able to afford and enjoy what they do need to live where they live. And adapting to that I think is fundamental, but I don't see that move coming and I wish it would because I think we'd be better as a society if we're a lot more adaptable.
Den:
Yeah, absolutely. I was just about to ask the whole concept of Monday to Friday, nine till five. I know a lot of people where that's totally out the window now and it is really funny. So I'll do my shameless plug for our 9 0 9 IC platform where we're trying to connect students to employers. And the whole concept of this one is, first of all, how do we bring students into the industry before they graduate? Like Bil and I, Bil and I have been in the industry for decades and we've not graduated yet, so we're technically still students, Bil. So the thing for me is this concept of Monday to Friday, nine till five, I think that's behind us now. I think there's other industries where that's cool, but I think in the cyber industry, I don't have any problem with my team not working an eight hour day Monday, Friday, nine till five, provided we agree what's required, we see progress, we get shit done, we deliver the results, we impress the business.
You can work on a Saturday for all I care. And for me, that's part of my ethos of when you build a team, maybe I want a blended team of people who are hybrid, they're on premise, they're whatever they are, they're in their van doing van life shit when that was cool. I don't know if that's still cool or not, but for me it's a blend of everything. And then I think Deidre, you hit on the biggest thing for me is training. I've heard so many people tell me how after COVID their company are no longer really investing in any training at all. If I hire, like Bil said, for enthusiasm, energy, and a certain level of skill and talent, I should assume I'm going to invest in those employees. So what are you guys at on the whole, why is training gone to shit recently?
Amelie:
It's seen as a cost center, to be honest. I see this as the easiest thing for people to cut. When I was at HHS, I gave up my own training dollars to make sure my staff got training. We had stuff that was partitioned out part of the individual development plans. That's also a big thing for managers is to sit down, set your, you mentioned before about setting expectations, but making sure that when you're developing those training plans, you look for stuff that's free. That could be local stuff that involves travel and you try to do those balances. But part of that is it's not just like, well, we have a subscription, we have some seats for SANS or whatever, first come first serve or we need to burn that out versus actually have a structured plan so that as you're doing that budget planning, those investment dollars, they exist in the budget. There's alignment to strategy, there's alignment to development, there's a progression for both the organization and the employee. And I have seen that go by the wayside, not just recently, but literally the last 15 plus years.
Deidre:
Exactly. And to add to that, if they do have the training, there's no time. I have lots of clients that have the training, but their people don't feel like they have the time and they're not sure which training should they take, what's going to be best for my career. And so then nothing happens because time is an issue. And so to your point, Amelie, you got to have a plan and the employer's got to take lead on the plan and workload management to have the training, have time and focus. And I love that you've said that. That's exactly it. It's the employer's responsibility. We're at a 24 by seven connected world. No longer is there such a thing as nine to five. It's not just because you like to give that, Den. Most people are just not even capable of shutting it off because their employers won't allow it. And so if that's the case, or even if it's not, it's an employer's responsibility to make sure that the workload is manageable for mental health and for safety.
Amelie:
You can also do think about it as your farm team too. You're developing people that are going to eventually hopefully go into other roles. They maintain that institutional knowledge, but you're giving them a development path as well.
Bil:
Yeah, the whole idea of asynchronous work, I've done it for god almost two decades where I don't believe in a work-life balance. I believe in a balanced life. So if that means I go to the gym at one o'clock in the afternoon, I go to the gym at one o'clock in the afternoon and I am going to be working at nine o'clock at night or two in the morning, and this comes back from the old days where we used to, I used to sleep under the desk at work. It was just, you get into crunch time, you get into those things where I'm going to finish this. I'm so vested in what I'm doing and I have such pride in what I'm doing. I'm sleeping on the floor, I'm building, I'm deploying, it's out. And then I took three days off and nobody said anything because that's just who we were. It's the way we did it. And I'd love to see that coming back in response come back anymore. Oh yeah, I are. Absolutely.
Amelie:
Yeah, I've slept on folding tables more times than I can count or under a desk. Yes,
Bil:
But I also see Deidre, you said it, it's on the employer to get this going. And I agree, but I say it is a balance. The employees have to want it, right? I am not going to pay for all of their training. I'm going to pay for some training, pick some stuff that's maybe the real expensive stuff. I'll find that expensive course and I'll get you that. But I want you to train yourself in something else. Show me the initiative, show me the desire, the curiosity, and that's the give and take. I'll pay for this. You come back and at the end of the year you've got four courses. I paid for a super expensive one. You did three freebies on your own and now you are a way better employee.
Deidre:
Yeah, I'm just saying they have to give them the time to do it or they won't go out.
Bil:
That's
Deidre:
Where they
Bil:
Want. I'm kind of old school at times too, where it's like if you really want the training, I had a father that did night school for 10 years. I went to try to finish my degree, which I didn't. I failed at it, but I always did all my training off the job. I know even if it was paid for, I did it off the job because I had my job and the training was to get me better and get better job, more money, higher responsibility. And I think that's one of the things you have to ask. I know that there's again, how do you live a balanced life? And these are choices that we have to make. I know I pay for choices with my daughter. There were years where I was not around, there was big stretches. I was on the road traveling, I was doing stuff and then having to think, oh, I got to go spend Saturday in a course. I'm going to go spend Saturday in a course. I need to get better at it to give my family the better life because I want the better job. And it's all personal choices, but we have to look at them. Unfortunately we don't get everything.
Nic:
Yeah, go ahead. Sorry. I was just going to add too, I think you do have to look at the company values. I think the pandemic kind of showed there's no loyalty in big companies. I think a lot of us who started out in the office Mondays, Friday, really Monday through whatever day, and it wasn't really nine to five, it was like seven to nine. I think the expectation was like, Hey, we show up, we get work done. We're doing what the company needs, and there needs to be some kind of loyalty. I think during the pandemic, the relationship between employer and employee became really Arial. It's a lot of big companies. Some chose to take care of their employees, some chose not to. And then I think the trust was really gone. There was no social contract, there aren't rules. People who worked at Google for decades laid off by an email, not even an email just shutting off their email, no notice, no notification, layoffs before the pandemic. Having been part of the teams being on the security side, preparing for these, there was a lot more care put into it. The expectation was like, these are people's lives and these are people. These are people who give more time than they do to their families to be at the office and do work.
And then I think the idea, it's very hard to imagine as a junior employee or a mid-career employee, I'm going to go invest all this time, but what is the company? The company may just lay me off not for any performance, zero justification. Because the reality is it's at will, right? And so especially in our field in security, I've seen few exceptions to that, that it is at will. And I think, and look, I'm not saying the world's going to change tomorrow. So instead you just have to find founders, CEOs, companies and teams that kind of match what you're looking for. There are teams who want to be in the office and a certain part of your career being in the office can be useful from, you can get mentoring for more senior team members a lot faster than you could remotely and you can build a camaraderie.
And then if you're more senior in your career and being in the office doesn't really work for your lifestyle, you just have to find different company. You can't really expect the employer to change. Not going to, if I want to go to a big company, I know what I'm going to be in for because I know they're just believing anything else would be very hard. They are what they are. I've hired so many teams at a very big company and I've seen kind of how they've changed over the last few years. I left three years ago and it's been less than desirable for the people who have been there. And it's tough, but there's a lot of trade offs they have to make as Bil said. But I do think if you can where possible, don't trade off your values. If you can get the compensation you need and the location that works for you, the values aren't worth it for the brand, I'll tell you that much. The brand will probably kill you in the end.
Den:
That's great, Nic. Yeah, I'd love to shift to tips and tricks for either hiring people or applicants. So let's start Deidre with you. Do you want to share one or two tips and tricks that you find or that you think will be helpful to improve our crisis situation?
Deidre:
I don't know if we can call it a tip, because to me, without this nothing works, which is something that Nic talked about and I think all of us touched on. You have to know what we're looking for, meaning what's the job that needs to get done, not the persona of the human you think you want to hire. Clearly document the workload, what it looks like, what percentage of time on what tasks, what projects with what tools, and who else is on the team and really understand that so that a match can be made. You can't make a match without the job description being right. Everything else is just spins the wheels if it's not there.
Den:
Excellent, excellent. What about Amelie?
Amelie:
Oh, definitely alignment on that one a bit, but also for me, I have always bucked our hiring standards. Typically, to be fair, everyone's supposed to go through the process, have the same questions, being asked to remove bias. I always set up a screening call. I want to talk to people where they're not pressured, they're not stressed out. Find out the human first. I mean, we can talk about the job during the interview and stuff like that, but I think honestly just taking some time for a screening call. If you look over somebody's resume as a hiring manager, that's one thing. Then again too is what I've been told now that I'm actually literally hunting for a job is like network, network, network. I've seen hit and miss on that. I've been lucky this time around where it's people I've known and working that, but it's a lot of extra effort.
I think there's very little tips I can give because things have just, they keep changing so rapidly and the tools that people are using to be found change so rapidly. And then the methods for hiring are different from company to company. So it's like I think for any candidate is to be extremely adaptable. If you can, not all can be, but I think for that is just to understand. You may have some dream stuff that you're wanting to go for, but it's okay to shoot a little bit lower in hopes that, as Nic said about finding that culture match with the company, see if there's alignment there and the like. So I think those are from both ends. From the hiring manager, it's okay to break rules if you're just trying to find out more about the human. And then on the candidate side is be adaptable.
Den:
That's excellent. Bil, any thoughts on this one? Any good tips?
Bil:
Yeah, definitely. So the networking part and people have different response. I have not applied for a job in 18 years. Everything has been, somebody knew me, gave me a call, said we think it'd be good for this, and which come in and talk to us. So remember in this industry, especially in this industry, it's your reputation and your history. We need people with integrity. We need people. So never compromise those values as you're going through, if you're applying for jobs, read that job description to get through the ATS, read the job description and use their words back to them. So if they're talking about some project and you've done the project, take their words out of the project they've asked for and put them in your description so it starts keyword matching. I think that's one of the tricks I would say to get through to somebody.
But also show initiative. Find ways to get to the hiring manager and reach out to them directly. Don't be a pain, but find the balance. And again, in the security world, I want people that'll hack through the system. I want people that'll find ways around the rules that will get to me in a way that is I think appropriate and show up my front door. We're going to have an issue, but there will honestly be a part of me that respects that they even did it. You might not get hired, but I'll have a little bit of respect in there for it. So show who you are and show why you are a value to that hiring manager. Because this is a trust issue. We talk about zero trust and no trust and don't trust, but when it comes to this, and especially with remote employees, because you're not there, you're not interacting with them every day.
You need to trust what they do and trust what they say. One of the only people I've thankfully had to fire very few people over the years for cause, and the only one I did was a trust issue and they lied directly to me and it was a remote situation. I couldn't trust them anymore. They were great person, they were great human being, great skills, but they were afraid of what the answer was going to be if they had told me the truth and it was exact opposite. If they told me the truth, they weren't getting fired. If they lied to me, they were getting fired, they lied to me. So honesty is your best policy.
Den:
Nic, what about you?
Nic:
Yeah, I think on the networking piece, there's a lot of different ways to do it. It doesn't always have to be showing up to some kind of large function with a ton of people you have to go shake hands with and kind of whatnot. You can do it, you can do it. I think you can do it on Zoom. There are people willing to have virtual coffee and they'll take the call. I've referred, I think one thing not to do is I've had folks I've tried to help with their kind of job search. I've referred them to folks in my network and who are willing to have a call with them who are, if they're not hiring managers today, they will be in the future. I think the biggest mistake is not following up on that. I mean, especially if it's virtual and they're making time to do it, do not do that.
The feedback will come to me, it comes to me and then someone, my friend old colleague will be like, Hey, the person who you referred to me, they didn't show up for the call. Kind of no notice, no nothing. And it's like for me, I get stuff comes up, but then send an email and just be like, Hey, if they're unwilling to take the call that it's kind of a no fault situation. Just it's better than not showing up, not saying anything and ghosting a person who's making the time and who I statistically know, it's usually the second to third degree connection. The person I introduce you to won't be the person who hires you. They will know someone who's hiring timing wise. It just usually works out that way and you're just really, and I get it, I think it's always said, networking takes its time, but it's hit and miss just as much as ATS systems. There are good tools online you can use to rank. You can copy and paste the job description and copy and paste your resume and it will rank your resume for that job description. From an ATS perspective too, and obviously there's a lot of ChatGPT, Gemini tools to use. I mean at this point it's like there's kind of no rules. So I think for you, saving time is important. Use those tools to optimize your output so you can make time for networking.
Den:
And Amelie, you sparked the word networking at the start of your answer. And then Bil and Nic, and it's funny, I wrote it down straight away for me, like Bil actually I applied for a job in the year 1992 and since then I have not applied for a job of all the jobs I've got. I mean, I've applied for other jobs and never got them. Just don't get 'em.
Yeah, I've never got those jobs, but all of the career moves I've made have been via my network. And the one thing I learned years ago was build your network before you need it. Don't build your network when shit's hit the fan and all of a sudden you start contacting these people you haven't spoken to in ever. Now funnily I say that because when I've had more time as I've been building our nine to nine cyber business, I've had more time. And then if I see somebody pop up on LinkedIn and they mentioned something, I'm like, oh, I haven't spoken to them forever. Lemme just drop 'em the line and see how they're doing. So there's a little bit difference on the genuine nature of it and your integrity. I think there's a big thing here that we've all touched on, which is ethics, integrity, brand and how you show up really matters.
And in some cases for me, when my little bit of advice for employers when they're posting their nonsense job descriptions and shit online, as Deidre says, right, you're not posting the $20,000 article in the Sunday Times any longer. It's free pretty much. But I think you should take a little bit of thought and actually stop talking about the technology you want and start talking about the people and the industry and the disciplines more than anything else. Because I want to know somebody's passionate about working the SOC or I want to know someone's passionate about working incident response or doing research. The technologies they use to do that. If you start listing technologies, you're naive as an employer because you don't realize they're continually evolving and changing when you go to the conferences. Yeah, like RSA, I dunno, three and a half thousand security vendors these days.
It's a lot. Whatever the number is, it's a lot. I didn't count them though. So I think the reality is write job descriptions in a way that makes sense. And actually, like I did with Cyber SN partner with the recruiters, whether you're doing a contract hire, full-time hire, whatever. I think that acknowledgement back and forth as a hiring manager, recognize that's not your daily job. The recruiters do that day in day out, seek their advice as you write the job description, how successful will it be and how urgent is the hire? So I think that partnership's vital.
Deidre:
That just real quickly, that job building technology is free to people now you don't have to be a paid client. I can't stand it. I made it free a few years ago with founders of the job taxonomy and the job building taxonomy in cyber. Please use it. It'll make everything easier for you. That being, it's not as easy as posting a job. Go ahead.
Den:
Yeah, but even pay scales as well, right?
It's like that as well. What pay scale. I saw somebody post for a job in New York on premise and they were struggling to hire and they were talking to me about it and my joking response, we just launched nine to nine IC was, oh, that sounds like you can't afford a full-time employee. You should maybe think of a couple of students. You'll get them local, they'll want the money. Think about a different tactic, a different approach. So I know we're up on time, everybody, does anybody have any closing words? Any wisdom better than the Scottish guy's bullshit?
Bil:
On your networking side. Like you said, building your network. Once you have your network connected, stay in touch with 'em because like you said, the last thing you should do is show up with a handout asking for something if that's the first contact you've had in 15 years or eight years. And I cannot tell you how many times I've had that. And then for the non-entry level people, for the people like us at our level connect with the recruiters, I always accept connections to recruiters and I help recruiters because they'll reach out and say, Hey, I'm looking, are you thinking about moving? I am not thinking about moving, but let me help you find somebody because the day you need help. If you've helped place somebody with them, they will be on your side to get you a job because they know the integrity of who you are.
Den:
Great advice. Anybody else?
Amelie:
I guess also to maybe kind of talk about network activation, but also just being trusted and whatnot is don't be a jerk. I have a lot of people where throughout my career I've seen people who've gotten theirs and they don't offer a hand up or a leg up. And I think those are people I'd steer away from because it's the ego. I'm much more giving than I am taking a lot of times. And I would rather help someone find a role, direct them what kind of skills they could build up, steer them away potentially from a potential toxic employer. But the thing is bring your whole self but also don't be a jerk and that'll help you. I think both as a candidate but also as a potential employer. My whole other recent job I think was because I had volunteered at places and I was a known quantity and it got me to at least be able to talk to somebody. And I value that. And thank you Skylar, if you're ever watching this, thank you so very much for that opportunity because it did really kind of change my life. But again, I always like to try to pay it forward. So I think that's another thing to carry forward.
Den:
That's brilliant. Brilliant. Anybody else? Nic, you look like you're full of wisdom, but if not, man, we can wrap this shit up.
Nic:
I think I just second what everyone says,
Den:
Networking
Nic:
Is kind of key.
Den:
And I think the giving thing, I think volunteering. I think these are all just great ways to let people know who you are, where your ethics are, and from a trust and likability and all that stuff I think is critical. So everybody, first of all, thank you very much to our esteemed guests. Again, going back to networking, right? I mean everybody on the panel, with the exception of Amelie, I've known for years. So hopefully Amelie, you and I, we get to bond for years and I think the reality for me is finding good people in your network. Even for me doing stuff like this, I like to think I'm a giver. I try and help companies in their early stages. I think in our careers, that's a wonderful thing. However we can help people, I always think it comes back. So for me, that's a vital thing of showing up and showing who you are because that's a very attractive quality to employers and people in the industry when they see other people trying to raise everybody else up together.
So with that positive note, everybody, thank you very much. We appreciate your time. We'll be posting this obviously on our 909 exec podcast channel in a few weeks, so look out for it. But until then, catch everybody on this panel on LinkedIn, be their friend and yeah, network with everyone. And we've got Kill Switch advisory, we've got Cyber SN, we've got kickass. Amelie and Nic will automate the shit out of any of your Scrut. I dunno, Nic, man, I got to come up with a better joke for that one. Anyway, if you're in Black Hat, I think almost all of us, I think. Are we all at Black Hat next week? Probably. Well, yeah, unemployed. Can't go too much money. Good chance. Good chance. Most of us are going to be there, so yeah. So hopefully, yeah, hit us up and try and catch us. We'll be out and about. Thank you everybody. Have a great week. Bye.
Narrator:
Thanks for listening to 9 0 9 Exec. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity and beyond.