3092: Infosec - The Future of Cybersecurity Training and Upskilling

[00:00:03] With cybersecurity roles surging to fill a daunting 4 million person shortage, I recently found myself wondering, are there enough people with the right skills to secure our digital future? A digital future that we all take for granted like we do our digital present.

[00:00:21] And today I'm speaking with Keetron Evans, VP of Portfolio and Product Strategy at Infosec. And he's also a seasoned expert in cybersecurity training and workforce development.

[00:00:33] And he brings with him a wealth of unique insights on how diverse non-traditional backgrounds from military service to nursing can help fill cybersecurity gaps.

[00:00:45] But also how targeting upskilling can expand the talent pool.

[00:00:51] And we'll also discuss the transformative power of training programs, emerging cybersecurity roles in everything from AI to cloud security.

[00:01:00] But most importantly, practical advice for job seekers.

[00:01:04] We'll look at how companies and candidates alike can meet the needs of this evolving industry.

[00:01:10] So are new pathways the key to securing our digital landscape?

[00:01:15] I certainly think so.

[00:01:16] But let's get my guest on today to find out more.

[00:01:20] So a massive warm welcome to the show.

[00:01:23] Can you tell everyone listening a little about who you are and what you do?

[00:01:27] Sure, I'm Keetron Evans.

[00:01:29] I'm VP of Product Portfolio Strategy at Infosec.

[00:01:31] I spent, you know, more than 20 years developing content for training in the cybersecurity field and AI field for beginners and also for people that are transitioning careers and also upskilling.

[00:01:47] So that's what my career has been.

[00:01:49] And now I'm in charge of three products that give us the ability to push that, you know, that message and that mission forward.

[00:01:57] Well, it's a pleasure to have you join me today.

[00:01:59] One of the big topics I wanted to talk about is a different narrative because very often when we're scrolling down our news feeds, we hear our technologies taking jobs.

[00:02:08] AI could be threatening careers, etc.

[00:02:11] But what we don't talk about is the fact that the cybersecurity industry has an unemployment rate of 0% and is also facing a shortage of 4 million workers,

[00:02:23] meaning anybody can train to enter that field and also pretty much have a license to work wherever they want in the world.

[00:02:30] But how do you see this industry addressing the gap and what role can IT professionals play and maybe help fill some of these positions?

[00:02:39] Yeah, well, one part of that digging in and figuring out what we need to do is to kind of see what the actual profile of that gap is, right?

[00:02:48] Like when we say there's 4 million jobs open, like is it 4 million entry level jobs?

[00:02:54] You know, of those jobs, how many are entry level and how many require some experience?

[00:02:58] So I think if we break that down, we'll find that most of those open jobs are not necessarily ideal roles for entry level people to be going into.

[00:03:08] And I think that's a misconception.

[00:03:10] In other words, you know, it's probably not often said, but you know, we don't say that, but it's interpreted that way that like these are, these are 4 million brand new jobs or 4 million jobs for entry level people.

[00:03:22] And that's not the case.

[00:03:24] I've even seen some statistics that dig into it a little bit more at a micro level and say that the openings for beginner level roles are less than what's available in the job market.

[00:03:34] So in other words, there may be a surplus of people trying to get those beginner roles, but there is clearly a deficit in like the, you know, where we need people with, you know, just some basic IT skills or some people that's got a little bit of cyber skills and things like that.

[00:03:48] So I think one challenge and one way that we solve that is we have to get into the micro of that number and figure out just how many new cyber workers do we need and how many people do we need that already have some skills that just need to be upskilled.

[00:04:04] So if we start right from the very beginning, then people from non-technical backgrounds that are listening, wanting to enter the cybersecurity industry, what unique skill sets did those individuals bring to the table?

[00:04:17] And how can they complement the maybe technical expertise traditionally associated with the more advanced cybersecurity roles?

[00:04:25] Yeah, that's a great question.

[00:04:27] You know, it depends on where they're coming from, but, you know, I've mentored everyone from airline pilots to military nurses to bartenders and everything you can imagine in between into cyber careers.

[00:04:38] And, you know, some of the things that you see specifically for people coming from like the military, you see a lot of discipline, a lot of organization and, you know, being able to stick to and follow processes.

[00:04:52] And that's something that's a very valuable skill pretty much in any area of cyber that you go into.

[00:04:58] What some of the, for example, like the military nurse that I helped mentor into the field, you know, came with a completely different level of attention to detail, right?

[00:05:10] That we don't see a lot or we don't see always in cybersecurity.

[00:05:14] So it's those types of skills like that that may not be technical that makes those people really valuable bringing them into the industry.

[00:05:22] And upskilling has always, especially in recent years, has become a big focus for organizations looking to widen their talent pools.

[00:05:32] I think maybe five, 10 years ago, there was a lot of fear around doing that because soon as that IT professional puts that cybersecurity certification on their LinkedIn profile, they get headhunted by someone else.

[00:05:43] But if we move that fear to one side for a moment, how can employers implement upskilling programs more effectively to meet the growing demands of the cybersecurity job market when talent is so short in supply?

[00:05:58] Well, so I think a couple of things.

[00:05:59] One is they have to make sure that they're creating awareness around these opportunities in the organization.

[00:06:06] And they're doing active recruiting inside the organization, you know, just sending out an email blast and kind of sitting in there and forgetting about it is not going to work.

[00:06:15] They have to really put some effort behind these programs and try to make employees aware that there's opportunity there.

[00:06:22] And more importantly, I think having a clear roadmap or a path to show people like, look, you know, when we bring you in, you're going to start off doing this.

[00:06:30] And in a year, we'll have you doing this thing.

[00:06:32] And there's a clear career trajectory here for you to move up.

[00:06:37] Because when you're asking these people to upskill or reskill into cyber inside the organization, some of them may be taking a slight pay cut, you know, from a role that they've been in for 15 years to go into an entry level cyber role.

[00:06:51] But as long as they can see that that's a temporary cut to where they have a path to get back to what their current compensation is, then I think it takes away a lot of the shock from that.

[00:07:01] So I think we just have to make sure that internally we're being very good about communicating those things to people that we're trying to recruit internally for upskilling.

[00:07:12] And as someone with years of experience in penetration, testing, incident response, and so much more, is there any particular advice that you'd give to any professional that could be listening anywhere in the world to our conversation today, wanting to transition into cybersecurity from non-traditional backgrounds?

[00:07:29] Anything that you'd advise there?

[00:07:32] Yeah, I would say, like, if you want to get into cyber, like, do some research and find out what that really means, quantitate that.

[00:07:38] You want to get into cyber and do what specifically?

[00:07:41] What cyber role do you want to do it?

[00:07:43] If you don't know what the roles are, then that means you need to research a little more and get something more concrete.

[00:07:49] And then set a goal for yourself and figure out, after you pick that role, what things do I need to learn to particularly do this job?

[00:07:57] And then set a plan for yourself to spend some time working on those things to kind of prove yourself worthy to yourself and actually develop some demonstrable skills to where you can start to go to meetups and capture flag events and things like that and start to get the proper networking in place so that you can land a good job in cyber and you are able to do that job once you land it.

[00:08:21] Before you came on the podcast today, I was doing a little research and one of the things that stood out to me was that InfoSec has trained 70% of Fortune 500 companies.

[00:08:31] So what have you learned from working from all these organizations and how do their cybersecurity training needs differ from those of smaller companies?

[00:08:40] Are there any big differences there?

[00:08:41] What are you seeing from all these conversations?

[00:08:44] Yeah, so several different things.

[00:08:46] So with smaller companies, what you tend to have is you'll have maybe a cyber person that also does a little bit of IT support and also does a little bit of network engineering and also does a little bit of this and a little bit of that.

[00:08:58] So those people in those smaller companies tend to have more varied hands-on experience because they have to do multiple jobs usually.

[00:09:07] Whereas when you look at the big enterprise organizations, they're very segmented as far as what people's jobs and responsibilities are.

[00:09:15] So they need more specific training and very deep training in specific areas to keep those people growing.

[00:09:22] So I think that's one difference that you see.

[00:09:24] And also with bigger organizations, they generally have the revenue and the resources to build out more complex and more mature internal training programs,

[00:09:35] which gives us a little bit more of a completed palette to paint from and to create from and to help them build out the outcomes that they want as far as education in cyber.

[00:09:50] And as we mentioned a few moments ago, certifications and on-the-job training, they're both essential in upskilling the cybersecurity workforce at all levels.

[00:10:00] So how do you think these programs maybe need to evolve a little bit more to keep up with the constantly changing cybersecurity landscape?

[00:10:08] We've seen the impact of AI over the last few years and how quickly that is speeding up things.

[00:10:13] But how do you see that industry having to evolve to keep up?

[00:10:18] Yeah, I definitely think one key thing is going to be leaning more into skills-based verification and being able to demonstrate actual skills is going to be a big part of where this is going.

[00:10:32] I mean, even the U.S. government has made a shift to where the focus is not as much on certifications, but more on knowledge, skills, and abilities through that we learn about from this nice and some of the other things out there that we look at and study to figure out the direction here.

[00:10:50] So I think one thing is definitely going more towards a skills-based training and certification lean and definitely coming up with ways for organizations to see that you can demonstrate being able to do certain things.

[00:11:04] I think that's going to be important in the very near future.

[00:11:07] And again, if we look back to those conversations you're having with business leaders around the world, from everything that you've heard there, what would you say are the biggest challenges that workplace leaders are facing right now in embracing diverse backgrounds in cybersecurity and how they can overcome some of those barriers?

[00:11:25] Because this doesn't get talked about enough, and I'd love to hear more about what you're seeing here too.

[00:11:31] Yeah, I think some of the diversity challenges that come up are just based on tradition, right?

[00:11:37] Like, you know, where do these meetups normally happen?

[00:11:40] Who normally sponsors these meetups?

[00:11:43] What are the barriers of entry, right?

[00:11:45] Like, what do you need to know already to come into these conversations or into these meetups or into these situations where you get these opportunities?

[00:11:53] Or some people from some of these other backgrounds, you know, actually have access to, you know, the skills need and know what's going on in the industry.

[00:12:03] So I think that's one of the big challenges is just making, you know, exposing diverse backgrounds to these opportunities and really just recalibrating what we have as expectations for people coming into the industry.

[00:12:18] Because what we found is, you know, a lot of people that have five to six years experience in the industry can come in and they need a certain amount of training.

[00:12:27] And we can take someone that has no experience and train them the right way from the ground up.

[00:12:32] And oftentimes that person with no experience in cyber ends up being a better candidate than the person that has a lot of years of experience, especially if that person that has a lot of years have been doing things, you know, quote, the wrong way or not the best ways.

[00:12:46] So I think we have to recalibrate our expectations and how we look at bringing people in.

[00:12:51] And that opens us up to a lot more diverse backgrounds.

[00:12:54] And that opens those diverse backgrounds up to us.

[00:12:56] I think we have to bridge that gap in that way.

[00:13:00] Well, we've covered so much here.

[00:13:02] Obviously, we're only weeks away from 2025.

[00:13:05] If we continue to look ahead at some of the trends that might dominate next year, anything that you foresee in the cybersecurity industry, particularly regarding things like workforce development, the integration of non-IT professionals into critical security roles?

[00:13:22] I know it's a big question to try and predict this, but what do you think will happen next year?

[00:13:28] How can businesses prepare for it?

[00:13:29] What are you seeing?

[00:13:31] So I definitely think there's going to, you know, AI is obviously playing a big role in some of that development and what we're seeing takes shape here.

[00:13:39] For one thing that's not often talked about, AI is enabling people to learn more faster, right?

[00:13:47] Like they can get from a novice level to being effective in the trenches in cyber a lot faster if AI is applied in the right way to their learning experience.

[00:13:58] So I think we're going to see shorter paths for those people with diverse backgrounds to get in.

[00:14:03] That's going to be something that we're going to see trending in 2025.

[00:14:07] Also, you know, more focus, like there's a lot of focus, but just more cloud-based security roles are going to become open as organizations have now matured in their cloud adoption strategies and more of them are standing up cloud capabilities.

[00:14:22] You're going to see there, there'll be a bigger, bigger need for people that have cloud and security experience.

[00:14:29] So, you know, you can have a lot of cloud experience, but at some point you have to marry that to cyber skills.

[00:14:35] And that's what I'm seeing shape up coming into 2025 and just AI skills, being able to come into an organization, help them build an AI strategy and do the technical work to bring those AI principles into the organization for cost-cutting revenue gain and things like that.

[00:14:52] I think we're going to see those kind of start to merge into cyber in some interesting ways.

[00:14:58] And although everything we're talking about here today is a very serious matter, both for today and the future, the world of tech is a fun and interesting environment to work on.

[00:15:09] And as someone with a rich history in the industry, I know you're going to have more than a few stories of, as you've heard, your stripes out there in the tech field.

[00:15:17] So I'm going to ask you that.

[00:15:18] What would you say is the funniest or even most interesting story that's happened in your career that you are able to share?

[00:15:25] Because I'm sure you've got many stories.

[00:15:28] So I think the funniest thing that's ever happened is we were pen testing an organization some years ago, you know, in a big city here in the US.

[00:15:38] And we went in to do the physical part of the test because we were doing a physical assessment as well.

[00:15:46] And once we got into the organization and started to look around, these people were really nice.

[00:15:53] They gave us access to everything that we needed.

[00:15:56] What we found is that in the process of doing that penetration test, we discovered an entire illegal financial thing that one of the employees had set up on one of the servers there that was going on.

[00:16:12] And when that employee discovered, you know, through the cease of the organization that we were actually doing a penetration test, the person literally grabbed a couple of servers and just ran out of the building with it.

[00:16:24] So just watching that unfold in front of us.

[00:16:26] And the thing is, we would have never found that out because we weren't there for that.

[00:16:30] We weren't there to do forensics.

[00:16:31] We were there to do the pen test.

[00:16:33] But for that person, security is security, right?

[00:16:35] So they thought we were there either to investigate them or we would investigate and find those things.

[00:16:40] So this person kind of played their own card and, you know, showed themselves guilty by running out of the building with these two servers in hand.

[00:16:48] And we had no clue that that was going on because that's not what we were there for.

[00:16:52] But we did end up having to come and testify and stuff like that.

[00:16:56] And it was just amazing that going in to do basic penetration testing uncovered a whole international, you know, financial scam ring that this person was running out of that company without the company's knowledge, of course.

[00:17:09] So that's probably the craziest thing that I've ever seen happen in the industry.

[00:17:13] Wow.

[00:17:14] What an incredible story.

[00:17:15] I absolutely love that.

[00:17:16] As I said in the beginning, we've got people listening all around the world.

[00:17:20] We'll have people wanting to enter cybersecurity, tech professionals, people wanting to upskill or also have business leaders looking at how to solve this problem.

[00:17:29] So anyone wanting to dig a little bit deeper, maybe connect with you or your team or just read out more or find out more about how InfoSec can help them.

[00:17:38] Where would you like to point everyone listening?

[00:17:40] Yeah, just go to InfoSecInstitute.com and, you know, everything from training all of your end users on how not to click on malicious emails and be aware of cyber and AI threats that are coming up,

[00:17:53] all the way to training your most technical staff on technical and cybersecurity things.

[00:17:58] We can help you with that.

[00:17:59] And it's just InfoSecInstitute.com.

[00:18:02] And again, thanks so much for joining me today.

[00:18:05] We started with that powerful stat.

[00:18:07] Four million cybersecurity workers needed to fill open roles across the industry.

[00:18:12] Zero percent unemployment.

[00:18:13] Filling these roles is still an incredibly daunting task.

[00:18:17] And I think this is just the start of the conversation today.

[00:18:20] So I do urge anybody listening from around the world, no matter what industry you're in, if you want to find out more,

[00:18:26] please check out the links that we'll associate with this podcast so people can find it nice and easy.

[00:18:32] But again, Keetra, just thank you for starting this conversation with me today.

[00:18:37] Yeah, absolutely.

[00:18:38] And, you know, just one thing I want to add that might be valuable to you is, you know,

[00:18:42] I do a lot of mentoring on the weekends and talking to people trying to get into cyber.

[00:18:46] And if you talk to the people that are going out and getting these certifications and posting it on LinkedIn,

[00:18:51] then they're not getting those calls, those mythical calls that we hear about from headhunters

[00:18:55] that automatically grab you up if you've got certain cyber certifications.

[00:18:59] It's just not reality.

[00:19:01] You know, people that are new to cyber, that are getting these certs,

[00:19:04] they're struggling trying to get these open roles.

[00:19:06] So we definitely have a lot of work to do to bridge those gaps.

[00:19:09] I think our discussion with today's guest highlights not only the challenges,

[00:19:13] but also the opportunities in bridging that cybersecurity talent gap.

[00:19:18] As we've heard, a mix of non-traditional skills and forward-thinking training can provide new solutions for employers

[00:19:25] and open doors for candidates.

[00:19:28] But over to you, this is a hot topic right now.

[00:19:31] Where do you see the future of cybersecurity talent heading?

[00:19:36] Please share your thoughts.

[00:19:37] Let's keep the conversation going.

[00:19:39] And as a sweetener, maybe I'll throw in a cybersecurity book for the best, comment or email.

[00:19:44] How's that sound?

[00:19:45] Awesome.

[00:19:46] Well, email me now, techblogrideratoutlook.com, LinkedIn, Twitter, Instagram.

[00:19:51] Just at Neil C. Hughes.

[00:19:52] Send me a message.

[00:19:53] That's it, though.

[00:19:54] We're out of time for today.

[00:19:55] I'll be back again tomorrow with another guest.

[00:19:58] Hopefully you'll join me again then.

[00:19:59] But bye for now.