Once You Show Me Your Diploma, I’ll Explain Why We Don’t Gatekeep
To be successful working in cybersecurity, you need an inquisitive mind with an eye for problem solving. Yet so many organizations are turning a blind eye to talent who lack technical degrees. How do we move past these kinds of criteria to find the talent we need for our security programs?
This week's episode is hosted by me, David Spark, producer of CISO Series, and Andy Ellis, partner, YL Ventures. Joining us is Jimmy Benoit, vp, cybersecurity, PBS.
Starting early on security awareness?
Do we need to introduce cybersecurity awareness training earlier, while people are still students, to establish security-conscious habits instead of waiting until employment? Alex Martin of Cyber Hogen Ltd recently highlighted a security awareness toolkit for children, with games like "spot the phish" that can help build a security mindset from a young age, potentially reducing the need for extensive corporate training later. More generally, interactive approaches, like gamified "cyber fairs," have proven effective in workplaces by engaging employees in hands-on activities that make security concepts more relatable and memorable, unlike traditional computer-based training, which often struggles to keep attention. This shift to more targeted, relevant training aims to foster proactive security behavior and improve organizational culture.
The limits of gamification
Gamification is helpful in cybersecurity awareness, but it could hold us back with higher-level training. Daniel Gilbert on LinkedIn argues that it may stifle curiosity and lead to hollow achievements if it emphasizes task completion over actual learning. Gamification can effectively introduce concepts, but excessive reliance risks reducing training to a series of superficial milestones. Effective gamification can be a helpful roadmap, especially for newcomers, providing a structured path to key skills. The key is ensuring each activity promotes genuine skill development, not just compliance. Just as a football player’s helmet stickers signify progress and accomplishments relevant to their sport, cybersecurity "badges" should reflect meaningful growth in security awareness and capabilities, fostering personal development and business relevance.
Technically qualified
There’s been a concerted effort to break down the traditional walls around cybersecurity hiring, such as reducing requirements for technical degrees. Programs like Service for America promote skills-based hiring, apprenticeships, and collaborations with nonprofits to open cybersecurity roles to diverse backgrounds, as highlighted by Chris Konrad of World Wide Technology on LinkedIn. Non-traditional candidates, like philosophy or journalism majors, often bring critical thinking and communication skills that are invaluable in cybersecurity. While practical skills can be trained on the job, these problem-solving mindsets are more challenging to teach but are essential in roles requiring quick, analytical thinking. Degree requirements still pose hurdles, particularly in the H-1B visa process, which mandates degrees for foreign hires, complicating efforts to lower entry barriers. To build long-term careers for individuals without degrees, companies may need to provide training in writing, critical thinking, and other foundational skills typically gained in college.
Understanding your risk tolerance
To align departmental objectives with risk tolerance, CISOs should focus on concrete, scenario-based discussions rather than hypothetical metrics. Many organizations lack a clear understanding of their risk tolerance, often due to vague or overly simplistic assessments. Rosalyn Page in CSO Online highlighted an example of a team assuming internet downtime could last 48 hours, only to discover during an incident that they couldn't function without it for even an hour. Effective risk tolerance validation involves conducting a business impact analysis, identifying core functions, supporting systems, and interdependencies, and speaking with each system's actual users or “customers” rather than just the system’s owners. This structured approach, involving continuity planning and real-world stories, allows CISOs to understand genuine business needs and set realistic recovery time objectives, helping bridge the gap between security and operational priorities.
Listen to the full episode on our blog or your favorite podcast app, where you can read the entire transcript. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Huge thanks to our sponsor, Bitdefender
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO…
"Don't attribute to malice that which can otherwise be attributed to ignorance, meaning your colleagues aren't out to get you. And if you have disagreements on trying to get something done, it might be because they don't understand why it needs to get done, and the best thing you can do is help educate them, work with them, and work together to get what needs to get done, done." - Jimmy Benoit, vp, cybersecurity, PBS
Listen to the full episode of "Once You Show Me Your Diploma, I’ll Explain Why We Don’t Gatekeep."
I'm a CISO who broke into the cyber industry WITHOUT a technical background
This week CISO Series is running its monthly AMA ("Ask Me Anything") on r/cybersecurity.
This week's discussion: I'm a CISO who broke into the cyber industry WITHOUT a technical background.
Our participants:
Patty Ryan, CISO, QuidelOrtho - Background in economics, sports TV, MBA, and then IT.
Lee Parrish, vp & CISO, Newell Brands - Background with the Marines, where he did lots of coordination and operations, which was technical but not IT or cyber. Also worked as a correctional officer.
Davi Ottenheimer, vp trust and digital ethics, Inrupt - Background in history, philosophy and political science (ethics of intervention).
Jump into the conversation here.
Understanding the Ransomware Realignment
Your cybersecurity program doesn’t stand still and neither does the ransomware ecosystem.
I recently spoke with Jason Baker, principal security consultant, GuidePoint Security, about the latest trends in cybercrime, including the realignment of ransomware groups and reduced barriers to entry for cyber criminals. He emphasizes the importance of fundamental security practices like defense in depth and network segmentation to counteract the surge in opportunistic attacks. We also covered the nature of targeted attacks by hacktivists and nation states, and the importance of adapting to new defensive measures.
But that's just a tease for what's going to happen THIS Friday, November 22nd, 2024, when our Super Cyber Friday discussion, "Hacking E-Crime Trends," takes place at 1 PM ET/10 AM PT. Joining David and Jason for this conversation will be Howard Holton, CTO, GigaOm.
REGISTER HERE for the November 22nd, 2024, Super Cyber Friday
Thanks to our Super Cyber Friday sponsor, GuidePoint Security
Boston Cyber Fans! Join us for our CISO Series Meetup in Boston
David Spark will be in Boston, specifically Cambridge, for a meetup of fans of CISO Series next Monday, November 25th, 2024. Please join us after work to connect with your fellow Bostonian cyberpeeps. Huge thanks to our sponsor Entro Security, who will be hosting the event.
The Argument For More Cybersecurity Startups
"My point is this. If cybersecurity is indeed everybody's problem, then having 4,000 to 5,000 startups is probably not as many. In fact, I would argue that we do need cybersecurity companies. We need more cybersecurity companies. First of all, we need to have a way to innovate as fast as the adversaries do, right?" - Ross Haleliuk, author, Venture in Security
Listen to the full episode of "The Argument For More Cybersecurity Startups."
Subscribe to our newsletters on LinkedIn!
We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jimmy Benoit, vp, cybersecurity, PBS. Thanks, ThreatLocker.
Thanks to our Cyber Security Headlines sponsor, ThreatLocker
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.
Award-winning tech, cybersecurity & digital lifestyle journalist |Content writer | Content strategy | Thought leadership writer & trainer | Speech writer
1 week - Thanks for including my risk tolerance article in your round-up.
Information/Cybersecurity Professional | Risk and Compliance | Trusted Advisor | Results-Driven leader | Advocate for a diverse cyber workforce
1 week - Thank you so much for addressing a topic I often talk about. Most security jobs don't require a tech degree but do require the right mindset that can be gained from so many other degrees or non-degree learning experiences. I hope we continue to have this conversation within the industry and start to see this change.
Vice President | CISO | MBA | CISSP | Veteran
1 week - I had a blast, thanks again for hosting me on the podcast. Looking forward to the next one.