Redefining CyberSecurity

Hiring for the Present Is Hurting the Future of Cybersecurity: Why “Entry-Level” Rarely Means Entry | A Conversation with John Salomon | Redefining CyberSecurity with Sean Martin

Episode Summary

Is the cybersecurity talent gap a myth—or just a result of outdated hiring practices? In this episode, we explore why mentorship, business alignment, and bold leadership are essential to building a resilient pipeline.

Episode Notes

GUEST

John Salomon, Board Member, Cybersecurity Advisors Network (CyAN) | On LinkedIn: https://www.linkedin.com/in/johnsalomon/

HOST

Host: Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

EPISODE NOTES

The cybersecurity industry keeps repeating a familiar line: there’s a shortage of talent. But what if the real issue isn’t the number of people—but the lack of access, mentorship, and investment in human potential?

In this episode of Redefining CyberSecurity, Sean Martin speaks with John Salomon, an independent cybersecurity consultant and a contributor to the Cybersecurity Advisors Network (CyAN), about how the hiring structure in our industry may be the problem—not the solution. Together, they explore why entry-level roles rarely provide an actual point of entry, and how hiring practices have been shaped more by finance and compliance than by people development.

Salomon draws on decades of experience to outline the problem: security is often treated as a pure cost center, so training and mentorship are deprioritized. Early-career professionals are expected to be “job-ready” from day one, and organizations rarely account for the long-term payoff of investing in apprenticeships or junior hires.

He also points to the silent collapse of informal mentorship that once defined the field. Leaders used to take risks on new talent. Now, hiring decisions are driven by headcount limitations and performance metrics that leave no room for experimentation or learning through failure.

The conversation shifts toward action. Business and security leaders need to reframe cybersecurity as a growth enabler and start viewing mentorship as a risk mitigation tool. Investing in new talent not only strengthens your team—it supports the stability of the industry as a whole.

And it’s not just on companies. Universities and student organizations must create more opportunities for experiential learning and interdisciplinary collaboration. Leaders can support these efforts with time, not just budget, by showing up and sharing what they’ve learned.

Whether you’re a CISO, founder, or just getting started, this episode challenges the idea that “mentorship is nice to have” and shows how it’s a cornerstone of sustainable cybersecurity.

SPONSORS

LevelBlue: https://itspm.ag/attcybersecurity-3jdk3

ThreatLocker: https://itspm.ag/threatlocker-r974

RESOURCES

Inspiring Post: https://www.linkedin.com/posts/activity-7332679935557300224-1lBv/

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Interested in sponsoring this show with a podcast ad placement? Learn more:

👉 https://itspm.ag/podadplc

Episode Transcription

 

[00:00:00] Sean Martin: And hello everybody. You're very welcome to a new episode of Redefining CyberSecurity here on ITSPmagazine. I'm Sean Martin, your host, where I get to, uh, chat with some cool people about some cool things, all, all in the context of helping, uh, organizations and their leadership team, uh, build, build the business in a way that's secure and, uh, not just protects the revenue but actually perhaps even helps grow revenue. 
 

And, uh, and it's not often a, a common thing to think about when we're talking about cybersecurity. Um, so we look at everything from, uh, the, the teams, the programs, the operations, and of course there's technology, uh, rooting in all of that as well. And all those things come together to hopefully build a program that, uh, that, uh, is successful for the organization. 
 

I'm thrilled to have, uh, John Salomon on today. John, how are you? 
 

[00:00:53] John Salomon: Very well, very hotter than the hinges of hell right now. But aside from that, aside from that, Mrs. Lincoln, how is the.[00:01:00]  
 

[00:01:00] Sean Martin: Exactly the, uh, the, the, the weather's been warm. I think it's around the globe. Uh, record heats in many places. Uh, I'm in Manhattan at the moment. We had, we set some records last week here, uh, uh, in the city. And I know, um, my business partner Marco, is in Florence and in, uh. He's been saying it's pretty hot there too. 
 

I think 35 3 6, uh, Celsius today. Not the 42 that you're experiencing, but, uh, hopefully you're inside safe and, uh, and cool at the moment. Looks 
 

[00:01:31] John Salomon: I am, I'm inside. We're the only working air conditioner in the building except for the wine cellar. So, you know, greeting greetings from north west, north, uh, northeastern Spain where we are getting hit by the same heat hammer as, uh, the rest of Europe. 
 

[00:01:44] Sean Martin: Well, uh, yeah, hopefully you stay cool and, uh, I'm excited to to chat with you today. We didn't get to meet in person in, uh, in Spain when I was there for the OWASP event, but we did catch up for a few minutes that day and, and, uh, we, we decided to have, [00:02:00] have at least one chat, perhaps many. Uh, I know there are a lot of topics that, uh, that you can speak to and, and, uh, I'm excited to get into some of 'em. 
 

I think today we're gonna look at, uh, the. The, the, the talent pipeline and, uh, mentorship and all of that good stuff. So, should be, should be fun. 
 

[00:02:17] John Salomon: That's a topic that's, that's very near and dear to me. So, so I really appreciate the opportunity. And by the way, just as a quick side note, I, I, I do it. Appreciate that you mentioned, uh, not only, uh, securing the revenue, but growing the revenue. It's on one of my favorite slides on why do we do information security. 
 

You know, I usually have the, it makes us more money sometime way far in the future as people are still giving data to Facebook voluntarily. So I am hoping that, you know, your words are prophetic and I appreciate you mentioning that. 
 

[00:02:45] Sean Martin: Yeah, it's, it's. The dream I have and, uh, hopefully we arrive there, uh, mainstream, uh, might, might be hidden under the covers at this point, but, uh, I, I do hope we get there. And, uh, yeah. So John, let, [00:03:00] just so folks know who, who you are and what you're up to, and I know you have, uh, the non-profit that you're working with as well, but maybe take a moment to give us some, some background on the things you're, you've been working on, maybe your path into. 
 

Cybersecurity and then, uh, then we'll get into the whole talent thing. 
 

[00:03:18] John Salomon: So, yeah, thanks very much for having me. I appreciate it. Um, so my name is John Salomon. I'm originally from Switzerland. Um, so half Swiss, half American by, by origin. I live in Spain. I've been doing information security work in various forms since the late nineties. Um, I kind of accidentally tripped and fell into the industry back in the days when you could get a job in IT by being able to spell it more or less. 
 

So it was a, you know, serendipitous mixture of, of luck, a little bit of hard work and a lot of very kind people, which will tie into what I hope will we'll talk about a bit today in terms of, you know, mentoring and talent development. Um, I'm an independent consultant. I come originally from, uh, network security. 
 

I've done a lot of work in [00:04:00] strategy, architecture, uh, GRC, um, spent quite a bit of time in cyber threat intel and also public private cyber defense. I primarily consult with cybersecurity startups because they're lovely to work with. They tend to listen more than big companies, so they're, you know, it's, it's, it's a pleasure working with agile organizations and, and, and, um, it, it also kind of ties into this discussion because, you know, many of the founders and, uh, and, uh, entrepreneurs I encounter are younger career entrants, career transitioners, and it's really nice being able to give a little bit back to the, to the industry. 
 

Giving, giving back to the, the, the creation of, of new things. It's, it's, it's, it's a pleasure to see. Um, I, you mentioned CyAN. I do a lot of pro bono work for, uh, professional network I'm, I'm very, uh, enthusiastic about, called the Cybersecurity Advisors Network or CyAN. 
 

Um, we are a group of international information security professionals working in cybersecurity, trust and [00:05:00] safety, resilience, you know, across areas like law, technology, management, politics, what have you. Uh, and it's about a 50 50 mix of, of professional mutual support and, uh, public service. 
 

So, you know, we try to support the, the maturity and development of information security, resilience, liberal democracy. Free markets and trade online, uh, and basically helping to secure the digital ecosystem that we live in today. So it's, it's, it's also kind of a way to give back a bit. Uh, I think the reason why we got started talking about this topic was, um, I've in, in, I've worked for several, not-for-profits in the information security space over the past few years, and one red thread that has been present throughout all of this has been that of mentorship. 
 

And it's a topic that's always, let's just say not, not mentorship so much, but, but talent developments, helping new people, not not just young people, but just basically people who are entering or who want to enter the information security fields. [00:06:00] Um, helping them understand what questions to ask, uh, how to network, how to write their cvs, what to learn. 
 

And it's always been a topic that's frustrated me a little bit. So I've always tried to, to find ways of, of, you know, after all these many, many years of experience and a lot of nice people being very generous to me and helping me develop, trying to give back a bit and, and, and help not only industry, but also the individuals who might otherwise be a little bit afloat. 
 

And, and CyAN has been a, a very good, uh, channel, um, and, you know, very good means for, for, for converting that, that, you know, goodwill into action. 
 

[00:06:37] Sean Martin: I love it. Great, great background and, uh, yeah, I love that you're, you're giving back through, through CyAN as well and uh, of course we'll include a link to that so folks can learn more, more about what you're doing there. Um, so un not unlike you, I think. Um. I think we, we both work hard. I think we have, we have, uh, I think we come from a [00:07:00] generation where hard work is, is kind of grounded in us. 
 

Um, but I also think, to your point on entering this field, uh, it was kind of, it was new, right? Uh, when we started, and to your point, we kind of were drug in to, to cybersecurity information 
 

[00:07:20] John Salomon: With, with me it was, I was a, I was a Unix systems administrator and somebody literally dropped the, uh, Cheswick and Bellovin Firewalls and Internet Security book on my desk and said, read up. We're seeing the client in 30 minutes. You're the security expert. 
 

[00:07:32] Sean Martin: there you go. I was a CNE managing Novell Networks, and, uh, eventually I was asked to help test, uh, from a security perspective, Novell and a lens, uh, to make sure they weren't vulnerable 
 

[00:07:46] John Salomon: Now, now we just make, I was, I was doing AIX admin, so now we're making each other feel old. 
 

[00:07:51] Sean Martin: I dunno. Exactly. Exactly. Um, it's a very different world today. Uh, we, I think, I don't know if we had numbers [00:08:00] back, uh, back in the day for how many people we needed and how many short we were. Um, but, but the point of we don't have enough people still exist. I, I don't know what that number is off the top of my head. 
 

How many tens of thousands perhaps? Um. Yet, I still hear that it's hard to, hard to find a job, hard to land a job. Um, experiences needed, certs are required. It becomes costly, it becomes timely, uh, in terms of, of preparing to enter the field. And then even still, I hear that, that, uh, many, many opportunities are not. 
 

Granted newcomers. Um, so maybe your perspective on, on that and, and perhaps some insight if you have any on where, where we might need to take things because of that. 
 

[00:08:54] John Salomon: Uh, I don't know about insight. Definitely opinions. I'll do my 
 

[00:08:56] Sean Martin: Alright. There you go. 
 

[00:08:57] John Salomon: Um, and I have a few views on this [00:09:00] that'll probably. Be fairly controversial and annoy several of your viewers and listeners, but, you know, just, just yell, yell at me, not Sean. Um, I love a good debate. Uh, for me, I think when I got started was I think in 97, 98 or so. 
 

And, and it was really a question of I walked into a startup, uh, an internet service provider in Switzerland back in I think 96. And the guy said, drop outta college, come work for me and need somebody who knows how to basically how to internet. It was literally that, and I didn't want to, you know, finish before my degree, but, um. 
 

There was really in, in the large bank environments where I mainly got my start, there was this idea of, let's, let's hire smart people, pay them very good money, let them do their thing, just trust them. And I really sensed that a, a, a sea change came around Y2K. Uh, for, for the younguns, that was a, a, a, a big thing. 
 

Look it up. Um, and I really, I got a, and this is again, just just my subjective, uh, opinion. I, I, I got a feeling that I got a vibe [00:10:00] that a lot of managers, especially from the finance and leadership fields who didn't really understand technology, had previously been very happy to let, let people just do their thing and develop. 
 

And the mentoring and talent development were kind of ingrained, right? You know, you'd bring new people in, you bring your friends in, you teach 'em, and that's how you learned. And there was a nervousness around this because, you know, there was Y2K and people thought there should be more structure, more reporting, more quantitative factors around getting all these IT costs under control. 
 

There was a lot of taking the mickey in terms of, in terms of, you know, contractors charging huge sums, providers charging huge sums. So I kind of understand where the finance guys are coming from. I, I, later on made the mistake of, you know, doing an MBA and, uh, seeing it from the, the, the more finance driven side. 
 

Um, and so there became, there, there came this, I think this much more, this desire to have a much more, uh, understandable, quantifiable, PowerPoint friendly approach to, to what your people are costing you. Uh, [00:11:00] at the same time, this resulted in a, I think, a formalization of expectations and also of how do people get into the industry. 
 

When you and I started, it was a fairly freewheeling time and that that decreased tremendously. I, I am glad I'm not entering this field today. You know, despite the huge opportunities, fascinating technologies and, and very, very smart people, you coming outta schools or apprenticeships. Um, but. I found I, I like this kind of anarchic, um, again, freewheeling approach that, that, you know, where, where I got my start and it was very heavily dependent also on people just tolerating you, screwing up occasionally and teaching you things and taking the time to talk to you and you know, things that you can't quantify. 
 

And nowadays what I've noticed is there is a much stronger involvement of, on the one side, the finance, on the other side, the hr, and on the third side, the, the, the, the [00:12:00] compliance and risk management people. So there's a lot of pressure, whether it's cost pressure or regulatory pressure. Things have to work. 
 

They have to, they have to happen as, as inexpensively as possible, and that makes it very, very difficult to get started. And I think the thing that we, we got talking about, uh, was a LinkedIn post I did, um, about an article I found, which is basically ranting about the concept of entry level jobs. Right. 
 

And I think the phrase that I, I reused, it's not my own, is entry level, mean entry level. And, uh, I, I, you know, I I, I, I don't wanna talk too long right now, but I, I, I, what really got me started on this was when I was in the senior IT leadership team of a very large international bank and that had a fabulous IT apprenticeship program. 
 

You and I both know, a good security person takes a very, very long time to develop. Right. It's a multidisciplinary involved, uh, affair that requires a tremendous amount of work, a tremendous amount of [00:13:00] enthusiasm and curiosity and attitude, but also a willingness by employers to to, to help develop the individual. 
 

And this program was structured to do just that. Drive people across different areas of the organization, different technological fields. And I said, this is great. You know, I have all these teams I'm running, let me bring some of these kids. They're kids, right? They're 18, 17 year olds. Let me bring some of these kids in, right? 
 

These little snots are me 15 years ago. Perfect. I can help give back. And the response was, that's great and all, John. Um, each of these people count against your headcount. Let that sink in for a second. Right. For the non, for the non-management, uh, exposed, um, uh, lucky ones among you, if you're in a leadership position and generally in a corporate environment, you have certain amount of headcount, you have a number of people that you can hire, you have objectives to comply with, to meet, are you gonna hire an expert who's experienced, who's gonna be able to [00:14:00] help you meet those experts? 
 

You know, get your bonus, not get fired, or are you gonna risk it and get a, get a, get an apprentice in for a couple of months? Who, who will probably move on afterwards? That kind of brings it down to, to, to where we are and, and really over the next couple years, I, I, I started, you know, trying to figure out how we can address this situation because I, I started seeing, you know, also talking to, to, to, to Jeff, feel old now. 
 

Children are friends of mine who are entering the field and, and, and understanding from them just how difficult it is just to kind of get a, a, a claw hold into getting started in security. 
 

[00:14:34] Sean Martin: Yep. And I think, uh, so many thoughts in my head now at this point, but, um, yeah, the, the com I'll say the simplicity then. The complexity now, um, where do you start that, that question was asked a few years ago. Um, you might say networks and endpoints. Then you add in, you add in cloud and mobile and, and of course there are AI and, and [00:15:00] applications and APIs and you know, I can go on and on and on. 
 

Just all the different things we have to look at. And there are regulations that have, uh, sprouted and, and grown and, and intensified and, and frameworks that are designed to be helpful, but also add complexity and a, a level of, of knowledge that's required to actually know what you're doing. Um. Policies and reporting, uh, from an SEC perspective, all, all this stuff just makes it 
 

[00:15:28] John Salomon: Yeah, I, it's, it's amazing because it's not only technology, it's, you have to have an understanding of the context. It's, you know, even psychology, economics, right? How does a business function, understanding business, P&L. So you can, you can grok the concept of budgeting for a project, even if you're a security tech who just, who who'd be happiest sitting in a corner, just coding all day. 
 

[00:15:51] Sean Martin: Yeah. So a lot of, a lot of my listeners are security leaders, uh, CISOs, uh, some business leaders as well. So I wanna [00:16:00] speak to them a bit here. 'cause it in, in the notes that you put together, it was part of the list of things we could talk about. We selected talent for today. You, you talked about risk in the, in the pipeline, and I'm just, I'm thinking over time, maybe a bit ironically, have, have we turned risk management from a cybersecurity perspective? 
 

To a binary where we, we don't allow for your to report earlier. We don't allow for failure so the business can fail and security has to have policies and backups for backup options for, uh, to mitigate the risk when, when failure happens, then business to recover and respond and all that stuff. But we don't allow much for failure in our own programs. 
 

Is that, is that a fair assessment? 
 

[00:16:52] John Salomon: You know the trope right about security, which is basically if it breaks, what are we paying you for? [00:17:00] And if nothing happens, what are we paying you for? 
 

[00:17:03] Sean Martin: Right. 
 

[00:17:03] John Salomon: Right? So there is definitely that pressure and part of that is why I, I, little, little digression here. I am a huge fan of very, very oppressive, onerous security regulation. 
 

The, the CISOs may not like this, but I, I believe, you know, have something. You know, going back to this point about making money, we don't make money. We cost money. And one of my employees once taught me the concept of a technology debt, which is something that most companies have incurred over the years, over the decades by underspending on security because we'll see what we can get away with. 
 

We accept the risk and what regulation has increasingly done, it has taken that competency away. From managers, from leaders, you can no longer decide whether or not you want to accept that risk. You, you have to make sure you put these controls in place. Now, whether these regulations actually are, are strong enough and enforceable enough and or people still just say, look, we'll see if we can get away with it. 
 

Maybe we'll take the, we'll, we'll eat the fine. [00:18:00] We'll see if you know, NIS2, DORA in Europe and similar regulations are as, as, as harsh as the GDPR fines have been levied against some American tech companies will be, but it's encouraging to see that, uh, there's no longer at a, at a regulatory level, a tolerance of of, of, of mediocrity. 
 

In terms of spending and you have to spend, right? So companies are under cross pressure. It's completely understandable. You know, shareholders are screaming down the backs of CEOs, who are screaming down the backs of the CSO, et cetera. Um, but this is not optional any more than you, you, you cannot, you know, dump radioactive waste into a lake. 
 

You, you, you, you have a, you have a responsibility to society as a, as a, as a whole, especially as a part of critical national infrastructure to bring it back to mentorship and talent development and risk. Um, it's not just risk to your organization. If you are not investing in talent, it's risk to the entire industry and by extension to society as a whole that you operate in. 
 

Right. You are allowed as a company to operate in [00:19:00] society, um, by not only your own, you know, success metrics and hard work, but also by the goodwill and infrastructure provided that provided that society. And as, as a result, society expects you to invest in ways of keeping yourself and by extension its safe. 
 

That was my philosophical political rant for the day. What this means though, for us is that, that, you know, if we don't invest enough in creating a, a strong and sustainable pipeline of talented people, we hurt ourselves by hurting the industry. And this kind of goes into the whole, you know, I, I, my, my, my analogy is the tragedy of the commons. 
 

Right. Where, where, you know, I, I will try of course to seek as much rent. I will try to benefit as much from, from, from, from common investment without investing back. But ultimately that doesn't work. Right? And every company's gonna wanna save money. So they're gonna wanna invest as little as possible in developing people, you [00:20:00] know, just on a financial level. 
 

But that then means that the industry as a whole doesn't have enough good people. And to your point, you know. It's a, it's, I, I, this is a really, really contentious point, and this will get me a lot of hate, right? But I keep saying this, and I maintain this. We don't have a talent gap. We have a salary gap, 
 

[00:20:19] Sean Martin: Hm. 
 

[00:20:20] John Salomon: you know, even, even with, with cybersecurity, salaries being perceived as exorbitant. Honestly, if you're not getting enough people, sorry, you're not paying 'em enough. And the same goes for the kids, you know? I mean, I see some, some, I live in Spain. Spain's not a high, a high salary country. And I see what some companies try to pay, um, you know, even entry level people. And it's, it's, frankly, it's not enough to afford apartments on. 
 

Right. So how do you expect to get, you know, people interested in the industry and investing all this time and effort? If, if you're not, not only not investing the, the, the, the effort into training them up into, into giving them the knowledge and the networking and the contextual [00:21:00] information they need to succeed, but you're just simply not paying them enough. 
 

[00:21:04] Sean Martin: And that comes back to being perceived purely as a cost center, right? So if, if you have to pay them more and you need more people, uh, that starts to add up. And I'm wondering again, let's speak to security and business leaders here. Is there a way to rethink, redefine how we. Uh, define the roles and define the outcomes that those roles are connected to, uh, so that it's not just a cost center and, and, and it perhaps could be a way to connect more to the business, connect more to the revenue, connect more to market share and growth. 
 

Um, I don't know, are we, I mean, we, when we get to the CSO level, we often hear the CSO doesn't, doesn't speak. The business language and therefore has a hard time connecting the risk part of it to the [00:22:00] rest of the business. Does that start earlier? I don't know. All, all those things. What are your thoughts? 
 

[00:22:04] John Salomon: I'll disagree somewhat, or at least I'll, I'll put it this way, if the CSO doesn't speak the business language, that's not excusable anymore because the CSO has not been a technology function for a long time. It is a business function, like it or not. Right. So the one of the reasons I didn't wanna be, you know, I used to wanna be a CSO and then I met a bunch of them. 
 

Sorry. No, and I, I, I, I just. 
 

[00:22:26] Sean Martin: on on a few calls and you might change your mind 
 

[00:22:28] John Salomon: Very, very, no, it's just a very, very, you know, it's a thankless task, right? It's not because they're not good people. Um, I just, you know, they have bigger, I have big bags under my eyes. They have bigger bags under their eyes, and that's not a good sign. But you have to understand the business context. 
 

But at the same time, you know, I really don't want to give a glib answer to this. And it's very, I think, easy to fall into the trap of saying, well, I have a simple solution. Um, however, I think. Ironically, even though I'm somebody who [00:23:00] is a huge fan of regulatory mandates, the increasing influence of, on the one hand, the accountants on the other hand, the regulators, or at least the interpretation of the regulators, has caused a, a strictness to descend on, on large parts of the cybersecurity industry that that need to be there. 
 

I think. To develop talent. First of all, I, I worked for a guy once, um, and, and I'm not gonna name him, but you know, he, he had a phrase that he used, which was, you want passion? Go to a whorehouse. And that kind of stuck with me because I'm somebody who was, I hate the word passion, but I'm very passionate about this field. 
 

I don't think you can succeed in security without having a childlike enthusiasm like you would for, for Lego. You know, you see my background, I'm a child. Um, but. I think one of the, the important things is to understand for leaders, and this is talking [00:24:00] squarely to your, your, your audience who are in leadership positions to understand the need to foster that fascination, that curiosity that you get with entrepreneurs these days that that childlike. 
 

Desire to play with things and break things and to give people the space to break things. You, you, you, you made a very trenchant point before, which was, you know, um, have we become too intolerant to failure? Right? There is the tech bro, you know, fail fast, which as we've seen, doesn't really work. It's not good, but you have to let people fail sometimes. 
 

And, and I think a, a really good aspect, especially as a senior person, quite simply, is. I don't have children, right? But all my friends who have kids, they, they say, read to your children. I think the read to your children thing applies to your employees as well, to your younger people. Read to your apprentices, talk to them. 
 

You know, there's this sense of awe sometimes if you're a 22-year-old coming into a new company and the [00:25:00] head of whatever comes and sits down next to you and, and it takes an interest in what you were doing, that means a lot. You know, I remember the, the general manager of one of my first employers, you know, when I had a massive crisis in one of my systems crashing all over the place. 
 

And I was there chain smoking at my desk at two in the morning and he'd been working late and I just realized after about 20 minutes he'd been just staring fascinatingly over my shoulder. That meant so much to me. You know, just that interest, taking an interest in what the person is doing, not just breezing through the office. 
 

Um, I think that's, that's a really good start. One other thing I wanna mention is, is I think, and this is perfectly natural, I have a, a, a, a, an idea that I, I I I use very often, which is that one of the problems in security is that nobody will ever thank you for doing the right thing on principle, right? If it's not in your goals and objectives, 
 

[00:25:52] Sean Martin: Oh. 
 

[00:25:53] John Salomon: if you know this ought to be done. It's, you're not necessarily gonna be, do it, be doing it because, you know, there are such [00:26:00] stringent, uh, requirements. Again, your bonus, your, your, your salary, your, your continued employment. Um, but where I saw this most, most, I think tragically demonstrated was when I lived in Australia. The state of Victoria has some world-class technology universities. 
 

And the organization I was working for at the time had a phenomenal scholarship and mentorship program, um, called Building Cybersecurity Diversity, getting Women Into Cybersecurity, an underrepresented group. Right. And I, I, I don't look at this from a DEI perspective, even though I think it's a good thing. 
 

I look at it from, you know, uh, from the perspective of, of exploiting available talent pools, get more good people in, regardless of who they are. And I went, I must have gone to seven or eight of the top name universities around Melbourne and said, look, I have this scholarship program, but I'm also an experienced security executive. 
 

I have lots of stuff to share. Let me at least [00:27:00] share my experience with these kids who are not yet graduated. Of the two of the seven who even bothered to get back to me, um, they basically said, oh, okay, we'll sponsor a cocktail evening and we'll bring you our recent graduates and then you can interview them for the jobs that you have to offer. 
 

And I'm thinking. We can't place all the blame on the companies here because on the one hand, the government governments, in the other hand, the universities are doing an actually terrible job of this kind of soft introduction of the the youth who should be gaining this enthusiasm for a field that is objectively fascinating. 
 

Multifaceted and developing and endless, right? Cybersecurity is amazing. The stuff that happens, it's, it's so cool. And they're not doing that because they're really just okay. Training, job, hiring results, boom. And whether you're, whether you're a leader, whether you're a university placement person, whether you're a government agency that ought to be getting these guys around a table together, [00:28:00] I would really. 
 

And, you know, this is the idealist in me speaking. I would love to see them focus more on these, these soft aspects, the personal aspects that, that, you know, it's not just all about learning topics and end results. 
 

[00:28:16] Sean Martin: And we just, uh, funny enough, we just, uh, recorded a podcast on, uh, entry level pen testing and, uh. This organization putting together a program to, to bring folks into the field. And part of it clearly is the, the pen test itself. Uh, but, but, uh, these two co-founders talked about, um, uh, the need to actually communicate with. 
 

Leadership team and with the development team and, and to, to your point on the soft skills, it, it's not just understanding the tech or understanding the environment, uh, but it's fitting in. And I go back to, to the business as well, understanding, and it kind of ties to your other point of [00:29:00] you're not rewarded for taking initiative. 
 

Right. But if you have a clear view of, of the business and you know that an action will support the business or protect the business, um, and you have a way to communicate that, and the, and the rest of the organization is ready to listen to you and you've been trained from high school up through college or whatever, uh, on what that looks like and sounds like. 
 

Then I think we're in a better shape, but I think there are, to your point, too many missing, missing pieces in that puzzle. 
 

[00:29:36] John Salomon: I am. I'm glad you. 
 

[00:29:36] Sean Martin: too, too siloed, perhaps. I don't know. 
 

[00:29:38] John Salomon: Sorry, I'm, I'm glad you mentioned pen testing specifically, because I think, I think you have to be a little nuts to be a red, a good red team or a pen tester or vulnerability researcher. I, I have nothing but, but mad respect to the people that, that are good at this. You know, who you find bugs. 
 

I had, I inherited in, in one of my roles, a a, a world quality pen test team. I would've had no [00:30:00] chance of assembling on my own. Um, thank you. Thank you, Bryce. Thank you. My predecessor. Well done. Um, and I, I offered him a bottle of scotch for whoever found the coolest bug, the best vulnerability, and I mean, I just, I, the glee, the sheer unadulterated childlike glee that they took in, check out what I found. 
 

That was cool. You know, I mean, it's, it's, it's for, for me, it's those kinds of interactions that, that, you know. Also when I was on the receiving end of things like that, I, I'm ter, I'm a, I'm, I'm a terrible manager. That's the reason I'm a consultant. I'm horrible at leading people. Right. I can't do it. Um, but when I was on the receiving end of somebody, obviously showing an interest and appreciation of what I was doing, even when I didn't have what I was up against. 
 

Right. Thank you. I'm so glad Google, Google came about around when I was starting my, my career. Um, but uh. That was, that was a major factor. And again, these, these kind of soft, you [00:31:00] know, this, this, this, this soft touch, this, this willingness to talk to people, to encourage them to, to, to mentor them, um, is, you know, it doesn't have to be a, we, I mean, CyAN and several other organizations have, have mentorship programs. 
 

Big shout out to, you know, Women4Cyber with their massive program in Europe and there's a couple of others. Um, it doesn't have to be a program though. It just, if, if you're a leader. Whatever level of hierarchy you're at, you know, taking the time to take risks on people, even when they're not yet in the field, going out and talking to them and helping them understand, you know, things like why do you care about risk? 
 

Right? One of my favorite presentations I give is, is this is the most important presentation you'll ever hear and the most boring one when talking to techies, right? Because this is why you and I get paid. So if you understand risk and compliance and stuff like that, you'll understand what motivates the CFO talking language like that and interacting with people and giving them a chance. 
 

And if [00:32:00] you're the CFO or the CIO, not being too strict about budgeting for headcount, for people who are entering the career, I think these are the easiest, in quotes, ways to, to get more talent motivated and not, you know, fear this jungle of certifications that you mentioned before. 
 

[00:32:20] Sean Martin: Right. And one of the things crossing my mind now, we'll, we'll wrap here in a second, but the, um, the, the idea that universities are kind of missing, missing an opportunity to feed organizations. And I'm wondering, so you went to seven or eight who came back and said, this is the limited, uh, opportunity or. 
 

Here's our limited response to what we really could do. 
 

[00:32:47] John Salomon: And it wasn't, it wasn't just the administrator. It was, it was also, you know, some of the student groups. 
 

[00:32:51] Sean Martin: Yeah. So I, I guess I'm wondering, is there, well, I'll put it back on the organizations, um, but is, is there a way, [00:33:00] uh, businesses and their leadership team can do something different to perhaps invest in the university? 
 

[00:33:08] John Salomon: Uh, absolutely. 
 

[00:33:09] Sean Martin: Yeah. What, what, what, what does that look like, 
 

[00:33:12] John Salomon: So I, some, some, somehow, somehow slid into, into, into Berkeley, and I credit, not the university per se, but a group there, there called the Computer Science Undergraduate Association with, with getting me started. Uh, this was a group dedicated to getting a social life for geeks. 
 

And it was kind of a product of its time, which included having, you know, the, the on-campus labs where you would go do all-nighters and, you know, people didn't have PCs in their dorms yet. Um, but it would, you know, let us screw around with servers that, you know for, uh, Sequent, I dunno if you remember that company. 
 

They donated a bunch of servers. Uh, we had a Sequent Symmetry, which we, which we eventually put down with a baseball bat. Um, we broke the bat. They [00:34:00] used to build computers different in those days. Um, but also we had, you know, Hewlett Packard and other companies that were donating not huge amounts, but reasonable amounts of money and equipment and time and, and creating also pipelines for recent graduates to talk to, to, to members of the CSUA who would have their, you know, internal proto Cro-Magnon social network, um, uh, predecessors. 
 

Um. Creating a pipeline for jobs, again, for mentorships, uh, you know, for showing people what this stuff even is in the first place. My Unix experience, my, my internet experience came from, you know, hanging out with a friend and we wanted to go drinking, but he had some coding homework to do. So he put me in front of a diskless Sun 3/50 workstation playing net and said, don't bother me. 
 

Go play for a while and blow things up. And then it crashed, right? What do I do now? And that's what got me started. And, and, and having, if you as a company, and I know some companies do this, I, [00:35:00] I can't put, I can't name any because, but I've, I've, I've, you know, off the top of my head, but I've seen some do this. 
 

If you are sponsoring environments where people in universities can get together and screw around and learn from each other. As opposed to just having to focus on their, their classroom deliverables and their diploma. You are doing one of the most important things, in my opinion, to develop the next generation of talent that will then come into this industry and, and support us in our, in our dotage when we're old and tired. 
 

So please, you know, don't only go to recruiting fairs, but, but actually consider and, and we're not talking huge amounts of money. If you're talking to a student group that's got a couple of PCs, if you ki if you kick 'em 5, 5, 10 grand outta your marketing budget. They can buy a bunch of kit, you know, and even if it's them buying, you know, having a hotdog barbecue and getting the, the computer science people together with some liberal arts people, you may end up with some really enthusiastic liberal arts people like myself, entering the industry just because it's something they wouldn't have had access to otherwise.[00:36:00]  
 

And you have created through that very minuscule investment, a, a multiplying effect. Way beyond what you could do with a structured, you know, coding bootcamp or not to denigrate those, right. Or capture the flag exercise or something like that. But again, I, I, I keep coming back to this, these soft interactions I think are one of the most valuable things that you can possibly do just because you were opening the door to people to use their own, uh, the curiosity and dynamism and an initiative to start learning more about this and seek people out. 
 

[00:36:35] Sean Martin: Yeah, I love it. O off the top of my head, I'm thinking back to, uh, one of my early managers who's a history major and uh, I was, 
 

[00:36:44] John Salomon: relations. You know, 
 

[00:36:44] Sean Martin: there you go. And my business partner Marco, he is a political science, uh, doctorate. And then, yeah, I 
 

[00:36:51] John Salomon: I, I still, I still co, I still couldn't code my way out of a wet paper bag, you know, but. 
 

[00:36:56] Sean Martin: Exactly, but you can help teams do it or help [00:37:00] organizations, uh, deploy, deploy that stuff better. Um, yeah, I think we, we can talk about this for ages. I want to, um, I wanna wrap here and, and 
 

[00:37:10] John Salomon: Can, can, can I, can I, can I throw one more thing in? 
 

[00:37:13] Sean Martin: of course. 
 

[00:37:14] John Salomon: And I, I did, I did say, don't worry too much about the structured mentorship programs. I do wanna encourage leaders of all stripes to participate in those kinds of programs. Now, you know, blatant plug, CyAN, you know, come join us. We're a good, good bunch of people. 
 

We have one, there are many others. Uh, if you have the opportunity to engage in a mentorship program, you'll have, you'll, you'll get kids sometimes, or, or just career switchers, right? Who turn out to be wet squibs, right? Not everybody is as curious, as sociable, as, as enthusiastic. It is what it is, right? 
 

But at the same time, it's very possible that you will get somebody who will just knock it out of the park. I, I [00:38:00] remember, you know, one of, one of the women who was in, in, in one of my previous clients, uh, mentorship program, um. She ended up doing her PhD and postdoc and she's now at one of the NATO cybersecurity think tanks in Eastern Europe. 
 

And I, I absolutely incredible person. Right? And for me it was just such a. You know, and I basically forced, um, the program to, to have a session at one of our conferences in London where, where these, these candidates would get up on stage and talk about their work, talk about their research, because you know, if you're student, you don't know how to present, right? 
 

So if you force 'em, sometimes you give 'em a good opportunity to kind of get a feel for people might actually be interested in what I'm, what I'm doing. There were some amazing presentations and he's such, such bright, enthusiastic, brilliant minds and seeing this person at, at a massive cybersecurity exercise, you know, a couple years down the road, it was just like, it was this, this chilling moment almost. 
 

This is cool because this [00:39:00] is. It's not because of me or because of us, but just having maybe contributed just a tiny bit to this person's professional developments. Um, what a, what a cool feeling. You know, what a, what a great reward. So if you can, if you can mentor people, if you can talk to them, if you can show them how to ask questions, what fields and opportunities there are, do it, please. 
 

It's a good opportunity. It'll help your business, it'll help the industry. It'll make you feel better too. 
 

[00:39:25] Sean Martin: Yeah. Uh, I love that and I'm, I'm glad glad you took that moment. It reminds me, um, I was up in, uh, Toronto for SecTor, which is a, a Black Hat event. And, uh, in, in, in the middle of, of the, the expo hall was a. Basically a stage, a mini stage where people can come and share share stories. And some of the main presenters, there were, um, members of, I believe it's called this Canadian Cybersecurity Network, that that does the same thing. 
 

It's basically organizations and universities coming [00:40:00] together to support new, new folks coming into the, into the industry. And, um, there was a, a lady there who was a nurse who then moved into the SOC. And she was a SOC analyst after being a nurse for, for many, many years. And I actually had her know on the show. 
 

And, uh, I'll link to that podcast. It's pretty cool. But to your point, the, the mentorship, the, the more you give in, the more you'll get back out of it. And the more different organizations come together across cross sectors. Yeah, 
 

[00:40:30] John Salomon: and it'll get us access to the, the psychologists, the mathematicians, the economists that we otherwise, the, the international relations idiots whom, whom we otherwise wouldn't have access to. 
 

[00:40:40] Sean Martin: Yep. Absolutely. Well, John, pleasure chatting with you. I'm so glad we got to meet and, uh, and thrilled we had this chat. Uh, I hope we have many more. 
 

[00:40:50] John Salomon: I hope so. Thank, thank you 
 

[00:40:52] Sean Martin: there are other topics we can, uh, we can, uh, rile up from some folks around. 
 

[00:40:57] John Salomon: Always, always happy to, and I really, I really appreciate the opportunity [00:41:00] to talk a bit. Uh, it's a topic that's very, very near and dear to me. So, um, you know, if we can motivate one person to, to support somebody trying to enter the field or, or thinking about entering the fields, I think we've done our job. 
 

[00:41:12] Sean Martin: Yep. Yep. Excellent point. Well, John, thanks so much and, uh, thanks everybody for listening and watching, uh, this episode of Redefining Cybersecurity. Much more coming your way. I know I've been busy with events the last, uh, few weeks. Uh, so not many new episodes, but, uh, kicking things back into gear here. 
 

And, uh, I'm thrilled to share this episode with everybody, with John, and, uh, stay tuned. 
 

[00:41:37] John Salomon: Thank you.