Satisfying the Shortage in Cyber Warriors

In this episode of Cybersecurity (Marketing) Unplugged, Clyde also discusses:

  • The history of ISACA and the importance of professional organizations for cybersecurity practitioners;
  • Factors that contribute to the success of online training platforms like;
  • Board-level cybersecurity awareness;
  • How companies can do better at incorporating cybersecurity frameworks into the business.

Rob Clyde is a senior board director of ISACA, the chairman of the board for White Cloud Security and an advisor to ShardSecure. And as the former CTO of Symantec for almost nine years he’s grounded in operational technology and is an expert thought leader in the cybersecurity space. He also sits on a variety of boards and has served as the senior C-level officer for many leading technology companies.

In ISACA’s recent 2021 State of Cybersecurity Study, 61% of respondents reported that cybersecurity teams are understaffed and 55% revealed that they have unfilled cybersecurity positions. Among other topics, Rob and Steve theorize about the best strategies to close the cybersecurity skills and talent gap, from training non-security employees to pivot in their career to educating children in K-12.

Investing in training and education is key. So consider non-traditional methods. For example, do you have non-security staff who are interested in moving into cybersecurity? And could you provide them the cross-training and invest in them and help them do that? That will help build loyalty, but also help actually deal with this shortage.

Full Transcript

This episode has been automatically transcribed by AI; please excuse any typos or grammatical errors.

Steve King 00:13
Good day everyone. I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on the current state of training and education in cybersecurity. Joining me today is Rob Clyde, a senior board director of ISACA, and the chairman of the board for White Cloud Security and an advisor to ShardSecure, and a former chairman and head of the Finance Committee for ISACA. Rob has a long history in cybersecurity education and training. And as the former CTO of Symantec for almost nine years he’s grounded in operational technology, and is an expert thought leader in the cybersecurity space. He sits on a variety of boards and has served as the senior C-level officer for many leading technology companies. So welcome, Rob, I’m glad you could join me today. Thank you, Steve. It’s a pleasure. Great, thank you, Rob. In my opinion, there’s no stronger proponent of cybersecurity training and education than ISACA. Could you spend a couple of minutes sharing with our audience the history of ISACA, and about your leadership experience with the organization?

Rob Clyde 01:23
Well, Steve, thank you for the kind words about ISACA. I couldn’t agree with you more. It’s one of the reasons I choose to spend some of my time with ISACA. I do believe we are a very strong proponent of cybersecurity training and education. We have a strong history in this arena. We started as an association in 1969 and grew from seven individuals to today over 150,000 individuals. And from one initial chapter to now over 220 chapters, in over 180 countries worldwide. So truly a global organization.

Rob Clyde 02:01
We initially focused on IT audit professionals in the very early days. We moved from there a short time later into cybersecurity, governance risk, and more recently, we added privacy. So very strong history, a great deal of financial strength, staff strength, volunteer strength – and I happen to be a volunteer – and of course, our chapters so that we have that local reach. So education goes from things that you can get online all the way to the chapters.

Rob Clyde 02:34
You know, I’ve been involved with ISACA for a very long time, since the early days of the internet, even just a little bit before the internet, initially teaching as a speaker, sometimes doing workshops, sometimes getting involved with planning conference events as one of the committees on one of the program committees for conferences. Often I’ve been a subject matter expert over the years, been an author of many publications, and research. Over the last decade or so I’ve been very involved with ISACA from a leadership perspective. So I served on the strategic advisory council about a decade ago. And over the last seven years, going on my eighth year now, I’ve been serving on the board of directors, as you mentioned. I’ve been the finance committee chair, the vice chair, the chair, the compensation committee chair, I’m currently the governance and nominating committee chair, and I’ve been a member of many other board committees during this time.

Rob Clyde 03:34
I really enjoy doing it. And one of the reasons I love to volunteer for ISACA, is it’s one of those organizations where you can actually get things done. We can’t do everything. But those things we choose to do, we actually have the money, the staff and the resources to accomplish that. And that is just gratifying when you choose to spend your time on something you’d like to see a result. And I’ve always felt like I could with ISACA.

Steve King 03:35
Yeah, and you guys are organized in such a way as to deliver this quite well. And that local chapter thing makes a lot of sense. As you know far better than most, we have an expanding skills gap across all work roles in cybersecurity. Most of my colleagues point to a severe shortage in the cyber warrior class, kind of the frontline soldiers that we need to defend and provide an active defense on our behalf. What, in your view, should we be doing to close that gap and have a better chance at defense than we do now?

Rob Clyde 04:43
Well, if you look at ISACA’s state of cybersecurity study that we just did, the 2021 version, part one survey, we had a report that came from that. And I have to say unfortunately, I just agree with you and your colleagues. Sixty-one percent of our survey respondents say cybersecurity teams are understaffed. So that’s the vast majority. And an amazing 55% say they have unfilled cybersecurity positions. So it’s not just a question of getting budget to staff the positions; when they do have budget, they can’t get them filled like they’d like to. And that’s definitely causing some challenges.

Rob Clyde 05:26
And we’ve got to think outside the box. Just going out and trying to hire the best professionals, we’re just going to have one company stealing from another company. And that’s pretty much what’s been happening. And that’s why there’s a continued shortage. We need to look at this a little more holistically. And investing in training and education is key. So consider non-traditional methods. For example, do you have non-security staff who are interested in moving into cybersecurity? And could you provide them the cross-training, and invest in them and help them do that? That will help build loyalty, but also help actually deal with this shortage. We see an increasing use of contract employees and outside consultants. And I think that will continue. It’s a great, great place to go, if you’re interested, is to go into that world of outside consulting, because companies are very interested in that.

Rob Clyde 06:26
There’s also, you know, considering what we might be able to do earlier in the education cycle, because there’s not necessarily a quick fix to this problem. And so one of the things we look at at ISACA is how can we partner with universities? How can we partner with other educators to help encourage more people to come into this field? And to ensure that the curriculum is in place, that they can get the training that they need.

Steve King 06:53
Yeah, sure. It’s funny, some of the folks that are faced with this dilemma say, “Gee, what happens when I train these folks up? And then they leave?” And then I think the humorous response to that is, “Yeah, but what if you don’t train them and they stay?”

Rob Clyde 07:08
That’s right. Yeah, and I’ve done this before in my career, I’ve done training programs. And I can tell you, in particular if you move somebody – somebody that’s not necessarily a cyber security person – and you move them into that field, they’re usually extremely grateful to the organization that helped them move, make that career move that was so important to them, and it does help to build some loyalty as part of that. And while there’s no guarantee, when you train people that they might stay, there is a guarantee that if you don’t engage in this, you’re probably going to continue to have a severe staffing shortage. And even the people who do come to your company, when they learn that you do not believe in investing in training your own employees, they’re not gonna stay around long.

Steve King 08:01
That’s absolutely true. And when I was a CEO, one of my tenets was: Give me our best network engineers from the IT side and let me train these guys up. And you know, six months later, I’ve got a very competent security analyst, and then it’s much easier to fill the network engineering side role than it is to fill …

Rob Clyde 08:26
Or even a programmer who is, you know, kind of middle of the road, not necessarily a star programmer, can become a star cybersecurity person. And their coding ability will help them as they become cybersecurity professionals. And so there are all kinds of places where people can come from and move to this career. And it can just be such an exciting career path. I highly encourage people, it’s always challenging. You have a real adversary, not just competition, you have a real adversary. There are actual bad guys that you worry about in this job. And it just makes it exciting and challenging.

Steve King 09:06
Yeah, no kidding. Speaking of starring, you star in a short video that announces our entry into the world of cybersecurity education here, formally anyway. Our focus with our program is on supplementing our original content with coursework from ISACA and other third parties. Our value proposition is an essential, unified source for training material curated by a faculty of working CISOs. What in your mind are the most important success factors in the delivery of an effective online education program in cyber?

Rob Clyde 09:43
Sure, well, first of all, it’s got to come from a respected source. I certainly think in your case, you’ve ticked those boxes. Thank you, by the way, for partnering with ISACA, certainly one of the ways to tick those boxes. And the other is to look at the faculty. You know, working CISOs is a great place to start from. People want to learn from practitioners, people that actually do the work. And so having those highly qualified instructors is key. When you look at it online, you also want to have it in a format in a way that can be effective as well, might be live presentations, webinars, could be recorded webinars, could be course material that you work through. And it can also be hands-on training. In today’s world, we can have virtual environments where people can actually try some things out. And so that’s another approach. And last and most important is I think it’s important to get some type of a credential, something that indicates after you’ve done the online education, you actually receive something tangible, a certification, a certificate, something tangible that you can use to demonstrate that you met the learning objectives and use that with an employer as you share it with other people so that they understand what you’re capable of doing now that you’ve taken the online course.

Steve King 11:10
Yeah, sure. And we plan to make those badges and certifications …

Rob Clyde 11:17
Good point about the badges. That’s another key thing, people love to have those, show them on LinkedIn. LinkedIn has a great, you know, can actually tie to various certifications so that people can very quickly determine if your credential is real.

Steve King 11:35
Yeah, that’s right. And that’s nice that LinkedIn does that. It helps very much in the actual certification process. So that we know as you say that this is something that you actually did earn, and that is real.

Rob Clyde 11:49
Yeah, gone are the days where you can just make stuff up and put it on your resume and actually not get caught in the field of cyber.

Steve King 11:57
Yeah, the internet’s good for something, right?

Steve King 12:01
You earned your undergraduate degree in computer science from Brigham Young a few years ago. Do you see private and public colleges stepping up to provide an adequate amount of coursework and focus on preparing students for operating in the digital world? And how much have curriculums changed over the last 20 years or so?

Rob Clyde 12:24
Yeah, I mean, there’s a number of points in there. And yes, I did go to BYU, thoroughly enjoyed my time there. There were no cybersecurity curriculums back then. In fact, there were relatively few schools doing computer science and BYU at the time was one of the top 10 schools in the country and very much enjoyed that, still a great school to go to, highly recommended anywhere in the computer field.

Rob Clyde 12:49
But we have seen over the last couple of decades, schools actually providing cybersecurity degrees of various kinds. Oftentimes, they come out of what used to be the MIS department. I actually serve on the advisory board for Utah State University for their curriculum in this space. They have actually renamed it to the data analytics and information systems because they felt that the MIS designation was a little bit dated and didn’t speak to it as much. I have seen the curriculums improve. One of the things I think our universities should do is to partner with credential providers and other educators like yourselves, like ISACA, so that they can actually get a credential. And to ensure that students have live hands-on experience, particularly experience in today’s world with cloud. And with tools that you can use to run a business securely in the cloud. Kind of skate to where the puck is going. Don’t just go backwards, and have universities training you on how to run servers, physical servers. Useful as that might be, most of today’s opportunities and most organizations are looking for the younger talent, the talent coming out of universities, to understand the newer technologies. That’s why they want to hire young and so that becomes very important. And I have seen curriculums, and just using my own experience with Utah State University, I’ve seen curriculums stepping up to do more there. Those organizations and universities that are still a little more old fashioned and more around the physical systems, I would challenge them to move forward to today’s world that is more in the cloud.

Steve King 14:46
Do you think that a combination of a degree in cybersecurity with a set of certifications – CISSP, CISM, etc. – do you think that combination is powerful? And is that what you’d recommend to somebody who’s in their 20s and is trying to figure out what to do?

Rob Clyde 15:08
I do think it’s powerful, you also have to be realistic. Some certifications, including the two you just mentioned, CISSP and CISM, actually require a certain amount of work experience in the field. And so they are meant to be for not necessarily graduates who have no work experience, but people who actually also have work experience. Can you achieve that in your 20s? Absolutely, you can. There are also, though, credentials and certificates; for example, ISACA has a Cybersecurity Fundamentals certificate that is designed for students. And I think you’ll see more and more student credentials that are not requiring work experience that people can actually walk out of the university and not only have their degree, but also have a certificate or certification of some type.

Steve King 16:00
So that gives them kind of a more specific target in terms of …

Rob Clyde 16:04
Yeah, I mean, you need to kind of be realistic. Some students, you know, are fortunate they have lots of work experience and they’re students, great, good for them. But I think universities, and I see it happening more, should partner with credential offering organizations like ISACA to find the correct credentials that they can help their students earn as they go through their degree program. Secondly, I’m not sure everybody has to have a four-year degree to be a strong cybersecurity professional. And so I think we need a little more focus on associate’s programs and other types of programs. I like the university program and getting a well-rounded education. But truth be told, can you be a great cybersecurity practitioner with a couple of years of strong technical education? The answer is probably yes.

Steve King 16:45
I think that’s true myself. And so you know, the community college sort of path makes a lot of sense to me.

Rob Clyde 17:08
You’re not in debt for the rest of your life. And later on, if you want to go back and get your degree or your MBA, which may make a lot of sense, maybe that’s a pathway that doesn’t require you taking on what today can be overwhelming student debt.

Steve King 17:23
Yeah, no kidding. You’re now NACD certified. We all agree that there’s a gap in communications with the C-suite and board members with respect to cybersecurity. Tell our audience about what that certification means. And then how you see the state of board level cybersecurity awareness today, versus let’s say five years ago.

Rob Clyde 17:50
Yeah, there’s a lot there. So recently, the NACD realized, like many other professionals… The NACD, by the way, stands for the National Association of Corporate Directors. So just as there are certifications for cybersecurity professionals such as the CISM or the CISSP, or some of the others that ISACA has, we have a number around emerging technologies that are getting quite interesting around those credentials. The NACD, which focuses on board directors, that’s who joins that association, recently, over the last couple of years came out with a certification for board directors. So board directors have to go through a process to demonstrate that they will actually know a certain set of subjects and can respond to a certain set of cases in order to become certified. So it’s a proctored exam, like many of these others, very interesting process. And like many of these others, you have to have a certain amount of work experience as a board director to achieve it. Interestingly enough, there’s a great deal of focus within that certification around cybersecurity. And I can tell you at the NACD – and I’m very active with the NACD – there is a great deal of attention on cybersecurity. There are many webinars, many training programs for board directors to learn about cybersecurity. And so if I were going to compare where we’re at today with the board level understanding of cybersecurity, versus just five years ago, it’s leaps and bounds better. Whereas five years ago, the board often only talked about this once in a while, and usually struggled to understand what the real governance issues were from a board perspective. Today’s boards I find are far more digitally savvy, and far more aware of cyber risk, and what it means as a board director to be able to deal with cyber risk.
So the result of that is that, you know, you’ve got board directors being more demanding of their CISOs, of their CIOs, of their heads of IT audit, to speak to cybersecurity and speak in such a way that makes sense at the board level, and not get lost in all of the technical jargon that, you know, sadly, people in our profession tend to drill down into quite quickly, but actually speak to, you know, how much should we spend on cybersecurity? How do we know that our cybersecurity is any good? How do we compare to others in our industry? What risks do we have? Are any of those risks at the unacceptable level? And that level can change, depending on the threat landscape.

Steve King 20:51
Yeah, of course, we have case law now at the circuit court level that supports the notion of a personal liability, in addition to professional liability, on behalf of board members who can’t attest to full understanding of what they assert. So you would think that that would have gotten folks’ attention.

Rob Clyde 21:16
It has. And one of the ways that boards are dealing with that is to ensure – just like you can’t have a board made up entirely of former CFOs, or financial experts, nor would you want such a board, you also probably don’t want a board made up entirely of just cybersecurity experts.

Rob Clyde 21:36
The whole point is to have diversity of backgrounds, diversity, in many respects, in all the classic areas of diversity, but also consider diversity of background. And boards are anxious to have someone serving on their board that is digitally savvy and has a strong cyber understanding. And at the same time they’re looking to bring the entire board through certifications, like the one I received from the NACD, up to at least a certain level of cyber understanding and awareness. Much like all board directors, well, they’re not all financial experts, they all have to know how to read balance sheets and profit and loss statements and cash flows. And be very adept at that. That doesn’t mean you’re a financial expert, but you at least know how to do your job. And it’s kind of that level equivalent of what you’re looking for from a cyber perspective.

Steve King 22:30
Yeah, indeed, I see that we’re up against it here. So the last question I have for you, Rob: COBIT is a business framework that ISACA owns, that helps enterprises govern and manage their information and technology. You also own the Capability Maturity Model Institute, which I think you acquired from Carnegie Mellon. What’s your view on why companies generally ignore models like these? And in addition to that, great threat models like the one from MITRE, in favor of appearing to just fly blind in a world loaded with high risk?

Rob Clyde 23:10
Yeah, you know, I think in many senses, they’re not completely ignoring everything. So you see many organizations saluting the NIST flag. So they’re looking at the NIST framework relative to cybersecurity, you also see some paying attention to ISO standards like the ISO 2700 series. So I don’t know that they’re always flying completely blind. However, I’m here to tell you that to completely implement NIST, just to kind of go down in checklist fashion, you’ll put your company out of business. It’ll cost you more than you make, not profit-wise, probably revenue-wise.

Rob Clyde 23:48
You can’t do it all. So how do you know what to do? And that’s really where these types of frameworks like COBIT and a Capability Maturity Model can come into play, is to help you understand what the right amount is for your organization. COBIT does map to NIST and various ISO standards, and so does ISACA’s CMMI, which has a cybersecurity capability platform tool, whose underlying maturity model relative to cybersecurity maps to NIST as well and to the ISO standards. So there are usually mappings. The beauty of frameworks like these, like COBIT, is that it can help you get to NIST, but help you get to it in a cost-effective way. And provide the necessary guidance that auditors and cybersecurity professionals can actually do their jobs and have it be against a framework as opposed to just trying to go down a super long checklist and check things off.

Steve King 24:55
Yeah, and it’s frustrating to watch from over here, but you know, I think things are moving in that direction at least. So, you know, maybe the future will be brighter. But we’re out of time today. I do want to thank our guest, Rob Clyde, for taking time out of what I’m sure is an insanely busy schedule to join me in this exchange. So thank you again.

Rob Clyde 25:20
Thank you, Steve. It’s been a great experience and an absolute pleasure and I hope everyone enjoys listening to this.

Steve King 25:28
I’m sure they will. And thank you to our listeners for joining us in another episode of CyberTheory’s exploration into the complex world of cybersecurity, technology and digital realities. Until next time, I’m your host, Steve King, signing out.