EPISODE 67
 
Why Location Matters When Looking for Your First Cybersecurity Role
 


About this episode

In this episode, we are focused on what the real world looks like in cybersecurity supply and demand and the role of geography and location when looking for a cybersecurity job.

Jason Dion walks us through cyberseek.org as a resource for the cybersecurity job hunt. He discusses how to explore the site’s heat map so that you understand why you need to consider location, the data available about a given position, and even certifications when hunting for a job.

For those who want to be hired but don’t want to relocate, Jason also advises figuring out first what kind of company you want to join. He mentions three company dynamics that you might need to consider: remote-only, remote-first, and remote-eligible. He and Kip then discuss the differences between the three.

What you’ll learn

  • Why take advantage of cyberseek.org when job hunting
  • How to use the heatmap
  • What data is available in the heatmap
  • Which certifications are most relevant to cybersecurity


Episode Transcript

Kip Boyle:
Hey, welcome to Your Cyber Path. I’m Kip Boyle. I’m here with Jason Dion. Jason, man, what have you been up to?

Jason Dion:
What haven’t I been up to? It’s been really, really busy recently. Right now, I’m in the studio this month and I am working really hard to get my new penetration tester plus course out and done in time for the retirement of version one and the launch of version two. This course is really, really in depth and it’s taking a lot of time because we’re covering not just the theory, but we’re also going and doing a lot of hands on demos. So last night I was in recon-ng showing how to do open-source reconnaissance and how to get intelligence and be able to collect that and all the things you can do with it. And it really just eats up a lot of time when you’re trying to do this stuff, because it takes a lot of time to use these tools.

Kip Boyle:
Yeah, yeah. For sure. Well, I hope somewhere in there, you’re also getting our NIST Cybersecurity Framework Course shoved out the door, right? It’s almost done, right?

Jason Dion:
Yes. Yeah. So the NIST Cybersecurity Framework Course, as we are talking and filming this right now, it is actually about four days away from being finished with editing. Then we’ve got a couple of days of Q&A. And so by early next week, I expect that it’ll actually be live and ready to go on Udemy. If you want to get more information about that, it is at yourcyberpath.com/udemy. We’ll have a link to that Udemy course, and it’s a great course on the NIST Cybersecurity Framework. We cover all about it. We talk about all the different pieces and parts of it. We show you how to use it. And even the last section of the course, Kip actually takes you through how he does this in his job at Cyber Risk Opportunities and kind of opens his playbook to you and shares it with you throughout this course. So it’s a really awesome, awesome course. And we’re excited to have it out there.

Kip Boyle:
Yeah, it’s going to be fantastic. I have been getting ready for a webcast or a hack and cast, and I’m going to do with Wild West Hackin’ Fest. We’re going to talk about how certifications can help hiring managers build the team of their dreams. And along the way, I’m going to explain how job seekers can take advantage of both traditional certifications, as well as skills-based certifications to send really strong signals during the hiring process, that you are somebody that the hiring managers are going to want to look at, so. Anyway, so that’s what I’m getting ready for. I got a lot of training to do myself this year as well. So-

Jason Dion:
I think that’s totally a really important topic too, right? And I think the key there is you’re talking to hiring managers, right? People always bring up this concept of, this cert is better than that cert or why don’t people like this cert, and why do they like that cert better? I hear this a lot with CEH versus Pen Test+ versus OSCP for example. And really it comes down to longevity in the marketplace and what hiring managers are used to because a lot of hiring managers and HR folks in particular aren’t necessarily cybersecurity professionals, even though they’re doing the recruitment and hiring for those positions. And so it takes people like you going out and talking to these other hiring managers and going look, “There is this skills-based training out there, and you really should be looking at this instead of all this multiple choice stuff that’s really easy just to study for and brain dump.”

So I really appreciate that you’re going out there and doing that. And I think that those conversations are what helps change the industry in five years, 10 years from now and will make a difference, but what we’re going to look at today is what does the real world look like today? And that’s really important to people who are looking for a job today, because it does take time for those things to change.

Kip Boyle:
Exactly. So can we do a little programming note before we get going? If you’re watching us on the Your Cyber Path channel on YouTube, you’ll see that we’re doing a screen share right now, right off the bat. And so this is going to be a session where we do that, but if you’re just listening to us, don’t worry because Jason promised me that he’s going to narrate what he’s doing on the screen shares. So you’re going to be able to benefit without having to take the extra step of watching the video. Is that right, Jason?

Jason Dion:
Yeah, definitely. So if you’re in your car, listening to me on the podcast right now, don’t worry. I am really good at narrating step by step what you’re going to see on the screen-

Kip Boyle:
That’s why he wouldn’t let me do it.

Jason Dion:
Close your eyes and visualize it, but don’t close your eyes because I want you to stay on the road. But the idea is what we’re going to be talking about today is geography and location and how that affects the cybersecurity industry and your chances of getting a job in the cybersecurity industry, especially with your first job. And so to help us with that discussion, I’ve brought up cyberseek.org, which is a website we’ve talked about before on the podcast. It’s an excellent website with tons and tons of great information that is updated in near real time, usually within about three months. It does a continual update of the site based on jobs, what employers are looking for, what the supply and demand curves look like, what the salary ranges are, what the certifications are, all that stuff. But today, we really want to focus on location because one of the things I’ve seen is that location really, really does matter. Kip, what do you think about location? Why does it matter so much?

Kip Boyle:
Yeah. Well, location is kind of a backward looking thing in the sense that, in the last two years, we’ve all been inundated with remote work and our workforces have gone on their heads trying to scramble out of big buildings and skyscrapers and stuff to guard against infection, but historically people just went to a building and so guess what? You got cities, bases, right? Air force bases, or army bases or naval ports, or whatever, right? People congregate in order to go to work together. And so even though we’re evolving, right? Where we have all this tech that lets us do remote work, there still is this very pervasive attitude of location. And I don’t know if that’s ever going to go away. It certainly hasn’t gone away completely even with remote work. So we’ve got to consider it.

Jason Dion:
Yeah, most definitely. I mean, I see this even in my company. Right now, my company is a remote-only company. All of my employees, we have 14 as of today, as of yesterday, actually the 14th member joined the team. And they’re located all over the place, right? We have people in 1, 2, 3, 4, 5, 6, six different countries right now out of 14 team members. I’ll tell you though, next year we are getting an office, and we are going to have people in the office. Now, I’m not going to fire those people who are not local to our area, but as we are hiring for new positions throughout the rest of this year, we are hiring with a preference of, we are going to be a remote-first company, but we still want you to be relatively close by so that once a week, once a month, we can get people together, we can do staff meetings, we can do outings, because that part of the culture gets lost in remote a lot of the time.

And so it is something that I think is valuable as a CEO and the leader of my company. And a lot of other companies do it that way as well. And so I’ve seen this trend, especially recently with the pandemic where people say, “Oh yeah, it’s a remote job. No problem at all. You can work from home.” And then six months later, they’re going, “Oh no, I want you back in the office on Monday.” And if you took a job in California and you live in Virginia, you’re not going to be there on Monday. It’s kind of hard to move from Virginia to California in one day. So it’s important to understand that and put that out. And one of the people I just hired, that’s going to be starting in April, he lives in California. I’m down in Puerto Rico. We’re also opening offices back in the states as well.

And because of that I’ve told him, yes, you can work remotely, but over the next 12 months or so, you might be making a trip once every couple of months to come fly out and hang out with us, especially because he’s going to be doing some filming and recording with me. It’s a lot easier to have him in my studio where I can help him get his presence up, do all the technical stuff, and make sure it all works out right.

Kip Boyle:
Definitely. So anyway, there you go. I mean, there’s Jason’s perspective on geography and how that’s affecting his company. And you know what? That’s true across the board. There are some companies that are not remote-first, but remote-exclusive, like my company is remote-exclusive, right? So we don’t get together in a physical space and I don’t have any plans for doing that. That works for us, right? But for a lot of other people geography does matter. So, all right. So that’s why we’re talking about this. And a couple of other things I think you should know before we really crack into this. So again, we’re focused on the United States and that’s what we’re going to talk about is U.S. metro areas and that sort of thing. But the concept of geography I think is applicable anywhere in the world, no matter where you’re working, all right? So that should carry over just fine. And just remember that all the statistics and everything we’re talking about is about the United States, okay? So, all right, Jason, let’s do this.

Jason Dion:
Yeah. That’s a great point. Cyberseek.org is a wonderful website, as we said, but it is U.S.-focused. I have not found an equivalent for the UK or Canada or India or other countries around the world, or even a global one. And I think it’s just because it’s hard to get that kind of data into a single place. And there’s a lot of time and money spent by a lot of organizations to create Cyber Seek.

Kip Boyle:
There’s sponsors here, right? You got to find sponsors and you also have to have sources. I mean, it’s a big data challenge. I also want to say, too, that this data set is backward looking. So once you get ready to actually do job hunting, you have to go someplace else to do that. So, just another caveat.

Jason Dion:
Yeah. Great point. And as I’m looking at the screen, I’m at cyberseek.org, C-Y-B-E-R S-E-E-K.org. If you’re in the car on the podcast, please don’t try to go do it right now. You can do it later. It will be in the show notes, we’ll have a link. And we’ll also have a link to the video if you want to go back and watch it later to get in depth, deep dives and see exactly what I’m looking at. But on the main page, when you get there, there’s really two big things you can do upfront.

One is the heat map and the other is the career pathway. We’re going to save the career pathway for a different day. That’s where you start talking about what jobs lead to which jobs inside of cybersecurity. And if you want to be a pen tester, what are the three jobs you should have before that? And what jobs can you get after being a pen tester and things like that, but today we’re really going to focus on the heat map. And when you click on that heat map, you’re going to see a map of the United States pop up. Now, right at the top, it’s going to show up a color-coded map. And in that map, you’re going to have different colors based on the total number of job openings in those areas.

Kip Boyle:
And that’s why it’s a heat map.

Jason Dion:
That’s why it’s a heat map. Exactly, right? And so the darker colors have more jobs and the lighter colors have less jobs. Right now, I’m looking at it, and as I’m filming this, it is right towards the mid time, mid February, late February timeframe. As the time this episode goes live, we’ll probably be about the beginning of March and this is fairly relevant, but it has been affected by COVID as we’ve said. In fact, at the top of the site, there’s a big banner going across and it says, please note the data on Cyber Seek has recently been updated and a reflection of the United States job market, which has heavily been affected by COVID-19 pandemic is resulting here.

They are seeing things like Burning Glass projects that cybersecurity jobs will be some of the key roles that are driving the post-pandemic job recovery over the next five years. And they believe the current data reflects this short-term deviation from the longer term trends, which means you may see that there are less jobs in a particular area because that area is suffering really bad from COVID and other places are not. And so there is some of these shifts that are happening, that aren’t normal in nature. And we’ll talk about that as we go through here a little bit as well.

Kip Boyle:
Yeah. That’s great. Keep going.

Jason Dion:
Yeah. And the other thing I think that’s really important to say is when you look at this total job number, total jobs is really not that important, in my opinion, as much as the ratio is. And why I say this is, if I go to California, you would expect they have a lot of jobs, but they also have a lot of people. And so if there are a million jobs in California, but there’s 2 million people fighting for those jobs, that wouldn’t be a great place for us, right? Because that means there’s two people for every one job. Now, in the cybersecurity industry that tends to not be the case. There’s a lot more jobs than people. And we’ll talk about that as well. But what you’re going to see is that right off the bat, the first map you see is a state level map with color codes that show you exactly which states have the highest number of jobs.

And there is another button that you can click on that’s called Metro areas. And when you do that, it’s actually going to break it down into the counties because just because California has a lot, or Texas has a lot, for instance, when I actually go into the metro area of Texas, I can see there’s only about four or five counties that are actually heavily having jobs in Texas. So if you’re in Western Texas, there’s not really any jobs, but if you’re in the Dallas, Fort Worth, Houston area, there’s a lot of jobs. So you have to keep these localisations in markets in mind as well, especially with larger states, places like Texas and Montana and Washington and California and Florida, those are pretty big states. I’ve driven across Florida. And it takes about eight hours to go from tip to tip, from Pensacola to Miami. And that’s a long commute. If you’re getting a job in Miami and you live in Pensacola, you’re not going to do that, right? So it does matter. Geography does matter here.

Kip Boyle:
Especially in the beginning too, because we’re really trying to focus in on what does this situation look like for the entry level person? The so-called first cybersecurity job that you’re trying to get. And this is really crucial because a lot of people believe, and I think there’s a lot of truth to this, that especially when you’re starting out, it’s so important to get the right mentoring and a lot of people think that the best mentoring happens when you’re actually in the same room with the people that you’re trying to learn from, right? So there’s other ways to do it, but there’s a strong preference for that.

Jason Dion:
Yep. And then let’s go ahead. I’m going to go ahead and scroll down page just a little bit. I want to talk about some key numbers before we start doing some deep dives. Now, when you first go to the page, it’s going to give you the national level information, which is a consolidated look across the entire country. And the first thing I see here is some really key numbers under the national level. And this is the total number of job openings for cybersecurity jobs in the United States. As of today, the total number of job openings on this site that they’re showing is 597,767. So just shy of 600,000 jobs for nice, easy math for those of us who are on the podcast audio-only.

Now, if you look at the total number of employed cyber security professionals in the workforce, it’s just over a million people. It’s 1,053,468 to be exact. So what does that tell me? That tells me there are a lot of job openings and there’s not really that many people. If we’re looking at an industry where you have almost 50% or 60% of the workforce having those jobs available as well, that’s a pretty high number. As you look to the next column, you’re going to see the supply and demand ratio. Right now, the national average is 68%. This is the supply demand quotient. What this means is that there are a lot more jobs than there are people. In fact, if I took everybody who was fully qualified for the position and hired them today, we would still have three jobs out of every 10 jobs going unfilled, because 32% of the jobs we just don’t have people for. And this is what we’re talking about, the cybersecurity skills gap.

Now, I know this brings up the question, hey, I’ve got my cert, I’ve got my degree, I’ve got whatever. Nobody will give me a chance. Nobody will hire me, right? But that is one of the problems that we see inside of this industry is that hiring managers and what they’re looking at and what they think makes somebody fully and best qualified is not lining up with what they’re seeing as the supply. Now, that could be because of location, it could be because of salary expectations, it could be because of certification levels they’re asking. Sometimes I see people asking for an entry level job and they want five years experience and a CISSP. It’s not really entry level at that point, right? And so you got to keep those things in mind as well. Kip, do you have anything to add to that?

Kip Boyle:
Well, this just goes back to a previous episode that we recorded about how entry level jobs are not really entry level, right? There’s this common interpretation of what entry level means, which is like McDonald’s, right? I can come in off the street, or Uncle Sam will take you off the street and will train you, then you have skills. That’s what most people think of when they hear the term entry level, but cybersecurity isn’t like that. An entry level job in cybersecurity is typically going to require some experience in a previous job. And the Cyber Seek website shows that graphically in the career pathways section.

And by the way, another thing to note is that in this part of the website that we’re on, those numbers that you were telling them, Jason, those numbers include jobs, such as systems administrator that have heavy cybersecurity job responsibilities, such as setting permissions on file shares or allocating users into groups, right? In order to grant access to resources. And so we talk about the idea of a two-step transition into cyber security for people who are outside the industry. And that’s actually encapsulated really well in here. The whole website really takes that into account.

Jason Dion:
Yeah, most definitely. And then as we continue moving over on this dashboard, I want to point out that everything is clickable. So as you click on things, as you move your cursor around, it’s highly interactive for your specific case. So I do recommend, spend some time on this website and click around and play with it as well. The next column we’re going to see here is called geographic concentration. And this is one of the ones I think is really, really important. I said earlier that the total number of jobs being really high in Texas really doesn’t matter to me if there’s a bunch of people in Texas that already can fill those jobs. But instead this geographic concentration is going to tell you what that supply and demand ratio looks like in a particular area. Now, the national average is one.

Now, what does that mean? Does it mean we have the right number of people? No. It means if we look across all states, we have to have a baseline somewhere of what is the mean, what is the average for everybody. And that’s what we’re looking at there with that one. But if I take my mouse and I start putting it and hovering it over, you’ll see all of those locations actually listed going from the left to the right side. Oh, actually I’m still on the metro area. So let me go back and click on states here. I’m sorry about that. And when you go back there, now I can see that the national average is on the far left side of this chart, and going anything lower than the national average means there is less jobs for the amount of people that are there. And then if we go to the right side of the chart, we’re going to see that there are more jobs for those people.

So if you wanted to know really quick, where is the worst place to look for a cybersecurity job? Well, just put your cursor on the left side and you’ll see that right now it says, it looks like it is Arkansas. Arkansas has a 0.8 quotient out of one, which means they are 80%, which is about 20% lower than the national average. Now, if we go over to the far right, and see who is the highest place in terms of jobs versus supply or… Yeah, the amount of jobs for the amount of supply, who is the most in-demand area. It is by far Washington, D.C. Washington, D.C. has a quotient of 8.2 out of one. So they are really, really needing people in Washington, D.C.

Now, the weird thing is I’ve done a lot of looking at this site over the years and I was working in the Washington, D.C. area for about seven years as well. And at the time I was working there, our quotient was usually around three to four. I was really surprised today when I loaded up the site and saw it was at 8.2. Now, why is it three times higher than it’s been historically over the last 2, 3, 4 years? Kip, do you have any guesses?

Kip Boyle:
Since it’s Washington, D.C., I’m going to guess that it’s related to federal government spending. And so my guess is that there’s a lot more money available to spend on cybersecurity right now.

Jason Dion:
I think that’s probably a good guess. I don’t know the right answer. So I’m just making a hypothesis here as well. But I do know that under the current president, there was a big fight whether government workers had to get vaccinated. And it got held up that government workers had to be vaccinated. And so did government contractors, right? And so a lot of people who refused to get the vaccine, they’ve hit the end of their time and they’ve been asked to leave. So guess what?-

Kip Boyle:
That’s another reason. I think it’s a confluence of both.

Jason Dion:
That’s a lot of open jobs.

Kip Boyle:
Yeah. I think it’s a confluence of both, because there was a big spending bill for state and local governments to get cybersecurity grants. And it’s a big amount of money. It’s like a trillion dollars or something. And so I’ll bet it’s both of those things together.

Jason Dion:
Yeah. And I think the other thing is that a couple of years ago, the DOD asked for a lot of money to do more cyber defense and cyber warfare, and budget timelines on DOD is three to five years. And we are kind of getting into that three to five year window. So I think a lot of those jobs are coming in line as well. So I think a confluence of all these things are coming in, but when I look at the next highest place after D.C., the next highest place is Virginia at 4.5, which is right in that same D.C., Virginia metro area. And you go to the next one, I bet we’re going to find Hawaii, another highly government area, Colorado, Vermont, Rhode Island. And you can keep going through as you look at the different places. So that’s a good way to look at things.

The other thing that I really like on this chart is you can go over to the right side and it shows you the top cybersecurity job titles. Now, one of the things we always tell people is you have to know what you’re aiming at. You have to know what job you want. And if you’re not sure yet, and you’re still doing the investigation, because there are lots of different jobs out there, one of the good things you can do is go here to Cyber Seek, and even on this side with the location side, I like to look at the top job titles. And right now I’m looking at it from a national level, and I can see that the most in-demand top job is cyber security analysts. And this actually supports what I tell my students all the time. I have people who ask me, “Should I go for CySA+, should I go for Pen Test+. Pen Test+ sounds so cool. It’s so sexy. I love the idea of being a hacker and all that stuff.” Right?

The problem is there are four to five times as many jobs for defenders as there are for attackers. And the numbers here show it, right? We could see on this chart, the top 10 they have is cyber security analyst, cybersecurity manager, cyber security consultant, software developer, systems engineer, network engineer. Those three don’t even have cybersecurity in them. Like Kip was talking about earlier, these are jobs that are cybersecurity-adjacent. And a lot of times people go into those to get into the field. And then we have penetration and vulnerability tester. And then we have systems administrator and cybersecurity specialist. And so really people are asking for cyber security analysts, lots and lots of people want to fill up SOCs, and they need these people. So this is another thing you need to think about is what are the high level jobs that people are asking for, and making sure you can then meet towards those needs.

The next thing I wanted to point out is just here at the bottom, there’s two more areas that are interesting to look at. And the one on the left is going to be the NICE framework, which breaks things down into different categories, such as oversee and govern, protect and defend, analyze, operate and maintain. And as you look at these categories, you’re going to see the total number of jobs. And so this tells you where is the bulk of jobs in cybersecurity. And the biggest category is operate and maintain. And so if you want to be somebody who is operating and maintaining, that is somebody like a cyber security analyst, a systems administrator, a network administrator and things like that. Another big area is going to be oversee and govern. And that’s your governance things, that’s your management, your GRC. And as you go down, collect and operate, that’s more Intel, that’s much smaller percentage. And as you keep going down the list, you’ll see them smaller and smaller.

And then on the right side, the last thing that they have is a thing on certifications. And I recommend everybody who’s thinking about which certification to take next goes and looks at this area, because this tells you based on the number of jobs and based on the number of people who have that certification. So if we look at certification holders, there are 177,000 people who have their Security+. If we look at CISSP, there’s only 93,000 who have their CISSP inside of this data. Now, if we go over to our openings requesting certification, we can see that the number of jobs that are asking for certification, the number one certification they ask for is CISSP, 116,000 jobs with that title in it.

Well, guess what? I just told you that over on certification holders, there’s only 93,000 people who have it. So this goes to that skills gap, right? We have 20 something thousand more jobs available than people who are certified to take it. And a lot of the people who are certified to take it don’t want to take that job. I have a CISSP. I’m not looking for a new job, right? And so that means there’s a lot more opportunity when you start doing this. And so as you look at which certifications and which jobs are there, this can help you as well. But now, we’re going to go back to the idea of location, because that’s what I want to talk about. And I want to kind of give this overview. Go ahead, Kip.

Kip Boyle:
I got one clarification for you. So you were talking about, we have this NICE framework and I want to make sure that people listening realize that it’s not a pleasant framework. It’s actually an acronym called N-I-C-E, NICE. And that stands for the National Initiative for Cybersecurity Education, which was published by the National Institute of Standards and Technology. And what that is, it’s a way to categorize different cybersecurity jobs and cybersecurity adjacent jobs. So it’s a taxonomy, right? It’s just a way for us to organize all of this data. And so that’s what Jason was talking about.

Jason Dion:
Yeah. And the whole goal there was to be able to say, “If you’re going to do this job, it’s this category. You should have these basic skills.” And that way, if you’re getting a job with company A or company B, it should look pretty much the same, because before it was the wild west.

Kip Boyle:
Yeah.

Jason Dion:
All right. Let’s go back up here to our map. So when we go back up to the map, we have the interactive map and we have our color-coded heat map. And by default, as I said, the first thing they show you is total job openings. But I said that wasn’t really the thing I love the most about this map because that’s just a total number. And so instead, I like to go over to the left side and there’s public sector data, private sector data, and then there’s this dropdown where it says total job openings. If I click on that, I can actually change that to the supply of workers, the supply and demand ratio or the location quotient. And so by going here and going, hey, show me the supply demand ratio, for instance, for those states, I can see exactly where those hotspots are.

Now, on a state level, I see right now that some of the darkest areas, the most in-demand areas are Texas, New Mexico, Colorado, and Massachusetts, it looks like. Those are the four darkest spots. But if you go to metro areas, it gives you a lot better and more usable information, because as a person, I’m not thinking about moving to Texas, I’m thinking about moving to Dallas, for instance. And so as you look at this, you can now see exactly where those spots are. And as I look at this map that I just put on with the metro areas, I can see really that there are basically five, six, maybe 10 counties that really have the highest supply and demand ratio areas. And if you want to find out what those are, what that specific county is, you can just hover your mouse over it and click on it.

For instance, I’m from Miami originally, so I’m going to go and click on Miami. It is showing me that it is a 0.68 ratio, which is pretty darn low. They need a lot of people. And if I click on it, it’ll actually blow it up and show me a little bit more information in Florida. I can see exactly what I’m looking for. And as you click on it, you can zoom in or zoom out. Now, in addition to that, you can also filter out metro areas by population. Maybe that your wife really likes to be in an area where there’s great theater and there’s entertainment and there’s a big city vibe, she just does not want to live out in the sticks, right? In the country, in the rural area. Well, you could say, show me only the metro areas that are large, or only the metro areas that are small, if you only want to be in a rural area, for example, right? And so when I say, just show me large metro areas, there’s only about 20 right now. And so I can really focus in on those areas.

In addition to that, you can go ahead and click on that again and change it to your location quotient or your supply of workers or total job openings as well. And as you do that, you’re going to get those different things based on your state or your metro area, that really helps you narrow down, where do you want to work? Coming from the military and government and contracting world, I have a lot of friends that, they do their 20 years in the military and now they’re figuring out what do they want to do next? And when you hit that retirement date, and they go, “Okay, what do you want to do next?” You’re like, “Well, I want to be a cybersecurity analyst.” “Great. Where do you want to work?” “I don’t know. I’m used to living all over the world, so whoever wants to hire me.”

Well, that’s too big of a job target to hit. You really got to start figuring out where it is you want to live. And doing that, and if you’re picking where you’re going to go, you should pick a place that has a lot of jobs for what you want to do.

Kip Boyle:
Yeah. Yeah, absolutely. This is excellent information, Jason, and without sort of upending this whole idea that geography matters, one thing that we’ve got to factor into this conversation, too, is that the last two plus years of operating in a pandemic with quarantines has really changed the dynamic as far as remote work. And there’s a lot of places where their strong preference is to be together in a building or in a physical location. But they’re unable to do that now. So I think we should probably unpack a little bit, what’s it going to be like for somebody who is searching for a remote job and doesn’t want to relocate to a different geographic area? And uses this heat map in order to find a job that says that this is a remote position, and let’s say they’re living in Colorado and they snag one of these remote positions in Washington, D.C. Now, talk a little bit about, is that a good idea? What are the risks? Or what are you seeing?

Jason Dion:
Yeah. So that’s a great thing to talk about, right? So I think we could talk a little bit more about remote versus not remote as well in general, and there are some places where you’re going to have to go into the building. A lot of cybersecurity jobs, especially if you’re doing clear jobs, you’re going to have to go in the building, because you don’t have top secret information in your home office or secret information in your home office. So those jobs, you have to be in the building. You’re not going to be able to work remote. But for a lot of companies, remote is an option, right? If you got hired by Kip’s company, for instance, he’s a fully remote company. There’s nothing wrong with that. I think some of the things you really need to think about when you’re thinking about your career and long-term growth with a company, especially when you’re going with a remote company, is are they remote-only? Are they remote-preferred? Or are they remote-eligible? I guess is the best way to put it.

And so let me break down those three categories, right? Remote-only is what Kip says he is, right? Everybody on his team is remote. Nobody’s coming into the office. And so that is the best environment if you want to be a remote person, have the best job opportunity for growth and promotion, because everyone is on the same level playing field. Everyone’s remote, and so everyone has the same opportunity to get the same face time with the CEO and the decision makers, whether that’s through Zoom or Skype or whatever it happens to be, but you’re all in the same level playing field. So that’s remote-only.

The second is more what my company is. We are a remote-first company. Now, what that means is that most of my employees are remote, but there are a couple of employees who work together on a daily basis or at least are within a 20, 30 minute drive. For instance, I’m located down in Puerto Rico and four of my team members, I can drive to their house within about an hour and we can go meet up for coffee or lunch and we can have meetings that way if we wanted to, even though we’re not in the building. Now, the challenge with that is you have to figure out what that company culture is. Do they actually value all remote employees equally? Just because somebody is working in Colorado, if everybody else is in the office in Washington, then guess what? You’re going to be out of some of those meetings, because a lot of those sidebar meetings that happen after the Zoom call is over, that’s where a lot of the money is made per se in terms of social capital and making inroads for the next promotion.

So that is a risk you’re taking when you’re going to a remote position where the company is kind of half and half. Right now, a lot of companies are in that situation where people are working from home because they kind of have to, but they’d really like them to come back to the office. And so if you took this job right now, over the next two years, you might get promoted wonderfully because everybody’s at home anyway. But in two years, when everybody goes back to the office, you say, “No, no. I’m going to stay home,” somebody else might be getting that promotion, you might not. And then the third category is those companies who are kind of remote by exception or remote-eligible. I think about the government, I think about the military, I think about hospital chains and universities, they are designed as an in-person institution and they may allow you to work from home one day a week, two days a week, maybe even a month or two at a time, but it’s going to hurt you when it comes time for promotion.

Because they’re so used to seeing Joe in every meeting or Mary in every meeting that they’re not thinking about somebody else who’s at home. Because yeah, you’re getting your work product in on time, you’re doing all your work, you’re staying on budget, you’re staying on task, you might be more productive than you’ve ever been before, and yet you’re not going to get that social capital because people don’t see you. They’re not sharing a coffee with you on break. They’re not going out to lunch with you. Those things do matter. And I know it’s a bunch of political games, but honestly I’ve seen it in my career too many times, where the person who is the best worker is not the person who’s getting promoted. It’s the person who can communicate, the person with social skills, a person people like, they know, they trust, and whether or not that person really knows what they’re doing or not, they are there. And there, sometimes matters.

Kip Boyle:
Yeah. A lot of the dynamics in play here that you’ve just reviewed, Jason, are longstanding dynamics, all right? In other words, the fact that we’ve got a pandemic that’s going on right now that has forced a lot of workforces into a remote situation, it’s really sort of caused typical patterns of human behavior to become more pronounced and more pervasive and all over the workforce, whereas in the past most companies, I think it’s fair to say were, they either didn’t have remote work or remote was like yeah, maybe one day a week or something like that, right? As more of like a flex kind of a thing, right? Almost a benefit. But I just want to say that these factors that you’ve mentioned have always been there. My first work-from-home opportunity was over 20 years ago. And I became very sensitized to this stuff very quickly. The whole idea about being seen, having a face that goes with my name.

And so I lived in Seattle, my company was in San Francisco. I would fly to San Francisco once a month, and I’d spend five days in the office, and that was predominantly my FaceTime. I didn’t have an iPhone.

Jason Dion:
Yeah. I mean, that was a way for you to be seen. And so people didn’t forget about Kip.

Kip Boyle:
That’s right.

Jason Dion:
And I’ll tell you, I have had the same issue in my career, even in the military, which is a predominantly in-person business, right? When I was in the military, I was working as a cybersecurity planner at one of my positions. And I was being flown all over the world to go to conferences, do planning, do incident responses, all that kind of stuff. I’m doing great work, more work than anybody else, I’m putting in 80, 100 hour weeks to get things done. And when it came time for them to figure out who’s the number one person, who’s the number two person, as we’re going down the 40 people in a row, I ended up being pretty high up, but I wasn’t number one.

And the answer I got was, “Well, you’re never here.” They’re like, “You’re always in Hawaii.” And I’m like, “Well, it’s not like I’m on Hawaii on vacation, man. You’re flying me out there on Sunday. I’m flying home on Saturday. And then you’re turning me around the next day to go out again. My family’s never seen me because I’m working hard for you. I’m doing all these great things. You love what I’m doing.” “Yeah, but you weren’t here for all the meetings.” That’s the kind of thing that sometimes you have to realize. And had I realized that up front, I probably wouldn’t have killed myself to the amount I did trying to do everything that I was doing for them. But that’s one of those things you just have to think about and you have to realize, and it does happen in a lot of organizations because you’re just there. And when you’re out of sight, sometimes you’re out of mind.

Kip Boyle:
And it’s not fair. I mean, I’ll just tell you that right now, it’s not fair in the sense that Jason and other people in his situation aren’t being rewarded for the actual work that they’re doing, that’s to say the outcomes that they’re producing. So that’s another thing you should be thinking about when you join a company that has a remote culture, you got to find out like, are employees measured based on what they produce, what they actually deliver? Or is it just a matter of, hey, I need a butt in a seat. And I better see your butt in the seat. Otherwise, it doesn’t count. That’s a huge culture difference. And so if you don’t know that going in, you need to figure it out fast.

Jason Dion:
Yeah. And one other thing that I think is really important for you to realize is if you are new to this industry and you’re trying to get your first job, I would recommend you take a job in-person, for your first job. I would not take a remote job. And the reason for that is it is really hard to get spun up, to learn, to figure out what you’re doing and how you’re doing it when you’re sitting at home by yourself or trying to meet with somebody over Zoom. There is something about being able to just sit next to somebody. And I will tell you this to you as somebody who has run his company as a remote-only company for the last five years, I have a lot of employees that are all over the world, but now I have to start figuring out about time zones.

I need to figure out, hey, this thing is happening. And I’m like, “I really should call Jonni and show him how to do this. But you know what? It’s 3:00 AM in Jonni’s time, so I’m not going to call him. I’ll just take care of it. I’ll tell him tomorrow.” And then I forget to tell him tomorrow because the next fire is happening. And so these things happen. And if you want to work… I’m working right now with a company down here in Puerto Rico, they’re building a cyber security operation center here in Puerto Rico, that’s going to be serving a bunch of clients back in the U.S. They are hiring people from the U.S. and from Puerto Rico. And they’re hiring a lot of remote people. The problem is a lot of people they’re trying to hire don’t have the skillset and the experience to work effectively remote when they first show up.

And so you have to think about that too. If you’re that person who needs that training, you really want to have somebody who can just pull you up next to them and show them what to do. And a lot of those things, they’re not planned meetings. Sometimes it just happens, right? I get an email in, this shows that this incident is happening and I go, “Hey, Kip,” you’re sitting right next to me, “Come over here and let me show you what’s going on.” That kind of thing happens all the time in the real world. And when you’re remote, it’s an extra step for me to call you up, tell you to get it on Zoom, share my screen, and then start trying to work with you when I already wanted to start putting out that fire. And if you’re next to me, I can just grab you. And that kind of stuff happens.

Kip Boyle:
Yeah. So if you find yourself in that situation anyway, where it’s your first job and you’re remote anyway, because that’s just… You find yourself in that situation, here’s one thing that you can do that will help. I know people who just open up a Zoom or a Teams link with somebody else that they’re working on remotely and they just keep it open for hours, or they’ll keep it open for an hour, they’ll take a break and they’ll come back and then they’ll open it up for another hour. And it’s not designed for you to have an hour long conversation, rather it’s to simulate what it would be like to sit next to somebody or sit across from somebody and just be able to chat with them whenever it makes sense. So it’s not the same, but it might work.

Jason Dion:
Yep. And then the other thing, when you’re thinking about remote and working different places, right? We had mentioned earlier, if you’re in Colorado and you want to take a job with somebody in D.C., because there’s 8.2 quotient for D.C. right now, that’s great. But guess what? They may still want you to work D.C. hours from eight to four every day. And if you’re in Colorado, that means you’re waking up at 5:00 AM to be butt in a seat, ready to go at 6:00 AM your time. This happened with one of my recent hires and we made it clear to her upfront, “Hey, we have a Monday morning staff meeting and everyone worldwide goes on our Monday, well, my Monday morning staff meeting,” which is 9:00 AM my time, it’s 8:00 AM in Florida, it’s 6:00 AM in Central Time Zone, where my new hire is. I have somebody in India, I have somebody in the Philippines, so for them it’s 8, 9, 10 o’clock at night. I’ve got somebody in Italy, for them it’s three in the afternoon.

And we all get on this call. But I told him like, “Unfortunately you happen to live in a place that it’s going to be the crappiest time for you, because it’s like 5:00, 6:00 AM for you.” Kip, you joined us at one of our staff meetings and you woke up what? 4:00 in the morning? To be on the staff meeting with us at 5:00 AM? That kind of sucks if you had to do that every day. So keep that in mind as well. For me, I’m-

Kip Boyle:
Just know what you’re going into.

Jason Dion:
Yeah, for me, I’m a late sleeper. So I have always liked to work remotely for companies on the West Coast or in Hawaii. Because I could sleep until 8:00, 9:00, 10:00 in the morning and then wake up and go to work their time. That works great for me, but if I was doing it the other way, from California to D.C., forget it.

Kip Boyle:
It’s a good thing I’m up early in the morning anyway, so. Okay. Well listen, Jason, we’re coming to the end of the amount of time that we have for this episode. So I just wanted to ask you, was there anything else on cyberseek.org or this whole idea about geography matters?

Jason Dion:
Yeah. I think the biggest thing is you want to figure out what kind of company you want to work for, right? Whether it’s remote, whether it’s in-person, and then that is going to start driving where you are going to be looking for jobs. And again, geography matters just because of the sheer number of jobs and the amount of competition you have. I had seven students who say, “Hey, I’ve got my certifications, I’ve got my degree, I even have some experience, and no one will hire me.” And I look at where they’re located and it’s some small farm town in Oklahoma, right? And it’s like, well, you might want to move for a year or two over to California, Texas, Florida, New York, Massachusetts, D.C., get a job, get some more experience that’s in that particular field that you want because maybe they had some help desk experience or system administrator experience, but they didn’t have any cyber security experience. And people are more likely to hire you if you already are a known quantity.

Kind of the traditional thing in the old days for remote was you proved yourself in the office and then they let you go home kind of as a reward. Again, that’s all very different now with COVID, but keep that stuff in mind. If you’re having trouble, it may be where you’re living and where you’re looking. The other thing I will tell you, one of the things that employers sometimes will be prejudiced against you when you’re applying for a job is if you’re not in their area. And what I mean by this is you’re applying for a job in D.C., and you’re willing to move to D.C. for that job if you get it. But they see right now that your address is Oklahoma, Kansas, California, whatever, and they’re thinking, well, this person’s going to have to put all his money into it, they’re going to have to move, they’re not ready to start right away, all those other problems.

If you know that you’re going to be moving to the X area, let’s say Washington, D.C. area, because there’s 8.2 quotient of jobs and you think you’re going to get your best shot there, what I recommend is go on to a site like anytimemailbox.com or one of these other virtual mailboxes, get a mailbox in that location or in the county right near it. You can get it for about $10 a month, they’ll pick up your mail for you, they’ll scan it and they’ll put it in your online account so you can see it. And then list that address as your address whenever you’re applying for a job. So if I’m applying for D.C., I should have a Virginia, Maryland, D.C. address. If not, you’re hurting yourself. And for $10 a month, it’s cheap insurance.

Kip Boyle:
Don’t lie and tell them that you’re already there, if you get an interview, but this is just one of those ways that you just sort of avoid getting screened out too early in the process.

Jason Dion:
Yep. Definitely. That’s all I have, Kip. Do you have any parting thoughts as well?

Kip Boyle:
I hope that people will find this idea will resonate with them and that they can go to cyberseek.org and they can start digging for themselves, where are the opportunities for me? Am I one of those people that just lives in a place where there just isn’t that much opportunity and I’ve been banging my head against the wall or whatever? So, hey, you should tell us, can you put this information to work for you? And if you have, what has it done for you? How has it helped? We’d love to hear from you.

Jason Dion:
Yeah. And with that said, I want to thank you for joining us for another episode of the Your Cyber Path podcast. We love doing this for you. We hope it’s valuable. If you enjoy the show, please take the time to leave a quick review for us over on iTunes. It really does help the show spread and let other people know about it. If you’re watching us on YouTube, feel free to share it with your friends. If you’re listening to it on the podcast, make sure you subscribe in your favorite podcast player so you never miss an episode. And other than that, we will see you next time.

Kip Boyle:
Thanks a lot, everybody.

YOUR HOST:

   Kip Boyle
    Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

   Jason Dion
    Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.
