In this episode, Kip and Jason, with special guest Deidre Diamond from CyberSN, talk about the current state of the cybersecurity industry with regard to hiring. CyberSN is a digital platform that aims to match potential employers with skilled candidates in order to help close the cybersecurity talent gap.
Deidre Diamond, the founder of CyberSN, has spent decades as a cybersecurity staffing and leadership expert. She is a passionate advocate for building diverse, multi-talented teams, and her company works hard to match the right candidates with their dream employers.
CyberSN is a platform that allows you to create an online profile that is used to instantly match you to potential cybersecurity jobs around the world that would be a good fit for you. Currently, CyberSN has over 100,000 active cybersecurity positions available as part of their platform.
CyberSN also created a unique cybersecurity role taxonomy to identify positions based on 45 different functional roles across 10 different categories. This taxonomy helps to ensure that the right candidates are being placed in the right positions for better long-term success.
Kip, Jason, and Deidre also explore the current state of the industry after the unique situations caused by the global pandemic. As Deidre points out, she has seen a growing upward trend in new cybersecurity roles, which demonstrates that employers are adding additional cybersecurity positions to their organizations.
These new roles are focused on leadership and education, which is a sign of a future increase in entry-level positions, since entry-level positions require more leadership/management and training than higher-level positions.
Another interesting trend noticed by CyberSN is that the salary gap between leadership and individual contributor roles has again shrunk, leading to similar pay ranges for both types of positions. This means that employees no longer have to move into management to receive higher pay. Instead, we are currently seeing both leadership and individual contributors breaking the $200,000/year mark in terms of their compensation packages.
Finally, we will cover the concept of recruitment of individuals into different cybersecurity positions and how the recruiters are compensated by your future employer when they place you in a role.
Kip Boyle:
Hi, welcome to Your Cyber Path. I’m Kip Boyle and I’m here with my cohost, Jason Dion. Hey, Jason.
Jason Dion:
Hey, Kip. How’s it going this week?
Kip Boyle:
It’s going really good. Did I tell you that a couple of months ago I sold my car. Did I tell you that story?
Jason Dion:
No.
Kip Boyle:
So I’ve got this car. I actually bought it as a company asset. Okay? And because I was just driving around all over the place, wearing my personal car out, and so I was like, “Okay, I need a company car. Put the miles on that.” So I had it for five years. And so I was like, “Okay, what am I going to do with this car now?” And the price of used cars has gone up quite a bit.
Jason Dion:
Oh, yeah.
Kip Boyle:
So I figured out that I could sell my five-year-old car for pretty much what I paid for it. Right? And so I was like, “Well, this makes total sense. This is good for a company and so forth.” So I listed it and then immediately I started feeling this apprehension and I was like, “What in the world is going on with me?” And I realized after reflection, I was like, “If I sell this car, this will be the first time since I started driving as a 15 and a half year old that I won’t have my own car, because I wasn’t planning on replacing it because I don’t drive anymore.” The pandemic and everything, I just don’t drive anymore.
So my use case just isn’t there. So I sold the car about two months ago and I just had this, again, this apprehension. I was like, “Oh, I hope I don’t end up regretting this.” I don’t regret it at all. I haven’t thought about that car a bit. So I was like, “Wow, really? I can’t believe I was able to give that up so easily.” After 40 years of Boyle addiction, I was able to [inaudible].
Jason Dion:
I actually did this a similar thing about three, four months ago when the used car prices were so high. I have a Tesla Model 3 or I had a Tesla Model 3 that I was running. I bought it back in 2018. I paid like $50,000 for it. And I started seeing the car prices raising and raising and raising. And so I actually shipped my car from Puerto Rico back to Florida, went to a dealer and gave it to them, and they gave me a check. I got almost the same $50,000 for that car after driving it and putting on 40,000 miles over four years. And I ended up not replacing it as well because like you, I’m a business owner. I work from home most of the time. And so for me, I don’t have to go very far. And my wife and I, we both work at the same company and we have an office, but we go there together.
Kip Boyle:
There you go.
Jason Dion:
We are now a one car family because we usually drive together everywhere. And so we just didn’t bother replacing it. But it’s just that weird thing, this whole supply and demand that happened because of the pandemic and shortage. And then the desire of fuel prices being so expensive, the electric car values went up. All that kind of stuff kind of went into this perfect storm where I was able to drive a car for four years and get all of my money back out of it.
Kip Boyle:
That never happens. It never happens. Crazy.
Jason Dion:
Yeah, it’s crazy. I know people who had minivans that they were able to sell for $10,000 over what they bought two years ago because the prices just went up. I see a lot of that in the cybersecurity world as well because we have this for qualified people that have experience and have the certifications and all that stuff. They’re so valuable because nobody wants to take an unproven asset that the prices have been going up on labor as well because of the supply-demand shortage. And I think we’re going to talk a little bit about this whole cybersecurity industry like we normally do, and today we actually have a special guest. So Kip, who do we have today?
Kip Boyle:
Right. Yeah. So this episode of Your Cyber Path, we have a guest, her name is Deidre Diamond. And I want to tell you a few things about Deidre. First of all, she’s super generous and this is not the first time that I’ve spoken with her. When I asked her, “Hey, do you want to be a guest on our podcast?” She gave this really enthusiastic, “Yes, please.” And so I was really excited. So she’s here. Now, let me tell you about her. She’s actually been working as a cybersecurity recruiter for quite some time. I’ll let her tell you a little bit more about that. She’s the founder and CEO of CyberSN. She’s the founder of a nonprofit called Secure Diversity. She’s the co-founder of Day of Shecurity, which we’ve sponsored before actually. And she’s a board member for the International Consortium of Minority Cybersecurity Professionals.
So she is just this tremendous leader in our space. What we want today to do is ask Deidre to give us some deep insights from this position that she has in the industry to help our audience. So Deidre, welcome to the show.
Deidre Diamond:
Yes. Thanks for having me. Thanks for everything you two are doing, you’re social servants. This is so important. It’s good to be here.
Kip Boyle:
This is great. Before we hit the record button today, we were chatting about all kinds of things and we were actually starting to do the show. So I was like, “Hold on. We better hit the record button so we could actually record this.” And one of the things we were talking about is how the cybersecurity career field has so many options. Most people don’t even know where all the options are. They just show up and go, “I want to be a pen tester because why? Well, that’s what we see in Hollywood and that’s what’s consuming all the news headlines.” But there’s so much more. But it’s so obscure and non-standard. So Deidre, how many types of cybersecurity jobs are there from what you are seeing? Could you give us some numbers or yeah. How do you describe that?
Deidre Diamond:
Yeah. I saw this eight years ago when I founded CyberSN so significantly that I either had to solve the problem or not have the business meaning cost of sale to make a match to a professional, to a job was so significant. So I set out to create the taxonomy of the common language coming from a background of understanding how to fill jobs. It’s all about really understanding the job and certainly the professional.
So today, we’ve gone through… Six years ago, Dom Glavach and Erik Ligda who came to CyberSN from government world of cyber to create this taxonomy and also to secure CyberSN because we hold great data started in the 20s. We’re now at 45 functional roles. We update every year across 10 categories. And I would say, not only do we have a challenge out in the marketplace still today with this in terms of everybody understanding how many roles there are, it’s also important for everybody to understand within each functional role, depending upon a company’s maturity and their security practice, what industry they’re in, the size of their company, what locations they’re located in around the world, even those one functional worlds of let’s say a security engineer could be 20 different profiles.
So this is the framework and then yet it gets deeper and deeper into the tasks and the projects associated with that persona, if you will. So it’s important and we’re loving it. We’re having fun giving this content. We have a free career center. It’s all there.
Kip Boyle:
Right. That’s what I wanted to ask you about is this sounds amazing, this taxonomy and you just answered my next question, which was how can people see this? So what’s your website address? So if somebody listening wants to check it out right now and stop listening to us… I think I shouldn’t even say this it’s too late. I said it. So Deidre, where would they go?
Deidre Diamond:
They would go to cybersn.com. And if they’re new to cyber completely, they auto register for new to cyber and yet use the free career center. If not new to cyber or transitioning from IT or software, we have a job matching platform for you and you should make a profile. We have all jobs posted in the last 45 days at cybersn.com and cybersecurity. In fact, yesterday we went over 100,000 for the first time.
Kip Boyle:
Wow.
Deidre Diamond:
It would’ve been in the 90s for almost nine months and now the market has increased that much. And so we will match your profile to those jobs so that you don’t have to do all that searching stuff. That being said, yes, there is salary data, roles and responsibility data as well as what is this job. And that’s why I love what you two are doing, taking that to the digital world, even at a greater capacity and excited to really have you two doing what you’re doing. It’s so-
Kip Boyle:
Well, thanks. Thanks. Does it cost anything for somebody listening in our audience right now to sign up?
Deidre Diamond:
No. And neither do my conferences. My Day of Shecurity conference is a free conference. Everything I do in terms of knowledge is free and it will be always.
Kip Boyle:
No wonder why we get along so well.
Deidre Diamond:
Yes. But I didn’t give away a car this last year. I think I might have acquired another one. So I feel like very guilty [inaudible].
Kip Boyle:
Well, I just wish I’d called you first. Right? Hey, if you’re in the market for another car, great.
Deidre Diamond:
[inaudible]
Kip Boyle:
I got one. Jason’s got one.
Jason Dion:
Not anymore. Mine’s gone.
Kip Boyle:
Yeah. Well, not anymore. Yeah.
Deidre Diamond:
Oh my gosh. It’s so funny.
Jason Dion:
Deidre, so for you guys at CyberSN, you also have this recruiting capability so people can search your site, they can find these jobs. I’m assuming you guys help them with the recruiting and the placement aspect as well. One of the questions I always get from people who’ve never used a recruiter before is how does a recruiter get paid? Do I have to pay them for this service, right? In your business model, is it the company that’s paying you or is it the candidate that’s paying you?
Deidre Diamond:
Yes. My whole career has always been that the organization, the employer pays the fee. How recruiters are paid on the outside from an agency perspective is part of why we have a broken system out there is that… And what everybody should know is that most agencies are what’s called contingency based workers, which means they work for free and they only make money if the company hires somebody. And by the way, if that person stays 90 days, so they have to do all the work.
So I came up in that world and as I’ve gotten a lot older over the last 30 years, I realized that, how awful that is for us all because it really just takes the seriousness out of it, takes the focus out of it and then breeds this weird competition piece. And this is like where the grossness comes in. So yes, free and working with recruiters, if you don’t have experience is probably, they’re not going to be available for you. It’s why we’re developing this whole platform for new to cyber and why I have the free career center, because so many people need help and yet employers aren’t paying for the service of finding new to cyber.
So that’s why recruiters probably don’t respond to a lot of folks in new to cyber. And overall it’s the number one challenge is responding to everybody. I mean, even at agency where my people are petrified of not responding of what might happen to them from CyberSN, still we have to constantly think, how can we do this? How can we respond to everybody? Just yesterday I was in a meeting about how we can get better messaging to help people understand why we’re not able to even respond all the time.
Kip Boyle:
And the people who need the most help are the ones you’re struggling to respond to.
Deidre Diamond:
Yeah.
Jason Dion:
Yeah. I totally relate to that. That’s one of the reasons why I joined up with Kip and started doing this podcast with him was I teach a lot of cybersecurity certifications and I’ve got over 500,000 students. And they say, “How do I get a job in cyber? How do I get this job? How do I get that job?” I’m like, “I, as one person, can’t answer 500,000 people.” And that’s why the reason we do the podcast, because it becomes this one to many where Kip and I compare a lot of good information, give you tips and tricks.
Now, it’s not customized to you individually, but it does help people in general or lots of lots of people at once. And that becomes the big challenge. I think that’s one of the things you guys at CyberSN are trying to solve is how do you scale that relationship and that placement opportunity?
Deidre Diamond:
Right. Or eliminate it. I want to eliminate it. It’s ridiculous that it even exists. Right? And so I think for me, I see it in the taxonomy because the taxonomy is a living, breathing information set. In fact, we’re most likely open source it here soon to say pay education institutes. Here’s what the jobs tasks and projects are. This is what literally employers need done. Not a title, not a wishlist of what I think this person should have on their resume. It’s about the tasks and the projects that an employer needs completed.
We’re up to date in real time with that data, which is what my platform does. Then we can get ahead of ourselves instead of constantly being behind, which is what where we’re at today.
Kip Boyle:
Oh, you’re playing into our narrative. I don’t know if you realize it, Deidre, but you’re playing right into our narrative. Because we tell people all the time when they come to us and ask for like, oh, anything. It could be like, “How should I write my resume? Which certifications should I get? What kind of training do I need and so forth?” And we’re like, “Have you looked at the job descriptions?” “Well, no.” Well that’s the one source of truth. Right? You have to go look at the job descriptions and you have to do a little homework because you got to know what industry do you want to work in? What size of company would you like to work for? And a job title.
If you can just get those three things nailed down at least temporarily, then you can go do the job posting search and then you can find out what the answers are. So thank you for saying essentially that. Now, I want to ask you, what are the top jobs in terms of… What’s most available and what are most people searching for? Is that lined up really well? Is there a mismatch? What are you seeing?
Deidre Diamond:
Well, yeah, I mean, we definitely have a shortage everywhere. The roles that in the last year have come to be more significant are some obvious, some not so obvious. So cloud security, super obvious where that’s gone and we’re seeing that. Product security, super obvious. That’s going because of compliance and regulations. And then what was great surprise and just welcomed is these two roles which are director level security, operations or GRC, or anything director level, which implies that we’re finally building teams and that’s exactly what happened.
We saw the title uptick before we saw the actual, “Hey, we’re building a team. We’re going to give you five roles instead of one role. Two roles every year.” Meanwhile IT and software is hiring hundreds and thousands. It’s wild. And then we also saw a huge uptick coming into the year in education roles, right?
So these signs say… And I can see signs of recessions too, so we can talk about that. I mean, talent, we see it before anybody sees it. I’ve been 30 years playing that game. But anyhow, that uptick is really inspiring because for the last eight years since I decided to found CyberSN I have been shocked at how little investment in people is being done in security comparative to functional roles that are either similarly important or maybe less important, depending on who you’re talking to. For me, it’s less. So we must solve this and yet, I’m seeing some uptick in investment.
Kip Boyle:
Interesting. Interesting.
Jason Dion:
So when we talk about these different type of roles that you have, there’s obviously different pay bands, right? So you mentioned three big types of roles, I heard you talk about. One was the director, the team leads. One was kind of the people working on those teams. And then you talked about this newer field of the education and training. When you look at those three type of roles, what are kind of the typical pay bands and experience level the people who are going into those roles?
Deidre Diamond:
Yeah. So this is the year where we’re seeing the base salaries break the twos, or both individual contributors and managers. In fact, the salaries aren’t that different we’re starting to see, which makes sense and is respectable. This isn’t gods over gods. I prefer not to see that. And so it’s roles and responsibilities and who’s going to be good at it. Do you want to care for people or do you not want to care for people? Do you want to stay so close to this lane that you don’t have time to care for people or are you open to taking some of that back?
So over the twos, round the twos for experienced engineers and management level, director level, round that number two could be a little less, could be a little bit more depending on the bonus structures. There’s a total call piece to all of this that salaries vary because of whether companies have stock options or bonuses or pensions, or what have you, or sign on bonuses. So that’s about the average number that you’ll see give or take 10, 15,000 up or down.
Kip Boyle:
Yeah. Okay.
Jason Dion:
So before I let Kip jump in here, I just want to say that’s one of the things that I actually love to hear. I will tell you, for 20 years I love being a technician, but in my 20-year career, it was always, “Hey, if you want to hit the next pay band, you’ve got to go into management. You’ve got to go become a director.” And I’ve done those jobs. I’ve been a manager of a team. I’ve been leads at pen test teams. I’ve been an IT director. And to get to the higher level, you had to go into those management type roles. And it always seemed kind of, I guess, strange to me that we want to take our best technicians and make the managers where they never touch tech, right? And the techs do that because they want to increase their salary for their families, things like that.
And it’s refreshing to see that companies are starting to realize like, “Hey, there are two different skill sets. And just because you’re a great technician, doesn’t mean you’re going to be a great manager.” I know people who are great managers who are horrible technicians. One of the best managers I ever had was actually a horrible technician. But he led a team of very technical folks because he relied on us as the technicians to do those jobs.
In that particular organization, he got paid more because he was the manager. And kind of silly because you have a hard time retaining that engineering talent because they’re leaving to go to become a manager to make more money. So it is for me refreshing to hear that. Kip, I’m sorry, I cut you off.
Kip Boyle:
Oh, not a problem. I think that was a great point. I wasn’t even thinking about that. But what I was thinking about was, Deidre, I didn’t hear you talk about so-called entry level or new people to the career and what their pay bands are. Do you have any insights on that?
Deidre Diamond:
Yeah. So a couple things there for those new to cyber, where A, getting in is at and where most of the money is at is any company where you are seen as a revenue generator. Focus on that. So that’s managed service providers, consulting firm. Anything that’s service based as the company that you’re working for, you’re now revenue. If you’re in the InfoSec team, you’re not. If you’re in the services, if you will, or the spot supporting these organizations, then you’re going to find a lot easier to get in and better pay.
That being said new to cyber is anywhere between 50 and 80, depends on where you came from. What do you have in your background? And then I would also say that if you’re new to cyber, but you come from IT or you come from software, you do not have to take a salary cut. You are absolutely qualified for many, many jobs. You have to recognize that you have already had security experience. You just didn’t know it. And then you just need to learn that and then go to these interviews, speaking that, and you’ll be good, and most likely get raises. So yeah, it’s a little bit all over the place for new to cyber only because where one came from will make an impact on that dollar.
Kip Boyle:
Yeah. But that’s really great because it’s encouraging, right, Jason, because I can come in at 50 to 80, but I know that there’s so much opportunity for more.
Jason Dion:
Oh yeah. And the other thing there that she just spoke about was the fact that when you’re going into revenue generating versus cost, and we’ve talked about this before. In a lot of organizations, let’s say, you’re going to go work for, I don’t know, big insurance company, State Farm, you are a cost to them if you’re working in cybersecurity. You’re not making them money. You’re preventing their losses and things like that. But if you go work for a managed service provider, for instance, somebody who runs a service operation center that then takes on work from other places because they’re an outsource provider for small businesses, medium size business, whatever, you are generating revenue because if your eye is on glass for five companies, that’s five companies that are paying your MSP and that’s therefore paying your salary.
So it is a big difference when you realize that. And so as a new person where should you be looking? You should be looking for those MSPs, those soft positions, those SOC analyst positions outside of a traditional company that are doing these services, because that’s where you’re going to be making the money instead of costing them money. That’s important to think about as well.
Kip Boyle:
Yeah. It’s a little difficult to see this, but I want to point out one other possibility too on this theme. I think some of the very best security executives see this and work really hard to get their internal teams to be seen as sales enablers. And when they can do that, it doesn’t mean that their team is generating revenue, but it means their team is shortening the sales cycle. It means their team is clearing obstacles for the sales staff. And all of a sudden your internal equity, your political capital just goes through the roof. And it’s easier at that point to give people more money. The work is more interesting to do.
So if you don’t want to work for a consulting company or an MSP or something like that, try to find a security executive who thinks this way and get on their team. And then you’ll have maybe the best of both worlds. But, Deidre, that’s really great, really insightful.
Deidre Diamond:
I would add to that security software companies might be where you find both, right? Because they have selling software and the security team helps them sell the software. Now, there’s always sales engineers, security sales engineers that were usually practitioners that realize they can make more money in sales. Or they just enjoyed the sales role. One or the other. And so maybe that’s where best of the both worlds is.
Kip Boyle:
Thank you. Yeah, that’s another great idea.
Jason Dion:
I know on the podcast before I’ve mentioned, I have a friend who works for Splunk and when he works for Splunk, they work in pairs. There’s a sales engineer and there’s a salesman, and they work together. Or salesperson, excuse me. And they work together. He started as a salesperson and then he picked up the skills to become the sales engineer because he also had interest in cybersecurity and that’s kind of how his interest in the cybersecurity happened. But because of that, Splunk is a security solution. They are a security software. And so that’s why you can get into that without… You may not have security experience, but that’s a good way to enter the field as well.
And the other thing that Deidre just talked about was transferable skills. I know Kip and I talked about this a lot, wherever you came from, you’ve got some skills, no matter what you did. If you worked in marketing, accounting, bookkeeping, sales, whatever, you have skills. Now, you may not have the cyber background, but you have those skills. And so if you compare that, like Deidre just said with some cyber language that you can speak to, so maybe you get your security plus, now you have a basic foundation in security and you have this previous transferable skills, you put those together and that may help you get into a job.
The other thing we wanted to talk about, and I think you’re a great person to ask this to, Deidre, is career progression. So let’s say you start out, you got one of those 50 to $80,000 year jobs. You’re brand new into cybersecurity. You maybe you got a job at a SOC working as a security analyst, as a junior security analyst, what does that career progression look like to go from that 50 to 80 to that 200 number you’re just talking about because that 200 sounds great.
Deidre Diamond:
Yeah. Well, the cool thing is that it doesn’t have to take that long, that jump from that 50 to 80 to the 200s is probably five years, could be three, depending on how eager and aggressive one wants to be for sure. In our career center we just launched some really cool graphics in each job card that says, “Here’s the feeder role to this role. And then here’s where you can go from this role to these roles.”
So I really encourage people to look at that. And majority of people start in the analyst role. I mean, that’s just very common place and make sense. It’s sort of an operations overall perspective, see whatever all the seniors do type of stuff. But from there, there’s some pretty neat things that… Options that people have and you have to make that decision.
Eventually you hit a fork if you want to make that 200 where you’ve got to choose a specialty, if you will. And so you can see that graphically in the job cards, which is really nice. It’s important because picking matters, I mean, so many people regret not picking things correctly and that’s why it’s just what you all are doing. What we’re doing is so important. We can avoid all of that because ultimately who cares if we get a job and we don’t like it? I shouldn’t say who cares, because we need to put a roof and food in our mouth. But other than that, it’s a miserable thing if we don’t like it.
Jason Dion:
Oh, yeah.
Kip Boyle:
Yeah. I mean, we spend 160 hours a month, right? Every week we have 168 hours and we spend 40 or 50 hours either driving to work or being at work. And so you don’t want to be some place where you’re spending a third of your time in a miserable environment too. So I think that’s important. And one of the things I think I just heard you say that I hear a lot in the online business space as well is we were talking about the saying the riches are in the niches. And it’s true, right? Even in cybersecurity, once you specialize, that’s where those big numbers come because you become that person who can do that specialized thing, whereas you’re not a generalist anymore. And that’s why we pay electricians a lot more than we pay a handyman because a handyman or a handy person does everything generally. And they can do a little of everything, but they can’t do anything exceptionally well. Whereas you go to an electrician or a plumber, you’re paying those specialist rates in those fields. And the same thing happens in cybersecurity.
Deidre Diamond:
Or they may not be able to even do it. I wish my handy person could do a electrician. I just moved this week. Yesterday, today, couple days I’ve been moving, so I wish. That’s exactly right. That’s where the money is. I like that phrase. I’ve never heard that.
Kip Boyle:
Well, and doctors, right? That’s you don’t have as many general practitioners because doctors have already figured that out and they’re all becoming specialists, right? I’ve read out of medical school. So I’m just keeping my eye on the time and I know we could talk for a lot longer than the amount of time that we set aside. But there’s a couple more things that I know we want to get to. So one thing is around your advice. Now, Deidre, you’ve given a lot of advice already and if we stop this episode right now, I think people would be super, super satisfied. But what is there anything else that you would say as far as job searching both for the professional who would like to get a different job and then any advice for the hiring manager?
Deidre Diamond:
Yeah, absolutely. So advice for new to cyber or not new to cyber, unless it’s a CyberSN taxonomy job, you have no idea if that job description is truly the job description. Because unfortunately people are cutting and pasting or using an old job description and just throwing it over the fence or whatever the thing is, it’s not, the job description I can tell you that comes to us is not the job description that we end up posting.
So respond until I have every job in my taxonomy and people don’t have to work it, you got to respond because you don’t know. So that’s my biggest advice. And for the hiring managers, you have to have a partner like us. And if you don’t, you will chase your tail and you will not be able to fill your roles and keep people, because there’s just so much more to it. This whole career support, this whole career conversation, selling your roles with that in mind and supporting the hiring managers to have that conversation. They’re not experts in every functional role and how to support everybody they hire. And so I’ve just watched for the last eight years, our retention rates from our placements are four times higher than the market.
I published that data last year. It’s mind-blowingly wonderful for me and us. And yet I know why it exists. First, everybody’s on the same page of what the damn job is. We knew that. Number two is that there’s this whole career support conversation and that we make the client the hiring organization do before we even start. Otherwise, what are we doing? Nobody’s just going to come because we called them. We have to sell a great opportunity and career opportunities is the only thing that makes a great opportunity.
So I would say get yourself the right partner and recognize that you have to sell a story and you have to really fulfill what you’re selling. And so that requires effort. And partnerships with people that are intelligent and know how to support that conversation.
Kip Boyle:
Yeah. So as I listen to you talk, what I’m imagining in my head is I’m seeing Deidre building a bridge over this yawning chasm where hiring managers don’t understand everybody they’re trying to hire and the positions they’re trying to hire for. And people who are searching for a great job and a great boss don’t necessarily know how to find those people. And so they’re all staring into the void and here you are saying let me give you a way to meet in the middle.
Deidre Diamond:
Yes. Like the dating apps did, by the way. They transformed like happiness rates and relationships, marriage rates of success.
Kip Boyle:
When can I swipe left on my next cyber?
Deidre Diamond:
You can find it against the swipe left [inaudible] and yet it’s exactly that. No, shouldn’t have to waste time looking at that job description onto your phone. That’s true today in our job descriptions that you know in a phone’s view and whether you’re qualified and interested. So yes, like that. Or like Uber and Lyft. Everybody just has been living with the problem of taxis and how hard it was to deal with that life of waving our hand to get a ride in the snow, in the rain, or in a place where they know aren’t even existing. And here’s comes Uber and Lyft and how awesome. Right? But nobody in that business was trying to solve that problem. And I could tell you, my staffing peers are not trying to solve this problem.
Kip Boyle:
Interesting. So you’re a real innovator in the work that you do. And that was my sense when we met and one of the reasons why I said to Jason we need to get Deidre on the podcast here.
Jason Dion:
Since we have Deidre, I’m going to ask a couple. I have three questions that always come up that I would love to have your perspective on because you live and breathe this job market, before we move into the wider industry. So a couple of quick questions for y’all kind of do rapid fire here. First one, we talked about salaries. We talked about salaries, we talked about positions and trying to break in. Have you noticed that there is particular locations that are better or worse?
I know we’ve talked before. If we’re trying to get a job in Kansas or Oklahoma versus DC or San Francisco, obviously, it’s easier in DC or San Francisco. There’s a lot more companies there. But is there any other trends you’ve been seeing from a location perspective?
Deidre Diamond:
Yeah. In fact, yesterday I was on with the product team and they were like, “God, this location thing in the last two years is driving us crazy.” Two years ago, so different than today. Today, it’s literally, “Look, if you’re not doing remote, you’re not filling your roles. Or if you do fill your roles, it’s going to take you 10 times longer. And if you make more than one or few of those roles, not remote, you’re certainly not going to have a successful practice.”
But now employers don’t want to hear that and they still try to do what they try to do. And yet now what’s happening is… So it’s remote. You got to come in the office once a week or three times a month, or whatever it is, some hybrid thing. And also by the way, remote means now a time zone. So I have to do all this product work. Right? So now it’s a time zone too. But you got to be on the East Coast. While I don’t see any trend of like back to office, what’s happening is it’s really just, who wouldn’t want somebody on the same time zone and who wouldn’t want to see their teammates once in a while or some sort of hybrid?
I think that’s sort of more of what the… Not who, but more of the majority wants that. So there isn’t a lot of pushback, it’s just adds another complexity to what’s this… I don’t know that until I go talk to somebody, unless you’re dealing with CyberSN where we know that’s just adding more churn because these job postings say remote, but they’re truly not remote. And that’s what’s bothering people. We’re posting now East Coast time zone, and we’re putting it in the taxonomy actually. So that’s that. That’s where we’re at today.
Kip Boyle:
Fascinating.
Jason Dion:
We’re seeing a price difference. So I know before if I was getting hired at a job in San Francisco, I would be being paid San Francisco wages. And then with this whole work from home thing, I could work from Kansas and still make San Francisco wages. I know Kip and I have had this discussion before. I’ve seen where that’s kind of drop wages some places. He’s seen where everybody’s kind of going up to the San Francisco wage. What are you seeing?
Deidre Diamond:
Yeah. I would say there’s very few trying to not pay the wage that they were making. They try or they think they’re going to do that. Again, you can onesie-twosie that stuff. There’s nothing there for scale. The demand is just too high. The minute you do that, somebody is going to grab that person. They’re going to put an InMail or some sort of message to them and they’re going to put a salary amount in that message. And that’s it. It’s over. So you might get them, but you’re not going to retain them.
Kip Boyle:
Right. And retention is huge. It is something that hiring managers don’t often think about. They take retention for granted. I talk about this in our hiring handbook, the open source project that I’ve mentioned before that retention is an important part of the life cycle. And people get retained for reasons that hiring managers don’t intuitively understand right off the bat, which is ironic because at one point they were individual contributors and they wanted the same things, but they become a manager and it’s like, they get a lobotomy and they forget what it’s like. [inaudible] But anyway.
Jason Dion:
The other question I had for you was about career progression, right? So I know in the old days when my grandpa was roaming the earth. He was, you get a job at a company, you worked there for 40 years and you worked your way up and you went from that entry level to that director position. Are you seeing people still doing that in cyber or are you seeing more that when you want to get those… You talked about three to five years to get to that 200,000. Are they having to jump to a different position at a different company to make those larger jumps? Or are they able to do that in the same position? Because in my experience I’ve seen it as a company, especially as a business owner, if I hired you on for 50,000 a year, I’m going to have a hard time in the next five years justifying that you’re now worth 200 when I just paid you 50 two years ago, right, or three years ago. But if you left the company and they went someplace else, you’d probably get a quicker pay raise. What’s your perspective on that?
Deidre Diamond:
Yeah. I think that most people are still moving to get it only because companies are now… So before they didn’t want to do it because they didn’t want to pay it, now they know they need to pay it, but they have the Equal Pay Act. And the Equal Pay Act says you need to pay everybody the same no matter what. And so that kind of wonderfulness came out of the Equal Pay Act by the way. But also the disruption piece is this, “How do I counter somebody? How do I move quickly? If I’ve got to do everybody?”
Well, the answer is you don’t. So you’re either compliant or you’re not compliant. So the big companies are not… That’s just going to continue. You’re going to have to leave if you’re in the big companies. All our companies, I still see the same thing. They’re not, like you said, who wants to go from 50 or 80 to 200 in five years? And I’d say some of them are, and most of them are not because we have retention issues overall even in the C-suite. If you think about it, the C-suite is moving every 12 to 18 months. And that means they’re interviewing for a year because that’s how hard it is for those people to find. So who’s really committed to the team and making all of this happen anyways? Go fighting with HR and CFO, and everybody else to get the… So there’s no… We’re not even capable of doing that.
Kip Boyle:
Oh my gosh, the dysfunction is just oozing out of people’s speakers right now as the more we talk about this. It’s like some slime from a Ghostbusters movie.
Jason Dion:
And then my last question, then I’ll let Kip go back to the talking points. Sorry. The last one that always comes up is when people are looking for employees, they’re looking for certifications, degrees and experience, where are you seeing the preference on those three or which one is most important? I know all are important, but the other ones that may hold more weight.
Deidre Diamond:
Yeah. Here’s what I say to everybody is that if you truly have the experience for the job that somebody wants to hire for, they don’t care about degree or certifications. That doesn’t mean that somebody that has degrees in certifications won’t get called before you, they will. They will, because we’ve been conditioned as society that that’s better. And that’s how your recruiters think and that’s how people think. The good news is there’s a shortage. So as long as you’re willing to pound the pavement, it won’t matter.
And then this country and this world values education economically, and that hasn’t changed yet. And until that changes, we have to be very careful about saying it doesn’t matter. So while I wish it didn’t because there’s a financial barrier to it that’s right and not humane, it is reality.
Jason Dion:
Yeah. What I’ve usually seen is that certifications help you get through the HR filters. So you at least can get into the pile for consideration. Degrees in my experience tend to help establish where on that 50 to 80 on that entry level you’re going to be. If you don’t have a degree, you tend to be at the lower side. If you do, you tend to be on the higher side because they’re compensating you for the time and effort and money that costs you to get that degree. But really experience trumps everything.
I’ve even seen people with experience that have trouble getting a job because they don’t have that certification. And the job posting says must have security plus, and they’re just not making it through the filter into any… A same person go, “This guy’s got 20 years of experience or this gal has 20 years of experience. I’m going to hire them.” But they don’t ever make it in front of a hiring manager because they don’t have that keyword because they didn’t get that one $300 certification or something like that. So that’s where I’ve seen those three. So I appreciate your perspective on that.
Deidre Diamond:
Yeah.
Jason Dion:
And I know that the last thing we wanted to talk about was the DEI cybersecurity industry. What is DEI?
Deidre Diamond:
Yeah. I know, right? Diversity, equity, inclusion. They’re actually backwards. If we have inclusion, then we can have equity and then we can have diversity. And so while this conversation has been brought to light for what’s deemed minorities, women or genders that are not deemed male and also race and nationality, really, the solution benefits everybody. And we just said that the C-suites moving jobs every 12 to 18 months. While that doesn’t happen because people are enjoying each other.
And so these inclusive environments don’t exist for anybody. As far as I’m concerned, I feel like an alien. I worked for the same two serial entrepreneurial men for 21 years. They hired me out of college. I worked three different companies for them and, of course, founded my own company. And we all stick together. I have people that just had their eight-year anniversary, seven years, six years, five years. In fact, we went to [inaudible] last weekend to celebrate them all.
I come from that. That’s all I know. It’s how to stick together, how to be together, emotional intelligence. A lot of empathy and yet super successful. Accountability and delivering companies that are billion dollars in public companies. It doesn’t have to be one or the other. And so because that’s not the norm, we need this message to stop being just focused on genders and races and be more focused on how we interact with each other. Emotional intelligence skills. Because that then can bring diversity in and we will not succeed if we don’t have diversity because it’s 40% of the population or in terms of ethnicity, and then it’s 50% in terms of gender. What are we doing? So who’s left? We’ll be very alone if we don’t.
Kip Boyle:
Yeah. Well, unfortunately it’s a very politically divisive issue, right? Because people think that it’s about quotas. There’s a lot of fear, right? There’s a lot of fear. There’s a lot of posturing. I mean, this is a really difficult thing. If I may, I just want to share as a hiring manager how I see this is I see it as diversity of thought primarily, right? I want a team of people who don’t all think exactly the same way I do. And what I’ve noticed is that a way to get that diversity of thought is to think about people’s backgrounds. And what socioeconomic experiences have they had? What cultural experiences have they had? How old are they? Right?
So in my company, for example, I’m a Gen X’er. We have a boomer, we have a millennial, we have a Gen Z, and just the other day, we had the fun of clashing intergenerational values on display. It was very stressful. Right? So sometimes it does turn into this difficult thing. So I would say that you need a lot of emotional maturity, if you’re going to work in a diverse, equitable and inclusive environment. Because everybody doesn’t have the exact same value system, clash is inevitable. How you handle that clash is going to determine whether or not you can keep this team together.
Deidre Diamond:
Yeah. You know what, really well said. In fact, this is the conversation we need to have more of because people are genuinely going out and being genuine about wanting to hire diversity and then hiring diversity and meeting lots of what you said clashes. And I’m learning still today too. It’s that difficult. And if somebody, of course has a large operation and does the same thing. And so if I even get challenged by it, I can’t even imagine. I know what’s happening to the rest of the world.
Kip Boyle:
Yeah.
Deidre Diamond:
So we have to take this seriously and invest in emotional intelligence, communication skills training that is continuous. It isn’t this what type course that you send everybody off to.
Kip Boyle:
Right. The box, done.
Deidre Diamond:
Yeah.
Jason Dion:
[inaudible]
Kip Boyle:
That’s right.
Deidre Diamond:
Don’t offend anybody else ever again or-
Kip Boyle:
I’m going to put my DEI badge on right here now. I DEI’d.
Deidre Diamond:
Yeah.
Kip Boyle:
Well, Deidre, this has been fantastic. We’re out of time, which is unfortunate. But that means that you’re going to have to come back at some point and we’re going to have to continue this conversation because it’s been great. I hope our audience has enjoyed it. Any last words, Jason, before you wrap it up?
Jason Dion:
No, I just think that Deidre has done an amazing job of sharing what the industry looks like, what career progression looks like, what is important to employers as well as people trying to break into the industry and people in senior positions. I’m pretty knowledgeable about the industry, but I still picked up a couple of key things here such as the directors and the individual contributors, both making the same amount at a lot of companies now, which I think is a welcome change. And the change in DEI and the focus that we’re having is definitely amazing.
So I want to thank Deidre for coming out here. I want to recommend everybody check out CyberSN. That’s Cyber S as in Sam, N as in Nancy dot com. Also, you can check out the hiring handbook and we’ll have links to all of this in the show notes at yourcyberpath.com/episode78.
Kip Boyle:
78 is what I got too.
Jason Dion:
I got it wrong last week though.
Kip Boyle:
You did.
Jason Dion:
yourcyberpath.com/78. We’ll have all the episode notes. And the other thing I wanted to point out is Deidre had mentioned the different positions and we talked about there’s 45 different positions in her taxonomy. Kip and former cohost West head back in episode 31, did a whole series for about 10 or 14 episodes that went through all the different positions in a cybersecurity workforce. So if you want to check that out, you can do that at yourcyberpath.com/31. And again, that’s just a great way to start learning about these different jobs and seeing which job would fit you and your personality. And we interviewed people who are in those positions, so you can figure out what people like about their jobs, what they don’t like about their job, what the average day looks like, what a task looks like.
You can get an idea as you’re moving into this field of where do I want to be? And it’s not just about being a pen tester. There’s all sorts of different jobs that touch cybersecurity. And by going through those, you’ll really be able to learn a lot about this industry. So with that said, I want to thank you for listening to yet another episode of Your Cyber Path and we’ll see you next time.
Kip Boyle:
See you. Bye, everybody.
Deidre Diamond:
Bye-bye.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.