Hiring The Future: Filling the Gap in Cybersecurity | Navigator Series By: Alana Walker March 20, 2024 Estimated reading time: 39 minutes. Note: This episode of the Navigator is better if heard. If you are able, we encourage you to listen to the audio as the text may contain errors due to the hard-to-follow nature of a complex discussion. The transcript was generated using a mix of speech recognition software and human editors, and can only be edited to a certain degree without losing the nature and the meaning of the conversation. Please check the audio before quoting in print. Welcome to the Navigator Series presented by Lighthouse Labs. In this episode, CEO Jeremy Shaki sits down with two cybersecurity experts, Penny Longman and Michaela Clouston. They discuss the future of cybersecurity in Canada and how leaders can help fill the current employment gap by fostering growth and considering the crucial role of soft skills. Enjoy. Or listen to the podcast. Jeremy: Hi, my name is Jeremy Shaki, co-founder and CEO of Lighthouse Labs. I'd like to welcome you to the Navigator Series; a series of panels featuring leaders in cybersecurity and data from across Canada discussing their tech journey, what's impacting their current job market, and what to expect from the future of work. Our session today is titled Hiring the Future, where we're going to discuss what it takes to get hired in the current tech landscape and how non-technical expertise and diverse backgrounds can help connect employers with the right candidates. When you're ready, let's dive in. Jeremy: Today, I'm joined by two amazing leaders in the Canadian tech scene. Starting at the far end, we have Penny Longman, the Director of Information Security for the Fraser Health Authority. Welcome, Penny. Penny: Thank you. Happy to be here. Jeremy: And joining Penny is Michaela Clouston, our manager of Enterprise Security Education at the Financial Crimes Unit at BMO. Welcome, Michaela. Michaela: Thanks for having me, Jeremy. Jeremy: So we have a lot to cover today. I'm excited to have you both here. Let's dive right into it. Michaela, you have an amazing journey. You have some really interesting stuff that got you into this space; a non-traditional path. Why don't you tell everyone a little bit about what you do now and how you got into it? Michaela: Yeah, for sure. So, I mean, my background, I went to school for criminology and sociology, so it's an arts degree, not necessarily the technical background that most people have, I'd say. But then I moved straight out of school and went into a physical security job, and I worked within that area for quite a few years. I did operations work. I did intelligence work. And then I also did some analytics as well. And then I shifted from the physical security realm into the cybersecurity area that I’m in now, which is enterprise security education. And that's essentially teaching employees how to be secure in their everyday behaviors. Jeremy: So. Okay. So like, fix your password every single day. Michaela: Don't click on the emails. Please don't click on it. Don't do it. Jeremy: It's not coming from anyone inside the company. Michaela: Exactly. Okay. Jeremy: And did you feel — do you feel like there's a lot of skills that transferred from the physical security side to the cybersecurity side? Michaela: Yeah, I would say a lot of the foundational skills that I got, the theories behind it. So, I mean, understanding criminal behaviour, trying to anticipate their next move, investigations; there are really a lot of different elements and skills that I was able to transfer into my current role now. Jeremy: Okay. I love it. And we'll come back to that. And speaking of untraditional paths, we have Penny here who has an equally untraditional path from the beginning. Maybe tell a little bit about what you do. And same thing: how are you up to this space? Penny: Yeah. So I'm the Director of Information Security at Fraser Health, which is one large health delivery organization in the Vancouver area, British Columbia. And my role is essentially overseeing the majority of the cybersecurity work within the health authority. So I've been there for about three years. And before that I had sort of a ten year career in sort of heading up I.T. in a much smaller organization. And I kind of got into security because we had a couple of breaches, and I found it really kind of exciting and more ransomware incidents, actually. So that's kind of how I moved from I.T. and to security. But, you know, I have a previous life as a vegetation ecologist and have worked in don't and computer training before. So quite a circuitous and varied path to get there. And, you know, I think you're going to ask the same question about Michaela. And absolutely, the variety of skills and experiences that I've had have made me much more successful at my role, in part because I've been a customer and a client of I.T. and security. So I have a real feel for what it's like on the other side and that ability to have that business perspective on it. What is the impact of the decisions you are making on the people trying to actually do work or in our case, actually save lives? You know, really kind of gives you a maturity to your outlook in the work that we do. Jeremy: I love that. And when you I mean, this is to both you, but I'll start with you, Penny. You know, you move over, you make this transition; you obviously have both professional experience before ever getting into cyber, something I've noticed quite common with a lot of people. Talk to me about that moment where, like, how does that moment happen: where you decide to go towards cyber? Was it somebody doing something for you? Was it just you went to school and you enrolled in skills training? Like how do you take that leap? And then where are you getting those skills? Penny: So for me, like I said, it was running I.T. for a sort of medium sized private sector organization. And I still remember I was sitting in my little red car and got the call that we had been in ransom, had a ransomware incident, and it was kind of like, oh! And at that point I was involved a certain amount in the security side of it. We had outsourced all of our I.T. to a provider. And I just remember that feeling was like, how do we do now? And the service provider, they sort of a breach coach and kind of walked me through it. And even though it was terrifying and we were actually more well prepared than we thought. So we actually got up and running very quickly. But I just found the whole experience frighteningly exhilarating, you know, because but also just it was like, okay, it was people skills. Like who do I tell first? How do I tell them? What do we tell them? What is the technical side: we can do this, we get to do this, what do you think, Penny? And I'm like, okay, you know, I don't know, but I know who I need to ask. So it was just that the perspective of those 17 things happening, all the support that you need and just being able to move through and then come to sort of, you know, get the organization back up and running and then spend three weeks fixing everything in the background. But I was just kind of like I was like, it was kind of fun, sort of, you know? And that just got really interesting to me because there were so many different aspects. It wasn't just technical, it was people, it was business. It was, you know, enjoying that, that sort of the bit of the thrill. Hate to say thrill because it's a terrible thing, but it is a little bit of a thrill. Jeremy: Were you surprised at yourself that you didn't wilt and that instead you kind of were exhilarated by it? Like, was that a surprise for you or could you have called that? Penny: So I have actually been towing a trailer on a mine road and had the flat tire with these great big mining trucks going by. So I have to say, it wasn't the scariest thing in my life. But that goes back to the topic around these previous skills that you bring. You know, that I weathered that. Is this good? Yes, it's scary and it's different. But I've got this other skill set of things that I've weathered that is, you know, giving me a little bit of confidence. I guess I can weather this too. Jeremy: Love that. And Michaela, for you, how does it happen that you make that decision to jump from physical security to cybersecurity? Where did you pick up the skills? Like talk me through that a little bit. Michaela: Yeah, it's funny that Penny mentioned sort of that fast paced environment. So I think honestly, that's where I really got the bug. So yeah, with physical security, don't get me wrong, it was really busy. It was fast paced, but it was just also the evolution of the technology within cybersecurity and how fast that was also going. The environment of like, learning constantly: I think that's just sort of a personality trait I have. I really love to learn. And so for me it just felt like a perfect fit. So I think getting into the industry, what really was that lightbulb moment was just meeting the people there and having some mentors in that space. I was in physical security, but I had some mentors that were cybersecurity focused and so, making them being able to make those connections to, hey, this is my current experience and — wow, there's actually some similarities or some skills that I'm currently using and I can use them in this different space and learn even more. I mean, that's perfect for me. Jeremy: I love that. And I think I think, Penny, you kind of said it, but you just alluded to it as well. A lot of people think of cybersecurity as like a set of very specific technical skills when in fact it's truly understanding of business and so many different points of thought that you have to have when dealing with this. Talk a little bit about what kind of skills it takes to be good in a role like this. Penny: So we'll also note there are large areas of cybersecurity that are not edge of your seat kind of roles. You know, one of my whole teams works on risk assessments and compliance. So their job is to go and work with project teams and help them understand how they should set up their project so that we don't have security incidents. Right. So it's not all of it, that sort of adrenaline rush, but so there is a large area of work that is in cybersecurity where you don't necessarily have to have that sort of perspective, but the security chain is changing. I mean, even just in the three years I've been with Fraser Health, the things that we're focusing on now are different from the things we were focusing on before. So you just you, you have to be, you have to be interested in learning constantly. You can never, ever stop learning because, we were really worried about, you know, passwords had to be eight characters and well, now passwords have to be 16 characters and we don't care about changing them. And when you get stuck on well, that's what I learned at school. So you have to be able to continue learning and you have to be able to adjust and adapt. Yes, we used to worry about that. But honestly, right now that's the least of our worries because we're worrying about this new concern. Or we're not worrying about those other controls we used to put in place because of the environment that we have right now. You need to get people to be paying way more attention to the way they've set up their cloud instance, then, you know, whatever their password security is. So it's just you just no matter if you're which field in security you're in, you just have to be understanding that you're going to have to be continually learning, but also that there's just still you're going to have to rely on other people because there's vast areas of knowledge that you're just not going to be able to be a subject matter expert in.And you just have to be comfortable with that. Those two different kinds of uncertainty in order to be able to be successful. Jeremy: Do you think you knew where you were headed in this field or do you think the field has taken you for left turns, right turns and all around. Penny: When I started my role, what they were looking for was someone I met — one of the you know, eventually it'll get old and people have heard it from me 100 times — But I'm not necessarily the expert in security in any given situation. But I yeah, I am the expert in getting security done right. So my role at my current role was that they wanted to mature their cybersecurity program and that's what I'm good at. So, that was my role to start from a small group of three people now to this sort of 18/19 that I have. So from that perspective, it's been exactly what, you know, exactly what was on the menu was, you know, we're going to invest in it. You have to kind of move the program forward. Are we doing now, three years later, the things I thought we were going to be doing, you know, three years ago? Yes and no. It's kind of the same trajectory, but, you know, different things in different areas. As the organization has changed as well as security, now we're focusing a lot more on large scale digital transformation. So we're shifting our focus a bit to be able to support that. So yes, yes and no. Jeremy: I mean, that that makes a lot of sense. And I guess, listen, I mean, it's your job to know what's coming in the future, right? Penny: Yeah, pretend I do. Jeremy: Yeah. Yeah, absolutely. I feel like, though, when you're talking about kind of how people evolve in this job, how people — you're both leaders that actually take a lot of interest in bringing people along. You're both from untraditional paths, at least at the beginning. You both have these moments where you recognize something that matters to you, something that you really like in this. I mean, I won't call it, you know, adrenaline junkies, but I'll say something did it for you. Do you think where we are now that we're dealing more with a talent gap and a skills gap problem as two leaders who are really looking to bring people along? Or do you think we're dealing more with a talent recognition problem and how to actually recognize people with the skills and talent that they have? Michaela, I'll bring that to you first. Michaela: Yeah, so I almost want to say both. I think that there are skills — Jeremy: Take the easy way out. Michaela: Yeah, I know, I know. That’s the diplomatic answer, but I think it's genuinely I mean, we see the technology evolving, the number of systems going online. We're obviously going to need more people in the cybersecurity space and we need to make sure that they're being trained in the areas where we need those people. So the subject matter experts are really important. And I know that like, some of the spaces, for example, are like cloud computing and even now artificial intelligence and that space, it's ever growing. So we need experts in those areas and we need maybe people coming from other spaces and being reskilled to those areas where we're seeing that skills gap. And then I'd say from the talent recognition piece, it's really about them, I guess, organizations not recognizing that people are able to leverage those maybe nontraditional skills and use them in the cybersecurity space. And that's a bit concerning for me because I personally have that experience and I've been able to show that I can succeed in that area. So I make it my mission to really bring diverse talent in. And that's diversity in all elements of the world, including experience. Jeremy: Okay, I love that. How about you, Penny? Penny: So I agree there is a lack of highly trained and experienced professionals in cybersecurity. I will say from that perspective, you want a cloud security architect. Well, you and 5,000 others, you know, for the 200 that are out there. So there's definitely a gap in some areas. But I'm adamant that a lot of the issue is talent recognition. You know, same as Michaela. There's I, I managed to get into the field because I sort of transitioned from the I.T. side and was in a situation where security suddenly just became part of my job and then I just transitioned into that. But there's so many areas in security where you need to know things other than security. And that I feel is not recognized. Some of my recent pet peeves are people who will talk about hiring for, you know, potential. Right. But what they're talking about is they're going to hire these technical people who hire them for their potential to become good cybersecurity practitioners. Well, a good cybersecurity practitioner needs to be articulate and needs to understand the business and needs to have a broader understanding of how that security cybersecurity fits into whatever organization they're in. That is harder to teach than the technical side. And yet we don't say, I'm going to hire this very articulate person with a business background and some technical knowledge because they have the potential to learn all the technical aspects of cybersecurity. And yet that's the easier way to go because, you know, people like to gatekeep a bit and pretend that cybersecurity is this, you know, rocket science that only few people can understand. It's actually really not. It's really just a bunch of facts and the same as I.T. and the same as many things are esoteric to people if you don't know it. So it's really not rocket science, right. So we can teach them the technical side of things, but I can't teach people how to understand the business environment. I can't teach people in our case when they're talking with a physician to understand that that physician there, their world view is I'm saving this patient, then this patient, then this patient. And no, they don't want to log in every time they have to use the ultrasound machine. It's very hard to teach people that. But I can teach them the basics — I can teach them the technical side of things. So we tend to say, well, they have to have the technical stuff. Then we can teach them the soft skills, but actually teaching the soft skills is a lot harder than teaching the technical skills? Jeremy: I love that obviously for what we do. But how do you feel about that? I mean, you're working in a company that, I have to imagine the certifications, the cyber skills, the you know, what's matters for cyber starts with cyber skills. How do you feel about that — let's set up some conflict or, you know — Michaela: I think it was really interesting because you were talking about this space is really where those worlds collide, right? Where the technical or the cybersecurity collides with the business side of things. And I sort of occupy that space right now. It's like I'm trying to work with our lines of business to make sure that when we're training them, they're really getting — I'm trying to take these technical terms and translate it into business, speak right? And so I sort of see those crossroads a lot. And so I advocate very highly for that as well. I agree. I think that the technical aspects can be taught. I mean, me personally, for example, I was able to do certifications to get my understanding of the basics of cybersecurity in those technical aspects. But I think for our space, it's important that this culture changes overall, because I agree across the industry, I think a lot of the time it's ticking the box of the certification and that's not necessarily the best way or most efficient way to go about it. It's finding individuals that are passionate about the space, excited, interested in it, and if they don't necessarily have their certification ticked off, that that shouldn't be really a hindrance, but that they're attempting to move in that direction or interested in that space and have this other experience with it with them that maybe applies in those sort of I don't want to say peripheral roles, but those roles where you don't really think of like on the keyboard technical, right, could be an example. Yeah, don't get me started on that. Jeremy: We don’t like the hoodie culture. Penny: I don't look good in it. Michaela: So I think I agree with what you're saying. I think it's important that we're really taking advantage of that and the culture needs to shift towards that kind of mindset. Penny: Now I don't, just to have a devil's advocate, I don't have a problem with certifications. I think in many cases, you know, for me, the certification that I got as a you know, I worked in cyber — when I said, okay, I want to go into a purely cyber role. There was some certification that I went out to get because that was going to show that, yeah, I only have five or six years of experience in security, but this shows you that I have a level of knowledge and experience. And the same thing — if I'm looking at new grads or people trying to shift from previous careers, if they go and write one of the basic certifications that don't also require experience, to me, that's great. I mean, they cost money. Not everybody has the opportunity to do that. But if they write like the CompTIA or the security Plus or the new one from ISE squared, that's great because it shows that, yeah, they have a basic level of understanding of the broad disciplines and they’ve taken the effort to get the certification. But I don't want to gatekeep all of the rest of the rules for not having this, so it's a plus, I don't see it as a requirement. Jeremy: Well and so let me ask that because, you know we can get on to kind of new talent and what kind of stuff they should be doing in their first jobs and or what they should be looking to do or so on. But let's just start with like, you know, that H.R. person or other people who are actually in charge of some cyber roles. When you look in that category, you know, we use the words soft skills. And soft skills is really like probably my least favorite word only because it just means too much to too many people. That's not what most business leaders are talking about. You know, I've always been decent at speaking. That's very different. That's not just being good at speaking isn't the soft skill that we're talking about. You said they have to look at coming from different parts of a business, understanding a business, being able to be articulate. You use a lot of those examples. Can you give an example of somewhere where a soft skill has been very like — a real tangible example. Somewhere where a soft skill is really useful or valuable in a moment while dealing with this job. Penny: In security, we're sort of doing the same things that if you think about it, that you know, that clinical practitioners are doing, they're trying to either help people not get into poor health situations or they're trying to triage and fix existing situations. Most significant issues or situations that I remember really coming home to me was when I was having a conversation with a group and a relatively senior person, said Penny, “I can't even put a sticker on my laptop without I.T. How are they going to take over the world with my username and password on my computer?” And I was like, you know, up until then I had really prided myself on being the person who always saw the other perspective, but that was — I suddenly realized that me and my team, we have all this knowledge of how I can — not I, but people can take one person's username and password on their locked down computer and find ways to to get their credentials and move laterally and then, you know, take over the world and they're just patient zero. But I realized I never actually communicated that. And I was able in that situation to explain to him, well, here's what happens is there's lots of ways in the computer where passwords are hidden around in little files, a user can get onto yours. If they have administrative rights, they can look into all of this information, they can get other passwords, they can move laterally. And, you know, when I was able to sort of explain the whole sort of kill chain, (which again, is one of those words that fine people use because they want to feel special). I was like, if one of my more technical team members had taken that, they would not have necessarily been able to rephrase that in a way to speak to that person. Because it was a relatively senior person and he carried that conversation and made it a fabulous learning opportunity both for me, but also for that other person and being able to take the complex and simplify it, or I think of it more as democratizing it so that anybody can understand it. That is something that you cannot easily teach people how to do. They either have to have a skill for it or they need years and years of training to be able to do that. That was a perfect example for me, was if I didn't have the background that I did in dealing with different people in different situations and always having to take technical concepts and reframe them for non-technical people, that wouldn't have been the quite such a seminal moment in my relationship with that entire group. In our organization that fundamentally changed how we interacted. Jeremy: It would make sense that to protect the perimeter, the goal is you have to get as much buy-in as possible from all the people at the perimeter. Right. Like the ability to actually talk them through and make them feel a part of it, as opposed to just telling them what to do, the end. I mean, that's a major tech that's been a major tech divide for a long time. Penny: For a long time. Jeremy: To not just do it is just to just do it right. Like, “why can't you just do it” is a dilemma. I mean, you're on the education side of what you do. Is there — when we talk soft skills, we talk skills that you're teaching like do you find yourself educating on more than just the hard cyber skills like talk about how that what that looks like. Michaela: Yeah. And I think, my gosh, everything you were saying, I was just like nodding along, nodding along. But I think buy-in is a big thing. And that's really difficult to get across the industry. And I mean, cyberspace, we are talking about attacks and different types of attacks. Well, that's going to impact different infrastructure, right? Like the connection between physical security, the connection between cyber, this connection between the business and business continuity; all of those aspects are really important. And so making those connections to the business is so important. And I think as we're hiring and looking for individuals, I think it's important that in certain roles they're able to communicate that emphasis on it. I think networking is a big thing that I emphasize to people. I say meet people, understand what they do and why they maybe do it. And that will help you tenfold. Because knowing that person, as you mentioned earlier in a crisis, is going to make a huge difference and it's going to cut down your time to remediate the issue or deal with the situation or problem-solve in that moment. So a big part of it is networking. I used to always joke, too, when I was in school because I'd have people with business degrees and they'd go off and do their conversations with people and their networking events and I'd be like, you're just meeting people! Like how is that helpful? But to be honest, most of my roles that I've been able to get is through knowing an individual in that area, really saying to them, “Hey, I've got some extra time, I've finished my business as usual stuff. “Can I help you with the project?” And then I'm able to get that stepping stone into the area and really understand, like get that hands-on experience. I think too, for individuals that are first coming into an organization that might not be as easy. However, talking to the people in cybersecurity across the industry and understanding where you want to go is also really important, I think. Cybersecurity is such a wide range of types of jobs. You have technical skills, you have more periphery. Jeremy: Complicated. Michaela: Exactly. And I think knowing where you want to go is also really important when you're getting into the space. Jeremy: Makes so much sense. I mean, first of all, both organizations are so lucky to have you thinking on this level, because I think that when I asked originally, are we talking about a skills gap or a talent recognition issue? And we say talent recognition — as part of it, I think what that means — like how do you recognize good talent and how do you recognize what skills people really need in fields is something that not everybody spends a lot of time on, and I think you both do. So let me ask you, like cybersecurity, this is you know, we joked about this because I had no one's really doing cybersecurity. You know, they're just writing on WordPress and they're just pretending. But obviously not true. Massive amounts of stuff goes into this, too. Protecting companies and organizations. This can be a scary job for a lot of people. You said there are some jobs that are not maybe for you know, you don't have to be the junkie for that kind of exhilaration. But there are a lot of components to it for a lot of those jobs. Do you think cyber is for everybody and do you think that there are some parts of what you look for in a first level talent, an entry level talent that you think is really critical for someone walking into the field? I mean, you kind of said, I hate the gatekeeping, but what are we talking about here as to how accessible and open this should be, considering the grave, the seriousness of the job itself? Penny: Obviously, we want people who are going to contribute to the cybersecurity, maturity and protection of the organization. So there is a certain level of knowledge, experience, skill, communications, abilities, all of those sorts of things that that people have to have. But I think, again, go back to yes, there's a gap. There's a skills gap in the senior levels, but you can't fill your senior levels without getting more junior people in. One of the jokes we would have is I want someone with ten years of experience and you know Kubernetes six cybersecurity. Well Kubernetes’ only been around for five years. So, you know, Jeremy: You see it all the time. Penny: We can't grow our senior skills. We can't fill our senior skills gap by just waiting for them to appear. Right. So you post this and you want someone with this level of skills and ability of skills and experience and nobody applies. That's not because they're shy. It's because either what you're offering and the experience you want aren't the same or there's just not enough people to fill that. So I've had a coworker sit with an empty job for 18 months because he couldn't find the exact right skill set. And whereas in that time I hired seven, six, seven people and two of them got promoted into sort of an architect role because we brought them in and trained them and gave them the experience that they want that they needed in order to be able to mature. Now, you can't just hire people and give them jobs and expect that they'll grow into more senior people. You do have to have in your organization, you have to have structure around that, right? You have to say, okay, we're going to bring these people in. We're going to rotate them through all these different projects. This is what they need to have to get to the next level. We want them to perhaps do these different certifications. So you can't just hire people, expect them to develop into experts. You have to have an organizational structure around training and advancement and support for their certifications or self-study and that kind of thing. And that's how we're going to get to filling the skills gap is by saying, okay, we just have to start hiring more junior people. You just do. Jeremy: I love that. And I will say as I come to you that when you ask, is this for everyone, the mistake is I think people think that that question is really about diversity or different types of people. I know for you, you're very passionate in making sure that there's a lot of diversity walking to cyber. And I think that question is sometimes like overly evaluated on the are we talking is this for everyone? Is it for, you know, a certain type of gender? A certain? That's not the question. The question is, what type of soft skills and what are those things that matter most that and are there some that just are not conducive to coming into the cyberspace, which I think is the really interesting question. How do you feel about it? Michaela: Yeah, I know I totally agree with Penny and the conversation around. I think investing in people is really important as well. So like as you said, those junior roles are important to fill. And I think anyone with a passion for learning and a passion for the space or interest in the area, you're going to succeed. You're going to do well in that space and be able to hopefully break in if you're using your networking tools, all that kind of stuff. And I think it's important for organizations, though, to really leverage those talents, like leverage those junior roles to build people up. And because as you were mentioning too, I think there's a lot of open, maybe see more senior roles and people are hoping to fit all of these boxes. But having that organizational knowledge come up through and you're investing in those people, they're going to stick with you and they're going to want to grow within that space and grow within cyberspace. So yeah, I think it's for everyone if you have an interest in it. Jeremy: Do you think like, you know, at Lighthouse Labs, for instance, when we're looking at talent and people coming in, we're looking for a kind of intense motivation like so the passion has to be there, the interest has to be there, and problem solving and the willingness to kind of stick through the challenging parts that that skill of it's okay to struggle as long as you kind of continue pushing through as a major. That's how we look at talent walking in the door and what we think it takes a leader to take a risk in bringing on a junior talent like that's what they want to know. As leaders on your ends, what is the - if you're interviewing someone tomorrow and you're going through a whole host of interview questions that they expect, what's the one thing you're what's the one skill you're really honing in on to decide, Do I want to take this person as an entry level person who's going to have to keep growing within this company? What matters to you most? Penny: For me, even before the interview, it's things like networking. If I've met them at a networking event, then I will almost always interview them. That's always a plus to interview them because it's showing that they're making the effort and they're getting out there and they're connecting. If in an interview, there's a couple of things which are specific to my situation are sort of red flags, which okay, this they may not be a good fit, but honestly, if I'm just talking with them and I get the sense that they they have a passion and an interest in lifelong learning and in the topic, then to me, that tells me that they can be part of this team and we can take that enthusiasm, we can feed it as a team and we can, you know, we can move it forward. We'll just make a note, though, about defining passion. Like I'm very outwardly passionate about things. Nobody has any doubt as to what I feel about things, what I'm passionate about. But you do have to be careful because passion can show itself in different ways. There's a difference, you know, my older son, for instance, can be wildly passionate about something, and that just means he blinks twice. You know, it's only if in certain circumstances that that will come out in an overt way. And yet he'll be the, you know, the sort of the more introverted person will be just as passionate, working just as hard and just as committed, but not necessarily so flamboyant about it. And so that is something that I've learned over the years to be careful to look for. You need to be able to look past the one who talks a lot and loudly and raise their hands as well for passion. Jeremy: And so would you say like, you know, obviously the exhibition of passion is very different for different people. Would you say, though, that you are looking for passion? You're just not going to bias it against everything else? Like it's hard sometimes to see before you let someone prove themselves on the job for a while and see where that comes out. Penny: Or just ask other questions about, you know, because you might find that they've you know, one of the things I suggest to people when they want to get into cyber is go find a charitable organization or some and go do a security audit for them. You know, just run them through this, just run them through the CIS controls and help, you know, and because, A: that's something you can put on your resume, B: you will learn a lot, and C: you know, you're doing a good thing. You might find someone who you have to ask questions to find out that, yes, they've done that. You know, they've gone out and worked with three different organizations and they're doing something else and they're reading this book and they're also a mentor for this. But you have to ask the questions about it to see the depth of their passion that shows in the work that they've done; not so much in the words coming out of their mouths. So it's something I've learned over the past few years. There's sometimes a lot of deep passion in people, and that's what I want. But I have to learn to look at what I think of as passionate, which is singing and dancing and cartwheeling. It can manifest differently. So, you know, for me, that's a lesson that I've learned and I've been wanting to share that with people. That passion can manifest differently. Jeremy: So we see that a lot. And I would completely agree.I think Michaela, for you, as you know, a similar kind of question of, all right, are these skills that when you're interviewing someone like what are you really honing in on? But I'd just like to add, like, do you think that even at the interview stage, because I thought that was a really good point, like at the interview stage, do you believe you can evaluate some of these things well enough, or do you think that, like this is something that has to happen on the job and develop on the job that you're watching over time? Michaela: I think that there's ways to evaluate it. I mean, you mentioned, like you said, that passion can be either outwardly or maybe a bit more under- questions. You can sort of probe it out of people. Right. But I think it's also on the applicant as well to emphasize that within their resume. Right. So, I always one of my things I always emphasize to people is, for example, if you have skills or experience in another field, really be blunt about those connections because the recruiter that's reading that resumé might not have a lot of experience in, for example, that technology role or or that specific space. So saying hey, in the job that this is what it says and then connecting it to your experience using those words that were in the job posting and connecting it to your previous experience in your resume, I think is a really, really good way to go about it. And it also shows that you're customizing it for that specific posting. And I think for me, that's what I look for initially is did they put that effort in to really show those connections? Because that shows that they care about this, this job and they want to get into maybe this field. That's sort of like a green flag for me. And then, yeah, when it comes to the interview stage, I think it's just really understanding what they do in their day to day life outside of work. I think that's really important because it shows you are maybe interested in this outside of work, you like maybe a bit of technology, like you, like making computers. I had a guy that he didn't have any cyber experience before, but he made computers on the side just in his day to day life. He didn't put that on his resume, but I was able to find that out in the interview process. And I think that just shows, though, that he has an interest in technology and he has an interest in problem solving. He is an interesting sort of building things. And I think all of that really feeds into a successful candidate. Jeremy: I love that. What a great answer. I know we're going to be coming to a conclusion pretty quickly. It goes so fast. Just I guess for each of you, kind of rapid fire here, someone wants to come into this space. You've talked about all the things that they should do. For you, what is the most important skill to learn, truly to go and learn before walking into this field? What would each of you say? Penny: From a technical perspective, you do have to understand the basics of tech, of cybersecurity. So you do have to have a really good - if I talk about encryption, if I talk about public key infrastructure, which is really boring - but if I talk about security awareness training, if I talk about things, I have to have that basic knowledge. But I don't, I don't know if there's any particular skill set that I know I'm lacking, but I don't feel that there's any particular thing that - especially if I'm not hiring for sort of a senior specialist role. Because if you've got knowledge in one thing and you exhibiting all of the other factors that I'm looking for, which is the interest in learning and the passion and the the embracing the state of constant uncertainty that you're in, even if you're in a GRC role, because things are always changing, then I don't feel that there's any particular skill set. Just do you understand the basics? Do you have maybe a bit of specialization in something or some I.T> background to bring or some business background to bring? I would say it's more the person and the personality that I'm looking for rather than any particular skill set. But then I have a larger team so I can afford to have a bit of flexibility. Michaela: Curiosity. I'm always looking for people that are curious. I know when I was starting out in the field, I was really interested in the space that I didn't have any of those basic skills. And so for me it was literally just like following people on Twitter, like, like experts, security researchers. It was just researching like, sort of going down these YouTube rabbit holes of, okay, I don't understand this concept or they're talking about this concept in maybe an interview or something like that. And then I would go and I would research and just understand the concepts and maybe the theories behind it, or what does that actually mean: like public key infrastructure, you know? So I think having that kind of curiosity and I think that can be brought out in an interview style as well, understanding like, what have you really done outside of maybe like are you getting certifications or trying to research it outside of your day to day? I think yeah, that's really what I'm looking for. Jeremy: I think that's great. And I mean, as a junior, you know, I'm sure for all the people who'll be watching, who are thinking of this from a junior talent level and where they are, sometimes they feel a little bit gaslit on the like, okay, what do I need to do to get in? But if I was to ask you, you know, you mentioned this great point about, like organizations dealing with learning cultures and having to think about this. If you're giving a message to organizations to change one thing in the way they think about their hiring process, what's that? What's that one thing? Yeah, I know. Penny: I would say - Jeremy: You can say five. I know, I know pain. When I say one, you tend to go to 2 to 3, go for it. Penny: So for me it would be that you can train your own talent without necessarily having a whole team of experts in security or training. But again, don't don't expect to hire junior people and then just have them suddenly become experts. You have to put a structure in place to have them come in and do it at the junior level, find out what their area of deeper knowledge is, and get them to spend time in other areas if they need a broad background or focus them if you want them to be specialized - but have some sort of organizational structure to take those junior people and turn them into the more senior people that you can't hire. It doesn't happen organically. It does have to be planned. And you don't have to be a big organization to do it either. Even as a smaller organization, you got three people. There's so much out there, free training, not-so-expensive training. You just have to have a plan to bring the junior people in and train them up into the senior people, knowing that some of them where they'll leave and go somewhere else. But you, you know, you have nothing if you don't hire them to start. Have a conscious plan around bringing them in and training them up. Don't expect it to suddenly, organically happen I think would be the message. It's doable, but you have to have a plan around it. Jeremy: So the plan, yeah, I mean, in making a plan for training juniors up into companies and you know, as of late as I feel like I'm screaming from the rooftop all the time, the idea of like, Hey, I get it. You want senior talent, I get it. You want this kind of talent. If you can find it, go and get it. But the truth is, most organizations are struggling to find that. And that's a necessity. And if you think you're going to get there just by hiring a junior and just saying, well, let's see what they do, the end, you probably aren't going to get there. How about you? Michaela: I think it's investing in the talent. I mean, I scream it from the rooftops. I think it's really important that I mean, I advocate for those junior people to really like, it costs money. Like you have to spend the time to really train people and it can even, like you said, be an internal structured program as well. But people need to have exposure to the area and invest that time; so maybe your day to day work is working in a SOC and taking that like few hours a week to maybe do some shadowing with individuals and provide them with that opportunity to see what it is and understand the area. So then maybe they can take away that time. Okay, This is sort of the skill set that I see them using in the day to day world. And now I can go and find the programs or have internal programs that are set up. So it's a shadowing program and then investing in the training to get them up to speed while they're shadowing you're sort of taking that foundational knowledge and then applying it within your organization. Because I think that's also an item as well, is you can train on these foundational skills and work in lab environments and get that knowledge. But applying it to your specific organization sometimes is difficult. And that requires investment from the organization to do that. Penny: Yeah, and it doesn't always have to - look, I have no budget for training. But what we did is, because of the way our funding works as well, we should have brought in tranches of people. So, you know, the first year, I wanted a lot of them to get one of their certifications and some basic training. So every Friday, from 2 to 3, all the analysts met and they cycled through the topics for one of the certifications. And if they wanted someone to come in and talk about it, then one of the more senior people would come in and give a talk about it. And, you know, that kind of worked. We've done some internal sort of CTF capture flag exercises, which is training them on some of the red team Packer hoodie stuff. And that costs a time but it doesn’t necessarily cost any budget. Right. But again, it just requires that structure and the intentionality - I think is more even than the structure - just the intentionality that I have to create these spaces for these people to move through without necessarily having funding for external training, although that would be great. Michaela: And I think a lot of it too, you mentioned like investment and leadership really needs to be heading that charge of saying we want to invest in our people, we want to retain this talent, and we want to upskill or reskill into certain areas. And having that leadership is so important to getting those structures in place. Jeremy: I think that's to me, that's where it always starts, is the leadership buy in and, you know, look who I'm speaking to you today: it's two leaders who've come from different paths who can talk to why that's important and how to make space for it and how to deal with the training. Now, Penny, you know, you undermine Michaela's effort at getting more budget for her training programs. Okay. So just, you know, be careful. And I think there are a lot of ways to do that kind of stuff. And you both have just so eloquently outlined a nice different set of variables that can be used to make this real in organizations. But the commitment to juniors being able to actually grow on the job is a must. And it's not just a must for companies. I'm going to end off by asking you like, do you see a world where Canada, three years from now, if I'm a junior and I'm looking at this field, I'm saying it's hard to get in. The one thing I like to say is like, okay, it might be hard to get in, but once you're in, trust me, there is a long-term career here because do you see any world where Canada needs less cyber professionals three or four years from now? Penny: Well, if they mandated that nobody's allowed to ever pay a ransom in the whole world, now they’ll still find a way. But I do see some - when I say rationalization, I don't mean the polite term for downsizing. I do see a rearrangement of things. I see there are technologies coming into play that will change where we focus our energies on protection and detection and response. But I don't see there being a reduction in the workforce. I do see it changing. I see a lot more in what we call shifting left of boom. So before not responding after the attack, but also preparing but also better software design. You know in our field it's medical device design. We still have devices running Windows XP because of the nature of this cycle, but it's better software design, better application security, better architectural design. And I do see that there's a lot going to be a lot more in that and how do we design and develop and retrofit better systems as opposed to bigger and bigger and bigger SOCs? Jeremy: Yeah, we recognize that the reactive side is not the way to deal with it. Penny: Right? And in some of that, what I'm going to say it may - Jeremy: Let’s not scare everybody. Penny: It's going to make it better in the security operations. There's a lot of ways that the grunt work in cybersecurity will change. And I think, probably downsize, but the support on the preventative and the planning and the architectural side, I don't see that getting any smaller any time soon. And the need for people to be able to communicate and train the organizations, that's going to get bigger and bigger. Jeremy: Love that. Michaela, yourself? Michaela: Yeah. I think as the attack surfaces get larger, you're going to need to train more people because more people are going to be exposed to technology. And it gets more difficult. As the systems get more complicated, so does the training. And expressing that or communicating that to the line of businesses is difficult sometimes. So as we move forward in this industry, there are automation opportunities. We're seeing that across the board. You're going to find that processes are going to become more efficient, which means maybe less people are needed in those areas. However, as Penny mentioned, they can be shifted into other areas where we do need people behind the screens or people in those areas. And I mean, I keep coming back to education because that's where I am, but that's where we need people. It's easy to put a screen in front of someone and say, all right, click through and that's your training. But having that connection point or that person that's able to have those conversations ongoing with those different areas, when something happens, being able to communicate in a timely manner that, hey, this is what's going on, this is the potential impact or this is the impact. And I mean, it moves into the crisis management space, right? So also the connection of the different security fields I think is going to we're going to see more of that as well. So those connection points are going to be really important because as technology and physical security and fraud and crisis get merged together, you're going to find that you're going to need people in those intermediary positions to make sure that they understand both sides of the coin. Jeremy: So what a great answer. I mean, so what I'm not hearing, though, is we're not going back to paper. That's not happening. We're not just heading that way. Just forget the whole digital side right now. Listen, I want to thank you both so much for all of that information. I can't imagine for our listeners and watchers, I hope they gained as much as I just did in listening to both of you talk about this full realm of the way to think about talent and organizations need to think about talent. The challenges coming, the qualities and skills needed. Both organizations are really lucky to have such phenomenal leaders in both of you. And thank you so much for spending your time with us. This has been wonderful. So thank you. Michaela: Thank you, it’s been a pleasure. Penny: It's been great. ICT Boost is a workforce development initiative led by Lighthouse Labs and a consortium of partners, funded by the Government of Canada's Sectoral Workforce Solutions Program (SWSP). The primary goal of this initiative is to empower sector employers and enhance their ability to attract, retain, and advance a diverse pool of talent. ICT Boost also provides comprehensive support for the training, workforce integration, and job sustainability of Canadian individuals, particularly those from equity-deserving groups, who aspire to join Canada’s ICT sector and its sub-sectors. This statement of work centers on initiatives designed to raise awareness, promote engagement, and nurture relationships with ICT sector employers.