Skip to content
     
    Episode 55

    Investing in People and Reducing Skills Gaps with Kevin Hanes

    EPISODE SUMMARY

    With millions of open cybersecurity positions, what does the industry need to do to fill these roles? CEO of Cybrary, Kevin Hanes, shares the importance of investing in people as a critical aspect of reducing risk. How can organizations hire qualified individuals, increase retention, and address the skills gap? In this episode, we discuss ways to increase curiosity, reduce the fear factor, involve other industries, and promote continuous learning.

    Subscribe or listen now:  Apple Podcasts   Spotify   iHeartRadio   Google Podcasts

    powered by Sounder

    Joseph Carson:
    Hello everyone. Welcome back to another episode of 401 Access Denied. I am the host of the episode. I am Joseph Carson, chief security scientist and advisory CISO at Delinea. It's a pleasure to be here with a guest who is awesome and comes back to the show today. Kevin, welcome to the show. I'm really excited about our conversation. Tell us a little bit about yourself, what you do, and the things that you get up to in the industry.

    Kevin Hanes:
    Yep. Hey, Joe. Hey, everybody. Kevin Hanes, CEO of Cybrary. Interested in all things to do with cyber and helping get millions of people involved. Helping the cause, if you will.

    Joseph Carson:
    Absolutely. This is a big problem in the world. There's so much going on in the security industry. Threats and problems. One of the topics I think is really important in the industry is the skills gap and how organizations can make sure that they can future proof the hiring process. Because organizations are competing for the very few resources out there. There's millions of unfilled jobs.

    Joseph Carson:
    Organizations are looking for highly-skilled individuals. I think, for me, it's an area we need to address. We need to find a way to quickly get people up to speed on the skills. Kevin, tell me a bit about what you're seeing in the industry when it comes to the skills gap. Organizations ... What challenge they face. What are some of their top priorities and how they can start addressing this area?

    Kevin Hanes:
    As you look at different publications, you hear or read exactly what you said. There are millions of vacancies, if you will. Or job postings that don't have the people to fill them. Depending on which publication you pick up, the numbers are a little different, but they're all big. They're all bad. My personal experience with it was in the pain that I felt in a prior life trying to hire hundreds of cybersecurity professionals a year. They weren't there. And so, as you described it, kind of fishing in really small pond of resources.

    Joseph Carson:
    Yep.

    Kevin Hanes:
    The first thing, Joe, for me, and which is why I joined Cybrary ... Because I feel like this is critical. The first thing is we can't just keep fishing in the same pond.

    Joseph Carson:
    Absolutely.

    Kevin Hanes:
    That's got to change. We've really got to be much more inclusive and get millions more people involved in this, interested in this, engaged in this. Having curiosity about this and seeing it as a destination for their purpose. But also, a great opportunity for them from a career perspective. Because they really are.

    Joseph Carson:
    Absolutely.

    Kevin Hanes:
    These are high-paying jobs. Really good jobs. They also have the benefit of doing things to really help. You can help the economy, help organizations, help people. And so, for me, it starts there. How do we get millions and millions and millions more people involved and curious and learning? And then, give them the things that allow them to have some early success, some early wins.

    Kevin Hanes:
    This is a field where ... Man, there's a lot. You can get overwhelmed pretty quickly and feel like, "I'll never learn all this stuff." It's so deep and it's so nuanced. We need to help people along the way find early wins, get some success, and continue to invest in people once they're in it. Because this is a field where ... I don't know if there are others like this, really.

    Joseph Carson:
    It's continuous learning.

    Kevin Hanes:
    Your learning never ends. It can't.

    Joseph Carson:
    It never stops. It never stops.

    Kevin Hanes:
    It can never stop. We've got to get people who ... When I think about this, I think about some early wins. Give people something where they can feel success. A lot of times that can be a certification. Their first certification. Because it's something that they can work towards. A path. Right?

    Joseph Carson:
    It becomes theirs. It's theirs for their lifetime career. When you get a certification ...

    Kevin Hanes:
    It's repeatable, predictable a little bit, in terms of how you do that. And then, you feel good, because you accomplish something. You get it and now you feel like, "Okay. I can start to be part of this." But from there, even the certs aren't sufficient. Because you really have to have people who solve the problem. You have to have people on keyboard that know what they're doing.

    Kevin Hanes:
    And so, that is really the skills, capabilities, and knowledge piece of it. I think we have to do all those things and do that at a pretty fast pace. I've been walking around the last couple of years with this thought in my mind, which is ... When I first got involved in cybersecurity 18 years ago, it felt to me like we had to have the tech in place. Because if you don't have the fundamental tech in place and you can't see, you don't have visibility, then there's no way you're going to prevent, detect, or respond to threats without having the basic tech in place to give you the visibility.

    Joseph Carson:
    Correct.

    Kevin Hanes:
    But I feel like a lot of organizations now, they have done that. They have the basic tech in place, and what they really need to do is ... Have you really sat down and thought about, "Okay. For the next dollar or pound that I spend. What's going to reduce the most risk to my organization?"

    Joseph Carson:
    Absolutely.

    Kevin Hanes:
    Is it buying another layer of tech? Or is it investing in my team to be equipped and enabled? I would submit that, at this stage, it's investing in the team. Investing in the people to have the skills and capability.

    Joseph Carson:
    Which unfortunately, for many organizations, that's the smallest part of their budget is investing in people. For me, it's always ... When you're even looking at your acquisition of security solutions and purchasing, the training is always the smallest part of the budget. The certifications are always the smallest part. You look to maybe get some consultants in to get them up and running, but you fail to invest correctly in the people.

    Joseph Carson:
    A lot of that ends up coming afterwards, if you fail to get the metrics and measurements that you want to. But I completely agree with you that we definitely need diversity. In our industry today, it used to be very much an IT industry that had a very much security technical expertise and specialization. But that's no longer the case today. All of the things we look at, all of the incidents that affect organizations, it's a business response. It's a business impact.

    Joseph Carson:
    Therefore, we need to make sure that ... One, is that we need all parts of the business working together. We need legal experts. We need communication experts. PR experts. We need financial experts. All of those need to be basically functioning as part of this industry as well. We need better communication, better transparency. Even at the point where I've seen a lot of people entering into the market, into the security industry, from even psychology backgrounds.

    Joseph Carson:
    Because we need to understand the human aspect. How do we effectively make the right things happen? Absolutely, diversity. A lot of that means ... Absolutely. It's not looking at the youth coming into the industry, but it's also re-skilling existing, very experienced people that have been doing careers in other industries or other sectors. That we need to make this industry something that they want to be participating in.

    Joseph Carson:
    Sometimes we make it scary for them. The news that you see on TV is always the doom and gloom. The fear. We need to make it something that is an attractive industry for people to want to have their career enter. That's another area.

    Kevin Hanes:
    It's hard sometimes to give someone a chance. When you say, "Coming from ..." Maybe they don't have the exact background or skillset. Because when you give somebody a chance in the security world, how do you do that in a way that is responsible? That you can minimize the risk?

    Kevin Hanes:
    You have to be really thoughtful about putting somebody into a position that they just don't know. It has to be said. This is deep and nuanced. But I think we have to find ways to give those people that have those non-traditional backgrounds ... We've got to give them a chance.

    Joseph Carson:
    Absolutely.

    Kevin Hanes:
    I think that some of those skillsets that you talked about coming from different backgrounds, even a therapist. Think about an incident response consultant maybe, who has to know how to connect to people with tons of empathy.

    Joseph Carson:
    Yep.

    Kevin Hanes:
    Because if an incident response person is working with a customer, it's probably a bad day. There's probably a lot of emotions. Their having a therapy background might be pretty useful.

    Joseph Carson:
    I've done a lot of incident response in my past. For me, I think it's the event that leads to a lot of burnout. Because people, they're working 24/7. One of the things that I remember in incidence response is that the project manager, those who are supporting the team ... They were just ready to get you anything that you needed. If you needed a pillow just to rest for a bit. You needed a chocolate bar.

    Joseph Carson:
    Anything that you needed to make you comfortable during that period of time, because it is very stressful. People are worried. People are fearful. People are worried for their job. People could die as a result of those incidents.

    Kevin Hanes:
    100%.

    Joseph Carson:
    You absolutely need people. I always remember. I used to have one person on my team who just was a comedian. Just made me laugh all the time. And in the worst situations, when you're dealing with those major incidents, just a simple comment from him was enough to bring everyone into laughter. Just like, "Okay. Let's just reset. Let's just move forward and let's kick the can. Let's keep the momentum. Keep the joy in it."

    Kevin Hanes:
    That's a fabulous way. Something that you were saying, which is, "How do we find those skillsets?" Bring them in. Give them the opportunity to really shine with what they're naturally good at. And then, learn. Be soaked in the cybersecurity projects or work and absorb that over time.

    Kevin Hanes:
    My guess is that person that you said that was really funny and was able to bring levity. Over time, they probably really learned a lot about security. They're probably a really capable security person. Right?

    Joseph Carson:
    The person on my team. He was in my team for 10 years and was just kind of the heart of the team at the end, and became very ... One of things. My requirements always was a person who had the willingness to learn. I didn't care if they had whatever technical experience in the background, as long as they were willing to learn. Because I could always teach people those skills.

    Joseph Carson:
    What I couldn't teach people was their personality. I can't change people's personalities. It was always about making sure that somebody was interested, passionate, wanted to learn something new. That was my basic criteria. That person could be coming from a linguistics background. They could be coming from, as you said, a therapist. Or they could be coming from an economic background.

    Joseph Carson:
    But as long as they basically wanted to learn. You can always train the technical piece. That person became hugely successful. He became one of the top members of the team. They weren't set up to be management, because that wasn't the direction. But they became very good technically.

    Kevin Hanes:
    We need to do that a lot more and be better at identifying that. And then, also be willing. I've done similar things and had similar experiences where I thought that somebody with a pretty non-traditional background ... Let's give them a shot. A lot of people will be pretty uncomfortable with that. Or not think it's a good idea.

    Kevin Hanes:
    You sort of have to be open-minded. Hey, it may not work. But it might. It might work great. And so, just being willing to give it a shot. But also, do it in a responsible way. You don't want to throw somebody into something where they're going to either create harm for an organization or damage their own reputation in the process. You need to think about ... How do you do that in a way that you can bring people along in a responsible way? Yet, let them soak in it enough to really just get immersed and up to speed.

    Joseph Carson:
    Absolutely. You just reminded me of an important thing as well. One of the areas. I remember bringing on ... That was my main criteria of hiring. Just getting the personality and the rest that I could train. I remember bringing on people. After all your monitoring, there are metrics. The measurements that you are looking for. There's always the case that sometimes you look back ... I remember there were certain cases where sometimes I had to learn things.

    Joseph Carson:
    When I onboarded somebody years ago, they appeared to be doing really well. But when you look at the metrics, they were just underperforming. You're going, "How is this the case?" What I ended up doing was every now and again, I created what was called the sub-body system of mentors. I could actually have somebody go and sit with them. Just maybe one day a month. Just to understand how are they performing.

    Joseph Carson:
    When I did that, ultimately I ended up finding that actually it was my fault in the training process. At the end of their tasks, they were simply missing a checkbox. And that checkbox was important for our metrics measurements. When we corrected the training, and we went back and we made sure that was something that was missed, they ended up becoming a top performer. It was all basically so simple.

    Joseph Carson:
    Sometimes we had to make sure. Sometimes we have to look back at our training and make sure that we're continually improving it. Because if we make assumptions that things are going to be a certain way for a long time, and we don't go back and re-look at them and improve them, and make sure that we're actually evaluating our training methods as well, which is important ... We're not going to get the best out of people.

    Joseph Carson:
    One of the things you mentioned earlier. In our industry, this is an industry where you don't stop learning. I think that's where ... When you onboard people, this is not a checkbox. This is not onboarding. Onboarding is part of the continuous. It's a continuous onboarding. In this industry, you don't stop. After a month of training, you don't do the checkbox and that person is now ready.

    Kevin Hanes:
    Yes.

    Joseph Carson:
    You have to keep investing in them. You have to keep improving them. The more you invest in people, the more they become loyal, the more they enjoy their job. The more they stick around. That's the problem. I look at the industry. In some places, you see many of the issues that we have right now. As you said, fishing in the same pool. Retention in the industry is really bad.

    Joseph Carson:
    You get people who spend six months here, and rather than being successful within the same company, they just jump between companies. It's a battle of ... If people six months go to one company and then go to another company, we want to get as much value out of people. You have to invest in it. We need to make sure that they are happy doing what they're doing.

    Kevin Hanes:
    This is funny, Joe. Cybrary, it's our mission in life to help here. I will say that I'm often surprised when talking to some of our customers. Particularly, the individuals. Because Cybrary is two-sided. We help organizations that need to train their employees, but we also help individuals who want to grow professionally and get into the space. Those individuals, I'm oftentimes really surprised talking to them.

    Kevin Hanes:
    When I hear things like, "I'm not sure or I don't think my manager will invest in my training." I'm kind of blown away. I know that's true. I know that exists, but I'm still shocked and blown away by it. Just back to the point of why would you hire somebody, a security professional or somebody who's a workforce transformation from maybe an IT person to a security person ... Why would you do that if you're not going to continue to invest in them? You might as well just outsource and pray.

    Joseph Carson:
    And that's what we're seeing. That's one of the areas in the skills gap that we have in this industry is a lot of it has been outsourced to service providers in order to provide that temporary ... Ultimately, what happens is the more organizations ... Outsourcing is not bad thing.

    Kevin Hanes:
    No.

    Joseph Carson:
    But you have to keep it in a balance. And that's a fine balance. The more you outsource, the more you become less knowledgeable about your own business. The more you become less visible about what potentially the risks are. There's always a fine balance. Some things you outsource because it might be very specialized and you might not get those highly specialized skills. But you definitely want to make sure that you want to retain people. You want to invest in them.

    Joseph Carson:
    For me, I think even in the industry now, that organizations need to be looking somewhere between 30% of a person's time. Not even just financially, but time. There's one thing I've seen, is people getting the investment into maybe a training course a year. But they don't get the time to do it. Or they have to do it in their own time. For me, I think organizations, one day a week, should be invested into continuous learning.

    Joseph Carson:
    Two days a week? Even better. I think the organization that's going to get the most benefit is those who invest 30% to 50% of a person's time into continuous learning. Of course, you must look that there has to be a return back for the business. It must be always related to the job. Not directly 100%, but it can be somewhat related in that area and field. For organizations, I think that is where they get the most value out of employees.

    Joseph Carson:
    Because once somebody learns something to be more efficient, or be better at doing that job, or better at doing that specific skill ... They do things quicker. They do things better, more consistent. I think that ultimately reduces the risk for an organization. And it also gets the best out of the solutions they invest into as well. Because then, that person actually knows it much better. Can actually get that investment of technology or processes to the most value, the most optimum the organization can get out of it. It's always a fine balance.

    Kevin Hanes:
    Going back to something you said about the attributes you look for in hiring. That sort of passion to learn. Curiosity. I always really love when people in interviews would ask about, "What is your training? What do you offer in terms of training benefits?" That was a key for me to say, "This person, they really care about that." I wish more people would inquire about that, because you want to join a company where you can work with people that you're going to learn from.

    Kevin Hanes:
    Respect and learn from. A company that's going to invest in you. At the end of the day, I do believe that organizations are starting to realize that they can't just invest in tech. They have to put some investment in the people. I think in doing so, we should almost think about as a basic benefit of working at an organization. Almost like insurance or other benefits. Where it's like, "I will expect this to be there and it needs to be there."

    Kevin Hanes:
    It should be something that really helps people with that retention. I do understand that there are opportunities out there that people want to pursue to better themselves, better their career. But I think a lot of security professionals, the reasons that they leave sometimes ... Maybe it's a $10,000 raise or something. But I think the real reason behind it a lot of times is they don't feel like they're growing or developing. And so, that really is the root.

    Joseph Carson:
    The reason I left my last job. I didn't feel I was being invested in. I felt that I became stagnant. The company was happy with me staying in that position and doing that job, and didn't want me moving around. If I look back at my career, most of the jobs that I left is because I was being held in doing the position when I wanted to grow myself. I wanted to keep learning. One thing that I did though, in the last few years.

    Joseph Carson:
    Because I always felt, in the recent years ... Actually, it was quite a long time. Maybe seven or eight years ago ... When I changed jobs, it was that I was being forced to relocate into another country or city. I didn't want to do that. So that was one of the reasons why I was not being invested in. To the continuous learning piece.

    Joseph Carson:
    One of the things I thought when the pandemic happened and people were then more willing to work remotely, I thought that was going to accelerate more organizations getting more people. Because they were going to be more flexible in wherever that person lived. Because I always thought that a lot of the hiring issues were people wanted them close to the office.

    Joseph Carson:
    It was mostly focused around high competitor states. Whether it be San Francisco or California. Or whether it being places in New York where they were just competing for very fewer resources. But there were so many very skilled people across the country and across the world.

    Kevin Hanes:
    Right.

    Joseph Carson:
    I thought the pandemic might have opened that up more. Maybe it's been the reverse, actually. Maybe people are seeing the opportunity to go and change jobs because of that and work for other companies that are not in their location. That was my expectation, but it hasn't been ... What have you seen with remote working and organizations being a bit more flexible in that way?

    Kevin Hanes:
    Well, I do see exactly that, which is organizations for the most part haven't figured out how to make remote work. I would say, I was running a pretty large security operation center when this happened. If you would have asked me two weeks before, "Hey. Do you think you can just do all this stuff remotely?" I would've said, "Maybe, but probably not for a long time."

    Kevin Hanes:
    Literally, we went from everybody sitting in a room with all the monitors and everything. Everything that you would have envisioned of a SOC. We went from that to, over the weekend, everybody working from home. And so, we figured it out. It was pretty surprising, I think, that we could figure it out. I think there's some longer-term things that we're still trying to understand about that, because there is something to be said.

    Kevin Hanes:
    When there's an established culture and there's established people, and they already know the process, procedures ... Now, it's just you're doing that from a different place. But I do think about new people coming in. There is something still that we need to figure out about the operating system that is missing with full-remote all the time. I do think it has allowed most organizations to cast the net wider and find talent.

    Joseph Carson:
    Yes.

    Kevin Hanes:
    Open the aperture, if you will, to talent. Be able to get some talent that they possibly wouldn't have before. If your mindset is, "I need to see this person in this seat, in this building, in this SOC." Or whatever. Then, that's your limit to people who can drive in. And that's going to be a pretty small aperture.

    Kevin Hanes:
    But if it's literally, "I don't need that anymore," the aperture is pretty wide. I think that's helpful, but at the same time, we're not necessarily creating ... Back to where we started. We're not really having the sufficient amount of numbers anywhere.

    Joseph Carson:
    And it needs to be a hybrid approach. They need to have a hybrid model. I think that's where you get the flexibility dynamics, so that you give the person the choice.

    Kevin Hanes:
    Yes.

    Joseph Carson:
    But you have to find ways to bring them together when they need to. Whether it be certain ... Well, we've seen the shared working office, where you might have these basically shared central hubs for organizations where they can come together. It doesn't necessarily need to be an hour commute to work, but it could be one day a week. You might go to a specific city or you might fly somewhere.

    Kevin Hanes:
    Right.

    Joseph Carson:
    It might be a longer commute to the office for some people, but it's not as frequent. It's not as often. You go to do that social side of things. Because you're absolutely correct. For me, I've been remote working for a long time. With the pandemic side of things, I used to meet people mostly at conferences and events. That's where my social activity with my colleagues was. It was going to an event and speaking and engaging with them there.

    Joseph Carson:
    To the point, where the last two years, I haven't met my colleagues face-to-face. I've been fortunate enough that I've been with the company for a long time and fortunate enough to meet many of my colleagues before that. But a lot of them, in the past year or two, I have never met. I think meeting people in person is another benefit of a job that you do, at a career. There has to be that engagement.

    Joseph Carson:
    Absolutely. I don't think it's going to be one or the other. I think it will be a hybrid model and organizations need to be flexible. They need to make sure that's a choice.

    Kevin Hanes:
    I think it will help with some of the inclusiveness too, Joe. I think one of the hard things about cyber is it can feel pretty unapproachable. Very specialized and intimidating to break in. I think remote may actually help in that way, because of the flexibility. In order to do this, you have to be more flexible. You just have to.

    Kevin Hanes:
    I'll never forget. This was about ... It wasn't that long ago. It was probably about three years ago. I had reached out to somebody about an opportunity. A cybersecurity opportunity. It was one of those ones where it was like they had a particular skillset. It was non-traditional, but I thought it would just really help to balance the team. I felt like they just loved learning, were a continuous learner. Super motivated.

    Kevin Hanes:
    I felt like this would be a great opportunity. That they could really help the team with something they're already good at it, and it would allow them to just really learn cyber. Learn a lot. Be surrounded by it and just learn. And it was a female. I reached out to her and said, "Look, we talked about this and I think we have something that could really get you into the space."

    Kevin Hanes:
    We talked for about 10 minutes and she said, "I just don't know that this is the right space. I don't know if this is the right thing for me." I said, "It's perfect. What are you talking about?" She said, "I was never in the military." I said, "What are you talking about?" She said, "I just don't think this is for me. I was never in the military." I said, "Why do you say that?"

    Kevin Hanes:
    She said, "Well, everything I've read about this job posting and the stuff out there, it seems like I would have needed to be in the military." I said, "Oh my god." It was just a light bulb. This is a person who is reading stuff out there and thinking that she can't be in our industry because she wasn't in the military.

    Kevin Hanes:
    Man, we really have to think about that. I know why some of the jargon exists and the roots of it. But I do think, in order to cast the net widely and get millions of people, we're going to have to be thinking about how we do that. We're just going to have to open the aperture.

    Joseph Carson:
    You brought up an important point, which is a bit of an issue I have with our industry. We need to redo job descriptions. That is probably the fear factor for many people. When we put the skills and requirements to the hiring process, we are very technically focused. What happens is the hiring processors just look and go, "We don't know how to change that into something that's actually language or English-communicated, in a way."

    Joseph Carson:
    They basically take our technical jargon and just post that as the job description. Ultimately, when people look at that ... In the industry, I spoke to so many peers that are just fed up with looking at those really horrible job descriptions. It's full of acronyms. That sometimes is asking for more years experience in a technology that has never been run that long.

    Kevin Hanes:
    Absolutely.

    Joseph Carson:
    Or looking for certifications that need you to have five to ten years experience. We want to be inclusive. We have to make a way that ... Our job descriptions are sometimes like, "Queue lists. License agreements." That confuses people. It scares people away. And if we want to get it, we have to change the way that we advertise the positions. It's a big challenge.

    Joseph Carson:
    Every time, my peers, I see them sharing some of the posts on social media. It's always a scary thought. If there is one area that we can get better at that could take immediate effect, it's for all of those ... Anyone who is listening to the podcast right now. If you're in the process or your job is responsible for doing job descriptions, you need to completely simplify it to make it more objective.

    Kevin Hanes:
    Well, we're all guilty of it. I'm guilty as charged.

    Joseph Carson:
    Absolutely. Years ago, that was what we did. Because we were looking for technical people. But now, we need to be inclusive.

    Kevin Hanes:
    It's a little bit lazy. Because it's a little bit of way to filter LinkedIn searches and things like that. A lot of times, we don't take the time to help recruiters really understand what it is we're actually looking for. And so, we use some of those things as a way to say, "Okay. We'll go look for this." It's a lazy way to try to save time on the interviewing process.

    Kevin Hanes:
    Because we probably experienced ... Let's face it. Back to the skills problem. You probably have to cast a net to 100 people to find one, because we're all fishing in the same pond. I think we do it for those reasons, but you're absolutely right. If you're out there listening to this, we do have to be better. All of us. Including myself.

    Joseph Carson:
    Pick one thing that you really mandatory need, but don't put so much. You can't have somebody 10 years experience in penetration testing and having network certifications. The list just goes on and on. If there's something that you mandatory need for that position, just ask the one thing. The rest we can always re-train.

    Kevin Hanes:
    Open end and close end.

    Joseph Carson:
    We can always train that person.

    Kevin Hanes:
    Right. That's a good point. Maybe one of the things we should be most insistent upon is that curiosity and hunger to learn. Like you said, if you have the one thing we really need that and you have that ... The rest will take care of itself, generally.

    Joseph Carson:
    Exactly. I have another question for you. It's interesting. Because it's been a big thing ... Especially, in very experienced people in the industry is imposter syndrome as well. People in the industry feel sometimes that ... Even myself. There's so much to learn. I can never know everything.

    Joseph Carson:
    I've been benefiting that I know the person I can go to and ask a question, who can help me with those answers. But people find they've got a lot of imposter syndrome. Just because they get stuck in feeling that they're processed or skilled in a certain place, but not in another place. What's your thoughts around that? How can people make sure that they can feel included in the industry?

    Joseph Carson:
    Because it can be quite also aggressive on social. A lot of people, they negate people very quickly. I would rather our industry be more welcoming. Providing people with the ways that they can be open about, "I don't know the answer to that, but I'm willing to learn it." Rather than all of a sudden ...

    Kevin Hanes:
    I think you hit on a really key thing, which is just growth-minded. One thing. Maybe the mindset piece you have to have is that nobody is going to know all of this stuff. I don't care who you are. The other thing that's kind of cool about our industry that I thought of for new people coming in.

    Kevin Hanes:
    Because there's some industries that, unless you were here at the beginning of time, you'll never catch up. You'll never catch up with the best, because they were here at the beginning. Cyber is like, "Meh." A new person can come in. Because if you were here at the beginning of time ... That doesn't help them too much. Maybe a little bit on some side.

    Joseph Carson:
    Not too many companies using Cobalt these days.

    Kevin Hanes:
    Exactly. It changes so fast it's almost an advantage for the new person.

    Joseph Carson:
    You're right.

    Kevin Hanes:
    A lot of times people do get complacent in their learning. And so, if you've been in it for 10 years, maybe you're more complacent than the newcomer who is just so hungry to learn. Give them a year. It's such an advantage. I'd say, first, is just the mindset. Don't be afraid to just dive in. Yes. You're going to find those close-minded people and the know-it-alls, but you're also going to find the people that genuinely want to give back to the community.

    Kevin Hanes:
    That's one of the cool things about the cyber community is there's so many people who just do it for their purpose. They would do it whether they're getting paid or not, because they love it. Generally, they want to help people. There's a massive amount of people like that. Go find them. And if you find the close-minded ones, the ones that are not fun to be around. Don't be around them.

    Kevin Hanes:
    There's plenty of ones that want to help people. At the end of the day, there's a lot of folks that are more senior. They generally start to understand that their biggest contribution to the industry going forward is going to be through others.

    Joseph Carson:
    Yep. Absolutely.

    Kevin Hanes:
    Find those people who are wired that way and just be really curious. Ask them the questions. Like I said, I think for us that are in the industry already, we should really encourage that.

    Joseph Carson:
    Absolutely. I completely agree.

    Kevin Hanes:
    Great questions are a gift.

    Joseph Carson:
    Absolutely. I completely agree. I think you made a great point, is that technology changes really fast. People can basically get up to speed really quickly. Therefore, it's always be continuous learning. It's about finding ... There's so many amazing people in the industry. I've benefited. Even still today, I call them friends and mentors that I go to for advice and just for directions sometimes.

    Joseph Carson:
    It's always getting that reassuring. I used to be perfectionist. It was one of my good skills, but it was also a bad skill. It was one of those things that can be good in a way that you will always learn the detail. The very fine detail. But it was also a weakness in my area where I wouldn't share. I wasn't sharing with others. I got to the point where one of my mentors in the past said to me, "You have to learn that you have to share. Sharing the knowledge early allows you to make sure you get the feedback."

    Joseph Carson:
    It's one thing that I've changed. And it's changed my entire career completely. Because I see, for example, the value of being open, mentoring others. When I started mentoring others in the industry, to try to get them in close and giving them opportunities to try and help them with speaking engagements. Or to introduce them to others who might be able to help them in certain fields.

    Joseph Carson:
    Whether they're interested in getting into incident response or they wanted to do malware analysis. "Here's a person who is the best in that field. They'll provide you with some direction and knowledge." For me, I thought it was going to be something that I would be giving back. But in the same return, I have learned so much from doing that as well. When you find that you're in that position, you start learning from them.

    Joseph Carson:
    They start becoming ... Well, I thought I was going a good thing. But actually, in the return, it's actually very valuable back. You start learning about new ideas and being creative. I think that's where absolutely we all as an industry have to work together. Because this is something that you can never win alone. I think this is where it's all about a community. It's all about finding the best of the community and to really make that facilitated.

    Joseph Carson:
    That's what this podcast is all about. It's about bringing thought leaders together to share their experiences and to get those ideas and thoughts out to as many people as possible. It's great having you on the show. I think this is a really important topic. For me, I think we really need to look for those creative ideas about how to get in close. Or how to open up organizations to really looking beyond. To really redefine onboarding to being continuous learning. To continuously invest in people.

    Kevin Hanes:
    If you're that manager, Joe. If you're that manager of a security team that's out there and you've got those open roles. You're just not sleeping well at night, because you know you've got ... Let's face it. A lot of these things, they're around the clock. Three shifts. You've got to find that person that's capable at that third shift. Or you had somebody who was really a key leave and you're just facing this huge gap. Everybody else is now really stressed.

    Kevin Hanes:
    Let's face it. These things happen. They're never convenient. When you're really short-staffed ... You're working in incident or whatever. It's a horrible place to be. And so, I think we really have to figure out. How do we grow this? How do we get more and more great people interested? Because the opportunity and the careers. The way to help your career, help your profession, and help your life. They're all there.

    Kevin Hanes:
    It's just that we've got to get the right funneling of people to them. For whatever reason, it's just not working. That fly wheel isn't turning like it really needs to. We've got to make progress there.

    Joseph Carson:
    Absolutely. I agree. I think a lot of these topics, they're all actionable. It's not impossible. I think we can solve this as an industry. I think the more that we talk about it, the more that we share the ideas, then really they will pick up. Kevin, it's been awesome having you on the show. We should definitely have this more often. Definitely, for the audience.

    Joseph Carson:
    Listening to these topics really gives them ... Hopefully, some organizations out there listening will go and completely redefine their hiring process. To really open it up further. To get more choices, more people coming in. Ultimately, they might find that retention challenge and getting the right people and waiting for a long time to find those ... They will go away. Because if they make their organization attractive for investing in people and for those who want to learn, they will become very valuable.

    Kevin Hanes:
    100%. Thanks for having me. I would just leave people with this one question, which is ... If you're out there, think about, "For the next dollar that I spend or the next pound that I spend. What truly would help my organization the most?" Is it investing in my people? What would really make a difference in retention, attraction? Reducing risk? Being capable? Maybe it is adding another tech. Another piece of technology.

    Kevin Hanes:
    Because that could certainly be the case. But I would also submit that, for many organizations, I do believe that investing in developing your people would probably yield the best benefit. And that's not always the case. Sometimes you've got to deploy the tech. I'd ask people to really consider that.

    Joseph Carson:
    For me, I think definitely automation is an important area there. People who can take what they do and automate it.

    Kevin Hanes:
    Yes.

    Joseph Carson:
    But that phrase. People get worried that's replacing their job. It's not. It's give them more time to learn.

    Kevin Hanes:
    I was thinking ... What's the residual of what's leftover after automation is actually the harder stuff. Those are the real challenges. Automation leaves a lot of residual, harder stuff.

    Joseph Carson:
    Absolutely. You can't automate everything.

    Kevin Hanes:
    Exactly. Joe, it was great. Thank you so much.

    Joseph Carson:
    Absolutely.

    Kevin Hanes:
    Hope everyone has a great day and gets something out of this.

    Joseph Carson:
    Absolutely. For sure. For the audience, it's been a pleasure having Kevin back on again. Conversation discussions with Kevin is always hugely popular. Hopefully, everyone enjoyed the show. Definitely make sure you go and subscribe, so you can actually listen to some of the previous podcast episodes. Make sure you actually keep up to date for the future ones that is coming.

    Joseph Carson:
    We have got some great guests coming on in the upcoming shows. Stay tuned, subscribe, and tune in every two weeks. 401 Access Denied. The podcast that really brings you really important topics that can be really significantly changing in our industry. Stay safe. Take care and see you again soon. Thank you.