Cyber Compliance and Beyond

Episode 16

The Cyber Workforce


About This Episode

Podcast Episode 16
July 1, 2025 - 38 mins

The cyber workforce is as diverse as the challenges it faces. From process designers and behavioral analysts to business strategists and communicators, cybersecurity thrives on a diversity of skill sets. It’s important to understand what it takes to join the field, especially given the current shortage of cybersecurity professionals.

In today’s episode, we’re breaking down the misconception that cybersecurity is only for hackers and codebreakers. We’ll dive into why soft skills like communications and organizational collaboration are just as essential as technical skills. We’ll talk about how to break into the field. Spoiler alert: it’s not as hard as you might think.

On this episode, we discuss:

  • Why the cyber workforce is broader than you might think
  • How non-technical skills are critical in a technical field
  • The importance of soft skills
  • Why cybersecurity needs process thinkers, analysts, and business minds, too


Podcast use is subject to Kratos Terms.


Episode Transcript

Cole French:

Tune into the news and it’ll become quite clear that the adversaries in cyberspace are far outpacing efforts to thwart them. The shortage of cybersecurity professionals is well known. As technology has become more and more ingrained in everyday life, the situation has become ever more consequential. The perception that cybersecurity is a field with high barriers to entry doesn’t help. If you have an interest in the cyber workforce, and especially if you’re interested in jumping in, you won’t want to miss today’s episode.

The cyber workforce is far more diverse than most people would ever know. If you believe what you see in movies or television or read in books, the cyber workforce consists only of those who can break into the most complex of systems. The reality is quite different, however. Just like any industry, cybersecurity needs professionals who bring many other skills to the table in addition to technical skills.

The need for soft skills, namely the ability to effectively communicate across diverse viewpoints within an organization, is as pervasive as ever. As we’ve discussed previously, cybersecurity is primarily a people problem, not a technical problem. As we’ll discuss on today’s episode, we need those soft skills, and not just the ability to communicate. Also, the ability to develop processes, to evaluate cybersecurity implementations, to view cyber through the lens of human behavior, to make the business case. And that’s just naming a few. Joining us on today’s episode is Mike Thompson, senior sales engineer here at Kratos. Mike brings a unique perspective to the table, as his experience spans recruitment, compliance, sales, and cybersecurity assessments. His journey through the field offers great insight into the many ways professionals can contribute to cybersecurity without fitting the traditional mold. We hope you enjoy this episode. Mike, thanks for taking the time to join us today on the Cyber Compliance and Beyond podcast to discuss the challenges of the cyber workforce.

Mike Thompson:

Yeah, Cole. Thank you so much for having me here today.

Cole French:

Why don’t you get us started with just talking about what’s your background been like as it relates to the cyber workforce, both within the cyber workforce and maybe how you’ve helped folks break into the cyber workforce?

Mike Thompson:

Absolutely. Yeah, I would love to do that. Yeah, I’ve actually been on both sides, so I’ve helped recruit and help people break into the cybersecurity industry. And then I actually did it myself, so I helped myself get a position in the cybersecurity industry as well. I actually have understood both sides of the challenge.

Cole French:

As it relates to the cyber workforce more specifically, where have you helped folks break into the cyber workforce?

Mike Thompson:

I’ve worked in pretty much every role you could in cybersecurity. I got my start doing FedRAMP. I worked for a small company and no one wanted to take on these roles, because they were extremely challenging. No one could place anybody, and they’re like, "Hey, Mike, do you want to recruit for FedRAMP?" And I was like, "What’s FedRAMP?" But I was like, "Sure." And I started doing research. I started learning about what the space was, started recruiting in cybersecurity. The first couple of positions were for something called FedRAMP, which is the Federal Risk and Authorization Management Program. And I ended up being really good at it. I would find talent for companies, help them find assessors, and that’s kind of what made me fall in love with cybersecurity was talking to these candidates for these companies and learning about their background.

And something that I found out about each person was everybody had a really unique and different background coming into cybersecurity. And every person I talked to was just really cool, really fun. I was pretty much all in after that first placement I had for a company that I had worked in the FedRAMP space.

Cole French:

That’s great. Are there any other areas that you’ve worked in outside of FedRAMP specifically? Are there any other cyber roles that you’ve helped fill or cyber roles maybe even you’ve worked in yourself?

Mike Thompson:

Yeah, so I started the FedRAMP space, which was the Federal Risk and Authorization Management Program. Then once I started doing well with that, my company, we got positions doing something called penetration testing, which is a pretty hot field in cybersecurity; incident response, which is more on the blue team side, more defender; and then also other roles in compliance doing PCI auditing, ISO auditing, HITRUST auditing. Those were the three main areas that I had focused on.

Cole French:

It’s interesting, compliance and technical stuff. There’s always this, do you want to work in compliance? Do you want to work in hands-on keyboard, as we say? I’m curious, in your work filling compliance oriented roles, because I always tell people whenever I’m interviewing or looking for candidates in the compliance space, I’m really focused on soft skills, writing, communicating, working well with other people, things like that. Whereas in technical roles I’m looking for maybe certifications or specific technical skills. In your experience, which role or which type of role, technical versus more of the compliance-oriented soft skills, which role is more challenging to find the right candidate?

Mike Thompson:

Yeah, that’s a great question. I would definitely say the compliance space roles were a harder fill, because you needed ... Usually my customers required a soft set of skills, talk to customers, interact with them, because you’re more front-facing. But then you also had to have a really technical background. You had to understand cloud environments, you had to understand networking, you had to understand the OSI model. Usually, those were roles where you had to find someone who maybe had an engineering degree or a computer science degree, but then who also had soft skills, who could talk to CISOs, talk to executive level folks, but also talk to the network engineers on the team, the pen testers on the team. That type of role was usually a little bit tougher to fill than just, say, an incident response position that required a certain certification. It would be a little bit easier to find somebody who could meet that certification, had those technical skills, and then they were just fulfilling that role.

Cole French:

In my experience it’s interesting, the compliance-oriented folks, it’s a weird, you interview them and it is, you’re right, it’s a harder thing to evaluate. It’s not as concrete. When you’re evaluating them, it is, I feel like more challenging. But on the flip side of that, when you identify a candidate who’s right for the position, it’s crystal clear. It’s an interesting, I do feel like the technical positions are easier to fill, just because the technical skills are easier to hone in on, but on the soft skills side it’s a little bit more difficult. But when you got a candidate that fulfills those soft skill needs you know almost right away just from talking to them and communicating with them, and you can glean a lot in terms of their ability to communicate and even their work ethic, right?

Mike Thompson:

Exactly. Yeah. Just once you knew your customer’s desires and what they wanted, and then you saw that this candidate met those needs, you could see that they were going to be happy there. And a lot of the roles I also filled were helping people break into cybersecurity. I was pretty well known in the recruiting space, especially in cybersecurity. I never touched positions outside of that, so I really just specialized in cybersecurity, so I would give talks at conferences and people would come up to me asking, "Hey, I’m a nurse and I want to get into cybersecurity." Or "I’m a stay-at-home mom and I want to get into cybersecurity." Or, "Hey, I’m a doctor and want to start doing this stuff now." Or I’ve even had lawyers who want to get out of practicing law and get into cybersecurity. So, a lot of the conversations I had were that.

And that was honestly harder than the compliance roles was filling those positions. Because they don’t have the experience. They’ve never been on a FedRAMP audit, they’ve never hacked into a customer’s environment. They’ve never worked with Splunk, which is like a SIEM tool. Talking to those candidates and helping them try and understand, "You have this law degree, how can you take your law degree and then blend that into a cybersecurity position? Don’t drop everything you’ve already known and done in the past," which a lot of people I found were trying to do. I said, "Hey, you have this law degree and background, maybe you could work in privacy. That could be a perfect blend over into the cybersecurity world, because there’s a lot of privacy laws in cybersecurity, that could be a good blend."

So, sometimes that would almost be even a tougher challenge is when I would be talking with candidates, or hey, they want to get into pen testing. Usually pen testing is a space that takes at a minimum three years’ experience for any position. There’s not many entry level roles in pen testing. All right, how do I have zero experience and then I get three years’ experience? A lot of what I would do is work with candidates and try and help them understand their background, and maybe they’ve already done stuff that fulfills roles that they haven’t even thought about.

Cole French:

I’ve got a great question to pull the thread on what you just shared, but real quick, just kind of an anecdotal sidebar, if you will. My own experience is almost exactly what you described. I was in the legal field years and years ago, and I just knew I didn’t really want to go any further with it. I wasn’t a lawyer or anything like that, but I knew I didn’t want to go that far. And so IT seemed like the thing to get into and it turned out that, yeah, I ended up in cybersecurity almost by accident, and a lot of it was compliance oriented. My undergraduate studies were in the arts and I really learned how to write, I learned how to communicate, and that really is what propelled me into the compliance space was I leveraged those skills in addition to some additional education I got and things like that.

That certainly helped. But those skills that I learned, pursuing a Bachelor of Arts were instrumental and still are instrumental in my career within cybersecurity. I always encourage folks that are in that college timeframe in life and are wondering what to study and are thinking that, "Hey, this degree I’m getting in is worthless, whatever." Not necessarily. You can always learn useful skills that apply to any industry, communication, all those kinds of things. Those soft skills are incredibly important. Like I said, back to pulling the thread on what we were talking about in terms of the barriers to somebody wanting to make that shift from being a nurse or a doctor or a lawyer to getting into cybersecurity. I’m assuming there’s barriers on both sides. You kind of talked a little bit about the barriers from the person making that shift. Maybe you can talk a little bit more about those. And then what about barriers from what organizations are looking for? What’s been your read on an organization’s willingness to take a risk on somebody with no experience?

Mike Thompson:

And I love your story, Cole. I mean, that’s the story that I would hear so often that people didn’t realize. You took your writing background, your understanding of people, and then you transferred that into cybersecurity. And so, little often do people realize that, yeah, hey, they have all the skills they need to do these really cool roles, but you have to just put that on your resume and explain that to customers. There was one candidate in particular, he wanted to get into pen testing and I had mentioned that’s a really tough field to get into. And I was looking at his resume and he had done a lot of the things, had gotten certain certifications in pen testing, he still couldn’t get a job. He had tried to do Hack The Box, which is a place where you go and you hack these black boxes, you do network testing or web app testing against boxes.

And he even was really skilled at that, and I kept talking to him, talking to him, and he was telling me about his home lab. He had built this entire really cool home lab with servers and networking, his own wireless Wi-Fi network, had built his own firewall rules, and that wasn’t on his resume. And I was like, something that maybe you would see or someone else who’s hiring would see, and then they would nerd out and think that’s the coolest thing ever and talk to them about that. So, I always, whenever I was talking to candidates, I was trying to dig as deep and try to understand their background, what they are doing as much as possible. Because sometimes what we are doing in life, we just think, "Oh yeah, of course everyone has built their own home lab." No, right. Not everyone has come and built their own home lab.

I would always try and dig really deep and try and see where I could overlay. "Okay. Okay. You have this and that. Okay, I think with these two things that can meet your role." In my own background, similar to you, Cole, I have a background in, I went to school for a more technical engineering focused, but I went away from that because I love people. And I went into recruiting because I was really good at talking with people, understanding people and learning about people. And then I took my background in recruiting, which is very similar to sales, and then my technical background and was able to merge into the role that I have now at Kratos as our senior sales engineer. Being able to find something in common with the role and your background is crucial to breaking into cybersecurity.

Cole French:

And then from an organizational standpoint, do you find that organizations have the appetite for folks who don’t have any experience or are trying to break in? Or is that a difficult-

Mike Thompson:

Yeah, what I would always recommend and what I always see is yeah, if there’s a, say it’s an entry-level FedRAMP assessor, or an entry-level penetration tester role that you saw on LinkedIn, on Indeed, or a job application website, of course, apply to that position. But take it a step further. In cybersecurity when you’re trying to break into a network or trying to help a customer understand their ... You don’t just try a vulnerability scan of their environment and then stop, "Oh, there’s no vulnerabilities." You maybe go one next step and try and see if there’s maybe another port open or something like that. So, I always recommend to my candidates that I’d say, "Hey, you see this job, find the person, find Cole French. He’s the one who’s doing this. Connect with him on LinkedIn, send him a message, right? Go one step or like his post about the podcast that he just posted last week."

Always go that next step, because it is very tough at companies. They do not typically hire entry-level positions, unless you know somebody there or you have some kind of network connection. Because these roles that they’re hiring for, they’re securing customers’ data, they’re securing cloud information, they’re securing government data. All these positions are usually touching or have involved some kind of PI, right? Some kind of sensitive information, so they want someone who has experience doing that. These entry-level positions, unfortunately, are very tough to find. And you can’t just get it by applying and hoping that someone gets back to you. You always have to apply or maybe go to a cybersecurity conference, network, talk to somebody, get to know somebody, and that will usually help get your foot in the door.

Cole French:

It’s like the differentiators, I guess we call them in really not just recruiting or hiring, but really that’s kind of true of everything. You’re always looking for, "How do I differentiate myself?" And I really like what you said about the example you gave of the guy with the home lab and all that. And I’ve talked with young folks who are trying to build out a resume or articulate their experience and they go as basic as possible. And I like your approach of like, "Hey, we got to dig a level deeper. What have you done?" All of us have done unique and special things and things that show that we’re gifted in different areas or across multiple areas maybe even. But a lot of times it takes us digging a little bit deeper to articulate what those things are. So, to that end, when it comes to resumes, you know, speaking of differentiation, I mean, I’ve looked at so many resumes, and it is, it’s like how do they stand out?

And even I think I’ve looked at so many, it’s hard for even me to... If somebody asked me, what’s a resume that stands out, I’m not even necessarily sure I would know exactly what to say. But from your experience working and recruiting, I think this is a really good place to provide some actionable advice. What are some resume tips you have?

Mike Thompson:

Absolutely. Yeah, resume tips are always fun and always a challenge. I love the golden rule of one pager if you can. If you have 20 years experience, okay, putting that onto one page is going to be tough. But yeah, if you’re fresh out of college, if you’re three years in, five years in, even 10 years, it’s rare that 10 years ago that position applies to this current position. I really try and keep it simple, keep it clear, try and keep it on one page if you can. And then I love, especially in our ... I’ll talk to cybersecurity since that is our industry. What I love is say you have a clearance where we live in the Washington, D.C. area, putting that you have a clearance on the top, that’s a great place to start.

Then next, I like to have any kind of certification. If you have a Security+, you have a SANS GSEC or if you have a CISSP, any kind of certification right at the top. Because usually employers, especially in the Washington, D.C. region, those are usually the first things, "Hey, I have a clearance, or hey, I have these certifications." They meet these certain types of roles. Then after that, I would put actionable things you’ve done. "I hit $1 million in my sales quota in 2024. I exceeded my sales quota in 2025." Or if you want to do one more, "I built a cloud infrastructure for a customer that saved us $2 million."

Anytime you can put bullet points under a position of things that you’ve actually done for the customer, then they can say, "Okay, I see Mike is really good in sales." Or, "Oh, Cole is really good at incident response." Or, "I see Cole’s really good at building cloud infrastructure environments." With those tips, I think you can usually break through the noise of just trying to put as much as you can on one piece of paper, listing everything on there. I usually like to see a one-page clean resume.

Cole French:

I think that’s great advice. And I think as you were describing that, it kind of took me back to what you were talking about earlier with if you’re looking for a particular position and to break in, one of the ways you can break the barrier is by finding out who is that person that’s looking for that, looking to fill that role. And I think this is a perfect, I think the structure of your resume and making it stand out as much as possible and as short of format as possible is great. But couple that with figure out how you can get that resume in front of who needs to see it in as personable a way as possible. In today’s world it’s not as likely that you’re going to hand somebody a physical copy of your resume.

But it’s funny, as you were saying that, I just had this thought of a couple of weeks ago, I had somebody reach out through LinkedIn directly and explaining what they’re trying to do. And they have education and they’re working towards some certifications and things like that, but not a whole lot of experience. But they reached out to me directly, I think they might have referenced the podcast, and provided a resume, and I looked at that resume and then immediately after looking at it, I thought, "Who can I pass this to that might be interested in this person?" And that’s what I did.

Mike Thompson:

Yeah, it’s networking, right? And it’s being personable and it’s doing those kinds of things. Yeah, that’s what’s going to get you, it might not get you that job, but it’s going to get you a job, right? Because you know a lot of people who are looking for positions, I know a lot of people who are looking for positions, we’re going to try and help that person out.

Cole French:

100%. That was a great discussion on getting into cybersecurity and really how you break down the barriers. What are some good tips for getting your resume in front of the right people, things like that. Now, and I just want to transition the conversation a bit into, what does it actually look like? For us, we work in compliance, so we’ll talk more specifically about the compliance space and what that looks like from a cyber perspective. If you just want to go in, you already mentioned FedRAMP, Mike, if you want to go into a little bit more detail on, if I want to be a FedRAMP assessor, what does that look like? What’s going to be required?

Mike Thompson:

Absolutely. The FedRAMP space or the Federal Risk and Authorization Management Program, it’s run by the government, run by GSA. And yeah, when I first started recruiting in this space, I didn’t know anything, but I started researching and googling and trying to understand it as much as I could. What I would say the skills that require a good assessor are soft skills, being able to talk to customers, because when you’re on an assessment you’re actually talking to customers, asking them questions. Being able to be able to talk to customers properly, excellent skill sets. The other side of that is the technical skills. A lot of our customers work in cloud environments, so having an understanding of the cloud, an understanding of network diagrams, how data flows through their network diagram. That background generally leads to a good assessor.

Now, I’ll say, I didn’t really have that second background understanding cloud environments. I think I had more of the soft skills to be a good assessor. Luckily, I was able to do some training and take some certifications that later on helped me understand cloud environments and kind of the more technical aptitude. Sometimes candidates come in with one set of skills and they have to train and learn the other set of skills. And that’s usually, I think the ideal assessor is having both that technical understanding, but also being able to talk to customers as well. Now, when you’re applying directly for, say a position at Kratos to be a FedRAMP assessor, we usually look for a couple of things. There’s certain certifications that the A2LA requires, I think they’re called the R311 certification requirements. And certain certifications will put you at a junior assessor level, senior assessor level, or a penetration tester. So, if you do want to get into the FedRAMP space, I would definitely recommend looking up those R311 certifications. They are posted online.

And then the next step after that, so say you’re interested in one of these roles, you actually have those certifications. It’d be then applying to Kratos. The next thing if you actually did get the job working at Kratos is passing something called the Baltimore Cyber Range. So, to even be on these FedRAMP assessments you need those first, those specific A2LA R311 certifications. And then once you get onboard at Kratos team to go on a FedRAMP assessment for customers, you need to pass the Baltimore Cyber Range, which essentially is a mock assessment, or it kind of makes it seem like you’re on a FedRAMP assessment. So once you’ve passed the Baltimore Cyber Range and you have those certifications, then you can start assessing cloud environments. And what’s cool at Kratos is we assess environments two different ways. We have our testers and assessors. We assess cloud from using the NIST 800-53 Rev controls. That’s the primary control set that we use to test our cloud environments.

But we also have a penetration testing team, and there’s six attack vectors that we test for all of our cloud applications as well. So, I’m specifically on the assessment team, but we have both teams here at Kratos, so there’s both opportunities.

Cole French:

And before I get into the CMMC side of things, which is where I sit, I can talk or I’ll go back just a little bit to what you said. And we’ve talked a lot about soft skills already so far, but one kind of specific application we haven’t mentioned, which I think you got close to there was, a lot of times something to keep in mind is, when you’re doing assessments or when you’re working in compliance in general, a lot of what you’re doing is you’re sitting between the engineers within the organization who are operations and they’re doing the day-to-day, right? They’re in the systems, they understand how the SIEM works, they understand firewall technology, they understand vulnerability scanning at a really deep level. But then you have leadership, right? Executives, maybe that’s a CIO, but maybe it’s just a project manager.

You have folks that they don’t speak necessarily that day-to-day language that those more technical folks speak. And compliance, a lot of times we sit in the middle of those, we sit in the middle and we have to be able to articulate the same information to both sets of individuals. So, you have to be able to talk to both and come to an understanding and then be able to explain that understanding across that broad spectrum of knowledge and understanding. I think that’s a soft skill to highlight as well, is like ask yourself, "Historically, have I been good at explaining things to various people no matter what those things are, and no matter how technical or non-technical they are?" That’s a really good skill to have and a good thing to be able to explain as you go through the process. But to keep us on track, as far as CMMC is concerned, it’s a fairly similar process minus the Baltimore Cyber Range is not a requirement within CMMC.

But to become a CMMC assessor, you also have to actually go through a couple of different certifications. So a CCP, or CMMC Certified Professional, and then a CMMC Certified Assessor. And there are required trainings that you have to take before taking those exams. That’s one component is you have to have those certifications to be able to participate on a CMMC assessment team. And then you do have to have what’s called a tier three background investigation, so not a clearance, but effectively the same. It’s a secret level clearance investigation. To Mike’s point earlier, if you have a secret clearance or above and you’re trying to get into CMMC, definitely something to highlight. Because that puts you in the queue to be an assessor almost right away. You get those certifications, if you already have that clearance, then you’re good to go. If you don’t, we’ve had folks six months to a year waiting with their certifications ready and they can’t do anything, because they don’t have that tier three adjudication yet.

Mike Thompson:

And just to jump back to the barriers. I actually talked to a lot of candidates who were like aircraft technicians for maybe a Naval base or Air Force base, and they had all the clearances and all the background, but no, maybe, CMMC skills, so they could have, at the time, I didn’t work in that CM space, but to your point, they had the clearance, they could have gotten their CCP and then their CCA, and then been right into helping you with the CMMC assessments.

Cole French:

Absolutely.

Mike Thompson:

Yeah.

Cole French:

Well, Mike, this has been a great conversation and I think we’ve shared some stuff that’s going to really be helpful for folks as they want to transition into cybersecurity and maybe hopefully compliance more specifically. As we wrap up, I think it would be great if you could just share your own journey of breaking into cybersecurity and what that looked like for you and maybe some of your experience and any tips, tricks, whatever it is you might want to share about that journey to getting into cybersecurity.

Mike Thompson:

Yeah, I always recommend compliance. I’m always like, anybody, "Hey, come join Kratos. Come join FedRAMP. It’s a great space to be in for cybersecurity." But yeah, so I was recruiting mostly in cybersecurity, and eventually I was doing really well and I loved it. And I fell in love with cybersecurity so much that I actually opened up my own cybersecurity recruiting company that specialized in cybersecurity. At this time I only knew the buzzwords, right? I knew FedRAMP, so I could talk to that. I knew the words SIM or SIEM, I knew what a pen tester was, just all from research. I would go to certain conferences, I would go to Black Hat, I would go to DEATHCon, I would go to BSides, but purely as a recruiter and I’d be there networking.

And I was trying to be known as the recruiter who works in security. So, "Hey, you want a job in cybersecurity? Go to Mike." And while I was doing this, I didn’t have any recruiting friends. All my friends were engineers in security, penetration testers, CISOs, executive level people in cybersecurity. And I was like, "I love this so much. I go to all these conferences, why don’t I myself try and get into cybersecurity?" I was trying to break in and I couldn’t even do it myself. Someone who helps lots of people do this, it was even hard for me. Because I was like, "I have a sales recruiting background. How am I going to get a position at one of these companies doing something that I help other people get jobs for?"

I actually, at the time it was, I guess 2021, maybe 2020. And the state of Virginia had come out with a small business grant. I had a small business, was my own business. And they were working along SANS, and SANS is one of the biggest certification bodies out there. And they said they would help people who own a small business get three certifications. The three certifications were the SANS GFACT, which is the foundational, the SANS GSEC, which is the security essentials, and the SANS GCIH, which is their Incident Handler certification. I applied for this grant, I got into the program, and that kicked off my three certification journey of SANS. I was running my recruiting business. The first certification was the GFACT, and you had two months to study and pass the exam. Now, that might sound easy for someone who had a background in cybersecurity, but I was coming from zero. So, I pretty much would wake up in the morning, study, work, at night I would start studying, and then I passed the GFACT. And I was like, "Okay, I can do this."

And then two months later I studied all day and I passed the GSEC. And then sure enough, two months later after that I passed the GCIH. And the GCIH was the pinnacle, right? Because that is actually one of the harder SANS courses. You really need to understand, there’s actually some penetration testing on that exam. There’s some incident handling, there’s some networking, there’s some password cracking, there’s some really cool stuff. I passed those three things. I was like, "Great, I have three certs. I have a recruiting background. What can I do?" I did what we had mentioned on this podcast. I started reaching out to my network. Who is my network? A lot of the companies that I worked for. Who was a company that I happened to help recruit for? Kratos. I had reached out to someone I had known at Kratos and I said, "Hey, I have this background in recruiting and sales. I just got these great certifications. Do you have anything that could fit this background of mine?"

It was kind of just more like, "Hey, what’s possible here?" And I think that is a good way to go into positions, not trying to fit yourself in a box, but be like, "Hey, I can do this and I can do that. What do you have for me?" And sometimes there’s positions that aren’t posted online, and the person who I was working with at the time said, "Hey, we actually have this role called a senior technical sales engineer where you need to be able to sell FedRAMP assessments, sell penetration testing, sell CMMC, but also help deliver on FedRAMP assessments, CMMC assessments and penetration testing assessments." And I was like, "Wow, that sounds like a perfect fit."

So it was just through some luck, I guess, and some effort. But I ended up finding a role that really perfectly matched my soft skills background in selling. But now these new skills I had built over time of understanding networking cloud environments and found this position at Kratos where I can help customers use our services and help us get them a FedRAMP assessment and also then also go on and deliver FedRAMP assessments myself. So, when I’m talking to customers, I can actually help them through what it is to be on an assessment and understanding of the NIST controls and various cloud environments.

Cole French:

One thing I really like that you shared, Mike, and it’s interesting, I appreciate you sharing your story around your career and your transition, your different transitions really. But I think something that you really highlighted what we talked about, which is, always look at how what you’re doing today can relate to what you might want to do in the future. And just because you’re doing X today doesn’t mean you can’t also dabble in what you want to do in the future. You talked about working on those certifications while you were working your regular job. So, sometimes it’s just putting in the extra time on your own time that really is a catalyst. And something else you mentioned that I think is really important is compliance. The great thing about compliance is compliance is the gateway to any other role in cybersecurity. I mean, don’t get me wrong, you certainly can go straight into a network engineer if you go to school for that, if you have the certs for it, all that, you can go right into that.

But if you don’t and you come at it a little bit different how you and I have described our journeys to cybersecurity, then compliance is a great place to start, because you really, really get a solid understanding across a wide breadth of how systems work from a technology standpoint, but also from an operational standpoint. You learn how organizations and those systems function together and how those systems achieve the business mission and goals and things like that. So, you get a much more holistic understanding of cyber from both a technical and business perspective. And you can take that and then decide, "Hey, I’m really interested in vulnerabilities and I want to really get into vulnerability management and use those compliance skills that I learned." And you can branch off and then become somebody who works in security operations, handling vulnerabilities and working on the front lines, so to speak, of cybersecurity.

I think there’s just a lot of different ways to get into this field, and I think really it is like we talked about breaking down those barriers, both us as individuals and thinking a little bit more broadly about our skills and how they apply, and then leveraging the relationships we have with different organizations and different individuals. I think networking is huge in that regard.

Mike Thompson:

I think people always see the hacker hoodie and think, "If you want to do cybersecurity, you first got to go into pen testing." And I talked to a lot of people who that was their thought, "I want to do pen testing." But then when they realize when they start doing pen testing, like, "Actually, this isn’t what I thought it was going to be, right?" They’re like, "This isn’t as cool as it’s portrayed maybe in the movies or in TV shows." And I would recommend that to everybody. Yeah, cybersecurity is not just hacking a customer’s environment. It’s compliance. It’s working in the SOC, I mentioned a security operations center. There’s marketing, there’s podcasts. There’s so many endless opportunities to get into cybersecurity that you just have to go out and seek it and find it. And yeah, what interests you, whatever interests you, go dive deep into that, see where it takes you, and if it doesn’t take you to the right place, back out, try somewhere else. And yeah, I absolutely love that idea that yeah, you can go. It’s endless possibilities.

Cole French:

Absolutely. Well, Mike, I really appreciate you coming on and discussing the cyber workforce and how to get into cybersecurity. I think this was a really interesting discussion, and I think our listeners will really get a lot of value out of our discussion of the cyber workforce and how to get into it. I really appreciate you taking the time to join us on the podcast.

Mike Thompson:

Thank you, Cole. This was so much fun. And yeah, thanks again.

Cole French:

Thank you for joining us on the Cyber Compliance and Beyond podcast. We want to hear from you. What unanswered questions would you like us to tackle? Is there a topic you’d like us to discuss, or you just have some feedback for us? Let us know on LinkedIn and Twitter, @KratosDefense, or by email at ccbeyond@kratosdefense.com. We hope you’ll join us again for our next episode. And until then, keep building security into the fabric of what you do.
