On today’s episode:
I’ll be talking with Junior Williams, who is a CISSP, advisory board member of ElCanHack, and the Director of Cyber Risk at MIS3. We’ll be talking about the disparity between the number of cybersecurity professionals in the industry and the number of vacant positions in the market.
Below is the transcript of the podcast and links to some of the references as well.
ISC Cybersecurity Workforce Study 2022
Daemon Behr (00:44):
Today, I’m joined with Junior Williams. He’s a CISSP. He has all kinds of incredible experience. Um, currently he is, uh, on the, uh, advisory board of ElCanHack. He’s the director of Cyber Risk over at MIS3, and he wears a whole bunch of different hats. So, Junior, I’ll pass over to you. If you could tell me a bit about yourself and how you got to this interesting variety of roles that you currently have right now.
Junior Williams (01:14):
Thanks for the question, Daemon. It’s a pleasure to be here. So, my journey started in 1993. Uh, I got my first computer, I believe it was, an 80286, Intel Box. And, I learned to code in, in GW Basic and QBasic, um, got my first computer virus that year. I believe it was a new Jerusalem virus. It was a destructive virus. It literally destroyed the master boot record. So I had to rebuild the operating system from scratch. And my dad saw that I had somewhat of an aptitude. I was only in grade eight, nine at the time. And, he enrolled himself in a college, programming course, object oriented programming and C, uh, so that I could, you know, learn up on programming. And I did that and basically coded throughout my teens until I got my first job in IT, which was working for Sprint Canada.
It was internal support, as a systems analyst, so hardware and software troubleshooting. And went on from there to Alcatel, where I started doing web application development, not because it was within my role, but rather identified, a need or a gap anyways, an opportunity to, automate some of our inbound, service desk, ticket creation, right? So we basically had five analysts, and each one of us would spend a day on the phones, answering phones. So I said, you know, maybe I can code an application on the internet that would be able to, you know, put something in the SQL database. We were using heat ticketing, and basically would assign it to an analyst. They send them an email, send them a page. It would give our customers the opportunity to check up on the stats of their tickets.
And for that, I was rewarded a $50 gift card. So, I said that maybe, it’d be better if I took my skills, elsewhere and, I might be better compensated for them. So I went to a, a smaller company. It was a, a venture capitalist reporting firm called McDonald and Associates. And I was basically their IT department. I had, IT staff of two, me and an assistant, essentially. So I did their hardware, software support, but I also maintained a web application. So that company ended up getting bought out by Thomson Reuters. I had no equity in the company, so, I was laid off <laugh> a little bit after that. So then I went on to do a, a lot of, web development projects, you know, the little startup companies. I was doing web administration stuff.
We were also working with some non-profits, and that took me right up until about 2017 where I decided I just wanted a, a little bit of a change, right? So I went to real estate school that wasn’t really working for me, and a friend of mine, asked if I would consider being a, a private investigator. So I got my license and started being a private investigator. The company I worked for when they realized that I had this background in IT and computers, and of course put me back in front of a computer to do a lot of, intellectual property work. First use investigations, a lot of stuff involving the Wayback Machine. But then, you know, I was doing more, you know, James Bond kind of stuff too with covert surveillance and then even expanding my repertoire to take statements and, conduct interviews, even do canvassing, like door to door, a wide range of stuff.
As I was doing that, my wife, (girlfriend at the time) was like, well, have you considered cybersecurity? And I hadn’t really. So, I started putting some thought into it and then, you know, looking at the whole people process technology, and that order started connecting myself to a lot of individuals in security and in cybersecurity, right? So, this is about 2017. So I connected with my first mentor, Mike Allen. He’s the global CISO for Manulife. And also Ryan Duquette. He currently, I believe, is at, MNP, heading up their digital forensics practice. And, you know, over the years they gave me valuable insight on in terms of how large enterprises were securing their, their networks. So, taking that, I thought I would get a job at Checkpoint, Checkpoint being an Israeli company.
Just, I like new things. And, the thought of working for a company that was, you know, outside of North America kind of excited me. So I applied, and I was interviewed six times over seven months, and I kept losing. I was a finalist in the competitions, but, I ended up getting passed over for people with their, master’s degrees in engineering. Okay. So then I got a call back, six weeks or so after my last interview with them, and they asked if I consider a sales role. Of course, I responded, yes. And, so I worked with Checkpoint for about a year and a half, learning the ins and outs of, channel led sales, again, enterprise sales, working with, value added resellers and systems integrators right across the board. And, I was there for about a year and a half end up leaving there and going with, a value added reseller systems integrator MIS three, or managing Information Systems three.
And I was brought on as their director of cyber risk. So basically, I am, I’m versed in all of their, technology partners, which is, it’s pretty much all the, you know, main players, Sentinel One, you know, CrowdStrike, Proofpoint, et cetera. And, you know, going onto those, partner portals and taking their sales training, taking their technical training, meeting the, you know, the SEs at all these companies. And all the while I’m, I’m very public and active on LinkedIn, so making connections. And then that’s actually how I ended up on the, advisory board of Emerging Leaders Can Hack, because people were like, well, you, you seem to know all these people and all these technologies. Why don’t you come in and advise us? So, and hence where I’m at right now, um, in a nutshell,
Daemon Behr (07:50):
Well, thank you for that. Now, a lot of people that are trying to get into the market right now are having a real difficulty doing that. And it’s, it’s kind of interesting because the market itself says that there’s this huge deficit of talent in the security space. And there’s an ISC report that says that there’s three point something million vacancies in the cybersecurity community worldwide and 26,000 in Canada alone. Yet it’s difficult for people to get into, the field. And I’d just like to get your perspective on it. What do you see are some of the, the challenges that, the people have, and why do we have this big gap of, of vacancies in the industry?
Junior Williams (08:38):
That’s a good question. I would like to know where they’re getting these numbers from <laugh>, like if they’re getting them from HR, because there’s definitely a disconnect between, HR and the business, and, cybersecurity. I say this because, I’ve been trying to get into a technical job in cybersecurity for, in the past three years now. And, I’ve yet to land one. In fact, I’ve stopped looking, um, because I’m now involved in, in other things of which, you know, maybe the technical side is more of like a subset, right? But, you know, so as I told you, I was struggling to get into Checkpoint and, I came across this program called the Rogers Cybersecurity Catalyst Program. And this program was to address this perceived, you know, skills and personnel shortage. So, Rogers and, RBC, they, approached, other large enterprises, and basically were like, so what do we need?
Because I, I guess the, the people who are graduating with computer science degrees aren’t, aren’t cutting it, right? Because there’s this, uh, this gap. So, you know, they, these industry leaders collaborated. And, um, with the SANS Institute, they decided to create this program, which awarded three certifications, the GFACT, GSEC, GCIH, that’s the certified incident handler from the GIAC. And they made it, very easy to get into because these certifications cost like, you know, many thousands of dollars. I think those three combined is close to $20,000 USD, right? So, they had a lot of applicants, maybe thousands of applicants, and only a handful of spots each cohort, I think like 20 to 60 spots. So I started at Checkpoint at the same time. I started in the Catalyst program in May, 2021.
So I was full-time Checkpoint, full-time Catalyst, right? And, again, very active in the, in the Catalyst community and the alumni community. And, you know, because people saw that I was working at Checkpoint, I’ve kind of been championed as a success of the, the program, notwithstanding the fact that I got that job on the merits of my experience, my prior experience, right? So because I had that job, though, I am approached by dozens of, of Catalyst, um, alumni, some of the less fortunate who were not able to get jobs. And these people are very bright. The majority of them are newcomers, new to cybersecurity and women, a lot of them have undergraduate degrees, some of them have master’s degrees, and they’re still reporting that they were having issues, getting interviews, having issues getting past, the first round of interviews. So that’s why I said, you know, is it a real gap or is it a perceived gap, right?
We spoke before about this, and I, I used the, the term unicorn cuz it would seem like they’re looking for an army of unicorns that don’t exist, right? And I’m of the opinion that, you know, you don’t need, you know, a four year undergrad, uh, a postgraduate diploma, uh, some vendor agnostic certifications to start as a SOC analyst tier one, right? Like, it doesn’t really make sense. You could do that kind of training right, when you’re in high school. So I’m, I’m somewhat skeptical when I hear like this, you know, millions of, you know, shortage of, of cyber professionals when I know personally dozens who are still looking and working jobs that, are not even in the field.
Daemon Behr (12:30):
Yeah, I definitely agree with that. I think that, um, there’s a big disconnect in between the educational system to what job readiness actually looks like. And I think the fact that cybersecurity is a very quick to change and evolving career that it is very difficult for educational institutions to keep pace with what is actually required in the industry. When students wanna get into it, they, they look around and they say, okay, what colleges, what universities can I go to? Can I do a two year program? Can I get a bachelor in COMP SCI and then do a specialty in cybersecurity? And then they may end up going to school for a long period of time, and then from that, you know, where, where do they really go? They have information that provides them with the basics, but despite all this time that they put into learning, they are still a few years behind.
So they have to play catch-up and catch-up and catch-up. Now, the, the problem that, that I see that a lot of companies have is that companies that need cybersecurity professionals don’t necessarily know what they need because they don’t have the cybersecurity professionals to tell them what they need. So there’s the chicken and the egg, type scenario where the, the only way that companies can really put together, um, or set of job requirements to meet the needs is if they know what that actually looks like. And the, the people that are providing the education to, to the students don’t really know that either. So the only way that, that you can really get the information that’s required is from the people that are working in the field. It’s, in my opinion, it’s just a big mess. Nobody really knows what, what’s required, and the people with the skills aren’t able to get the jobs because of the gatekeepers that don’t know that the skills are right there and they can just utilize them.
Junior Williams (14:34):
One of the things that comes to mind when we talk about this, or rather places in the world where they’re doing it right, is Israel, you know, I mentioned Checkpoint is it’s an Israeli company. They are definitely doing it right when it comes to cybersecurity, a lot of innovation is coming, you know, directly to Israel. What are they doing differently than what we’re doing? Well, they are keeping it in house. When I say keeping it in house, I mean that they are, empowering their employees in the cyber sector to stay by compensating them adequately, not keeping them tied down, you know, so they’re giving them exposure to different things. You might start off as a SOC analyst and go into compliance and go into incident response and round and round you go, um, but you’re rising. And then they’ll put people under you to mentor and then right up to they recruit.
The people at the top are the ones that recruit the newcomers that come in, and HR empowers them to make these decisions. They don’t act as gatekeepers. And that’s what I’m seeing all too often here, is that first of all, the, it starts with a job description, right? It’s an antiquated job description that doesn’t even match the rules of the job, right? So you have people preparing for this interview with someone that doesn’t really even understand what the, the role requires, and they’re preparing for this interview, you know, again, it’s, it’s not even what they’re going to be doing. And they’re, it’s almost like they’re speaking a different language when it gets, when it gets to the HR person, right? And they’re thanked and, and, you know, way we go. So there’s a lot of, I find here nepotism, quite frankly, right? How do you get it?
A lot of these companies, it’s their policy to do external postings, but they’ve already filled their role before they even put the posting out, right? I’ve had issues where, and then <laugh> to, to boot, I’ve had issues with you know, tier one financials here. Like I’ve been, you know, groomed by some senior people in information security, basically selling me on their company, even applying for me, you know, um, I’m getting a notification from their HR, they’d like to have an interview with me, and you know, they’re talking me up in internally, I do the interview, I feel like I’m qualified. And then crickets, right? I follow up with them and they’re like scratching their head. They don’t get it right? Because, you know, they’re, they are talking to everyone up all the way up to the CISO.
And it’s like, so internally, I’m not really sure what’s going on in these companies because I haven’t even been able to get into the, where there’s a glass ceiling, right? <laugh> to see what’s going on above the glass ceiling. It’s just being like, not even letting me in the house kind of thing, right? And it’s ironic because I feel like I checked the boxes, right? I software develop, I was programming first before I even understood it. Then I was in IT fixing problems before I even understood, you know, network architecture. And then I was doing all that, and then I did, you know, four years of, of investigation work before I even formally went into cybersecurity, right? And you combine all this, I have four vendor agnostic certifications. I have certifications from over a, a dozen, vendors, you know, I’m on TryHackMe, I’m top 1%, there’s 1.7 million users. Not to say that I am the most advanced hacker in the world, but I essentially do have some knowledge and experience, right? And it’s been documented because I’m, very transparent about, you know, what I do and what I learn and what I think about it, right? So I think there are other models out there that we could follow and, and use it as an example. I don’t understand why we’re not doing that.
Daemon Behr (18:19):
One of the problems that organizations also have is that they have a certain amount of budget, which they have allocated for security. And that budget isn’t really changing a lot, even though there are demands, their requirements are continually increasing. So they try to get the lowest costing resources in order to fit jobs that they’re asking all kinds of very large requirements in for. So either they’re not properly compensating the people and then the people that are good and have qualifications and have worked there for a while, they end up going over to other roles that are gonna pay more. So there’s more turn and churn of employees than there really should be, so if somebody starts having career aspirations and they don’t necessarily wanna be a, you know, level one SOC analyst for their, their whole life, then that may even penalize them because that organization needs level one SOC analyst and level two and level three and so on. But if they wanna do something else beyond that, then perhaps they’re not a right fit for their role. So <laugh>,
Junior Williams (19:28):
You know, I mean, I’ve spoken to people and it’s, it’s being basically like this in the role for, you know, a year to a year and a half looking for some type of, you know, upward advancement. And then they’re kind of being put in their place. Like, you know, not only are you not fit for the next level, but you know, we’re gonna put you under review as well. It’s kind of like a means to, I dunno, put the fear in them so that they’re worried about their job security. They’re just gonna keep their head down and continuing viewing what they do. From my time as a private investigator and then just, you know, being on LinkedIn and looking at people’s career trajectories, what I’ve noticed is that the sweet spot seems to be two to three years. And if you’re at a company for more than three years, you notice a lot of plateauing in careers.
It’s almost like they want you to go, you know, two years of one company, then tier one and tier two at another company, then you might go to that comp back to that company as opposed to, why not work with what you have? Right? Why not, you know, develop that talent, have the, like, instill a sense of loyalty. I’ll play devil’s advocate on that. Maybe the answer to the question is that, well, when you have large companies like Microsoft and Google, you know, laying off employees that have been there for 20 years, I think you’re telling the workforce that it doesn’t matter how big the company is, but there is no loyalty, right? So they’re almost like grooming potential employees to just see it as a job, which again, is completely counter the culture I’m seeing in, in other places where there’s cybersecurity is more thriving. So that’s definitely something that needs to be, I think organizations have to take a long hard look at themselves and, and kind of work that out.
Daemon Behr (21:16):
Yeah, I definitely, I agree. I think that companies should have processes in place to try to retain employees for as long as they, they can in a mutually beneficial manner, so that yes, they constantly get new blood in order to fill the positions as they, they hire within, but also have all kinds of different opportunities for career path. And in IT, there’s so many different branches that you can take. Even from a cybersecurity perspective, you know, you can start as a, as a SOC analyst, you can start moving into governance and risk and compliance. You can look at threat intelligence. You can look at you know hands-on implementations of things in professional services, consulting engagements, all different kinds of skill sets, you know, depending on what you would want to focus in. So what my question is to you, for people that are just getting into the industry right now and don’t necessarily have a path, what do you see as a good strategy for them to understand what’s out there and to, to actually advance their career in a beneficial way?
Junior Williams (22:37):
Great question. I, myself am a big proponent of TryHackMe. As I already mentioned, I’m on a 312+ day streak right now. I’m going for my 365 day streak. I like it because it’s gamified. It’s for me, it’s fun, you know? And I think that a lot of people that I’ve, pointed in that direction have told me the same thing. The beauty of it too is that it has such a wide range of material from like beginner all the way to the most advanced, like, you know, simulations of real world, you know, real world networks and, so that people can really put their stuff, uh, to measure. The other thing I say though is LinkedIn. I’m in the role that I’m in right now. In fact, every role I’ve been in post 2017 has been because of LinkedIn.
All the opportunities that have been afforded me, people coming to me, and also people that wouldn’t have otherwise met with me unless I had, you know, someone in between to make a warm introduction. It’s been on LinkedIn. I was at the CISO forum last week and approached by a lot of students who were saying, you know, how do I, how do I break into cybersecurity, right? And I’m like, well, you, you’re on the right path, definitely that you’re here asking me this question, right? But if, if, say you want to get in as a SOC analyst, say, right? So I told them every day, try to connect to 10 SOC analysts. You know, you might get one connection well, over the course of a year, that’s 365 SOC analysts that you’re connected to, right? Also try to connect with, you know, their hiring manager.
Also, try to connect with the HR generalists at the companies they work for, or the recruiters that work with those companies, right? And do this daily. It’s not a matter of if, it’s a matter of when, as long as you have a, a clear objective and you, you know, take a systematic approach towards that objective. A third thing I would say is, um, if you’re on the more technical side, definitely, set yourself up so you can showcase your skills as in, you know, participating in Git, if you’re a developer, say, you know, Stack Overflow, these type of websites where you can, you know, put your name out there and link it to your profile. Also, there’s a lot of free trainings. I don’t think that you should have to spend a lot of money.
CISSPs are good for if you have, you know, multiple years experience and you just wanna kind of show that you have a very broad skillset. But the amount of people that approach me with that, that have certifications that are supposed to be applied, you know, GIAC certifications are applied and they’re still having problems getting traction. So it tells me that there’s no cookie cutter approach. Take this course. It’s not like back in the day, like, you know, get your MCSE, you know, Microsoft certified systems of engineering, you’re good to go in IT help desk. It’s, there’s no cookie cutter approach. It’s a multi-pronged approach. Um, you have to be socially active, participate at conferences where you can, but the very least on LinkedIn, also on, on learning site meant to TryHackMe, HackTheBox is another one. But you know, it’s a Google search away in terms of all the, the free platforms that you can get your name out there and acquire these skills.
Daemon Behr (26:07):
Yeah, I think that one other thing that’s really important is to find mentors in the industry. So, find somebody that is maybe two steps in front of you, and then get some advice from them and find out how they got to where they are, and then incorporate some of those strategies into your own strategies so that you can get to that. And the more mentors, the better. But you also need to make sure that whoever you identify as a, a mentor, that they’re a willing mentor. <laugh>. Yeah. I think that the longer somebody spends in the industry, the more they really should give back over to the community and help those that are just getting in into it. So, I know I’ve had multiple mentors myself. I’ve been a mentor to a number of people, and I think it’s a really great thing to do, but, if there is a mentor that’s identified, you wanna make sure that you don’t waste their time.
You know, you have to appreciate their time and, respect it. Don’t bombard them with questions, but still make sure that you have that engagement. It’s kinda like a social contract. Yeah. And you know, with the mentors I’ve had in the past, we may meet once a month. We may meet once a quarter, but it’s good to have that ongoing cadence. So there’s some accountability. So once, once you meet up with them again, you can say, what have you done towards the goals that we’ve talked about? And that kind of shows value in the overall, relationship with the mentor and mentee.
Junior Williams (27:41):
Absolutely. A hundred percent agree. Like, the first, like I, I mentioned Michael Allen, he agreed to meet with me at the Timothy’s by the Manulife headquarters. And one of the questions I asked him was, well, why did you even agree to, to meet with me, right? Like, I know that you’re a really busy guy and your time is, is precious, right? And he just said, you know, I, I believe in paying it forward. You know, fast forward in that same conversation I asked, you know, um, how did he find himself in the role he’s at? Because, you know, there’s a lot of people that have similar qualifications, but there’s only one him, right? So, how’d you get there? He said, doing what you’re doing right now. So I, I took those two things and, and moving forward, I made sure that I always made myself available to pay it forward. And you know, just let people know that, like I said, it’s not a matter of if, it’s a matter of when, as long as the, the objective is clear in your mind and you take 30 steps towards that objective, I have a hundred percent confidence that you’ll, you’ll get to where you want to go.
Daemon Behr (28:43):
Well, thank you very much, Junior. It’s been a fantastic call. It was a great conversation. Now, if people want to get in touch with you, what would be the best way to do that online or social media or so forth?
Junior Williams (28:56):
All right, so, on LinkedIn, I’m not on any other social networking platform. Just LinkedIn, so you can search for Junior Williams. I think you’ll see a, a computer somewhere like an emoji in, in, in my name. Another way, surefire way right now to reach me would be via my URL, which redirects to my LinkedIn. So that’s, uh, trustcyber.ca.
Daemon Behr (29:24):
Any last words that, that you’d wanna say to our listeners?
Junior Williams (29:29):
Believe in yourself. That’s, I recently, not to get overly philosophical came across this, loving kindness meditation, essentially. Just take a deep breath in. I love myself. Take a deep breath out. Thank you. And that thank you is, is not just yourself, but just gratitude in general for existence for everyone in your life. All right, well, thank you very much. Thank you.