Join us tomorrow for "Hacking Fragmented IAM"

Super Cyber Fridays!
Join us TOMORROW, Friday, 03-28-25, for "Hacking Fragmented IAM"

Join us Friday, March 28, 2025, for “Hacking Fragmented IAM: An hour of critical thinking of how to simplify the confusion on identity management, governance, and security.”

It all begins at 1 PM ET/10 AM PT on Friday, March 28, 2025, with guests Ivan Dwyer, senior product marketing strategist, Axonius, and TC Niedzialkowski, former CISO at NextDoor. We'll have fun conversation and games, and at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Axonius

Defense in Depth
Cybersecurity Is NOT an Entry-Level Position

We often wonder why there are fewer entry-level jobs in cybersecurity. But does that job category even apply to the field? Is there an argument that there are no entry-level jobs in cybersecurity?

Check out this post by Tallis Jordan of the U.S. Army Cyber Command for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is Montez Fitzpatrick, CISO, Navvis.

Start with foundations

Cybersecurity is not an entry-level role, yet many aspiring professionals try to jump in without foundational IT experience. "If you do not have even a basic comfort with tech, you will never be a solid InfoSec professional," said Sev Obarian of SecurPro, advising juniors to start in entry-level IT roles like call centers or support desks to build technical fundamentals before transitioning into cybersecurity. The lack of proper career pathways is compounded by minimal investment in training. "Companies are not training their staff, but I think that's the same frustration point about why businesses don't invest adequately in cybersecurity," said Heather Noggle of the Missouri Cybersecurity Center of Excellence. 

Learning to learn

While it's undeniable you need a baseline of skills, success is more about work ethic and willingness to learn than technical mastery. "Anyone can learn a job. Cybersecurity isn’t this mystical challenging world where nobody can learn it. Most tools are automated and require very little input," said Daniel Sullivan of Leidos, who transitioned from being a weatherman to a SOC analyst. Michael Spanks Jr. of Mutual of Omaha Mortgage strongly disagrees with gatekeeping in the field, stating, "I went from being a police officer to a SOC analyst within a year. Acting as if certain roles within cybersecurity where new hires can’t be trained is nonsense." 

For entry-level roles, hiring managers are looking less for pre-existing skills than for the interest and capacity to learn. "There are entry-level positions in every IT discipline. You can teach anyone anything. The real question is do they have the aptitude and desire to learn something new," said Russ Lein of Essendant. However, Jeff Nye pushes back on the idea that IT should be seen as a stepping stone for cybersecurity careers, explaining, "The rest of the IT field is not some sort of minor leagues for cybersecurity, and I'm tired of people acting like it is."

Don’t get hustled

The rapid growth of cybersecurity has led to a surge of influencers promising unrealistic career paths, misleading many aspiring professionals. "The biggest problem I have are the ‘influencers.’ One guy promises ‘90k in 90 days,’ saying you can start cold from no IT experience to multiple certs and a job in 90 days," said Janet Gray of Optiv. Even those who invest in certifications may not be prepared for real-world roles. "Just because you have the money to take the tests doesn’t mean you can do the job. The other problem with classes I’ve taken is they don’t usually teach you the day-to-day stuff you need to know," said Linda Dickinson of Caldwell University. Beyond certifications and experience, adaptability remains critical. "The goalposts move every day and there’s no consistency. Best to just have a solid education base and adapt to whatever the job requires," said Jose Vela of Cyderes, cautioning against measuring professionals solely by their time in cybersecurity rather than their broader technical experience.

Building a pipeline

This whole debate occurs in a shifting landscape, where organizations are rethinking their prerequisites for cybersecurity roles. "While there are still many companies that require prior IT experience for cyber hiring, there is a growing trend of companies that don’t," said Reginald Fuller of Claiborne Parish School Board. What truly matters, he argues, is grasping the fundamentals and demonstrating real-world understanding—something that can now be achieved through online resources, home labs, and independent projects like bug bounties. In the past, IT experience was the only viable path into cybersecurity, but as Fuller points out, "There has to be an entry-level talent pipeline of some sort to maintain a healthy industry." 

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Thanks to Jesse Johnson of Delta Health for being our other unwitting contributor.

Huge thanks to our sponsor, Scrut Automation

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Reddit AMA on r/cybersecurity

Our monthly AMA on r/cybersecurity on Reddit is underway.

Our topic is "I’m a CISO who started from the help desk and it taught me everything I need to know about cybersecurity and people. Ask Me Anything."

Please click the link and ask your questions! https://www.reddit.com/r/cybersecurity/s/EgrY0TOrdq

Our participants are:

  • Adam Glick, CISO, PSG

  • Adam Koblentz, Field CTO, Reveal Security

  • Ryan Link, Principal of Threat Detection and Response, CDW

  • Sounil Yu, CTO, Knostic

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Jonathan Waldrop, CISO, The Weather Company.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

SECURITY YOU SHOULD KNOW
Getting Actionable Intelligence with Stellar Cyber

The sheer volume of security alerts and data being generated by various sources like firewalls, servers, and endpoint devices is daunting. The challenge lies in sifting through this vast amount of information to identify genuine threats without throwing manual effort at it. Traditional security logs merely tell us what happened but do not provide insights on what’s happening now. The demand is for more actionable intelligence that focuses on different, more relevant data types rather than just more data.

In this episode, Subo Guha, chief product officer at Stellar Cyber, discusses the company’s efforts to turn raw security alerts and IT data into actionable intelligence at scale. Subo is joined by our panelists, Nick Espinosa, host of the nationally syndicated Deep Dive Radio Show, and Steve Zalewski, co-host of Defense in Depth.

Huge thanks to our sponsor, Stellar Cyber

Cyber chatter from around the web...
Jump in on these conversations

"In-office work is the real threat to cybersecurity"

"Your data is now in the hands of some random guy"

"Question: How do you balance having a low security budget and having a lot of security objectives/initiatives to implement?"

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • 03-28-25: Hacking Fragmented IAM

  • 04-04-25: NO SHOW

  • 04-11-25: Hacking Social Engineering

  • 04-18-25: Hacking the Evolving DDoS

Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.