Join us tomorrow for "Hacking the Evolving DDoS"

Super Cyber Fridays!
Join us TOMORROW, Friday [04-18-25], for "Hacking the Evolving DDoS"

Join us Friday, April 18, 2025, for “Hacking the Evolving DDoS: An hour of critical thinking about the changing threats to service availability.”

It all begins at 1 PM ET/10 AM PT on Friday, April 18, 2025 with guests Ashley Stephenson, CTO, Corero, and Eduardo Ortiz-Romeu, vp, global head of cybersecurity, Techtronic Industries. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.

Thanks to our Super Cyber Friday sponsor, Corero

Defense in Depth
What Can Someone with No Experience Do in Cybersecurity?

There's skepticism about what people new to cybersecurity can do when they enter the field. Are we creating too many unnecessary requirements for what we need? What should we be looking for in future workers to support our security program?

Check out this post from Jerich Beason, CISO at WM, for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Dan Walsh, CISO, Datavant. Joining us is Rinki Sethi, vp and CISO, BILL.

You need a solid foundation

There’s a common misconception that cybersecurity experience exists in a vacuum, but as Nawar Kabir of DigiRISQ Consulting points out, much of the field is built on a solid foundation of IT experience. “We’re confusing ‘cyber experience’ with ‘IT experience,’” he said, emphasizing that even seemingly entry-level tasks like vulnerability scanning require core networking knowledge, such as IP subnetting and understanding TCP/UDP ports. Kyle Manel echoed this sentiment, noting that many roles in cybersecurity—especially on the management side—are not unique to the field. “These are all management tasks,” he said. “They should be generalized capacities that everyone can shift to when necessary.”

A lot depends on the role

While there’s growing interest in opening cybersecurity roles to newcomers, some professionals remain skeptical about how quickly that change will happen. Don’t expect a major overhaul of entry-level opportunities anytime soon. “Most companies will have too much turnover, too many strapped teams unable to commit to training, and too many of the old ways being set in stone,” said Joe Hudson of TCM Security. “It’s 5–10 years,” added Aileen Kara at Wells Fargo. Specific responsibilities often labeled as entry-level require experience to do well. “Policy enforcement isn’t just about knowing how a vendor tool works—it’s about understanding whether the enforcement is actually effective,” she said. “And you can’t review a policy properly if you don’t know whether it’s working or what’s outdated.” Despite calls to lower the barrier to entry, some roles still demand a deeper level of expertise.

Underappreciated skills

Mastering communication and context isn’t just useful—it’s foundational. For those breaking into cybersecurity, documentation and reporting may seem like secondary skills—but they’re powerful entry points. Documentation is “an underdog” skill. It helps newcomers learn and retain both technical concepts and security mindsets. “If you have no experience, take charge and start documenting,” said Marvens D. of Precicom Technologies, emphasizing the importance of understanding the fundamentals: what, why, who, when, how, and if. Benjamin Corli of Zscaler reinforced this view, encouraging aspiring professionals to focus on clarity and audience relevance. “A non-technical person can read your documentation—do they make sense?” he asked. “There are so many things those with little technical skills or little experience can do.” 

Structures and frameworks

The key to scaling talent in cybersecurity lies in structured delegation. “There are three key reasons we value senior-level experience: innovation, triaging, and mentorship,” said Michael Llyles of TEKsystems. Instead of reserving all complex tasks for senior staff, he suggests documenting them in detailed standard operating procedures (SOPs) and training junior team members to take them on. This prepares newcomers for real-world responsibilities and frees up senior professionals to focus on higher-value efforts like crisis management and innovation. Drawing inspiration from military-style training, he advocates for a risk-based framework where junior staff are empowered to handle low- and medium-risk tasks. 

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Recorded Future

Subscribe
Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Security You Should Know
Getting Ahead of Compromised Credentials with Permiso Security

We hear all the time that identity is the new perimeter. If we place that much importance on identity, then compromised credentials can give away the keys to the kingdom. In an environment where hybrid infrastructures introduce visibility challenges, the need for advanced monitoring techniques for identities becomes clear.

In this episode, Paul Nguyen, co-founder and co-CEO at Permiso Security, discusses how Permiso enables organizations to fortify their defenses against insider threats and malicious actors. Paul is joined by our panelists, Trina Ford, CISO of iHeartMedia, and Eduardo Ortiz-Romeu, vp, global head of cybersecurity at Techtronic Industries.

Listen to this episode here.

Thanks to our sponsor, Permiso Security

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Trina Ford, CISO, iHeartMedia.

Thanks to our Cyber Security Headlines sponsor, Vanta

Join us for the Cyber Strikes & Security Insights RSA Happy Hour!

If you’re looking for a night of networking, bowling, and games, then you need to join David Spark for our meetup in San Francisco to kick off RSA week. The event is free but you need to register!

EVENT: Cyber Strikes & Security Insights

WHERE: Lucky Strike San Francisco, 200 King St, San Francisco, CA 94107-1702

WHEN: Monday, April 28, 2025, starting at 7pm

Huge thanks to our sponsor, Vanta

Cyber chatter from around the web...
Jump in on these conversations

"Which cybersecurity roles seem low-stress but aren't, and vice versa?" (More here)

"What are the most absurd controls you have ever seen?" (More here)

"What was your top cybersecurity concern last year?" (More here)

Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:

  • [04-11-25] Hacking Social Engineering

  • [04-18-25] Hacking the Evolving DDoS

  • [04-25-25] Hacking Your Risk

 Save your spot and register for them all now!

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.