1.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn

2.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
An honest look at challenges related to finding
and retaining information security talent
Evan Francen, CEO
FRSecure and SecurityStudio

3.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Introduction
• So,I’m told thatwe haveatalentshortageproblemin ourindustry.
• I don’ttrusteverything I hear, andneither shouldyou.
• Dowe actuallyhavea talentshortageproblem?
• Regardless,whatarewe going to doaboutit?
Beforewedivein,letme introducemyselfandwho Iworkfor.Don’tworry,there’snosalespitch.

4.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)

5.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Idoa lotof security stuff…
• Co-inventor of SecurityStudio®, S²Score,S²Org,S²Vendor, S²Team, andS²Methese are“simple buttons” (because “easy
buttons don’t exist).
• 25+ years of“practical”information security experience (started as a CiscoEngineer in the early90s – 1st security gig was
cleaning bootsector viruses from Windows 3.1 systems)
• Worked as CISOandvCISOfor hundreds of companies.
• Developed the FRSecure Mentor Program; 6 students in 2010/530+ in 2019
• Advised legal counsel in very public breaches (Target, Blue Cross/Blue Shield, etc.)
Me. I look better
as a cartoon.

6.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
UNSECURITY:Information SecurityIs Failing. Breaches Are Epidemic. How Can We Fix This Broken
Industry?
Chapter10:Too ManyFewExperts – Theinformationsecurityindustryisbrokenbecausewehavetoomany“experts”butnotenoughexperts.

7.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
ME: Evan Francen, CEO & Founder of FRSecure and SecurityStudio
Just prepping you…
• I’m a binarythinker.
• Things Iappreciate:
– Logic.
– Simplicity.
– Truth.
If you like these things too,we’ll have fun here (andmaybe we should dosome worktogether too).

8.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Who I work for
FRSecure & Security Studio
This is best explained in adiagram…

9.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Who I work for

10.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Who I work for
I work here!

11.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
OK, nowlet’sdivein.

12.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Thesubtitle for this presentation is “An honest look at challenges related to finding
and retaining information security talent”.
• Thekeyword is “honest”, I think
• Otherimportant words are “finding”
and “retaining”.

13.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Honesty
• If youreadthenews, you’dthinkthatwe havenobodytodo securitywork,but is this true?
• Toanswerthe question,“Dowehaveatalentshortageproblem?”weneed toexaminefrom(at
least)threedifferentperspectives:
– Theindustryitself -We need talent.
– Thosewho are hiring -You need talent.
– Thosewho are seeking -You aretalent.
Who are you?

14.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• Security Magazine– TheCybersecurityTalent Gap = an IndustryCrisis
– Byone estimate,therewill be3.5million unfilledcybersecurityjobsby2021.
– Lackofqualifiedstaff.
– Using underskilled practitioners.
– Securitytool sprawl.

15.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• Security Boulevard – TheGreat CyberSecurityTalent Shortage Continues
• According toaNovember,2018ISACA study,more than1,500cybersecurityprofessionals:
– 69%cybersecurityteamsareunderstaffed.
– 58%haveunfilledcybersecuritypositions.
– 60%cybersecuritybudgetis underfunded

16.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
• CSOonline –Thecybersecurityskills shortageis getting worse
• Morethan1/2oforganizationsreporta “problematicshortage”ofsecurityskills

17.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)

18.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Theproblem(s)
It’snowonderourbusiness leaderswanttodothis.

19.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.
How badis it really?
• It’s bad, but youhavesome options (coming later).
• Everyoneinthis industryhas a motive, usually to sell yousomething.
– The3.5millionnumberwasfromCybersecurityVentures,theygetmorecoverageandmoreclicks fromsensationalnumbers.This was
apredictionONLY.
– TheISACAstudywasasurveyof“cybersecurityprofessionals”.
– Thescarytitle“The CybersecuritySkillShortageEpidemic” came fromDeepInstinctandtheysellstuff(endpointprotection, mobile
security,etc.)

20.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
• It’s hard tochangea whole industry.
• Focus on you and your area of influence.
• What weneed:
– Moreeducationeverywhere(home,school,work,etc.)
– Awarenessofthe opportunities
– Makementorshipeverywhere. What you can
do to help?

21.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• FRSecure’s CISSPMentor Program -https://frsecure.com/cissp-mentor-program/
• SANSMentor -https://www.sans.org/mentor/
• Start yourown “mentor program”
• Volunteersomewhere
• https://www.safeandsecureonline.org/s/volunteers
• https://www.educause.edu/focus-areas-and-initiatives/policy-and-security/cybersecurity-program/community

22.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.

23.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
We needtalent.–Youcan help.
Someideas:
• Focus onyouandyourareaofinfluence.
• Gotkids? Talkto them.Talktoteachers.
• Free training& awarenessstuff:
• https://www.commonsensemedia.org/
• https://staysafeonline.org/
• https://s2me.io Start
somewhere.
So, we know we have a talent shortage
problem.
What does this mean to you if you’re in
the market for information security talent?

24.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
So, wehavea supply vs. demandissue.
• Demand is high, supply is low.
• This means you pay more,oneway oranother.
• Unless you havean unlimited budget, this means you better get it right, meaning:
– Youidentifytheright needs.
– Youget the right person (orpeople).

25.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.

26.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Theright needs.
• Whatyouneed dependsonwhatyouwanttoaccomplish.Makessense.
• If you’rein businesstomake money,whatyouwantto accomplishmustbealignedwith that.
Right?
• Defineyourinformationsecurityrolesandresponsibilitiesfirst,beforeyouhire.Need help? Get
help.
• Get yourexpectationsinline with yourneeds.
DO NOT:
• Hire just because you were
told you should.
• Hire just because others are.
• Copy a job description from
someone else.

27.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
Before you go there,
answer three questions
and write it down.

28.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
OK,so you’ve decided that you need someone.
1. Why do Ineed someone in the first place?
2. What needs will the person/people serve(specifically)?
3. What are myexpectations?
What you’ve written is
the start of your job
description.

29.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource
Each option has
pros and cons.

30.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#1- Buyyourtalent
• Pros
– Verifiable experience.
– Less wasted time/effort.
• Cons
– Expensive.
– Unlearning.
– More than you need.
If you buy talent,
culture fit must
be #1.

31.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#2- Buildyourtalent
• Pros
– Customfit.
– Loyalty.
– Cheaper.
• Cons
– Patience.
– They leave.
– Hard.
If you build talent,
take your time.
Support is key.

32.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#3- Outsource
• Pros
– Customfit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual
accountability.
2. Measurement is important.
3. Use someone who’s product
agnostic.

33.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Option#3- Outsource
• Pros
– Customfit.
– Only buy what you need.
– Experience.
• Cons
– No in-house IP.
– Motives/bias.
– Accountability
If you outsource talent:
1. Make sure there’s mutual
accountability.
2. Measurement is important.
3. Use someone who’s product
agnostic.

34.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.Whatdoesthismean toyou?
Nowyou sort ofknowwhat you want. How are you going togetit?
You havethree options:
1. Buy
2. Build
3. Outsource Whatever option you choose, choose
the option that’s best for you!

35.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youneedtalent.–Most commonproblems.
Do you fit oneormore of the following?
• Wrong motivations.
• Misaligned needs.
• Poorexpectations.
• Can’t afford talent.
• Good talent vs. not so good talent.
Go back to:
1. Why do I need someone in
the first place?
2. What needs will the
person/people serve
(specifically)?
3. What are my expectations?

36.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
Manyofourtalentseekersclaimthereisn'ta talentshortageproblem.
– They’re trying to get their 1st job in the industry and can’t.
– They’re very experienced and can’t get hired again.
– Expectations misalignment.

37.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
They’retryingtogettheir1st jobintheindustryandcan’t.
“YouWanttoGetintoSecurity”
Short(34 page), freee-book.
https://books.apple.com/us/book/you-want-to-get-into-security/id1457146083

38.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
They’reveryexperiencedandcan’tgethiredagain.
• My heartgoes outtothesepeople.
– Ageism.
– Stuckin yourways. Open yourmind to new approaches while figuringout new ways to communicate
the fundamentals.
• Hire one ifyoucanget one.Thewisdom aloneis worthit.

39.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.Keepat it.
Expectationsmisalignment.
• An educationexperience forall.
• Job seekers.
– Youmight not be worth as much as youthinkyouare.
– Takea cut, career path is moreimportant.
• Hiring people.
– Makesure youasking for what youreallyneed.
– All those letters look good, but do youreallyneed them all?

40.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
Youare talent.
Theshort eBook, five chapters:
1. Abundanceof Opportunity.
2. The RightPerson.
3. LandingYourFirst Job.
4. Becoming Good.
5. StayingHealthy. Read it. Share it. Give me
feedback. It’s free!

41.
October 28–30, 2019 | Minneapolis Convention Center
cybersecuritysummit.org | #cybersummitmn
Tackling the talent shortage problem
That’sit!Thank you!
• Email: efrancen@frsecure.com
• @evanfrancen
• @FRSecure
#S2Roadshow
• Blog - https://evanfrancen.com
• Podcast (The UNSECURITY Podcast)