Thanks everybody for coming, get comfortable. Um If you have any questions, um, while we ramp up, just drop them in the chat. Um, appreciate all of you coming to the cybersecurity skills gap. Um My name is KV Murphy, I'm the director of Security at Starburst Data.Um And when I was thinking about a topic for today's presentation, I feel like this one was kind of the most obvious because if you are here and you are not yet in cybersecurity or risk management, I have been where you have been. Um, when I first broke into the field about seven years ago, had no experience. Certainly do not have a computer science degree. I had never worked in tech. I was not an engineer. Um I was working as a bank teller and a waitress, but I'm gonna be honest, I actually really wasn't doing much of anything. Um, but I was so thrilled to be able to get the opportunity to move into the field and I think it's a really rewarding one and, you know, I want to welcome everybody into it. So, um I really like actionable advice and so I always really appreciate when I can go to a conference or a seminar and, or just like a, you know, a web conference like this and feel like I heard something that day that I can use immediately in my own professional career.

So it's my hope that I'll be able to do the same for you today. Um I think with all of that said, we're probably good to dive in again. Thank you so much for coming. It's so good to see all of you. Let's get started. So I start here with a quote um from a book I read earlier this year. Invisible Woman is um basically a collection of research and data of all the inequities that women face in both professional and personal settings. And I certainly believe that women belong in every room, but especially in cybersecurity and risk management because I feel like our combination of hard and soft skills really makes valuable um regardless of the industry that we're in. So what is the cybersecurity skills gap?

So why are we all here? So essentially what the cybersecurity skills gap is regardless of where you're located. If you're in the US, if you're in another country, it basically means that there are more security jobs open than there is for people to fill them. So obviously, this is causing huge headaches and roadblocks and challenges for companies regardless of what vertical they're in just because they're having a really hard time securing their products and their offerings. So what this means for us and the reason that it's a good thing is that there's an opportunity for people who don't have skills in the area or don't have previous experience to be able to jump into the field. So, um, certainly not necessarily a bad thing. It's tough for companies, of course, because it presents a lot of challenges relative to compliance and to governance, but it's also something that's a win if you are looking to make a career change. And what does this mean for you if you are not yet in the field? So, um I am based in the US, I'm based in Boston. Um So these links that I'm sharing here are based, you know, for those in America. However, if you are outside the US worry, not the cybersecurity skills gap essentially exists regardless of where you are in the globe.

So I encourage you to go to your local um government website because you will see job openings that are entry level or um for interns that don't have experience in the field. And so essentially these links that I'm sharing here, the US government is recognizing that there's a cybersecurity skills gap. They know that there's not enough people in the field. So they are willing to hire unskilled labor, they are willing to hire individuals who have no previous tech experience.

So these three links that I'm um sharing here, I encourage you to write them down if you do want to make a jump into the field, um especially the Department of Homeland Security website, they have kind of a cool set up where you can apply for multiple security jobs just using one application.

So it's kind of intuitive, pretty user friendly. I encourage you to take a look at any of those sites if you're looking for a job in the public sector. OK. So how do you actually move into the field? Like I said, I really like actionable insight. So this is meant to be kind of a breakdown of how you can apply your current role or your previous role to a job application for security or how to structure your resume so that it matches an opening for security or risk management. So these are the domains of cyber security um and of information security. So risk management, et cetera compliance, these are all kind of sub domains of the field as a whole. So this is how you wanna structure your resume and show that you have transferable skills. And when I think about transferable skills, I think about something that you already have. So you shouldn't have to go and um take a class for a transferable skill. You shouldn't have to go and take a college course or attend a seminar. Transferable skills are meant to be the things that you already possess that could be of use in another industry. So we'll take risk management to start. So if you have previous experience in a finance role, if you worked at a bank, if you worked at any sort of financial institution, this is something that is very relative to risk management. Um because we are always working with this equation of probability times impact.

And so math ends up being really, really useful here. So if in your previous role or current role, you've ever done any sort of repeated tasks that include numeration or calculation, any capacity. And yes, that does mean if you've just played around in Excel a lot because risk management is all, as I said, based upon an equation. So if you have that banking or that math background, it's gonna be very useful to move over. So write it as a transferable skill on your resume, moving on to compliance and auditing. So one of the maybe less fun parts of cybersecurity is that we do tons and tons of audits because we want to make sure that our security controls are operating effectively. So if in your current or previous role, you've ever been responsible for conducting any sort of repeated company inventory. I'm talking basic. I'm saying, have you worked in a restaurant and been responsible for evaluating the food and beverage inventory every single week on a check board, you can write down as a transferable skill because it shows that you've repeatedly done an audit of something over and over. And that's something that we do all the time in security compliance is huge for us. We always are just doing repeated checks to make sure that our risk management program is actually working, as we say it is working, turning on to the the next option here.

If you have a knowledge of federal banking regulations, that's also extremely valuable in the cybersecurity field because this is an industry that is heavily regulated. And so a lot of those regulations um really tie into security. There's plenty of them, plenty of these regulations that have controls related to data privacy and data protection. So if you have a previous knowledge of that, it's definitely a valuable transferable skill moving on to governance. Whenever I think of governance, I like to think of setting the direction for the company and for the security program. So governance is a subdomain of cybersecurity. Essentially, it's basically evaluating your security program and laying the foundation for how it exists at your organization.

So if your current role or your previous role, you've ever been responsible for um strategic planning or if you've been responsible for developing any sort of current state versus future state relative um to your industry or to the department that you're in, that's very valuable in security because we're always trying to do this thing which we call continuous improvement.

So looking at our security program as it exists now and where we want it to go in the future. So in addition to that relative to governance, if you've ever been responsible for conducting any sort of audit during tax time for your employer, that's also something that um is very transferable if you want to get into the field of risk management or compliance. Because as I said, we are always doing audits and security and tax time is definitely a time where there is heavy regulations and it also includes a lot of um, laws and steps relative to compliance and to data protection. So that's very valuable. And finally, if in your current role or your past role, you've ever been responsible for developing any sort of road map for your team or for your department, that is something that is transferable to information security because we are always looking at what is our security program look like now and what does it look like?

Five years from now? What's our ideal future state? So if you've done a road map in any other industry, you can easily do one in cybersecurity. It's all about planning and finally moving on to security and security awareness. So if you ever have had experience serving in a people management role, you will be very valuable in cybersecurity because in the engineering and tech space space, many people do prefer to be individual contributors. Um So it's all difficult to find people who are excited or enthusiastic about serving in people management roles. So if you've been an effective people manager in any other sort of industry. Hr finance, marketing, communications, et cetera, you are going to be valuable and likely very easily able to do it in tech. If you have a general interest in artificial intelligence, machine learning, Blockchain, crypto, et cetera, this is something that you can definitely write on your resume.

If you have a lot of knowledge about it. If you have a side hustle in it or if you've served in any of those roles previously, I know they sound really buzz worthy. But these are areas that require a lot of cybersecurity help. These are areas that are um emerging and they have lots of controls required in order for them to be safe for people to use. So, cybersecurity is much needed in those areas. Number three, in cybersecurity, we have something called security awareness. Basically, what that means is that you're telling people at your company, um what they are responsible for as an employee relative to security and compliance. So you're spreading security awareness. So everyone knows what to do. And the way that we do security awareness is quite literally by sending out emails to all staff, big newsletters, hosting large trainings, hosting big meetings. So if you've worked in another department where you've been responsible for doing any of those things, it doesn't have to be in security.

As I said, if you've done those in your finance role, or if you've been in an hr space and you've done any of those, that's something that you can do in security as well. It's just gonna be a different topic. It's gonna be on cybersecurity. And finally, if in your current role, you've ever been responsible for identifying any sort of gaps in your policies or standard operating procedures that your company relies on. That's something that's very useful in security as well because that's governance. That's basically the written documentation that we base security off of. So if you've ever been responsible for basically looking at a policy in your company and saying, here's what we're doing right. Here's what we're missing. Here's where we're falling short here so we can improve.

That's something we do tons of insecurity. So a very transferable skill for you to use. OK. So now you know how to structure your resume and um how to fill out your job application to highlight those transferable skills that you already have. What roles do you apply for? So as I said, the public sector, definitely in the US, but also anywhere else in the world posts, a lot of job openings that are entry level for security, you don't have to have previous experience. Um When you are looking at roles, you wanna focus on something with specialists in the title or if you wanna even get more junior, you can certainly apply for an internship. So something with intern in the title, there's nothing wrong with that. We've all been interns at one point in time, they are paid. So, don't worry. But if you prefer to kind of just dive into the private sector, um faster than that, you want to look for job postings with the phrases, analyst, auditor or consultant in the title. Those usually indicate that they're more junior roles and when you're looking at the job description, um and you're not quite sure if it's entry level or if it's something you can apply to with limited skills. Um Keep these phrases in mind because they usually indicate that it is entry level. So number one access management, we do a lot of this in cybersecurity. It's basically provisioning and deep provisioning access for employees or customers at your organization.

It's usually done by somebody who's new to the team. It's kind of like the basic foundation of security is access management. If you see anything on the um on the job posting that says threat, research, threat research quite literally is basically doing a lot of googling about the latest risks and security incidents that could impact the organization. Um It's just kind of a lot of online poking around trying to find more detail that's usually done by somebody who is junior level as well. And documentation creation also indicates that it's um somebody new to the group because as I said, that's how we develop the foundation of governance. We create new policies, we create new procedures. It's usually just a lot of writing a lot of hanging out in the word document.

So it usually indicates that the job posting is entry level. So keep an eye out for those keywords. All right. So now you know how to structure your resume. You know, what rules to look for. These are just a couple of general tips that I found to be useful when moving into the field. So number 11 of the cool things about security is that we have a million different certifications that you can get um million tests that you can take and then become certified in any sort of sub domain of security, whether it's risk management, compliance, governance, etcetera.

And because there's so many to choose from, I always encourage you to choose a certificate that actually interests you don't feel like you have to get the one that everybody else has, get one that actually excites you and that you don't get bored studying for. Number two, make sure that you're structuring your resume and your job application. So it meets the actual vacancy of the job posting. Um So what I mean by that is that tease out the keywords from the job opening and structure your resume so that it writes just like the job opening. Um You want the recruiter to be able to look at it and see that you're a match even if you haven't worked in the industry before. And this is definitely going to sound like overkill but, um, when I'm, I mean, it, when I say this, like I said, this might turn some people off. But if you're applying for 20 different cybersecurity roles, you should make 20 different resumes. It's a lot I know. But also keep in mind that you want the recruiter to be able to look at your application and know that you're the right fit.

Even if you have no experience in the field to the third point here, whenever you're writing a cover letter, keep it short, but try to make sure that it's focused on exactly one transferable skill that you have, whether it is hard or soft. So what I mean by this is that when you're writing out your cover letter, try to think to yourself. I may not have done this, but I have done that and then write the documentation which indicates the transferable skill that you have that will be of use to this new department. You're trying to tell the recruiter, I may not have done this that you said in the job application you need. But I have done this and here's how it's gonna be of value to you. Number four, make sure that you're using really strong action verbs um that indicate that you have had ownership over an initiative or a project that you worked on, just trying to show and demonstrate that you were in charge of something that is written on your resume. Show that you were the manager of it. You were the one who led the project and that you had some sort of ownership over a task that you did. It's always really valuable and it definitely makes your resume stand out.

And finally, here to the last point, um we follow a lot of security frameworks and security laws and regulations here in cybersecurity. Um We've all heard the phrases, hi, a high tech iso. So two, all those good ones, it's a huge part of the foundation of governance that we um base our programs on and learning about any of these laws and frameworks is quite literally as simple as just doing a lot of Google research and gathering information. You don't need to pay to learn about these new um cybersecurity laws or data protection frameworks. Just do your research on your own time because if you can show that, you know, one law relative to cybersecurity inside and out, you are going to be incredibly valuable to an organization even if you have no previous experience. All right. So work experience obviously very important.

But there are a couple other ways that you can bolster your resume so that it's really, really valuable and really stands out to the hiring manager or to the recruiter. A couple of different options here. Number one offer to write articles. So what I mean is reach out to security outlets or local news publications and offer to write about something security, privacy, compliance or risk management related that interests you. Because most of the time these news outlets and these security journals or newsletters, they don't really care if you have a foundation or a background in security, they just want really good content that people are going to read. And I think it's good to offer to do it for free for a little while. It's just great to write on your resume because it shows that you're going above and beyond that work experience to that same point, reach out to local working groups relative to security or to local conferences or webinars and offer to present for them on a security topic or to speak on one of their panels.

Um If it's something that scares you and you don't really love public speaking, that's OK. It's 2022. It's a little bit easier now because most of them are online. I'm quite literally in my office and my apartment right now talking to you. So it's definitely not as scary as it, you know, often is if you're in person. So I just encourage you to get your name out there offer because all panels and all conferences are always looking for people to speak. Number three, we have something exciting in security called C PE S. So essentially what this means is that you attend trainings or you attend webinars or sessions um relative to security and you get hours of credit for them it's just a good way to keep up with what's going on in the field. So prioritize getting those on a weekly basis. Number four, volunteering looks great on any resume. You don't have to volunteer in cybersecurity. Just volunteer, you know, on a weekly or monthly basis. Um, you'll feel good and it also just looks really great on your resume and job application.

And number five, always make sure that once you've landed that interview, that you're going in with an awareness of a recent data breach or a hack, a security news story. Um When I got my second job in cybersecurity, the last question, um they had in an interview that ended up landing me the job was tell us about a recent data breach. And I was able to point to something that had happened at Boeing earlier that week and that's how I got the job. And now whenever I do interviews, I asked that same question, it shows that you're taking time to learn about the fields outside of work. As I said, we have plenty of certificates in cybersecurity. You can take your pick. Some of them do require that you have hours of experience though, ahead of time. Um These ones do not. So I encourage you to take a look at them. They don't require any security experience in order to get the final certification. Number one certified Ethical hacker good. If you want to do pen tests to certified Information Privacy professional. If you love data protection. The P MP certification, the third one here, it does require hours of experience within project management, but it doesn't have to be security. And the last one here, number four, security.

Plus this is good if you want to have an, it focus in your role because it's pretty, it help desk heavy. All right. So, all good stuff here. Like I said, I hope it's been actionable. I hope it's been helpful for all of you. Again. I'm so grateful everyone came out today. This has been fun. I look forward to seeing all of you in the security field in the near future. Just a couple of highlights here. Look on your government website because there are a lot of opportunities for you to shift into the public sector even if you don't have experience. Um Number two, make sure that you're choosing a security certificate that doesn't require you to have hours or years of experience before they actually allow you to take the test and receive the certificate. Make sure you're taking your time to get those continuing professional education credits on a weekly basis. Number four, try to make a new resume for every job application you apply for. I promise it's super valuable and finally take some time on your own to learn a security framework or a data privacy law um that you can just learn about on Google. It's easy and you will be so valuable in security if you can do that.

I think we're at time right now. I'm so grateful you all came today. I hope you got something out of it and enjoy the rest of the conference. Thanks everyone. Bye. Have a good day. Thank you. Good to see all of you.