Cybersecurity Mentors Podcast

The Real State of Cybersecurity Careers in 2026 (ISSA Report Breakdown)

Cybersecurity Mentors Season 6 Episode 18

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 43:09

Send us Fan Mail and we can reply directly!

Is cybersecurity still a great career in 2026?

In this episode of the Cybersecurity Mentors Podcast, we break down the latest 2026 ISSA Life and Times of Cybersecurity Professionals report and compare the research to our own experience leading enterprise cybersecurity teams.

Based on feedback from 380 IT and cybersecurity professionals, we discuss:

• The best advice for breaking into cybersecurity
 • Why networking matters more than certifications alone
 • The growing workload facing security teams
 • Stress, burnout, and why many professionals have considered leaving the field
 • The leadership and culture that separate great security teams from struggling ones

If you're trying to land your first cybersecurity job, grow into leadership, or understand what the career really looks like behind the scenes, this episode is for you.

Come hang out with us in the Cybersecurity Mentors Skool community. It’s free to join.


Cold Open On Mentorship

SPEAKER_01

Could you teach me? First learn stand, then learn fly. Nature rules on your son, not the mine. I know what you're trying to do. I'm trying to free your mind, Nia. But I can only show you the door. You're the one that has to walk through it. What is the most inspiring thing I ever said to you? Don't be an idiot. Changed my life.

Why The 2026 ISSA Report Matters

John

All right, on today's episode of the Cybersecurity Mentors Podcast, we are going to cover the 2026 ISSA report of the life and times of cybersecurity professionals. And this is a very interesting report. They had a lot of data to back up some of the questions and percentages and information that we're going to share today. This was based off of 380 IT and cybersecurity professionals. This is the eighth edition of this research. The report focuses on job satisfaction, career challenges, skill gaps, uh retention, and ways to improve cybersecurity careers. Uh, and specifically talks about also recommendation for those trying to get into cybersecurity, which is which is great. I think you'll be surprised if you haven't read this report yet, on some of the data that comes out that we're going to going to discuss that might be a little less rosy than you might expect, right? Might be a little um, maybe a little shocking, and maybe people are being sold on a simple version of what careers look like. I think we do a good job of level setting what the day in the life of and what our challenges are and how it's changing with technology and and the um cultures of different organizations. I would say we don't sugarcoat it, and I think that is where this report backs up a lot of the things that we've been preaching. But I was even surprised at how some of the data, but so I'm not gonna, I'm not gonna spoil it. I'm not gonna spoil it, but we're gonna dive into it and and jump in to share with you guys our take on this report and why we think it's important.

Breaking Into Cybersecurity For Real

SPEAKER_00

Yeah, well, let's get started with breaking into cybersecurity. So, like John mentioned, they uh surveyed 380 IT and cybersecurity professionals. So they went ahead and asked those 380 professionals, what advice do you have for those people trying to break into cybersecurity? And these are some of the things that they came back with. And a lot of these things, a lot of the top things are the things that John and I have been preaching about since we got started. So here are a few. So some of the professional recommendations from people already in the field, successfully in the field, to those trying to break in. Now, this ranges from CompTest Security Plus, uh, any GAC, any basic entry-level cybersecurity certificate. That is what 59% of these professionals recommend. The second thing with 57% of the recommendation was networking online, going to actual events, and joining professional organizations. Um, in third place, with 54% seeking an apprenticeship, an internship, or a mentor that can help you and guide you, get some hands-on experience. Now, those were the top top three. And those top three are things that we preach every single episode to you guys. Um, number four was again seeking a mentor, uh, but for career advice, how to, how to tackle the latter, how to grow your your professional career. And then the last one was with 45% was developing business skills to understand how cybersecurity supports the business mission. Um, those are some of the top items that this report listed. It listed a few others, but these were some of the top ones that John and I agree that hey, this is what we've been telling you guys. This is what we've been seeing, uh, us as professionals as well. And this is what now, not only did John and I say this, but 380 IT and cybersecurity professionals are telling you the exact same thing. Yeah, I mean, we did not write this report.

John

We did not, we did not pay anybody for this report. We're just telling you from our guide, yeah, from our experience, what we think um is are the things that we would like to see and what we would recommend. Um, it is funny how mentorship and apprenticeship internship are really on there twice. One for obviously if you can get an apprenticeship, an internship to get some hands-on experience. Number three really is hands-on experience where possible, right? Um, and then number four, seeking a mentor for career guidance. Um, there are things in here about uh a degree program. You'd be surprised they're in the bottom of the recommendations or a trade school or closer to the bottom. Um, but yeah, networking, networking, networking, build your your get your fundamentals, network wherever possible, get hands-on as much as possible, find a mentor and coach. So um I I think it's great. I think it's also just you know, backs up what we've preached for sure.

SPEAKER_00

Absolutely.

John

Um, so one thing to think about that is in general, you know, are you going solo? Are you trying to figure this out on your own? Number one, do you do you have guidance? Do you have a mentor? But also are you do you have a community that you're plugged into to help you out? Right. So think about that as well as we preach, we preach on that all the time. All right, career growth is more than

Advancement Beyond Certifications

John

certification. So 55% mentioned that one of the most helpful actions for career advancement is attend more industry or training events. And that's also back to networking, right? If you are able to network with people, that usually helps you in your career either in your existing organization or uh you know another job down the line, right? Always be networking, always be networking. But training in general, attending Black Hat, DEF CON, RSA, SANS, whatever, um these responders of to the survey said that they believe that that's going to be one of the top ways to you know maintain and move in your career and advance in your career. The next one at another 55% is learning about advanced and evolving technologies to better understand. So just like we've talked about around AI or other technologies, you definitely have to understand going into this career and IT in general, is that you're always learning. Things are changing. There's always going to be a new technology. You have to adapt, you have to be adaptable. If you don't like keeping up with new things and shift new things changing all the time, then this career's not good for you. It's not going to be a good fit. So those top two things, attending more training events and then learning, which are really tied together to learning. And then number three is networking with other professionals. So 53% back to networking, which really is tied to number one, not only just you know, when you go to those training events, let's imagine you go to a sans course, right? And you sit down in a class, you've got 30, 40 other people in the class with you, you're going to get 10 books, whatever it is, right? You're going to get just a fire hose of information, which is good and does make you you're learning. You're there to learn, but you're also there to network. So while you're learning and you are networking, those things are really, that's why I agree with what they're saying here, is things that are going to help you further in your career. It might be just be someone you can call on when you have an issue or you they're in the same boat. If they're going to the same course or training event, they're usually in their same domain or same level that you are. They're trying to learn, they're trying to advance, right? So you can hit someone up and say, hey, you know, what are you doing here? How are you tackling this problem? Right. Um, but really a lot of it is building your network so that you have someone to call for whatever, an incident, anything, um, or you have another person that you could network with that when you're looking for a new opportunity, they you have that network to rely on, right? Um yeah, I'm just not gonna beat that one to death, but definitely always be networking. And then the I'll just share the top uh five. So the next one is joining a cybersecurity professional organization is 41% and rotating cybersecurity jobs to gain experience in multiple areas. I think that one's a good one. I think, you know, kind of where my path, a bit being a jack of all trades, I think that is uh isn't a bad, especially if you want to be a CISO one day and getting experience in different areas in ASOC, in GRC, in engineering, you know, across the board, different where different areas in cloud will make you more marketable, right? Um, and could open up more opportunities. Now, someone could say the the the uh adverse of that is the more specialized you are, the more you you can advance in that one path. But then again, that's one path versus multiple options. So just just uh you know, some recommendations there from career advancement. Steve, you got anything to add?

SPEAKER_00

I was gonna say a cert may help you get noticed, but your network, your reputation, your communication skills, and your ability to solve real problems help you move forward in your professional career. You know, it's all about the connections. It really is. I've mentioned it multiple times in different episodes. My own career journey, how that has evolved, and how I've worked in different organizations, different industries, different positions. So I myself have checked multiple items in this list to help me get to where I am today. So it works. You just need to have a plan and execute. All right, the next one.

Why The Work Keeps Getting Harder

John

Um this is where it's getting uh getting a little bit more gritty, right? How cybersecurity work is getting harder. Um, one of the strongest themes in this report is that what professionals feel and how they feel how the job has become more and more difficult. Uh Steve, what do you think?

SPEAKER_00

Yeah, I mean I found some of the reasons why job is getting more difficult in this study to be something that I have noticed or I I have had experience dealing with myself since I started. And even before when I was an intern, I would hear about the same issues. I mean, this was 2012, 2013. Now we're in what 2026? So a lot of these issues have not changed or have gotten worse. So some of the key items here we have was 55% said cybersecurity complexity and workload has increased. So cybersecurity is getting more complex, getting more difficult, and the workload that each cybersecurity professional is taking on has increased as well. 52% say that cyber threats to their organization has increased as the attack surface has grown. So as the organization grows, they're more of a target. Um, 36% say that security budget pressures. So again, the budget, again, having money, being able to provide the financial needs for hiring the right people, acquiring the right tools, just building the correct cybersecurity team that you need to be able to take action and help protect your organization overall. Um, those are kind of the same things that have been going on from day one, in my opinion, since I started in my career. Again, with 35%, the lack of investment in advanced training for cybersecurity professionals. You know, you mentioned it. One of the things that these professionals recommend for people to do if they want to advance their career in cybersecurity is to learn and stay up to date with what's going on in the world. Well, it gets a little difficult when your organization or the group you work for is not investing in that advanced training that you require. There's only so much you can do on your own. And I recommend that everybody do as much as you can on your own, there will come a point where you will need the help of the organization you work for. And if they're not investing in their people to get that advanced training, it's only going to hurt the organization as a whole. Um, let's see, I think we have some others, uh, 34% uh regulatory compliance has become more complex. So, in order for you and your organization to be compliant with whatever regulation you need to follow, it's getting more and more difficult. We see it when we're filling out the cyber insurance questionnaires, you know, in order for us to have the right cyber insurance that we require for our organization to be prepared for any incident. It's this questionnaires are getting longer. We're getting more of them. Questions are not just black and white anymore. Um, and then the last one here, 33%, was cybersecurity teams uh are understaffed. And that has been the story since I started my career. I mean, I started in a team where it was one manager and two analysts, and I was one of those two analysts. And that organization was a hospital, and that hospital was in existence for years, and they were just starting to actually have a cybersecurity team when I joined in 2014. So it's this it's the same story, in my opinion, and things are just gonna get worse.

John

Yeah, and I I think about our team, and there's a couple things here. One, we have our staff has definitely increased, which has been good. Um, I would say from a staffing standpoint, compared to other organizations our size, we're doing well. I don't I don't I'm not saying that we have we are completely, we have everybody we need completely, but compared to where we were, I mean we started out like you're saying, with like three or four people, and it's really grown. So we've been blessed to be able to staff up to a level that I think we're we're good. If you also if you include our student interns on top of that, that we've been able to take advantage of. It that's really awesome. Um and training, training is always a challenge. If I talk about the SANS courses, right, if you look at how much those have gone up in price every year, I mean you might go to one on in-person Sans course, and it could be close to $10,000 just for the one class. So if you have a team of 20, right, add that up. On everybody can't go to a SAINS course, right? Unless you have a huge budget, and most places don't for training, right? Or even for the security team. So you have to find, you know, ways to work around that and that constraint. So I mean, I don't have the golden ticket to to send anyone and everyone to every training they want to go to. I have to be able to make a good justification and try to make that. So I'm just giving you my perspective of I want everybody to go to training, right? I want everybody to have that opportunity. I didn't always have that opportunity, but I definitely feel how important it is and how much it helped me in my career. It's just not easy when you're trying to make the case. And then the other thing is most security teams are in the IT, they're under IT, right, in some way. So if they see the security team is spending $100,000 on training and they have no budget for the rest of the IT organization, then yes, it yeah, we want that, right? We want to get trained, but it definitely doesn't look good when you're sitting with your peers and they're like, oh, you're going to another conference? You're going to a training? It become it creates conflict, honestly, which is not great, but it's the truth. It's the way it looks like, you know, boots on the ground. Um, but this is a couple of just, you know, editorial comments from my perspective of where we've been, where we've come from, what our constraints are too that challenge us.

SPEAKER_00

Absolutely. One thing I will add is I've said this before in previous episodes. I'll say it again. You know, when you are, whether you're just starting, trying to land your first cybersecurity job, or you have already worked in cybersecurity for a few years and you're switching companies or going for another role in cyber, there's a lot of information you can get about that company and about how you, your experience will be in that organization at the interview process. There's all there's the perfect opportunity for you for you to ask about a training budget, uh, the workload, the size of the team, um, you know, things that, you know, this uh report is listing as reasons why cybersecurity work is getting harder. There are questions that you can ask at the interview process to help you answer some of these and say, hey, if I join this organization based on this report, is my life going to suck? Or is this a good organization to work for? Do they have the backing of leadership? They may not have all the funding in the world, but I can at least go to one conference or do one training a year. That's better than nothing, right? Are they are they overworked? Are they hiring me because the guy that left was doing two people's jobs and now they want me to come in and take that over and still do two people's jobs? So there's just a lot of information that you can get at the interview by you asking the right questions that can answer a lot of these um unknowns to help you make the right decision and then not regret it later on.

John

Yeah, I I we say this before interview, you should be interviewing the company. That it's a great point that use this information of where people in your industry are in the field that you want to be in as a gauge point of how do they feel? How how supported are they? What are their challenges? And then if you're networking with those same people that you meet and and want to connect to, ask them how is it in your role at this company? Do you feel like you have enough training? Do you feel like you're being supported? Do you feel like you're being stressed, right? And we're gonna get to that one next on uh stress and burnout as this issue. But interview the company, interview, especially when you are actually have the opportunity to get an interview because it puts you in the driver's seat versus feeling like you're being interrogated, put just it's just a mindset changer for sure. Um, because you don't want to land in that position and then you find out everybody's burnt out and stressed, and there's reasons why, right? So take this data from these boots on the ground people to back up and support what we're saying and how you should find out more information before you take the opportunity because everybody wants a job, it may not be the best job.

SPEAKER_00

Absolutely. All right, so next up is stress and burnout. And this report does highlight and say that they are major issues. Um, so the report does not sugarcoat it, that stress is a side of cybersecurity. A lot of people are carrying heavy workloads and constant pressure. You know, John and I joke about hey, when we hire somebody, we want to put you through the gauntlet,

Stress Burnout And Leaving The Field

SPEAKER_00

put you through through some pressure, because you will, you will be in those situations where, hey, everything's on fire, we got to stop the bleeding, like all hands on deck, sound the alarm. And um, yes, that that you will be stressed and too much of that, and if you're not Prepared and you're not doing the right things, you will burn out. It's not a matter of it of if, but when. So some of the top stressors that these 380 IT and cybersecurity professionals listed are. The highest one with 24% is overwhelming workload. So again, you're a small team of three and you're doing the work that a team of 20 should be doing, right? Like that, that is a lot and can be a lot. You could be Superman for all I care, but that'll get to you eventually. The second one with 23% was keeping up with security needs for new IT initiatives, including AI. John and I have spoken about it. AI is taking over everything. And that is like the number one thing we are working on and we are discussing and we're talking about. So AI, like John said in previous episodes, AI is causing more work for us. It's not taking work away. 22% fear of getting something wrong, such as missing an attack. I get it. I've worked in the SOC, I've been the first line of defense, uh, manage those guys. Yes, you got to be on your A game constantly because if you let something slip or you miss something, uh, yeah, it could cause a huge disruption. Uh you could miss it. It could be an attack that could turn into something huge. Um, but that's just part of the job. You know, you just have to learn to live with that and learn to accept it. No one's perfect, everybody's human. There'll come days where you have good days or bad days, but still, that is a factor of why people in cybersecurity are stressed and burn out eventually. Uh, the last two, so 20% constant emergencies and disruptions. So if you are in a team where you are just constantly, everything's on fire constantly, things are being disrupted, things are going down, and you are just always on the defensive and you don't have time to breathe, you will burn out. And then last, um, finding out about IT projects um when they've started without security oversight. That's the one thing I hate, but thankfully, it's not um, it's not too bad because we have the backing of our leadership and we can smack people around when we find out they've purchased something or they've started a project without asking us if it's okay. We can put a stop on it, or at least get them on the right direction so they can continue their project without us feeling like, hey, you know, we we're gonna have to just suck it up and go with what they've done because they didn't start working with us from the beginning. Um there was one part of this study that I look that I called bullshit on. Only 2% of the people said they don't feel stressed about their cybersecurity job or career. And my guess is because they're not doing enough and they're about to get fired. Uh, but that's just my two cents on that one.

John

Yeah. Um, I mean, I I don't disagree really with these, other than that 2% too. It's like, really? There's nobody okay, you you're like living in la la land. Um, yeah, I think all of these are accurate. I can't disagree. There's definitely times where there's overwhelming workload. There's definitely the always, you know, it's not every day is a constant emergency, but definitely emergencies happen. That's part of your job. You know, you are there, you're the tip of the spear, you're trying to fight these people. Um, I think that most of these, uh what I would say is that, you know, these are the things that stick out and that people put down on the survey, but it it's not enough where you're like always, I mean, maybe it depends on the environment. My experience has been yes, there's stress. Yes, there's times where you are being stressed, but it's not so much that you're like, oh man, I just can't do this job anymore. So there's some data here about people talking about leaving this profession. And 47% have at least occasionally thought about leaving their current cybersecurity job. 57 of those who are thinking about leaving their job has have at least occasionally considered leaving cybersecurity entirely. 57%. And the reasons are high stress is the highest, no clear advancement opportunities, 37%, poor work-life balance is 34%, and lack of leadership commitment to cybersecurity. So, you know, I'm I can't speak for all environments. I can't speak to what it's like, but I would say from our team and my experience, there are periods of high stress, but if it's a continual issue and you're always being stressed out, then I do think that is it's an environmental and a culture issue for that organization that you're in, probably because of that last one there, a lack of leadership commitment to cybersecurity, right? If you don't have that commitment and support for helping you in these times and all the other things that we've talked about previously, then yeah, you probably will have more stress because you have less people, because you have less training, because you have less resources, because you don't have the authority to tell people, hey, you can't do this, right? If you don't have that one, it it does, it really does make a big deal. So you're gonna keep rolling that roller coaster of, oh, here's another incident. Okay, here's another incident, and that is stressful. Um, it you're gonna have incidents, but if they're minor that you just deal with them and they're not major incidents all the time, then really the stress level is is minimal, right? Because if a major incident's happening all the time, you're definitely gonna have a poor, poor work-life balance because you're gonna be doing all that extra work and time and investigation and evidence gathering and working with the insurers and all that mess that goes with it. Um, those things are going to happen. And this also comes back to leadership commitment and support. When your leadership tells the board or the executive leadership, hey, we are going to have incidents. No one here is saying that we're not going to have an incident. We are going to have an incident and incidents. We're going to do the best to mitigate those and reduce the impact and resolve them as quickly as possible. Here's what we need to make that happen, right? And that's your continual communication to the leadership, then they're not going to be super surprised when something happens. Like, wait a minute, I thought you guys had this covered. I thought you, we gave you people, we gave you money. And you're, if you're not communicating that the right way, then you're definitely going to be stressed out when those incidents are happening and the the leadership doesn't support you because they feel like you've, you know, you've just dropped the ball, right? I mean, I'm very surprised by these numbers as far as the 57% thinking about leaving cybersecurity entirely. I can't say I've ever thought about leaving cybersecurity entirely, honestly. Steve, what do you think?

SPEAKER_00

No, man, I think out of the entire report, this was the section that really caught me off guard. There's been two times in my career where I've worked for two organizations where I was like, I'm not getting the support I need, and I'm gonna have to jump ship for the better of myself, my personal career, my my professional career, my personal life. I'm gonna have to jump ship. But again, that was after me trying to do my best to make things better. But it was that 33% in this report that says lack of leadership commitment to cybersecurity. It was very obvious to me that in those two instances, that was not going to change. So instead of me burning out, instead of my uh work-life balance being out the wazoo or worse than it was, I took it upon myself to move on and find something better. So I've been in those situations. But even when I was in those situations, I never thought about leaving cybersecurity in general. I just knew that, hey, this organization is not for me. I got to find one that is. Um, so yeah, so this section actually caught me off guard with how high those numbers are. Um, but I get it, man. I consider myself very lucky to work in the organization I work now, you know, to have the leadership uh backing us, to have that commitment to be an organization where the board of directors is involved, the uh the people top of the top understand the importance and they're committed to making sure that they do their best to provide us with what we need to make sure that we are not on news channel because we had a breach. Now, one thing you always say that I always repeat is don't let any incident go to waste. So if you are in those situations where something does happen, you know, you have to use every single opportunity you can to translate that into business speak to leadership, or or your leader or your CISO or your manager, they need to do that. That's their responsibility to make sure that they can use every single incident that happens to their benefit to get them better tools, to get them better funding, to get them more people, whatever it is that you need, whatever you find that the vulnerability was that that that screwed you over, like that is when you have to take advantage of those opportunities to get what you need to better your situation.

John

Yeah, and part of that in this survey, they asked the professionals what could organizations do to improve the culture, improve the environment for cybersecurity professionals so that you could reduce this potential exodus from cybersecurity. And and one of the things we have here is just how

Culture Leadership And Security Policies

John

important culture is and how much culture in an organization matters and security culture matters, which is I'll just talk about that for a second. It's very hard to influence culture without leadership support, right? So I'll give you an example real quick. Like I've seen the culture at our university improve in a cybersecurity risk-averse way over the years in a positive way to support it. And for example, if if a policy that is going to make people unhappy because it doesn't let them do everything that they want to do is approved by leadership, is written into policy, has executive level approval, then when the security team shows up and there's and they have to say, Well, look, this is policy. You can't do that. Or you, you know, I know you want to do this, but you have to follow this this procedure because it's the better, more risk-averse way, that culture shifts because the the big P policy is something that everybody has to apply to or adhere to in their job. So the more you get that buy-in from leadership, like if you did not have that buy-in and you did not have the big P policy to back you up, then when you go to say, hey, you you can't do that. You this is a problem. We're gonna put ourselves in major risk here. Well, why do they need to listen to you? And then so you're gonna be more stressed as a professional because you feel like your hands are tied, because you can't make them do the more secure option. There is something there about trying to be the office of no and also trying to be the hero. But in general, when you have the policy that you know is backed by leadership that you can enforce to say, look, I get it, but this is policy. We have to do it this way. Leadership understands and supports us that we want to be more secure here. That takes a lot of that burden off of you as a professional and also shifts the culture across the board. So the more people see that and are educated on it and understand why that's a policy, and but it becomes when it becomes official, then it it helps move the needle across the board, right? So you as a as a group, as the cybersecurity organization, you feel like you're being supported and you have they have your back, right? They have your back. So that makes a big difference to stay in an organization versus, I mean, I guess I'm flying solo here, right? I mean, nobody wants to be just trying to fight the fight, and you're the lone ship in the storm and the tsunami's coming, and it's not getting smaller, it's getting bigger, and you don't have leadership support. So talk about how culture and other things that that respondents said for ways that you could make people happy in the program.

SPEAKER_00

Yeah. So, first of all, out of the 380 professionals that they surveyed, 29% said that their cur their culture was advanced. I'm gonna take that as favorable. They were there was a favorable culture, a good culture that people actually enjoyed. 50% said average, they had average culture, 19% said fair, and 2% said poor. Now, here are some of the things that they themselves, these professional, said, hey, this is what I would recommend to help improve programs. So 42% said they would increase training for cybersecurity and IT professionals. 37% said they would invest in appropriate resources, including staff and tools. 36% said they would improve GRC. 35% said they would improve basic cybersecurity hygiene. 34% said they would create a better cybersecurity culture throughout the organization. And 33% said they would increase security awareness training for non-technical employees. So security cannot only be the team that says no, like it has to become a partner that helps the entire organization get to where they want to go from A to B in a in the most secure way possible. Um so for me, to just talk about my experience, I've been very fortunate to be in small work in small groups, work in larger groups, um, be be in two situations where I was one of three, that when I left, I was one of 15. And then I was like, again, one of a few. And then I was in a situation where I saw that team grow to where we are now. Um and it's all about making sure, in my opinion, it's all about making sure that you hire the right people to the best of your ability. Because there's only so much you can tell in an interview about how someone will work, how someone will perform, how someone will act, and how you and the rest of the team will get along with that person. Um, but it's hiring the right people, making sure that leadership is there for those people with whatever they need, as the best of their ability. Um, and making sure that everyone knows what the big picture is, knows what the big goals are, knows what they are all working towards and what they're trying to achieve. To me, I feel like those are some of the few of the things that have helped us create a good culture. Um, John, I think John something that he does great, that I tried to do myself is John overcommunicates. John tells you what you need to know and more, but that's a plus because there I've been in some organizations where leadership tells me just what I need to know to do that one thing they're asking me to do, but I don't know how that one thing they're asking me to do connects to the bigger picture. And but if and if I knew that and if I was aware, they would have have more buy-in from me, right? I would be more inclined to do more, or I could think of ways to do things better that would help the bigger picture, the bigger plan. So, so to me, those are some of the things that have helped improve culture and have helped to maintain a good culture in some of the organizations that I've worked for.

John

Yeah, the question comes back to if you're interviewing and you're trying to determine this question, you know, do does that organization have the leadership support for cybersecurity and to help the culture? And you can ask that question, okay, in the interview. Now you're gonna

Interview Questions That Reveal Support

John

get the interview answer. I'm gonna be honest with you, right? They're gonna say, yeah, and they're gonna say no. They're not gonna say, nah, this place sucks, and we got no support, right? Unless you have a weird interview. They're not gonna tell you the dirty details in an interview, especially if it's a group interview and you got five people in there and everybody's kind of looking side eyed at each other and like, uh, actually it sucks. Maybe you get a true answer, right? So you may have to be creative to ask specifics on well, what policies have been published and supported by the executive leadership team? Um, how do they enforce those policies? Are those policies enforced? Um how about how they are requiring all employees to take training or to go through a fishing exercise, right? Like, look for the evidence that backs up that the security team is getting supported by asking questions around what we just talked about, right? How what is the evidence that backs up that they are supported? Because they're gonna probably give you the rosy answer of like, yeah, yeah, yeah, they're pretty good, right? They're not gonna give you as much about it that might be as truthful unless you have a one-on-one type situation where you built some rapport rapport with that interview, interview um manager, interviewing manager that maybe they'll open up and be honest with you. But I would use this opportunity to, again, interview them and look for evidence that backs up that they this organization does support security. All right, that wraps up part one of this episode. We felt like this is gonna be there's some meaty, um, juicy data in here that we wanted to split it up across two different episodes to not put too much in one. So thank you for listening to this part one. Um, we're gonna go in the next episode. We're gonna go through the rest of the uh survey, and there's

Part One Wrap And Next Steps

John

there's some more interesting tidbits. So definitely tune in to the next one to find out more information. We hope you enjoyed this. This is just our editorial comments on this this data. I think it's helpful not to just read the data to get some, you know, real experienced uh professionals give you that advice. So thanks everybody for tuning in to part one. See you next time.

SPEAKER_00

Thank you for tuning in to today's episode of the Cybersecurity Mentors Podcast.

John

Remember to subscribe to our podcast on your favorite platform so you get all the episodes. Join us next time as we continue to unlock the secrets of cybersecurity mentorship.

SPEAKER_00

Have questions, topic ideas, or want to share your cybersecurity journey? Join our school community, the Cybersecurity Mentors, where you don't have to do this alone. Connect with us there and on YouTube. We'd love to hear from you. Until next time, I'm John Hoyt. And I'm Steve Higgeretta. Thank you for listening.