There is a dearth of talent in the cybersecurity industry, and the talent that does exist tends to be very specific, with some skill sets being rarer than others. An IT guy with 15 years of experience in network engineering is not interchangeable with a skilled penetration tester (pentester), though both are certainly needed skills for a cybersecurity program. For many companies, the lack of pentesters is a significant problem. And while there are a lot of pentesters working in the industry, there is still a shortage of exceptionally good ones. What separates a mediocre pentester from a good or a great one is not the number of tools or scripts memorized, nor how many certifications are listed on the resume. No, it is how cunning he or she is, and how shrewdly he or she thinks. But even the really great pentesters still fall short in the expertise and mindset that a company needs when defending itself.
What companies need is access to people with real-world expertise, people who have a bit of a malicious mindset, and who have had the opportunity to perfect it – legally of course. These are people whose skills and talent have been honed through extensive experience in planning and executing cyber attacks. Essentially, these are people who have been advanced actors working for the U.S. government against our nation’s adversaries. In government parlance, these would be people with computer network operations (CNO) experience, computer network exploitation (CNE) experience, and operations officers (aka case officers). The NSA and CIA are the premier proving grounds for this kind of experience, although there are a few other agencies that have a smaller portion of resources with similar experiences.