Ep 14 – The Cyber Talent Series

Episode 14 of The Cyber Talent Series is now live!

Join Thomas Rogers, Co-Founder of SkillBit (formerly MetaCTF), and co-host Phoebe DeVito as they connect with Kevin Woods, Director of Learning and Development at GuidePoint Security. In this episode, Kevin shares his perspective on bridging the cyber skills gap by building scalable training programs and creating structured yet flexible learning pathways. Kevin discusses the importance of being disciplined and proactive in building a cybersecurity career. The episode also explores how organizations can invest in entry-level talent and design learning programs that drive retention and long-term success in the industry.

Tune in now with the player below, or check it out on the MetaCTF YouTube and Spotify channels!



Phoebe DeVito (00:00)
Welcome to the Cyber Talent Series, where we explore how organizations are closing skills gaps, accelerating onboarding and building high performance cybersecurity teams. My name is Phoebe DeVito. I’m joined by my co-host Thomas Rogers. And today we are talking with Kevin Woods, Director of Learning and Development at GuidePoint Security. So welcome, Kevin.

Kevin Woods (00:18)
Yeah, thanks for having me. It’s a pleasure.

Phoebe DeVito (00:21)
Just diving right in, typically we like to start with asking folks to just tell us a little more about who they are and what they’re working on right now.

Kevin Woods (00:28)
Yeah. So as you said, I’m the director of learning and development. So as such, I get to work with a lot of people who are trying to upskill, trying to get into the industry, to do career changes. There’s a lot of different areas in cybersecurity. And so I think a lot of people are trying to pivot from one into another. And so just making sure that we have career paths laid out for them. I myself came from the cyber side to kind of a winding path to get there.

So I’ve seen some of these different ways that we can get into cybersecurity, the different skills that we have. And so just trying to help make sure they have a good, successful career in the field.

Phoebe DeVito (01:02)
Awesome. And I know you mentioned this winding path; that actually was my next question. So I’ve heard you talk a little bit about it on other shows and I think it’s a really cool story. So any amount that you’re comfortable sharing, would love to kind of give a little peek into that to the listeners.

Kevin Woods (01:16)
Yeah, absolutely. I like to share it because it is a little unique, like you said here, goes back a little ways, but I studied biology in college. I really didn’t know what I wanted to do. I felt like I had to go to college just because everyone was doing it at the time. Came time I graduated, didn’t know, still didn’t know what I wanted to do, but I actually saw a commercial for the Navy and they were taking a biologist at the time. I went to

the Navy recruiter office, they were out at lunch, but the army recruiter was in. So I was like, all right, sign me up, join the army. And went through training was military intelligence. And it just so happened at that first unit I landed at, they didn’t have a security manager for their information security program. And they’re like, military intelligence, that’s kind of technical, right? You can take this over. And so I had no idea what I was doing. I had never taken any IT, comp sci classes, anything like that.

I just knew it was my first job in the military and I wanted to do a good job and impress the boss. So, went out, started researching it, started asking a million questions. I was in the shop like every day, just probably annoying them, asking them as much as I could. Cause I was trying to get us ready for a security audit. So at the time we were just trying to abide by different regulations on the federal side, a lot with access controls. And I just, didn’t really know a lot of the words or the terminology they were using, but.

decided I was going to figure it out and did a lot of research just after hours. And before I knew it, I was really intrigued. Like, why are we, you know, not just setting up these access controls, but how are they actually protecting us? Right. And, yeah, taught myself how to code, some Raspberry Pis, got a firewall, a router, and just started messing around and started playing in my free time. Did that for a few years. Hopefully, I did a decent job on the security management front.

Then the Army opened up a cyber operations branch and was taking volunteers to move into it. And actually the first round got denied instantly because they didn’t meet the educational requirements. They were only taking people with bachelor’s in cyber. But then round two, they dropped the educational requirements and went through a bunch of screening and assessments got picked up. And the Army trained me a lot of what I know today in cyber operations and moved over.

eventually ended up taking over an incident response team. And that was kind of the last gig I had before getting into the civilian world. GuidePoint actually offered me an internship. I did that when I was transitioning out and I fooled them enough to give me a full-time offer and became a security engineer over there. And then that’s how I got into cyber. And then a little side project of mine while I was doing security engineering was, Hey, you were an intern. Why don’t you help?

you know, us bring in other military people that want to be I took on the side project to create an internship program and we had five or six people coming out, joined that first year and it was successful. And before we knew it, other people were hearing about it in the company and saying, Hey, can I send my new hires through that? Or, Hey, I have a family member. I know this person in school that would love to go through this program. And it just blew up way more than we ever thought. And yeah, now today we’ve had.

Like 15,000 applications last year for this program. We brought in close to a hundred people. So I’m getting to deal with hundreds of people that are career changers that are military transitioning, military spouses, kids that are recent graduates from high school, colleges, university. So it’s a lot of fun to, to share my story and to help them also get into the field. Cause there’s a lot of different ways to get into cyber. So yeah, happy to share.

Thomas Rogers (04:37)
That’s incredible. I feel like the theme of your background and story is just like action, like doing stuff, not waiting to be like, is it okay if I learn how to code or, whatever it is. How does that shape the way you like run this program now? And also like how you design, upskilling, the teams at GuidePoint.

Kevin Woods (04:55)
Absolutely. Right. Like that’s that’s what I’m looking for when I’m bringing people into this internship program. And that’s what we’re looking for in our employees is we don’t want you to say, hey, I need to learn this tool or I really like to learn this tool. If they say that to me, I’m like, OK, what are you doing to learn it? I mean, is anything stopping you from doing get a lot of things. Hey, I don’t even know how to install it. I don’t know where to begin. And I think that’s true for a lot of people, but sometimes you just have to start researching. And that’s what we want.

from our cybersecurity practitioners is that they’ll just get started and they’re gonna troubleshoot along the way. They’re gonna run into all sorts of issues, but that’s sometimes the best way to learn too, right? I’ve been there and hopefully can relate it to other people. like, hey, you just gotta figure it out sometimes, right? In a field that’s ever changing, I tell someone to spin up a web server and they go to YouTube, that video is out of date two days later.

Right? So like they’re going to run into an issue. They have to figure out a way to troubleshoot it and just figure it out. A lot of these vendor tools, they want to learn. There’s free licenses out there. There’s free trials out there. So just download it, mess around and don’t be afraid to make mistakes. Take some action and start

Thomas Rogers (06:00)
How do you blend, the sort of like hacker mindset of like, I’m just going to go figure this out with like actually giving them some structure of, yeah, how do you blend that?

Kevin Woods (06:10)
Yeah.

Yeah, that’s the difficult part, right? We talk about disciplined initiative in my program a lot because we want you to go out there solve it. But you do need some left and right limits for sure. Right. Because this is a field with so much information that it can be very overwhelming of where to even get started. And so usually we’re trying to figure out first, what are you looking to do ultimately? Is this something you’re passionate about? Is this just a requirement from your supervisor? What does it look like here?

and then go out and start figuring out what is the path forward, right? So how do you get to that goal that you’re trying to achieve? And we’ll say, Hey, you can do it X, Y, and Z. This is how we recommend, but it’s never followed these exact steps. It’s never these exact commands to set something up. It’s never somebody just holding your hand doing it, but it’s okay. Generally you’re going to want to set up a web server. You’re going to want to set up a SIEM and then start attacking that web server and see if you can actually

catch it on that SIEM. So you can get that data to trigger that SIEM trigger and alert. That’s kind of the level we want to provide to our practitioners and then say, hey, go do it type of deal. Not this is the command to set up this leave it like that. We always want to set up scenarios too. So they have a bigger picture because at the end of the day, right, cyber is about people. People create risk, people manage risk, people mitigate risk.

And so you have to understand to the overall scenario, what type of team, what type of business you’re then be able to report on your findings or what you’re able to do. Cause you can be the most technical pen tester in the world and great at it. But if you can’t report how you got in or how to fix these problems, really it’s all for naught, right.

Thomas Rogers (07:44)
I feel like a lot of that depends on the stage of the learning, training, upskilling journey too. Because we see that a lot with our platform where now we have this big, vast library of the CTF style, the scenario based challenges. We have labs. We have learning modules that are more like traditional learning, so like text based and video.

And it’s like, could just say like, Hey, this is how you learn how to do something. Or we just say, here’s everything, like have fun. And really we’re trying to find now is like the in-between some people genuinely do just want to go in and like choose their own adventure. And some people want to, you know, start and be like, tell me where to go. but like, yeah, setting it up so that they have the optionality around like, okay, this is a topic I know nothing about. need to.

have my hand held for a little bit and then I can run. I feel like that’s such a challenge. It’s probably even harder for you because you have to create process and frameworks around it.

Kevin Woods (08:36)
Yeah, and you have to lean. So we do use a mentorship program here. So everyone gets a one-on-one mentor, which if any organization doesn’t have a mentorship program, highly recommended. It doesn’t cost anything. It’s pretty light on resources, but that’s what the there for. It’s somebody that’s a kind of a specialist in that field because they’re going to know the better triggers for how do we move. If we talk walk, run, that crawl phase might be, okay, yeah, we do have to kind of.

show you a few of these tasks, right? Ideally, what we like to do is, go learn the fundamentals for whatever field that you’re getting into. You can go through these different courses if it’s pen testing, wonderful. Go some of these different capture the flags or go through these courses that we have. But at the same time, let’s start shadowing that subject matter expert, see how they’re actually conducting it, watch their process that they’re doing. And as we move along, it’s like, OK, now the next time after you’ve shadowed

a couple of them, why don’t you take this piece of the pen test? You still have oversight with that mentor and you say, hey, you take that, the mentor still does that part of it and you kind of combine answers, right? You look at it, see how things are different and just constantly provide guidance and slowly you take on a little bit more and more and more for some of these people that are just getting into pen testing or if it’s a new area of pen testing that they’re doing. And we try to apply that to all the different areas that we in cybersecurity, right?

And yeah, it’s tricky, but I think relying on the mentors for us and the managers and the supervisors, the people who have also kind of taken people under their wing and develop them, that’s been huge because as one learning and development team, we can’t know all those triggers and when someone’s ready to kind of move on to the next stage.

Thomas Rogers (10:16)
Kind of a meta question, what have you done to learn about learning?

Kevin Woods (10:20)
Yeah, no, that’s a good question. Yeah, I try to go to different webinars, been to conferences, actually taken a class on it as well, but it’s, it’s different, right? It’s tricky because it’s so much more like the human element and human psychology of how do we train these people effectively? So for me, that was something I overlooked early on. I was like, okay, I’ll teach some of the technical foundations, right? I’m comfortable in that area.

I’ll teach it. Then it started turning into maybe I should get feedback on these things. Is this actually working and trying to figure out what metrics to collect? And then recently or past couple of years or so, it’s like, all right, maybe I should actually do some educating myself and I probably could do a better job at it. I know I do well if I’m in like a conference where I can actually see people talk and I can see things live that are happening.

and hear use cases and actual stories of individuals who have had success in their programs or failures too. I can learn from that. For me, that’s been the best way to learn because it’s not really hands on in the sense that I can just hop into a Linux terminal and show somebody if I’m teaching them engineering. So it’s a little, little different for me for sure. It’s been an area that I’ve been trying to grow over the past few years.

Phoebe DeVito (11:26)
Awesome. Yeah. So you touched a little bit on this and I think you actually mentioned CTFs specifically, but I’m just curious your perspective on the importance of hands-on training when it comes to preparing and growing.

Kevin Woods (11:39)
Yeah, I mean, I think it’s pretty critical, right? There’s only so much you can learn in a book or watching a training course online. And I think most people realize the value in hands-on training, but they don’t always know how to get it or how to administer it to their people or even really even constitutes hands-on training. We kind of talked about this a little like if I see a training where somebody, we’ve had a vendor come in and they walk through.

some of our students and like, this is how we set up this tool, but it’s straight, just copy paste the commands. There’s not true understanding that’s happening there. And so again, you want to get to the point where they’re hands on in the sense that they’ve been given a goal to achieve and then they find a way to achieve it. Because again, I’m looking for people that can research, they can troubleshoot, they can get creative with their solutions. And I think a lot of our hiring managers are as well. We always talk about if

with some of my hiring managers here, if they’re hiring entry level talent, they’re looking for comprehension and natural curiosity and the ability to troubleshoot are some of the three biggest things they look for. You’ll notice those aren’t like technical skill sets because we can teach a lot of these technical skills. And I think that hands on piece of it is going to help them develop all that extra stuff. In addition to, yeah, obviously if you’re in a terminal all the time, you’re going to get a little bit better at doing that, but really it’s helping them.

especially like CTFs where you have to research and research and bang your head against the wall for a little bit. It teaches them to go through those frustrations and just find a solution.

Thomas Rogers (13:04)
I love your thinking on that, when you’re developing like learning plans, training plans, or just like trying to, you know, identify like, what are the kind of gaps or areas for opportunity for us? How do you think about like assessing as a part of that process, like using performance data or some sort of data to inform

like what you actually like train and build learning plans around.

Kevin Woods (13:26)
Yeah. I mean, if we could do it perfectly, that’d be awesome. Right. It’s super, it’s super hard to forecast. So, right. What is going to be the most impactful to our organization, but for us it’s, it’s being heavily involved with leadership, understanding strategically where we’re going. Recently we started getting more involved with like our HR teams that are doing employee experience. So they’re talking with managers, supervisors on what are the current skills gaps that exist? I know there’s tools out there too, that

Thomas Rogers (13:29)
He

Kevin Woods (13:52)
help in a lot of regards. I haven’t used a ton of them, so should probably look into some of those as well, right? But that can be really tricky to identify as an organization what skills we’re missing, because usually there’s not a ton of data or records around that. And so we’ve taken more of say, qualitative approach and asking a lot of our manager supervisors, what skills are you lacking and where are we going, right? Obviously 2025, 2024, we’ve seen a huge uptick in AI.

So it’s not just, okay, we need AI skills, but what also are we going to need with that? With AI comes a lot of data, right? And so how do we manage, control, and secure data effectively? And so we’re thinking through not just how do we train on AI overall, but how do we make sure that we’re prepared to handle all the data that’s coming in and make sure our customers are able to understand different security controls around the data on the back end that that AI is going to access? So hopefully that answers your question there.

Thomas Rogers (14:47)
It does. Yeah. And I mean, think the qualitative piece is like obviously important. Like what you said in interviews, it’s like you’re often trying to understand almost more about like, how does this person problem solve or like what level of curiosity do they have more so than do they have this, you know, skilled XYZ or do they know how to use this, you know, some tool that y’all use because you can teach, you can get them there. So

Yeah, I just find that fascinating, like combining that with like the hands on side. generally, I think it’s like, you know, you’re going to build training plans around like what people are interested in. Like you’re going to take that type of input, but, yeah, it’s just really hard to prioritize. Like, how do you what to focus on?

Kevin Woods (15:27)
Yeah, yeah, for sure. I mean, that’s always difficult, right? And at the end of the day, we need to make sure our employees are passionate about what they’re learning about too. Like even if data security is our greatest need, if we have someone who just hates data and doesn’t want to do it, there’s no sense in forcing that person, right? But a lot of people will say, hey, I just want to learn a skill. You know, what’s, what’s available to me sort of deal. And they don’t even know what’s going to be an in-demand skill moving forward.

Even though there’s tons of studies out there, ISC2 just dropped their cyber workforce studies and show all their top in-need skills. We look at all that industry data as well and try to match up and start creating plans around that too.

Thomas Rogers (16:07)
How do you think about like on an individual or team basis prioritization? I’m sure GuidePoint Security, like engineers are very busy. How do you like think about helping people prioritize professional development?

Kevin Woods (16:21)
Yeah, again, it comes from the top down, right? We’ve been fortunate enough that we have leadership support across the board that we’re going to encourage our people to do some form of professional development and let the mid-level managers, the supervisors figure out what does that actually look like in terms of hours, priorities? We’ll let the managers handle that. If the managers want to say, hey, take

three hours a week where you’re just doing professional development on a normal week. But if we have some weeks where things are a little bit slow, go take a course, to get a certification, go to an event. But I do think that needs to be at the manager level. So you get to support the buy-in from the leadership side. You have the L&D program who can provide any sort of guidance that manager needs. If the manager comes to us and says, Hey, I have a SOC analyst one, how do I get them ready to be a CTI

analyst next. Like we have a career have different ways and resources for that person to develop them. Now it’s on that manager to understand the schedule of that individual contributor and make sure that they’re still getting their job done, but they have that opportunity to continue to develop. Right. And I think with some of that leadership buy-in, there’s again, tons of studies, tons of data points around if you invest in L and D, you actually have a higher amount of

higher amounts of productivity, higher amounts of revenue, I’m happy to share those data points and studies with you here. But yeah, on average you get about a 21% increase in profitability if your organization is spending $1,000 or more on an individual learning and development, $1,000 per learning and development. So it’s huge, right? The returns can be huge if leadership buys in and then let the managers kind of

how they want to do it.

Thomas Rogers (18:03)
Good data. I feel like that’s the opposite of what, maybe not the opposite, but maybe not the first place. A lot of people would think, you when you think about like, how much time should a person dedicate to, learning development or upskilling or, whatever. I feel like a lot of people go to like that individual, like let me look at my schedule, let me see, and you just try and fit it in. That’s a pro tip.

Like you got to start at the top. It’s got to be supported across the whole organization.

Kevin Woods (18:29)
Yeah, the problem with the individual deciding is they might take on too much, too little, right? Like sometimes they don’t. And we’ve had to have that conversation that like, you probably shouldn’t be studying for a certification right now. You got a few engagements that are overdue or in the flip side, say, I just don’t have the time. I’m so overwhelmed and swamped with work, which I know is a big thing in this industry. Half these CISOs we talked to, these security offices say they’re understaffed. They don’t have enough manpower. So how can I possibly even.

fit all this stuff in. If we look for the reasons that they say they’re understaffed or why they don’t have enough people, the skills gap exists. They say the number one reason is because they can’t find somebody who has the right skills, not because of budgetary constraints, which is just fascinating. Right. So why not take the time to find that person and you get that ROI in the long term if you allow people to upskill you don’t fall behind and you don’t create skills gaps term.

Phoebe DeVito (19:23)
Yeah, it’s so interesting. I wish I had a data point on like just the way that overlaps with even employee retention. I’m just thinking about think what I love about this that we do is, it’s a theme that comes up so much is like, whether we’re talking about cyber or anything else, like it is people at the end of the day. And I know like even for myself, when I’ve been in roles where I feel like there’s an investment in like, there’s the opportunity there. Should I choose to take it to continue to learn and grow?

it just makes it feel like such, you know, it’s a good feeling when you know, you’re in a place where people care about your development and it’s encouraging. and I think it just, even when we look at the numbers of how expensive it can be, when there is a lot of employee turnover, I do think that, you know, not in a way to fear monger, but just to say, like, I think when you encourage your teams and show you believe in them and, want to provide those opportunities, you know, so many people that we’ve talked to have seen a lot

growth come from that. So it’s awesome to hear that perspective.

Kevin Woods (20:19)
So 2024, the human resources journal reported organizations with an L and D program have 57% greater retention rates. So basically employees stay twice as long for organizations that have L and D programs and the average cost to replace a cybersecurity engineer in this field varies, but the rough range.

Phoebe DeVito (20:31)
Wow.

Kevin Woods (20:41)
average is about 60 to 80% of their salary. So turnover is crazy expensive. I think most organizations realize that retention is critical, especially in this field. And so yeah, you have a direct link. There’s multiple studies that show it between having an L&D program, investing in your people and how long they end up staying too.

Phoebe DeVito (20:59)
That’s awesome. I love that. And so you mentioned the skills gap. That was actually something we heard you talk about on the Phillip Wylie podcast. Thought that was a really interesting kind of conversation there. And so I think one thing that came up is we hear a lot of discussion about the gaps in the cybersecurity workforce from the perspective of folks who are trying to get hired. You know, there’s so much conversation about like how to break into the industry.

And so on the flip side, I think you made some great points there. Would love to talk about a little bit here, just about the importance of recognizing the impact on that for the industry as a whole. And I think we talked about that a little bit earlier, that kind of like it takes a village mindset, but would love to just hear your thoughts on that skills gap in the cyber workforce.

Kevin Woods (21:43)
Yeah. And the scary thing is it just continues to grow. If we look at these different workforce reports, like the skills gap is being reported more and more. And we’re seeing millions of jobs globally that are open, hundreds of thousands of cyber jobs just in the U.S. and it’s not ’cause the people aren’t there. Like I see hundreds of thousands of people looking for these jobs and we can’t necessarily blame the job seekers. There’s things they could do better, but there’s a lot of stuff too on the employer side. I think that we can be doing and that’s

Taking risk on individuals on entry level talent, I think there’s ways we can get people experience through internships, fellowships, apprenticeships. We do academic co-ops as well. There’s a lot of ways employers can start giving back in that way. And it doesn’t cost all that much. Again, we can talk about the ROI, but if you have an intern that you convert to full-time hire, it’s about five times cheaper than going and finding somebody out there in the normal job hunting, right?

And so as employers, we need to be willing to take a little bit more risk and bring in on entry-level talent because otherwise we’re going to run out of cybersecurity practitioners. I talk to people all the time that have been looking for jobs. They think they’re doing everything right from what I can see, they’re doing everything right. And they get discouraged because they can’t find an entry-level cyber position. And some of them ultimately just bail on cybersecurity altogether. And these are talented, passionate individuals that can be contributing to industry long-term.

we just haven’t found a spot for. And so I do worry that a lot of the people that are in the industry that have tons of experience, they just kind of got started on their own. They took weird paths to get here, just like myself. And someone took a chance on them, right? I think because we had to, because it wasn’t an established domain yet, but now we don’t want to take a chance on others. Just sounds a little crazy to me. I understand it though, because entry level people, are a risk to an organization for sure.

But ultimately that’s what we have to do. I think academic institutions, sort of training programs too, need to do a little bit better job of actually showing tools that we use in industry. So that’s difficult again, because can train on open source tools. But when I pull up a resume, I see Wireshark on every single resume that I look at, Nmap, Kali Linux, wonderful. Those are great starting points, 100%.

When it comes down to if you’re gonna be a SOC analyst, there’s probably a few big name vendors out there you can think of that you’re going to be likely exposed to and using. And that’s what the company wants to see is somebody that knows how to use this tool that they’re actually using, right? And academic institutions just aren’t teaching that. And I think largely it’s due to licensing issues. And so for me, I think a lot of vendors would also benefit from offering academic licenses.

or even just allowing commercial free licenses and the educational institutions telling people, hey, go install this free version of this tool. Let’s get hands on. Let’s start messing around with it. And we can start getting experience on the actual tools we’re using in the industry. A lot of things we could be doing better across the board, I think from all parties involved. And I think we’re seeing a lot of right steps moving forward. It is a little scary because the threat is not.

getting smaller. They don’t have a gap that exists. They’re just getting better, faster, using more technology. And unfortunately, I did see a report earlier that actors were saying it’s just way more profitable and way easier to get down to the bad side of the house. And obviously, we want to kind of stomp that and level that curve as much as possible. And it’s scary because we’re really not doing it at this point in time.

Thomas Rogers (25:11)
So much there that I agree with and want to talk about. I want to talk about tools, but I’ll wait a second. So we had a friend and advisor of our company on a couple of weeks ago, Rob Fuller. And one of the things he talks about in hiring is over like 25 years, he’s workshopped like this rubric that he uses the interviewing. And so often

have a candidate that scores really well in his rubric, but doesn’t hit like the basic qualifications or preferred qualifications on the resume. And HR will be like, what the heck? This person’s perfect. And he is then able to like kind of counteract that because he’s like, I’ve got this rubric that’s tried and true and it works really well. And this person’s really curious and is going to learn and be a great resource. It sounds like that’s something that you.

agree with, you know, from a hiring perspective, like you have to, you have to find a way to be able to take chances on people that are not, you know, right down the middle candidates. Have you been used as a resource historically to help? I mean, you clearly have like a very data driven approach to that. But yeah, like what have you seen that’s worked there?

Kevin Woods (26:16)
Yeah, we kind of have our own version of a rubric. I’ll again, it’s kind of at the team level. So all the hiring managers are doing their own thing with that, but we have had several managers retrial. Like, how are you evaluating these people? How do you look for natural curiosity? How are you testing them on problem solving skills? I like doing technical assessments, nothing that’s supposed to trip them up, but I just want to make sure they can work through some basic troubleshooting skills.

For technical interviews, I actually give out my questions beforehand. I say, I’m going to straight up ask you these questions or here’s a list of 20 questions I’m going to ask from these. And the idea is not that, you know, they’re Googling it during the interview, right? Obviously, but I want to make sure they have the chance to research these things. Cause a lot of times we don’t need you to know all the answers off the bat, but if you’re able to find them and have an intelligent conversation about them, I know you’re showing up prepared.

And you’d be surprised how many times I go into an interview and I’ll ask the very first technical question and the person doesn’t have any idea, right? They don’t know how to answer it. Like I gave these to you beforehand, right? And that just gets into the level of preparation and how much research you do beforehand. Yeah, we’re, we’re always looking, especially on the technical assessment, we collected a lot of data around that too, and how people perform, how long it takes them in different areas. And we started sharing that with some of the different teams here at GuidePoint Security too.

I know some of them are using a very similar approach. I like that rubric style too, because it’s really tough. You go into an interview and you’re just not prepared to think of appropriate questions, or you might come out thinking like, that person was awesome without really looking at your notes. Or if you dive into the rubric, you’re like, well, actually they couldn’t do this very basic thing that they should have known how to do.

And again, I do get worried with AI coming into play. I see it all the time, people trying to use AI in their interviews as well. And that’s probably going to shape some things moving forward, right? It’s going to be a little bit more difficult. So the more you can have your questions that you look for, answers that you look for for those questions, right? And try to interpret not just the direct answer that they’re giving you, but how they go about approaching that answer, that delivery, right? And talk to them just about their critical thinking abilities as much as possible.

Thomas Rogers (28:27)
I love the idea of giving them the questions ahead of time for the assessments. Definitely gonna make note of that. I think too, the big misnomer with assessments is that the goal is to stump and like that’s definitely not, and also that it’s just binary. It’s like you solve it or you don’t. It’s more about the process. It’s like putting them in a situation to just see how they think. That’s the entire purpose.

They’re not only gonna be judged by, you know, there was all this blowback against like LeetCode and all these other things last year. And I just, it always infuriated me cause I’m like, this is not even like a whole picture of like how these companies are hiring. It’s just like one piece of a formula. Yeah, I feel like that’s assessments have gotten like kind of a unfair of that stuff.

Kevin Woods (29:11)
And we’ve even had managers here, they’re like, why are you assessments? Because across the board, different people obviously feel different ways. But that’s because I think when they think of assessments, yeah, it’s like just stump the chump sort of thing or like try to find the most absolutely intelligent person you can in this one particular area. When in reality, we need social skills, conversational, emotional intelligence. Like there’s a lot of other areas other than just hopping into a terminal and finding an answer.

Thomas Rogers (29:38)
Cool, so I go back to tools because we talked about that earlier. I’m really interested in this and it sounds like you have some good thoughts on it. So I’m curious your thoughts on how tools fit into like a cybersecurity professional just how to think about like tool-based learning development.

Kevin Woods (29:56)
We base a lot of our learning kind of around certifications. I think certifications have good like pathways, natural training plans. So it’s a decent way to get started. I like having a foundation of technical knowledge that has nothing to do with a vendor tool. So start with that. You understand computer systems, operating systems, networking and basic security skills. Once you get to that point, then let’s go learn a vendor tool, right?

I think that’s how you approach it. I don’t think it’s just one or the other. I think you need to marry up the two because they’re both equally important. I also run into people that all they know is just one tool. That is what they’ve learned and they can’t understand what’s happening in the background. They don’t understand why this tool is operating the way it is or even know how to interpret the data they’re looking at. So start with the foundations that’s going to make you a much better practitioner.

But then if you want to be hired, now we got to add in, level in some of those different tools that we’re actually going to use, right? So you know how to use them, but to me, it’s way easier to teach a tool, the buttons to click, and here’s the process of it. It’s way harder to teach people about risk management and understanding like where these different threats come from and how do we constantly evolve and adapt to those threats. Is that a similar thing that you had

Thomas Rogers (31:07)
wrinkle with that is because I’ve seen, you know, people in large organizations that are experts in one tool, but if it’s like Workday or Salesforce, like that’s fine, obviously, because every company is going to use that as kind of the gold standard in cybersecurity. It’s hard. I mean, there are definitely, you know, some tools that are used by, you know, a lot of companies, but there’s also so many like emerging tools that are, you know, really cool. I’m curious, like

Yeah. How do you think about that? Like, cause the tech stack is bigger than ever.

Kevin Woods (31:35)
Huge right? Most companies have dozens of cybersecurity tools, right? And so I think you can become an expert on one tool, but you have to be exposed to different areas, right? And you’re right. If it’s like Salesforce and that’s all you do and that’s where you live and you probably have a job in that area for a long time, great. But if you want to be a well-rounded cybersecurity practitioner, I’d say you need to understand the foundations. You need to know how computers are talking, how threats are attacking, how to defend against those different threats.

You can have your tool of choice. That’s like your, your primary, if you will. And that’s what you learn. That’s what you’re good at. That’s what you’re an expert at, but there’s so many other tools that are connecting into that. And we typically, if you’re unsure where you want to go, if you’re just getting started or like learn a SIEM, nearly every single security operations center, that’s what they deal with. Right. So start there and then you can start looking at all these other tools. If you know, Hey, you want to get into data loss protection and prevention. Cool. Go learn those as well, right?

But there’s a lot of adjacent tools are all communicating amongst each other. So we constantly have to be just learning newer and newer things. And that’s, that’s another part of upskilling. I think a lot of people want to learn these new tools and we’ll say, Hey, maybe you already know like a few SIEM tools. Maybe you should go learn like an EDR or something else, right? And kind of expand your, your knowledge here too.

Thomas Rogers (32:51)
So I think we’re completely aligned on all that. I’m also curious because we’ve know, a bunch of different types of training for vendor tools and it’s usually owned by the vendor, usually. And that can be kind of hit or miss depending on how much they invest in it. So you’re really like, it’s kind of out of your control. What we’ve seen that worked to go back to our earlier conversation works, you know, a lot of times is

Kevin Woods (33:03)
Mm-hmm.

Thomas Rogers (33:16)
Hands-on. Like give, you know, give people like Snowflake instance and like some actual data, give them like a flow of scenario, almost like CTF style and have them like go through, you know, those types of like hands-on challenges related to a tool designed to be solved by a tool. Have you seen stuff like that? Is it more just kind of the vanilla vendor training?

Kevin Woods (33:40)
Yeah, GuidePoint works with over 700 vendors now, which is nice for me, because I get exposure to a lot of these different vendor tools, which is cool, and a lot of their different training. And to your point, it’s across the board, right? Some have way more management systems and training courses built out. I’ll say, and we get the same a lot of our learners as they go out to them, the ones that do have the hands-on labs, like built-in.

Thomas Rogers (33:43)
Yeah.

Kevin Woods (34:04)
They get way higher scores. The people tend to pick them up, learn them a lot faster than we have some training. It’s just videos and some texts that you’re reading and they just, they’re not going to be on board and able to provide a value to their company and use that tool effectively nearly as fast as the ones that are actually going into the system and learning it hands on.

And some vendor training that we have, it’s just video and text, what we’ll do is we’ll spin up that entire environment just in a cloud environment or one of our lab environments that we have and say, hey, follow along as what they’re doing in the video, you do it as well. And it might be a little outdated, might have a different version. So it might look a little different. That’s okay. Research it, figure it out, but follow along into everything that they’re doing. And when we started, we made that transition for one of the vendor certs that we were studying for, we saw just like a 6x improvement on the number that we’re passing it and ready to actually provide those services.

So yeah, to your point, it’s across the board. See all different variation, but the more hands on you can get, and you can start with video and text. Like I’m not knocking that at all, but at some point you have to introduce the actual tool itself and let people get hands on and start using them.

Thomas Rogers (35:16)
700’s a big number. That’s a lot.

Kevin Woods (35:19)
Yeah, a lot of vendor partners. I’m blessed to be at GuidePoint Security. They’ve been an awesome company across the board, just from the leadership buying into the whole learning and development and the culture. But yeah, the vendor side is pretty nice too, because we deal with a lot of vendors who they just want to help out. A lot of them will volunteer to mentor or come work with like our interns and just teach them different courses and give us training environments and stuff like that. But it’s allowed me to get some certs too, so I get to some fun.

Phoebe DeVito (35:47)
Awesome.

Thomas Rogers (35:47)
Sweet.

Phoebe DeVito (35:48)
Well, so our wrap-up question is if you were starting your career in cybersecurity now, so knowing everything that you know now, what is one thing you’d want to tell yourself?

Kevin Woods (35:57)
Yeah, I’d say the hardest thing about this industry is getting into it and getting started. So have patience, know there’s a lot of luck involved. People are gonna have to network, even if you hate networking and go into events, go out there and do it. But really the biggest thing is experience is huge. It’s experience way more important than any certification, any training, any studying you’ve done. I think those take you a long way, but at the end of the day, be willing to take whatever opportunity presents itself, whether it’s a little low paying or night shift or not exactly in the location that you’re looking for.

Just get out there, start working, take action like we talked about, and that’s gonna open up way more doors and opportunities for you later on. And you might actually find that you really appreciate and like that opportunity that you started in. And so, yeah, take action.

Phoebe DeVito (36:43)
Awesome. Love it. Well, thank you so much for coming on today. It’s been a great conversation.

Kevin Woods (36:47)
Yeah, thanks for having me.

Phoebe DeVito (36:48)
Awesome.

Thomas Rogers (36:49)
Thanks, Kevin.