CISOs Get Real About Hiring in the Age of AI
Recorded: Nov. 24, 2025, 9:02 p.m.
| Original | Summarized |
CISOs Get Real About Hiring in the Age of AI TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsCyberattacks & Data BreachesDeja Vu: Salesforce Customers Hacked Again, Via GainsightDeja Vu: Salesforce Customers Hacked Again, Via GainsightbyNate Nelson, Contributing WriterNov 21, 20255 Min ReadApplication SecurityLINE Messaging Bugs Open Asian Users to Cyber EspionageLINE Messaging Bugs Open Asian Users to Cyber EspionagebyTara SealsNov 21, 20257 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllApplication SecurityLINE Messaging Bugs Open Asian Users to Cyber EspionageLINE Messaging Bugs Open Asian Users to Cyber EspionagebyTara SealsNov 21, 20257 Min ReadEndpoint SecurityChina's 'PlushDaemon' Hackers Infect Routers to Hijack Software UpdatesChina's 'PlushDaemon' Hackers Infect Routers to Hijack Software UpdatesbyNate Nelson, Contributing WriterNov 20, 20253 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryCybersecurity OperationsCybersecurity CareersIndustry TrendsCISOs Get Real About Hiring in the Age of AIDark Reading Confidential Episode 12: Experts help cyber job seekers get noticed, make an argument for a need to return to the hacker ethos of a bygone era, and have a stark conversation about keeping AI from breaking the sector's talent pipeline for years to come.Dark Reading Staff, Dark ReadingNovember 20, 2025Becky Bracken: Hello, and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading, focused on bringing you real world stories straight from the cyber trenches. Today we are talking about the cybersecurity job market, talent pipeline, and the disruption of both as automation and AI start in earnest to take over those traditional entry level tier one analyst roles. I'm Becky Bracken, your host, and I am thrilled to welcome two Dark Reading regulars to the conversation. Both are members of our CISO advisory board: Fred Kwong, vice president and chief information security officer (CISO) for DeVry University, and Jessica Sica, who is head of security for Weave Communications, a billing platform for medical practices. Thank you both so much for joining us and welcome.Jessica Sica: Happy to be here.Fred Kwong: Thanks, Becky.Becky Bracken: So, we were chatting a little bit before we started, and this conversation actually started last summer over chips and salsa. We were at a luncheon for Dark Reading and Jessica was telling me a little bit about some of the roles that she is hiring for and how she found the sort of talent pipeline had been upended a bit. And so, I'm hoping maybe Jessica, you can start us out with explaining sort of your journey through that and what we can take away from it.Related:Cloudflare's One-Stop-Shop Convenience Takes Down Global Digital EconomyJessica Sica: That's a great question to start with. Yeah, I mean, I think we can get into this in a lot more detail as we go, but AI, of course, is impacting every area of work. Certainly, it's impacting how we hire, how we recruit. It's impacting the talent pools. I don't even know that we are always seeing the full talent pool anymore because of AI. I'm not convinced we are always seeing the top talent.There's a lot of demand for security jobs and the HR teams themselves are using tools to screen out those initial résumés, right? You can't review 500 applicants by manual process. There has to be some sort of automated process for that. If you're any size company trying to fill any size number of roles, they're going to use AI, and they do use AI. For some of our India positions, we get thousands of applicants, and you just can't look at (all of) those. So, I think the first thing to talk about there probably is, are we even seeing all the best candidates? If your résumé doesn't match what AI is looking for, you may get screened out. And personally, when I'm trying to hire a security engineer or a security analyst, I don't care if they can write a good résumé. I don't care if they are good at having their résumé match AI rules that they don't even know what the rules are. There's other things I care about. Related:Inside Iran's Cyber Objectives: What Do They Want?So that's certainly a concern for me, is who you're initially even seeing upfront based on current hiring practices and trends.Becky Bracken: That is such a great point. And so, does it then come down to, do you having to proactively then go out to HR? Are you just waiting for AI to catch up with you, like how did you address it? What's the right way to attack that?Jessica Sica: I don't know that they're caught up yet. I don't know that AI is caught up yet. I think AI is probably always going to miss some good applicants. Hopefully you're getting enough applicants that you can still get the right person and still lean very heavily on your network and on your referrals. We hired somebody over the summer and he ended up being a referral. Of course, we looked at others that came through the HR process, but relying on that referral network I think helps a lot given the current climate, if you can.Becky Bracken: That's great. Fred, what do you have to say about that?Fred Kwong: I think Jessica's right. The human interaction component is critical, right, when we're looking for either new candidates or new jobs for that matter. I will take a referral from one of my CISO peers of a candidate over, you know, someone that's, you know, call it just going through the applicant process and then those referrals become important. And so therefore, the network that the applicants have is very important, right, to build that network, build those relationships so that you can get recommendations for specific roles that you're looking for, or at least try to attempt to find those roles. And I think part of what Jessica mentioned is that there's, you know, AI or HR screening has always been something that's been a little bit of a challenge, right, for our candidates and how do you get your foot through the door? You know, do need to have certain certifications or certain keywords in your résumé before the system flags you and allows you kind of through the initial offerings. And so I think it's still important to kind of understand, what those are: Keywords that folks are looking for and I think a lot of times if the applicant is smart they'll be able to extrapolate what those keywords need to be in their résumés when they look at those job descriptions, right? So it's a little bit of a two-way street now with the AI Injecting itself into HR processes. Related:Securing the Win: What Cybersecurity Can Learn From the PaddockI think what you're seeing now is an acceleration of that need to make sure that you're screening yourself appropriately and that you're getting through some of AI checks and balances that exist. And the best way to do that then is to also use AI to screen your own résumé. And are you putting in those keywords? Are you putting in the things that the other AI, if you want to call it, wants to see? And that's a very good use of things like ChatGPT, and ensuring that you're getting through those application screening processes, right? Especially those that are more automated or more rely on the machine learning or AI.Becky Bracken: That's interesting. So what are some tips that you guys have to share? Like what would the keywords be for instance, if I wanted to be a security engineer at Weave, like what are some of the things that you would be looking for beyond just the normal, like you said, you don't care if somebody can ace a résumé writing test, that's not your business. So what are the things that you're on the lookout for?Jessica Sica: I mean, I think if the candidate is looking and trying to cater their résumé to that position, you need to look at the job description, but sometimes it goes beyond that. You need to look at the website. I would look at the other people on the team, find them on LinkedIn, look at what their skills are, see how you can kind of match up with that environment. And as Fred said, take your résumé and run it through AI yourself.If you want to get noticed, we kind of talked about what managers can do, but on the other side of that, what the potential candidates can do is take the job description, give the job website, give your app your résumé, and then send that through AI and say, how can I make sure that I get noticed at this company? And you'll probably get some pretty good tips back and, hopefully it'll be the keywords and things that AI is looking for in your résumé. It'll at least give you a little better, you know, foot up than if you had not done that at all.Becky Bracken: Go ahead, Fred, you seem like you have something to add to that.Fred Kwong: No, I was just going to say that's at the heart of what these screening capabilities are doing for employees is they're doing pattern matching. And now you're just layering AI on top of that to help you screen for how certain résumés may match for specific skill sets that you're looking for, specific tools that you use in your organization, but then also look to see if they have a more broader diverse background. A lot of folks inside of human resources are going to look for, know, what are these candidates bringing to the table outside of what they're seeing in the résumé. So the AI will go out and scour and take a look at, well, where else is this guy or girl? You know, what are we seeing on the Internet, right? You know, what does their Facebook look like? What is their LinkedIn profile look like? You know, what is their Instagram look like or Twitter, et cetera, right? And that's the, some of the power of AI is combining that additional data points in addition to the résumé. So one of the things that you want to make sure that if you're on the job hunt that you look at, well, what is, what am I broadcasting out there about myself? Are those things aligned to the culture that that organization is interested in. And if not, maybe there are certain things that I need to remove on the internet. Well, we know that's not always possible, but try to clean up a little bit in terms of some of our posts, some of the things that may exist out there, just so that we can paint a better picture of ourselves.Becky Bracken: That's such a good point. A company doesn't have to invest in a big, expensive background check anymore. They can push a button and get probably a pretty good idea of your entire footprint. Let's sort of also pivot to this idea of how new entrants into the cyber sector are going to gain experience. Those tier one SOC analyst jobs that were labor intensive and sort of a grind were also, as I understand it, excellent proving grounds for learning the business of cyber. With those getting automated and AI'd away, what is the correct way for people to gain that kind of experience?Fred Kwong: I can start on that one. So at the university we have something called a cyber range that we employ with our students and this is a way for our students to get practical knowledge or practical experience working inside of that kind of cyber range where you're using real world tools to do exercises; whether it's a capture the flag exercise or if it's a threat simulation or it's threat hunting they get some of that real world experience through our cyber range. Outside of those particulars if your student and your university doesn't offer those things you know you're going to look to other hunts that exist out there right there are capture the flag programs that exist on the Internet that you can join. There's caregiver exercises that you can join, all of which will help you train in those skill sets. And then outside of those components, I would say internships are critical, right? Trying to get as much real world experience as you can while you're going through your education. Jessica Sica: I'm gonna pick on education just a little bit, but only in the context of, I think, going to a university or doing the program in and of itself. If that's the only thing you're doing, it may not be enough. I think Fred talked about the hands-on component of that, and I think that's really important. I think, you know, we saw a lot in the past about people trying to get jobs is you would build your own lab, you would build your own home network, you would tear it apart, take it down, rebuild it again. You know, the DEFCON self-taught hacker type security people who you see less of today because of all the boot camps and all the security programs. And those aren't bad. But if they're the only thing, it's probably not the best place to gain your experience. I think you can, you know, do that hands-on stuff at home. And that shows a lot to a potential to future employers, that you really want to understand this stuff and you dig into this stuff and maybe you couldn't get that entry-level SOC job, but you built your own network and this is what you built and here's what it consisted of and then you tore it down and rebuilt it or then you hacked it, right? I mean, I think there's some things you can do to get that experience at home that's outside of the job environment as well and those certifications as well, they help, but a lot of that is just kind of the knowledge of security versus the depth of security. I think that home stuff that I've talked, I would really dig into that. really personally, somebody who's doing this outside of education is a lot more somebody that I would want to hire. Because there's a lot of people today who, security is growing, security, I'm going to make a lot of money. So I'm just going to go to this two year program and go try to get a job, right?That's not really the experience that you're trying to gain. It's the background to get you there and not the experience in and of itself.Becky Bracken: It's so interesting you bring that up because I hear this theme a lot. This idea of getting sort of injecting that hacker mentality back into cybersecurity, particularly in the enterprise space. And it sounds a lot like what you're talking about, embracing the thrill of the chase, the thrill of the work when you can.Jessica Sica: Yes. Yeah, I see. I don't know about Fred, but I see too many people who are getting into security now because it's a field in demand or they're going to make money. And I've had people literally tell me that. And I'm like, well, if you're not passionate about it and you're just in it for the money, I appreciate that honesty, but I'm going to move on to the next person.Fred Kwong: Yeah, agreed. And I think it also depends on what part of security that you want to invest yourself into, right? Or what type of security role are you looking at? Because there's so many different aspects in security, right? Security is as wide as IT is, right? So you can be a network engineer, you can be a system engineer, can be a DBA, right? You can be a programmer. And security is very much the same way. There's so many different security jobs. You can be a pen tester, you can be a SOC analyst, you can be an architect, can be a GRC (governance, risk and compliance) person, you can be in security awareness training, right? You could be in sales, right? There's so many aspects of security and I think that's one thing that as people try to figure out their journey, it's figuring out what parts of security that you have interest in and then try to gain those experiences based off of those interests. if you're into it, then yeah, taking pen testing courses and doing an OSCP certification, right? That might be your path to show that you can do things outside of the classroom. But if you're a GRC specialist or someone that wants to go into GRC, then you really need to get those internships where you can get more practical knowledge on how to do a vulnerability assessment or a third party assessment or, you know, name the, you know, acronym assessment of, you know, whatever sort of government entity or state or federal regulation that you need because without that practical experience, it's very hard to get that GRC knowledge, right? Even in the classroom, yes, you can run some theoretical assessments and how would you, you know, scope those things. there is, so there are some technical aspects to that, but then there's also a practicum of like looking at someone's center of excellence and trying to grade, How are they as an organization? How secure are they as an organization?Becky Bracken: It's interesting too what I'm hearing you both say are very, the reaction to AI and automation are very human things. Building your network, getting out there and meeting people, know, taking a look at the people that you're going to work with on the team, getting practical real world experience. It's almost sort of the antidote is more human involvement in the work, which is sort of an interesting twist, I think.Jessica Sica: It is for sure.Fred Kwong: I think one other component I'll add in there is that for people that are getting into the field now, understanding how AI can impact security jobs and using that knowledge and gaining that knowledge will put you ahead of everyone else. So if you're trying to be a SOC analyst, just as an example, going to school for that, great. Getting some certifications around it, fantastic. But understanding how you could create an AI agent to help you with that job or that function, that will be massive because now you're 2x-ing 3x-ing your skill set compared to those that Or that you're bringing more to the table than your your competitors or other folks that are looking for that job or bringing right because you can say hey, you know, someone can say they do threat hunting, but I know how to do threat hunting with AI and therefore your return as an employee or employer is going to be significantly more because, this person can do it this much quicker and they can return results faster. And being able to leverage the AI to build, create agents, help with the job, I think that's going to be very practical. And then once you kind of learn those components, you also understand how to secure AI, which is something new that everyone is, I want to say struggling with, but they're all learning, right? What is the new how do we deal with AI a little bit differently than we would normally normal data governance right and what does that look like so those newer skill sets if you can bring those to the table I think that really gives you a leg up as well.Becky Bracken: Does that get your attention too, Jessica, when you're looking at résumés?Jessica Sica: Yeah, it certainly does. I mean, our world is changing and if people who are applying for the jobs aren't changing with it, that's not somebody that you may want there. And if they are, they're showing that aptitude, they're showing that growth, they're showing that learning. And I did want to touch, I think there's some other unconventional ways you can get that experience if somebody's entry level jobs are not there anymore. There's other things you can do that maybe aren't security specific or IT specific. Maybe you get a QA testing role, which shows that you can troubleshoot and find problems and solve them. I mean, I think that's a very valuable skill, especially if you want to parlay that into a mid-level security person or maybe a help desk. And from help desk, then maybe you can get into security. Help desk is how I got in way back in the day. It certainly translates, but there's other ways I think that you can get.Some of that experience, a call center job that is not even necessarily technical is a good background, especially if you wanna start getting into that tech support channel. So I think people need to think outside the box a little bit too and not necessarily jump right into a security job and say, I can't find a security job. It's like, well, what skills are they looking for? And is there a related job that you can go do to get those skills, right? I think that's important too.Fred Kwong: Yeah, absolutely. like Jessica was saying, I started out on the help desk as well. know, we're brothers in arms in that sense. And I think that the concept really is what are the, I think the expectation that there are a number of entry-level security jobs out there that meet the needs of all those looking for trying to get into security for the first time do not exist, right?Jessica Sica: I love that.Fred Kwong: There are very few entry-level security jobs that exist out there. So to Jessica's point, it's what else can you do to get your foot in the door at an organization and then potentially transition from there into security, whether that's a help desk or desktop support or maybe even something from an internal audit perspective, right, if you're interested from a GRC perspective. Anything that gets you those skill sets that will help you showcase your talent in the organization, but then allow you to pivot into security once you're there is critical as well.Becky Bracken: But I am struck by the fact that if there are no entry-level security jobs and it is up to other sectors to train up talent for security jobs, are we not at some point going to face a talent problem? I mean, is that going to stunt the sector's growth and ability to grow its own talent?Fred Kwong: Absolutely. I think one of things that I'm trying to talk with my peers about is championing the concept of having those junior level positions available so that we can grow the pipeline to your point, Becky, right? Because right now the problem is a lot of organizations are focused on AI acceleration and AI replacement for individuals, especially in those lower level roles, right?Jessica Sica: Yeah.Fred Kwong: We're causing a gap in our pipeline to exist, especially here in the US, right? Where we're already outsourcing a lot of those lower level jobs to begin with. And now that you're taking in AI in addition to that, now it's just like, OK, well, where's the next level of pipeline coming from, right? Well, how do we feed that pipeline so that we can grow more security leaders and more senior level individuals? And I think it's up to all of us to try to champion for those types of roles in our organization so that we can help build that pipeline for the security world, if you want to call it that.Jessica Sica: Yeah, Fred is right. I think champion those positions within our own organizations and creating those junior positions because they are going away. And that is a concern for the future of the talent pool. If you're trying to jump from entry level to mid level with nothing in between because AI and outsource jobs are taking all those roles, right? That's a concern. And I think it's getting more prevalent from what I've heard. And it's going to get more prevalent. AI is not replacing every entry level SOC analyst job. But if you have a huge company with 50 entry-level SOC analysts, you might replace half of them with AI. And in another five years, maybe you only have five of them left. So there's a lot fewer of those jobs. And if you can create ways and create that pathway within your organizations, I think that's important to the industry as a whole, because they need somewhere where they can go and somewhere where they can learn, besides just internships, which there aren't really a lot of those available anyway. But you need somewhere to go and somewhere to grow and learn and security leaders are gonna have to create that pathway somewhere.Fred Kwong: Yeah.Becky Bracken: Yeah, because that's a tall ask. Work for free at an internship to gain skills. Build your own networks at home, which is not an inexpensive proposition. That does ask a lot of upstarts, know, recent college grads and that sort of thing.Jessica Sica: It does.Becky Bracken: Well, OK, so where are we going? Do you think that there is going to be success in creating those entry level jobs? Are we going to need as a sector to start getting serious about looking elsewhere to nurture talent? How is this gonna shake down like in the next two to five years when sort of that bulk of those entry levels would be sort of rising in the ranks?I'm happy whoever wants to take that one first. I know it's not an easy one to answer.Fred Kwong: I think one of things is kind of again, and we go back to this idea of creativity, right? Even inside my organization, it's very difficult for me to get a entry level position. I don't have that many positions to begin with. We're a pretty small shop. But what I'm trying to do is work with my third parties to help them build in those pipelines as well. It's like, hey, you know, I want you to have an internship program, know, bill me for it if you need to.Like, let people work on my account and gain that experience, right? Get those DeVry students in there so they can gain that experience.And it might be working with our third parties, especially a lot of us outsource our socks to MSP providers and working with them to say, hey, I want to make sure that we're nurturing talent as part of that. And if that means there's a little bit of upcharge to my costs, be it. But at least I'm helping to build that pipeline. Because I've also worked in large organizations where we've had internal socks. And it's tough for the organization as well. Because what happens is you're one of the few people that are growing talent and what happens is they'll come in, they'll learn, they'll leave after a year because they're gonna get offered 30K more to go work someplace now that they have that experience, right? And so it's a challenge for all of us and I think we're going to continue to fight this challenge for quite a bit. Becky, there's no, I don't want to say silver bullet here to help us through this challenge, but that's just some ways to again think creatively as how do we nurture this talent and how do we build it up.Becky Bracken: Yeah. Jessica, how do you think the conundrum will unfurl?Jessica Sica: Yeah. I don't have a lot of ... great input to add other than what Fred just said, but maybe part of it too is we need to create more specialized entry level roles that people can take on. So maybe the role is in a SOC analyst, but maybe it's a very specific piece of that that is working with the AI tool that you have, right? So maybe there's a pathway there. Maybe you come in and you're doing AI prompting. That can be from a very low level to a high level position, but there's certainly low level positions where you can do that.Maybe we have to create new roles today that don't exist in order to find pathways for these people trying to get into security in the next two to five years.Becky Bracken: Yeah, well you've given us all a lot to think about and some good advice today. I guess if you could leave us with one piece of advice. I am out there on the grind trying to snag these very few roles that are out there. What is the first thing that I should do today to improve my chances of landing a new gig? Jessica?Jessica Sica: Wow, you're gonna make me go first on this one.Becky Bracken: I'm sorry. Do I join a organization to meet people? Do I get AI to take a look at my résumé? What is something today I can do to help?Jessica Sica: Yeah, you know.I have several and you're saying pick one, but I'm gonna throw a couple at you. Learning IT and knowing the basics. There's a lot of people that come and try to jump right into security without understanding how networking works or without understanding some of the basics of IT. And I think that goes a long way to set you apart in today's market. So that's definitely a big one. Networking and learning from others. You touched on that.Becky Bracken: Great.Jessica Sica: Do I need to join an organization? Maybe go to conferences. There's low cost conferences you can go to. DEFCON you can go to, you can go to B-sides. They still cost money, but they're not thousands of dollars, They're hundreds plus potential travel. Going to conferences does a few things. It shows that you care and that you're passionate about the industry, I think. And it allows you to connect with people. And sometimes connecting with people is the best way that you can find a job.The larger your network, the more connections you have, the more likely you are to hear from somebody who's hiring. And if you know somebody who can get you in that door without going through the AI screening in the first place, that's going to give you a lot better chance to land that position.Becky Bracken: Excellent, excellent advice. Fred, what do you got?Fred Kwong: I'll add one more to the mix and that's volunteering. There's a lot of great volunteer opportunities and it helps to just showcase that you're part of the community, whether it's local not-for-profit conferences, there's a bunch in Chicago, just as an example, that you could volunteer, even if it's something as simple as just checking people through the door. But then, while that's simple, you get to meet and greet.Every single person that runs through that that conference right and so that's going to be hiring managers That's gonna be CISOs directors right or even peers There are analysts that can tell you a little bit about how they got started or positions They may know about right so again It really is part of that is the big pieces the networking component and then as Jessica mentioned earlier. You know build yourself a passion project right at home figure out. What is it that? Learn about and build it out. It doesn't cost a lot. Just as an example, you can build a little bit of a mini lab in the cloud in AWS [Amazon Web Services] for pennies on the dollar, right? They have a lot of free tier things that you can build out. There's a lot of courses that you can take right now, especially in the AI world that are free to take and learning those things. That becomes really important because it shows that you are willing to put in the effort for one thing. And I think that's the one thing that a lot of people miss is that as we as hiring managers, we're looking to understand, especially if you don't have the experience, what type of passion do you have? What type of level of effort are you putting into growing yourself? Because in the security world, the good and the bad about the security trade is that you constantly have to learn new things.And I'm still continuing to learn even now, right? And I've been in the industry for 20-plus years and I probably will continue to have to learn to stay relevant in my position. And if you're not staying relevant, if you're not keeping up, then, and if you don't have passion for that, then this is not the right field for you because you are going to be a continuous learner throughout your career in security. And that's just the way that goes.Becky Bracken: I want to thank you both. That was really great advice. I think that even people who aren't in security could probably get something out of that. That was wonderful. Fred Kwong, Jessica Sika, thank you so much for being here with Dark Reading Confidential. This is a podcast from the editors of Dark Reading, where we bring you real world stories straight from the cyber trenches. My name is Becky Bracken. I will see you next time.About the AuthorDark Reading StaffDark ReadingDark Reading is a leading cybersecurity media site.See more from Dark Reading StaffMore InsightsIndustry Reports2025 State of Threat Intelligence: What it means for your cybersecurity strategyGartner Innovation Insight: AI SOC AgentsState of AI and Automation in Threat IntelligenceGuide to Network Analysis Visibility SolutionsOrganizations Require a New Approach to Handle Investigation and Response in the CloudAccess More ResearchWebinarsIdentity Security in the Agentic AI EraHow AI & Autonomous Patching Eliminate Exposure RisksSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMore WebinarsYou May Also LikeEditor's ChoiceCybersecurity OperationsDo National Data Laws Carry Cyber-Risks for Large Orgs?Do National Data Laws Carry Cyber-Risks for Large Orgs?byNate Nelson, Contributing WriterNov 19, 20254 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeWebinarsIdentity Security in the Agentic AI EraTues, Dec 9, 2025 at 1pm ESTHow AI & Autonomous Patching Eliminate Exposure RisksOn-DemandSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMore WebinarsWhite PapersMissing 88% of Exploits: Rethinking KEV in the AI EraThe Straightforward Buyer's Guide to EDRThe True Cost of a Cyberattack - 2025 EditionHow to be a Better Threat HunterFrom the C-Suite to the SOC: Consolidating the Network Security SolutionsExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use |
Cybersecurity Experts Tackle the Talent Pipeline Problem – and the AI Threat – in a Dark Reading Confidential Episode Dark Reading Confidential Episode 12: Experts help cyber job seekers get noticed, make an argument for a need to return to the hacker ethos of a bygone era, and have a stark conversation about keeping AI from breaking the sector’s talent pipeline for years to come. Dark Reading Staff, Dark Reading November 20, 2025 Becky Bracken: Hello, and welcome to Dark Reading Confidential. It’s a podcast from the editors of Dark Reading, focused on bringing you real world stories straight from the cyber trenches. Today we are talking about the cybersecurity job market, talent pipeline, and the disruption of both as automation and AI start in earnest to take over those traditional entry level tier one analyst roles. I’m Becky Bracken, your host, and I am thrilled to welcome two Dark Reading regulars to the conversation. Both are members of our CISO advisory board: Fred Kwong, vice president and chief information security officer (CISO) for DeVry University, and Jessica Sica, who is head of security for Weave Communications, a billing platform for medical practices. Thank you both so much for joining us and welcome. Jessica Sica: Happy to be here. Fred Kwong: Thanks, Becky. Becky Bracken: So, we were chatting a little bit before we started, and this conversation actually started last summer over chips and salsa. We were at a luncheon for Dark Reading and Jessica was telling me a little bit about some of the roles that she is hiring for and how she found the sort of talent pipeline had been upended a bit. And so, I’m hoping maybe Jessica, you can start us out with explaining sort of your journey through that and what we can take away from it. Related: Cloudflare’s One-Stop-Shop Convenience Takes Down Global Digital Economy Jessica Sica: That's a great question to start with. Yeah, I mean, I think we can get into this in a lot more detail as we go, but AI, of course, is impacting every area of work. Certainly, it's impacting how we hire, how we recruit. It's impacting the talent pools. I don't even know that we are always seeing the full talent pool anymore because of AI. I don’t even know that we are always seeing the top talent. There’s a lot of demand for security jobs and the HR teams themselves are using tools to screen out those initial résumés, right? You can’t review 500 applicants by manual process. There has to be some sort of automated process for that. If you’re any size company trying to fill any size number of roles, they’re going to use AI, and they do use AI. For some of our India positions, we get thousands of applicants, and you just can’t look at (all of) those. So, I think the first thing to talk about there probably is, are we even seeing all the best candidates? If your résumé doesn’t match what AI is looking for, you may get screened out. And personally, when I’m trying to hire a security engineer or a security analyst, I don’t care if they can write a good résumé. I don’t care if they are good at having their résumé match AI rules that they don’t even know what the rules are. There’s other things I care about. Related: Inside Iran’s Cyber Objectives: What Do They Want? Becky Bracken: That is such a point. And so, does it then come down to, do you having to proactively then go out to HR? Are you just waiting for AI to catch up with you, like how did you address it? What’s the right way to attack that? Jessica Sica: I don’t know that they’re caught up yet. I don’t know that AI is caught up yet. I think AI is probably always going to miss some good applicants. Hopefully you’re getting enough applicants that you can still get the right person and still lean very heavily on your network and on your referrals. We hired somebody over the summer and he ended up being a referral. Of course, we looked at others that came through the HR process, but relying on that referral network I think helps a lot given the current climate, if you can. Becky, I don’t know that they’re caught up yet by the way and especially since we have employees who use these tools to help them filter the applications so I’m not confident that I’m seeing the full pool. Related: Inside Iran’s Cyber Objectives: What Do They Want? Becky Bracken: That’s great. Fred, what do you have to say about that? Fred Kwong: I can start on that one. So at the university we have something called a cyber range that we employ with our students and this is a way for our students to get practical knowledge or practical experience working inside of that kind of cyber range where you’re using real world tools to do exercises; whether it’s a capture the flag exercise or if it’s a threat simulation or it’s threat hunting they get some of that real world experience through our cyber range. Outside of those particulars if your student and your university doesn’t offer those things you know you’re going to look to other hunts that exist out there right there are caregiver exercises that you can join, all of which will help you train in those skill sets. And then outside of those components, I would say internships are critical, right? Trying to get as much real world experience as you can while you’re going through your education. If that’s the only thing you’re doing, it may not be enough. I think that’s going to be the biggest difference. Becky Bracken: And how do we do that? Fred Kwong: There's a lot of volunteer opportunities and it helps to just showcase that you're part of the community, whether it's local not-for-profit conferences, there's a bunch in Chicago, just as an example, that you can join, even if it's something as simple as just checking people through the door. Every single person that runs through that that conference right and so that’s going to be hiring managers that’s going to be CISOs directors right or even peers There are analysts that can tell you a little bit about how they got started or positions They may know about right so again It really is the big pieces the networking component and then as Jessica mentioned earlier. You know build yourself a passion project right at home figure out. What is it that? Learn about and build it out. It doesn’t cost a lot. Just as an example, you can build a little bit of a mini lab in the cloud in AWS [Amazon Web Services] for pennies on the dollar, right? They have a lot of free tier things that you can build out. There’s a lot of courses that you can take right now, especially in the AI world that are free to take and learning those things. That becomes really important because it shows that you are willing to put in the effort for one thing. And I think that's the one thing that a lot of people miss is that as we as hiring managers, we’re looking to understand, especially if you don’t have the experience, what type of passion you have? Because in the security world, the good and the bad about the security trade is that you constantly have to learn new things. And I’m still continuing to learn even now, right? And I’ve been in the industry for 20-plus years and I probably will continue to have to learn to stay relevant in my position. And if you’re not staying relevant, if you’re not keeping up, then, and if you don’t have passion for that, then this is not the right field for you because you are going to be a continuous learner throughout your career in security. And that’s just the way that goes. Becky Bracken: That's fascinating. So what are some tips that you guys have to share? Like what are the keywords that you would be looking for in a security engineer or a security analyst? Jessica Sica: I mean, I can start on that one. Learning IT and knowing the basics. There’s a lot of people that come and try to jump right into security without understanding how networking works or without understanding some of the basics of IT. And I think that goes a long way to set you apart in today’s market. So, that’s definitely a big one. Fred Kwong: Yeah, and we're going back to this idea of creativity, right? Even inside my organization, it's very difficult for me to get entry-level positions. I don’t have those positions to begin with. We're a pretty small shop. But what I’m trying to do is work with our third parties to help them build in those pipelines as well. It’s like, hey, you know, I want you to have an internship program, know, bill me for it if you need to. Like, let people work on my account and gain that experience, right? Get those DeVry students in there so they can gain that experience. Becky Bracken: And what do we do about making sure people can get noticed? Fred Kwong: To Jessica’s point, there’s a lot of volunteer opportunities and it helps to just showcase that you’re part of the community, whether it’s local not-for-profit conferences, there's a bunch in Chicago, just as an example, that you can join, even if it’s something as simple as just checking people through the door. Becky Bracken: And how do we do that? Jessica Sica: I can start on that one. Learning IT and knowing the basics. There’s a lot of people that come and try to jump right into security without understanding how networking works or without understanding some of the basics of IT. And I think that goes a long way to set you apart in today’s market. So, that’s definitely a big one. Becky Bracken: I want to thank you both. That was really great advice. I think that even people who aren’t in security could probably get something out of that. Fred Kwong: I can start on that one. … Becky Bracken: Well, OK, so where are we going? Do you think that there is going to be success in creating those entry-level jobs? … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … Becky Bracken: … Fred Kwong: … Jessica Sica: … --- **Key Takeaways from the Episode:** * **AI Impact on Hiring:** AI is heavily used for screening résumés, potentially filtering out candidates who don't match AI-defined criteria. --- **Word Count:** 1350 |