Jamie Norton, Board Director at ISACA, shares how the organization is tackling the cybersecurity skills gap by focusing on career development, hands-on certifications, and community support for professionals at every stage. This episode explores how ISACA is aligning real-world workforce needs with practical solutions to help individuals enter, grow, and thrive in the field.
The cybersecurity workforce shortage isn’t a new problem—but according to Jamie Norton, Board Director at ISACA, it’s one that’s getting worse. In this on-location conversation during RSAC Conference 2025, Norton shares how ISACA is not only acknowledging this persistent gap but actively building pathways to close it, especially for early-career professionals.
While many know ISACA for its certifications and events, Norton emphasizes that the organization’s mission goes much deeper—supporting digital trust through education, community, and career development. One key area of focus: helping individuals navigate every phase of their professional journey, from new graduates to seasoned leaders. That includes new offerings like the Certified Cyber Operations Analyst (CCOA) credential, designed specifically to meet the growing demand for technical, hands-on skills in security operations roles.
What’s driving this shift? Norton points to employer demand for candidates who can walk into SOC and technical analyst roles with practical experience. The CCOA was created based on feedback from ISACA’s 185,000+ global members and a wide network of hiring organizations, all highlighting the same pain point: early-stage roles are difficult to fill, not because people aren’t interested, but because too many can’t prove their skills in ways hiring managers understand.
ISACA’s response is both strategic and community-driven. Certification development is rooted in large-scale data analysis and enhanced by input from members around the world, ensuring each program reflects real-world needs. At the same time, ISACA recognizes that certifications alone don’t create confidence. Community and mentorship matter—especially for those struggling with imposter syndrome or breaking into the field from non-traditional backgrounds.
Looking ahead, ISACA is investing in career journey tools, AI-focused certifications, and guidance for post-quantum readiness—all while continuing to support members through local chapters and global programs.
For those hiring, job-seeking, or guiding others into the field, this episode offers a grounded, forward-looking view into how one organization is equipping the cybersecurity workforce for the work that matters now—and what’s coming next.
Learn more about ISACA: https://itspm.ag/isaca-96808
Note: This story contains promotional content. Learn more.
Guest:
Jamie Norton, Director Board of Directors, ISACA | https://www.linkedin.com/in/jamienorton/
Resources
Learn more and catch more stories from ISACA: https://www.itspmagazine.com/directory/isaca
Learn more and catch more stories from RSA Conference 2025 coverage: https://www.itspmagazine.com/rsac25
______________________
Keywords:
jamie norton, sean martin, marco ciappelli, cybersecurity, certifications, workforce, skills, governance, community, careers, brand story, brand marketing, marketing podcast, brand story podcast
______________________
Catch all of our event coverage: https://www.itspmagazine.com/technology-and-cybersecurity-conference-coverage
Want to tell your Brand Story Briefing as part of our event coverage? Learn More 👉 https://itspm.ag/evtcovbrf
Want Sean and Marco to be part of your event or conference? Let Us Know 👉 https://www.itspmagazine.com/contact-us
From Certification to Confidence: The Future of Cybersecurity Starts with the First Job | A Brand Story with Jamie Norton from ISACA | An On Location RSAC Conference 2025 Brand Story
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
Sean Martin: [00:00:00] Marco, you start. Sean, I'll start. I always start. It's never a secret. What's the secret? Is what I ask, ask you or say to you
Marco Ciappelli: that I never know.
Sean Martin: You never know what that is. I
Marco Ciappelli: have become very, very good at you have, you know, you do respond thinking on my feet really quick. That's right. Because of you. That's
Sean Martin: a bit of improv.
Uh, yeah. Yeah. Forced by me.
Marco Ciappelli: But after 15 years that we do this together, you know, it can, I don't wanna say we read each other mind, but you know, I know where you're going. We have
Sean Martin: a feeling of what we're trying to do anyway, but not
Marco Ciappelli: all the time. Not
Sean Martin: all the time. And, and we're not doing it now. So look at that.
Even, even, this is different.
Marco Ciappelli: Yeah, absolutely. Everything is different. Well, but we're here. RSA conference.
Sean Martin: Exactly. And, uh, it's a good, good few days already. A few more coming. Uh, we knew it was gonna be rooted in community, rooted in collaboration, rooted in knowledge, didn't disappoint. No. We're gonna talk more about that today with, with, uh, the ice soccer team specifically Jamie Norton.
It's good to have you on. Good to [00:01:00] see you. Good to be here. Yeah. It's a pleasure meeting you other day. We had a, we had a good chat before the, before the show. Um, the work you and the team are doing really good. It's important for, for the community, important for business, important for society, which is why Marcos on with us.
Um, before we get into the membership of Isaka and certifications and all the stuff that you, that you do, maybe a few words about you, your role with Isaka and, uh. Why you're here this week. Let's talk about that too.
Jamie Norton: Yeah. So I'm, uh, lucky enough to be on the board of directors for Osaka. We're a, um, you know, global not-for-profit representing digital trust, so audit, cybersecurity, governance.
Mm-hmm. Uh, and, um, you know, I've, I've joined the board for the last, uh, since July last year. So still relat relatively early days for me. But, um, but I've been with Asaka, you know, for, for more than 20 years now, and it's just a fantastic association, a not-for-profit. Just dedicated to, to helping, uh, you [00:02:00] know, people with their careers in, in these areas, in these professions.
Sean Martin: Yeah. Many people probably know ISACA for the events. Yes. But there's much more to it than just the events, which we'll talk about. Um, but Marco, the Yeah. This,
Marco Ciappelli: well, you know, it's obviously the theme of this event, and even when it wasn't the theme, it was still the theme, like community, uh, hears many voices.
One community, isaka is a. Big organization chapters all over the world. So we, we talked about, we can talk about the global community and Yeah. We had
Sean Martin: Ion Mann,
Marco Ciappelli: but I, well, I, I wanna, I wanna start with the, with the, with the skill gap, because I've been in talking with Sean in this industry for about 12 years.
I still hear the skill gap and I don't know, I mean, what, what has it, has it changed something, has it improved? And what are we doing to actually make it better if we are.
Jamie Norton: Yeah. And so from, you know, Saka, [00:03:00] we, we regularly, you know, test and, and, and, and survey our, our membership and, um, and employers to understand, you know, the, the state of, I guess digital trust and the state of cybersecurity and, and audit and, and our other areas that we, that we, uh, that we work with it.
The problem is getting worse. I think it's a, it's a combination of, you know, just not being enough cybersecurity professionals, but as we've found most recently. It's, it's also that early stage career that we, you know, getting, getting graduates and getting, um, younger members into the, into their early professions, actually proving quite hard and they're, they're struggling a little bit to get those first roles and then their second role.
So we've, we've got this thing that we've developing around know, around career journey. We really want to help our members with their career journey, um, and, and what that looks like at each stage of their career, from, from early graduate, all the way through to, you know, to a seasoned veteran. So, um, that really is a strong focus for us and, and.
Yeah, we, uh, at this point in time we've identified that there is, uh, definitely skills gap in that younger, um, you know, two to three year experience area. And we want to really help our [00:04:00] membership to develop that through.
Marco Ciappelli: So maybe a few things that I've noticed. One, there was a joke years ago, there was entry level with 10 years experience.
Yeah. Which was a pretty high barrier Right, right there. Um, so I'm assuming there is different way to enter into the industry now. I know that there is different. A diversity of backgrounds that are actually welcome in the industry. So maybe you want to talk a little bit about, about that side.
Jamie Norton: Yeah. I mean, cyber and, and, and audit and assurance, they, they're, they are very diverse industries.
Um, increasingly, uh, we actually value, you know, diversity of thought, diversity of thinking, um, you know, not, not having everyone think the same way really contributes to that sort of, um, breadth of our profession. So, and an Osaka being a global, um, entity. You know, we have, we have people from all walks of life, from all geographies in the world.
Um, and, you know, all cultural backgrounds. So yeah, cultures, we, we really celebrate that. But, um, but I, yeah, I think the, that, um, [00:05:00] getting, getting more people into the profession 'cause we are seeing, um, you know, there is gonna be a, definitely a skills, yet we're seeing not enough cyber people, not enough auditors, not enough, um, people in those governance areas coming into the profession.
Um, so there is a gap and, and employees in particular. There's, there's been a marked increase in, in, uh, employers asking us for those early stage career professionals. So, um, it's that, that two to three year more technical discipline as well. We, we seem to find employers really value that ability to, um, you know, do, do some more technical roles or entry-level technical roles.
So, um, we, we wanna focus in on with, without some of our new certifications on enabling that, um, graduate to be able to pick up those skills and be able to,
Marco Ciappelli: and it's also an industry where you never stop learning, right? This is.
Jamie Norton: Absolutely.
Marco Ciappelli: So, you know, it's good to have a good head start to be able to put your hands on, but then you need to know that you gotta keep building your resume, building your experience and learning more.
It's,
Jamie Norton: yeah, it's a, it's continuous learning, uh, all the way through. And I think that's why [00:06:00] as Saka really has, um, starting to focus around this career journeys idea. We want to, we want to be there every step of the way, but also help our members understand, you know, what are the pathways. What are their options at different levels for, for training and for certification and for experience, um, and really help them be that partner throughout their career journey.
Sean Martin: Yeah. It's funny, I'm looking off to the side. I'm listening, but also looking off the side. Somebody, somebody out in the, in the hall. There was the person introduced me to Isaka Oh, wow. Probably 15, 20 years ago. Which is, uh, is pretty cool. But I want to, um, I want to, let's get down to brass tacks a bit here.
'cause the skills gap, you need to learn, you need to present yourself in a certain way. As an employee, the employers, not enough people. We need to, we need to fill these roles. We define those roles in a certain way. They don't align often. So how, how do you view the alignment of what the skills are, [00:07:00] how the employees gain them?
How they demonstrate them, how they map to what the organizations are looking for.
Jamie Norton: Yeah. So I think that, that, that critical context, I guess, Asaka, um, we're fortunate we have 185,000 members globally and, and 280 chapters as we mentioned. Mm-hmm. And, you know, we, we, we, we use those, that data and those insights to understand what, uh, both what, what our members, uh, are being asked for and what our awesome employees of those members are looking for in the market.
Mm-hmm. We do, do, uh, you know, some, some data driven, uh, analysis obviously across that, that, that wealth of data. And, uh, you know, at the moment a lot of that data's coming back and telling us it's that, um, you know, that, that that early stage, more technical disciplines that are in demand, right? Um, and you know, the, it's, it's an interesting time for us across, across many of our industries that we support because at a macro level, you know, the economy's not necessarily doing well in, in a number of jurisdictions across, across the globe, but, you know, cyber and, and audit and these other, um, uh.
Capabilities are, are definitely [00:08:00] still very critical. So, and, and growing. We're seeing growth in, in the number of, in the demand for these jobs. So sometimes there's a bit of a two speed sort of economy happening, but, uh, you know, we are, we are there to, um, provide capability and, and, and support for those members that are, that are, you know, at the coalface.
Sean Martin: And as you're, as you're talking, I'm thinking there, there's a point where it comes together in a certification, if I'm not mistaken, right? Yes. Where we actually wanna talk about the CCOA. Because I think that is, that is a way to learn and demonstrate in, in a way that an employer can understand somebody did this and they can show that they are capable or at least have an understanding.
Um, so talk to us about the, the CCOA and the work that's been done there.
Jamie Norton: Yeah. So our, our our, uh, brand new CCOA, the Certified Cyber Operations Analyst, uh, is, is really based on a lot of work we've done with employees and with members around what, what's required and. Uh, you know, as I said, that technical discipline and, and hands-on [00:09:00] experience as well.
So there's a, a real demand at, at particularly at that early stage career, to have hands-on experience in those technical disciplines. So be able to walk, you know, into a, into a SOC role or SOC analyst role, or maybe a, you know, penetration test or what some of these other types of roles where you need that, that, you know, hands-on experience in those technical disciplines to start you off.
So, um, so that's where we, we've gathered that feedback. And so the CCOA is, is very much a certification for. You know, a new graduate or someone early, you know, a couple of years into their professional life, um, and a's certification that gives them and, and their employer, I guess, confidence that they have those entry-level skills to, um, be able to work on a, on a security operations center or a, or as a tester or other techniques.
How,
Marco Ciappelli: how is the dynamic of deciding. You guys sit down and say, Hey, we need a new certification. Like, I mean, you, did you talk with employers and say, Hey, are we lacking something here? Yeah. Something new in the industry. Um, tell me a little bit about that.
Jamie Norton: Yeah, it's, it's, I mean, it's normally our certifications [00:10:00] across the board are very, um, we have a structured approach to developing those.
You know, it starts with, um, you know, really good data-driven analysis of the, the white space, I suppose in, in the market and, and what employers and our membership are telling us. So that can be through surveys, um, or, or direct outreach to employers and, and to members. So, um, we, we, we do all of that and, and at scale because of, as Sakas, you know, global scale, we do that across all of our geographies and, and get a really good sense of what's being asked for by the community and by the, by our, uh, by our membership.
So in this case that that's exactly what happened. Um, and then from that point, we then also, um, both, we have obviously a, a big staffing contingent in AKA that works these, but we also embrace our membership to help us with. The content for those certifications. So, um, nothing's, nothing's sort of done in isolation.
It's all very much, um, you know, there's community membership driven as well. Um, and it's the same with our, with our cism and our size of certifications, our two leading certifications there, there is, um, constant and regular, um, membership, um, oversight of those. And we, [00:11:00] we, we, we get harness the, the experts in our community to help us develop those.
So, um, what we end up within is a very fit for purpose, uh, very, um, you know, on point. Uh, certification that, that meets those demand areas. And in, in the case of CCOE, the, the feedback was that, you know, employers wanted those hands-on skills as much as they wanted, you know, a a sort of foundational expertise as well.
Marco Ciappelli: Very good. And I assume the geographic location, the data a little bit different depending where you collect them. Does it affect in the way that you actually structure the certification itself?
Jamie Norton: We, we certainly take that, uh, into consideration in terms of the data. Um, but, but you're right. There's. This, you know, certain geographies, uh, you know, will have, will have slightly different macro economics.
Um, you know, and, and you know, where I'm from in Australia for instance, you know, we are still, we're still reasonably strong as an economy, but we, we are in a, a bit of a cautious time. Mm-hmm. Um, people are, uh, you know, we haven't, we're, we've experienced a bit of volatility. We haven't necessarily seen a downturn [00:12:00] that's substantial, but there's a general concern and people are a bit unsure.
So, you know, where we're seeing that in the economy, uh, you know, that impacts on the professions that we support and, yep. Yeah. Um, you know, impacts on employers and what they're looking for and, and, um, I think that maybe talks to this desire around more early stage career and bringing people into the profession because employers, um, are looking to, to, to move down that path, uh, perhaps rather than, than, um, keep filling out the senior ranks, which is something we definitely saw come through in our surveying that Right.
Um, there's, there's more of a desire for, for younger or for less experienced talent come through.
Sean Martin: Yep. Can you, can you speak to the, the value of membership and the value of community? Beyond the training and the certification, um, to, to sit in an interview, right? Takes a mindset and a level of confidence that not, not that I just passed a certification, but I am capable, right?
Knowing that you're capable, knowing how to communicate that, um, [00:13:00] either to get a job or to enhance your, your career on your journey by gaining additional certifications along the way. Can you speak to. I dunno if you have any anecdotes of the, the, the confidence Isaka brings to the person by being part of the group and being part of, uh, and getting certifications.
I guess really.
Jamie Norton: I can, I can certainly talk to my, my experiences. Okay. And, and, uh, you know, I've been part of Osaka, as I mentioned for, for 20 plus years, but I, I started my journey about 2006. Uh, and like, like most people, the first thing on my mind, my first engagement was around the certifications. Um, and.
So I, I did my size and then my cism fairly quickly in, in that, in that sort of era. And the, the benefit that has been all the way through my career has been just, uh, it's, it can't be measured. It's just, uh, an amazing foundation, uh, for, for everything. And, and even now, I still have employers that request the cism and the sizer for different elements of my, of my career.
Um, but the, you know, the, the, the [00:14:00] confidence is one thing. I think that, um, I think the imposter syndrome in our profession is very strong. Um, and. You know, particularly when, when you, you tend to see that, you know, the figureheads and the giants of our industry are, you know, very experienced, very successful.
Um, and so coming into that, you look up to them, but at the same time you aspire to be them. And I think, um, having certifications been able to get that experience, particularly something like A-C-C-O-A as well, where you're getting actual hands-on experience, um, as well as the ability to, um, answer, you know, answer the, the quiz questions as well.
I think that just adds an extra depth that, you know, you can do the work. You've, you can do the labs, you've, you've got those insights so. Um, I think that can give you a level of confidence and it's certainly helped me and, and, and, you know, I'm a prime example. I've gone from, from, you know, entry level, you know, all the way through with Osaka, every step of the way of my career journey.
And, and now I've ended up from a, from a, you know, small country town in Australia to, to the, you know, director on the board. So
Sean Martin: that's phenomenal. Yeah. And I, I think outside looking in, we've talked about this for many years, [00:15:00] Marco, that it, there's an air of mystery. Hmm. Around cybersecurity? Are we going there?
I am going there. I love that. Yeah. And that only certain people have the skills and, and mindset, are you worthy? Well, it goes to the impostor syndrome. I, I think the industry's done that to itself. And I love hearing these stories where people can actually get the, get the skills, get the experience, demonstrate it, and be part of it a lot.
It's not. It's not a mystery, it's not magic. And
Marco Ciappelli: then is the, the business perspective. Right? Right. Like the other angle where I'm sure you can talk more about that, you have a little bit more peace of mind knowing that somebody come in already with the, with the right basis, the right knowledge. And then of course you can grow into what the specific of the business requires.
Um, but also I think to know that there [00:16:00] is this support. As you go, something new happen, new threats, new business scenarios. Ai. Ai. Alright, let's go in AI too, and knowing that there is someone that is preparing the, the new generation that come on. I guess, can you speak for that too?
Jamie Norton: Yeah, I, I mean there's, there's definitely certain elegance at a, at a certain stage of your career and, and with the foundation that you get from a psycho certifications where you start to back yourself in that you actually do know this stuff.
And, um. Having been fortunate to work as a CISO in some very large organizations, um, I firsthand experienced staff who are even mid, mid-career staff who tell me that they're, you know, they're, they're either not real cyber people or they're not technical and they can't do these certain things and they kind of shut themselves off.
Um, because we have this persona that as a cyber person, you know, maybe it's the Hollywood persona. It's like we are, we are hackers, or we have these massive technical skills and, and we are huge, huge brains basically. Then that's what [00:17:00] we do and we wear hoodies. Mm-hmm. Um, so, you know, I think the Osaka element has really helped with that foundation of that not everyone has that persona.
There's certainly that is a persona and there's value in those skill sets as well. But there's a whole governance piece of risk piece, insurance piece that many persona is, is absolutely critical. And it's the language of the board too. So as yo as you become more senior, you, you can let go of some of the technical skills, but you cannot let go of the, of the risk skills.
So that's, that's an absolute foundational key to success in my view.
Sean Martin: Yeah. Yeah. I'm so glad you went there and we'll, uh, I think that's a good, good closing point because I think we are,
Marco Ciappelli: oh, we got a couple minutes more. Do we have, okay. Yeah, let's talk about movies like hackers, movies. Well, no, I'm, I can see that.
I mean, I mean the representation is like somebody just brilliantly resolve Yeah. A little, like a riddle or something in a code in, in like two minutes and Yeah. You know, I'm sure there are those people and we need those. We do, we do, but we need a lot of people that growing. Alright, [00:18:00] let's, let's close
Sean Martin: with this then.
Let's close with, we'll give you the final word. Um, what's on the horizon for Isaka? And maybe a, a call to action for folks watching, either on their own journey, helping others on their journey, hiring people on their journey. Final, final message to folks
Jamie Norton: there, there is, is so much going on right now in terms of what's on the horizon.
I, uh, you know, we've just released, um, a survey results around quantum and, and post quantum cryptography. So, uh, the messaging there with the quarter of action is start looking at that now and start thinking about that today. Um, you know, we've got some AI certifications coming down the track as well, which are, uh, you know, also very nice and, and very much, um, you know, at the right time for AI's, you know, evolution, uh, around audit and around security of those, of that technology set.
Um, we, uh, we have that some career journey stuff we're working on as well, so I think that's gonna be a fundamental game changer around really. Looking, looking back to our [00:19:00] membership. I mean, at the end of the day, we are a membership organization and everything we do is about members and for members. So, um, you know, whether that be, um, helping them with their education and certifications or, or just helping them broadly across their careers.
So, um, we are really focusing in on that, and I think that will be a game changer, uh, you know, once, once that's released as well. So we have, we have lots happening. Um, sounds like it. I think at the end of the day, um, you know, if you're not an Saka member, there's almost certainly a local chapter. That you could go along and, and most of them you can, you can head along, you know, for nothing and see what it's all about.
Um, um, and then look at certifications and, and, you know, let's, let's, let's help, uh, all, everyone across the globe sort of get into the profession they want and, uh, and succeed.
Sean Martin: Yeah. Right. Rising, rising, tide rises, all those. That's it. And, um, well, I, I
Marco Ciappelli: think it tells a lot about the, the society is evolving technology.
Mm-hmm. Yeah, we are afraid that certain jobs are going away. Obviously with ai, if we want to go there, but also other opportunities come. [00:20:00] Absolutely. So it's good to have an organization that is, stays there and it, and it keeps the training going and evolving with time. We,
Jamie Norton: we've all gotta adapt, don't we?
And, and, and, you know, Osaka will adapt as well as, as AI keeps moving and changing and, you know, new things come in and out. So, uh, absolutely. It's all about changing and moving with the opportunities. Right. Awesome.
Sean Martin: I wanna say we are also organizing a webinar with the, with the team. So, uh, we'll be, we'll be announcing that.
So stay tuned to itsp magazine.com/webinars and, uh, please do sign up and participate. 'cause this, it's another chance for the community to engage and express what they are, what they want, and employers as well. So to join us all for a conversation. Absolutely. And, uh, I think that's it, man.
Marco Ciappelli: That's it.
Sean Martin: Awesome. I mean,
Marco Ciappelli: we're on time. We're not gonna be yelled by these guys here filming, so there's
Sean Martin: no exit, exit stage music in a play on. No. I say to
Marco Ciappelli: stay tuned because we're gonna have many more conversations. Yes. [00:21:00] Here at RSA conference 2025 and they can learn everything where? Sean itsp
Sean Martin: magazine.com.com/rsac two five.
Stay tuned for my chat with Rob Clyde, good friend of mine from Symantec days. Uh, we're gonna get a recap of, of this week. As well. So thanks everybody. Stay tuned, subscribe, share with your friends and enemies. We'll see you soon.