Security Education with Cyber Skyline – CF059

This week on Cyber Frontiers, Christian and Jim interview Franz Payer, CEO of Cyber Skyline, to discuss their platform for training and developing the next generation of security professionals in the industry. We discuss the current challenges in the security education market and explore where Cyber Skyline fills a critical gap across three products that help first-time participants and security practitioners alike up their infosec ability. We also take a look at the growing market segment for cyber education and discuss the evolution of Cyber Skyline into the company it is today. We cover the trends that are evident in industry with today’s talent pool and how non-traditional security roles are also greatly benefitting from a security-focused mindset. If you are curious what it looks like to train cybersecurity practitioners in today’s world, you won’t want to miss this interview.

Cyber Frontiers is all about Exploring Cyber Security, Big Data, and the Technologies Shaping the Future! Christian Johnson will bring fresh and relevant topics to the show based on the current work he does.


Jim Collison  [0:00] 
This is The Average Guy Network and you have found Cyber Frontiers show number 59, recorded on December 10, 2019.

Jim Collison  [0:18] 
Here on Cyber Frontiers we cover cyber security, big data, and technologies that are shaping the future. You have questions, you can always send us an email: Jim at the average guy TV. You can catch Christian over there: Christian, the average guy. You know, he’s a smart guy, so you probably want to send him the email. You can also follow me on Twitter at @jcollison; of course Christian is at @borgwhisperer. The Average Guy Network TV, powered by Maple Grove Partners: get secure, reliable, high-speed hosting from people that you know and you trust. Christian, I just did a bunch of updates at the average guy TV two weeks ago. I broke some stuff in the process, but in doing it, super fast, super reliable, reliable. I just, I’m always surprised. I think we got a WordPress upgrade.

Christian Johnson  [1:01] 
Several upgrades. The platform WordPress did come out with their 5.3 production release branch, so that’s out there, big update. The Maple Grove platform has upgraded its head and bandwidth, so you should see even more performance for some of our large workloads. So better, better latencies, more bandwidth, we keep it coming. Also running for our holiday special like last year: if you use promo code cyber frontiers, all one word, caps, you will get a 10% discount at checkout for any of our plans or services.

Jim Collison  [1:36] 
Yeah, plans start at as little as $10 a month, and they’re WordPress optimized and great for podcasters. I know that because I’m there as well. So there’s a platform

Christian Johnson  [1:45] 
for podcasters. So if you want white glove service and getting your community online and running, we’re the place to do it, and that’s, you know, not limited to podcasting. We can support other types of web custom applications. So Chris I’m

Jim Collison  [2:00] 
gonna ask you to slow it down a little bit because I just don’t even believe it’s real. It’s so fast. So Maple some hops for you. Just Could you do is just slow it down. Okay now throw some ARM processors in there something Maple Maple Grove Christian, good to be back with you. We have a guest tonight as well. Why don’t you take a second and introduce him?

Christian Johnson  [2:20] 
Yeah, absolutely. So for our listeners who have been with us since the beginning, we have a returning guest to the show, going back to Cyber Frontiers Episode Five: Franz Payer. Franz is the current CEO of Cyber Skyline, which, Franz, why don’t you kind of recap for us: what is Cyber Skyline?

Franz Payer  [2:42] 
Sure. So that’s a surprisingly big question. But in a nutshell, Cyber Skyline is a cybersecurity skills assessment platform. And our goal is basically to help people understand cybersecurity skills, whether that is an individual practitioner, you know, faculty at a school, employers. We’re really just trying to provide hands-on, you know, realistic scenarios so that you can understand your abilities and how that compares to the rest of the industry.

Christian Johnson  [3:10] 
And kind of walk us through from the start, right? That vision you just gave us now as a snippet is definitely an evolved vision from where you guys started the company. I think this is your fifth year of operation now, correct, as a startup?

Franz Payer  [3:22] 
Yeah, so we incorporated in 2014. So I think we’re at five and a half years at this point. But originally, the company started as just a normal, like, competition platform. So when we were in our cybersecurity program back in Maryland, we were using that as a way for the rest of the students in our classes to just get some hands-on experience. We just build our own challenges and stuff and then have everyone else do it. And then we found out that we could actually make this into a real product. There’s a huge need for being able to measure cybersecurity skills, you know, especially when it comes to hiring, when it comes to validating, training, all these different things. And so we took this little pet project that was working on the side and then, you know, graduated and made it a full time job.

Christian Johnson  [4:13] 
When do you have the crystallizing moment that you knew this was something you wanted to do more as a hobby, I guess? Like when did you know it went from college project to hackathon development to wait a second, we have a company on our hands. I mean,

Franz Payer  [4:34] 
I think it happened at the beginning of senior year, and my co-founder, Toby, and I were just driving somewhere in his car. And we’re like, well, what do we do after college? Like, what are we doing? Because that’s about, you know, beginning of senior year’s when everyone’s like, okay, where am I going to work after college? A lot of people have that, you know, nailed down by October, so we only have a couple weeks away. And then by that time we actually had been running large national competitions. So we were running the National Cyber League competition, which at the time had a couple thousand people per year. And we also had the NSA Day of Cyber, where we put like 50,000 people through that, and it was good money for paying tuition, but then we’re like, well, let’s take the plunge. And it’s enough money to sustain ourselves at a college. And, you know, this is a big thing that we could really make happen. And that’s kind of been our deciding factor, is like, hey, it’s enough to pay the bills. I think this is cool. What else are you gonna do a start up? Let’s do it now. And that’s what we did.

Christian Johnson  [5:43] 
It’s unusual, I would say, for the majority of people graduating from a four year undergraduate program to want to take the risk to kind of start something completely from scratch. And I think most people would not have the appetite for that level of risk. What was the largest risk for you guys going into operating as a full time startup? I mean, money,

Franz Payer  [6:05] 
right? We had our existing contracts when we were in college, but at that time, it wasn’t enough to sustain the both of us. And that was kind of like the, okay, you know, are we gonna be able to generate enough money to, like, justify us going full time on this, or we’re gonna end up on the streets and stuff like that. Turns out, we figured it out. We didn’t end up on the streets. It gets bumpy sometimes, but I mean, that is by far the biggest risk, and especially when you’re going to start up, when you want to hire someone else. You have a lot of situations where you get a contract, and it’s enough to hire, you know, a fifth of a person. You know, I can’t hire a fifth of a person. I gotta take on, you know, four of these things, do like a lot of work outside of what a normal person would do. I do like, you know, like my effort plus an additional 80% until I finally get that last one where I can justify hiring someone full time, and I don’t want to hire someone unless I can guarantee that I can pay them for the next year. And so that’s the biggest risk, is always like the cash flow coming in and worrying that, you know, you might end up on the street. Now thankfully, we set ourselves up for engineer salary and not what does it actually take for me to keep my shirt on. So sometimes you dip a little bit under and it’s fine because you can still pay rent, but it’s kind of you’re missing out on opportunity cost, I suppose, the biggest thing, if I could take a stable job somewhere else, and not have to worry about, oh, I might be, you know, 20% under my salary this year because something happened or something didn’t happen.

Christian Johnson  [7:40] 
Sure. And the company itself, the market that you’re competing in: obviously, cyber security as a large domain is a billions upon billions market. When we start looking at the specific market segment of kind of training, education, empowerment, for lack of a better word, to put people on the path where they can have a successful cyber career, what do you estimate that market segment is for your business? And where has Cyber Skyline over iterations become a market discriminator from your competition?

Franz Payer  [8:16] 
Sure, um, well, let me just start with kind of exactly what we do so people can understand better, like, how we fit into the equation. But effectively what we do on the, you know, hiring slash HR side is we provide cybersecurity skills assessments that employers can send out to candidates, and that automatically validate the skills that they may have. So there are a lot of different products like this in the computer science space. So a big one, I think, is HackerRank, which just tests your coding ability, and we provide a similar service for cybersecurity. Additionally, with the recruiting side, we have the ability for a company to launch a public challenge to source candidates. And so we can bring in some candidates, we can push them on social media and attract candidates that way. And then, you know, companies can then convert them over and save a lot of time and energy, especially with engineering time doing the interviews. We kind of provide that first layer of screening so that recruiters aren’t just passing over completely unqualified people to engineering and wasting their time. And then the second thing that we do for companies is we provide them with, you know, the same type of assessments, but using this for pre and post training: you know, what was the value of that training course? Did my skills actually improve? So we fall in multiple different segments, even on the enterprise side, with some of the budget coming in from recruiting, and then, you know, some of the other budget coming in from training. Where we kind of fit in in all of this is we primarily target companies that have very large cyber security teams, primarily financials, government contracts, managed cyber security providers. Those are the big ones.
And the way that we distinguish is that there actually aren’t too many companies doing this right now. There’s some companies doing the computer science side, like I mentioned with HackerRank, but not a whole lot of companies doing this in cyber security. And there’s starting to be a little bit more competition there. But I think the big way that we differentiate is kind of a lot of the data and the analytics. So we don’t just give you a, you know, 80, 90% score; we’re actually saying, hey, you’re top 10% of industry or you’re bottom 10% industry or whatever that is, and we can do segmentation on that and all that stuff, and really drive home a lot of the business value there by saying, you know, these are insights that actually help you hire and de-risk your odds of making that hire. And so, I tried to put a number on it, you know, in terms of how big the market is, I don’t know if I really could, to be honest, because it’s still not quite a defined market, but you’ve got a multi billion dollar market for just, you know, tech engineering, hiring and HR and all that. And we’re a piece of that pie

Christian Johnson  [11:08] 
and kind of talk through for our listeners, what is the core aspect of the Cyber Skyline platform? Right? So, you know, as a broad narrative, there are related companies that might call it like cyber gamification, right, where you’re playing a game or competition. But Cyber Skyline’s a little bit different. What makes it unique?

Franz Payer  [11:30] 
So, yeah, if I try to simplify exactly what we do, just imagine LinkedIn for cyber security, but instead of everyone self-reporting their skills, they’re actually going through hands-on technical screening assessments that measure their ability to get to fashion. So fundamentally, we’re not just an assessment, or a network and a platform for facilitating that. So unlike HackerRank or any other product where you just go and take one and you get one score, everything that an individual does on our platform feeds into their overall profile. And they can use that as, you know, my personal profile, my personal timeline of growth that can prior to employers, they can use that in their classes to figure out how they can improve and all these things. And that’s the real value, is the fact that it’s not just a one-and-done thing. It’s a living, growing profile that’ll stick with you as you pursue your career in cybersecurity.

Christian Johnson  [12:29] 
And how would you say the experience translates or is different between someone going on to a LinkedIn-like platform and having their skills ranked and assessed versus when someone comes into a hosted Cyber Skyline competition where you’re hosting a competition, maybe for something like Maryland’s National Cyber League?

Franz Payer  [12:49] 
Yeah. So stuff like LinkedIn, a lot of those assessments right now are primarily just knowledge based. So all those automated assessments, you’re either self-reporting your skills, or you’re doing multiple choice questions or fill in the blank. And we’re very much focused on the hard skills. So we will actually set up an environment. Let’s just say you’re screening for someone who can do incident response. So all those other assessments that are the traditional providers right now are just going to ask you, what would you do in this situation? You know, we got breached, what’s the next step that you would take, which is a hypothetical. And we actually take it one step further, and we say, here’s all the forensics data. Here’s the forensics evidence of what happened from a breach. We did a case study with Capital One where we actually simulated the Target breach: someone broke in, stole credit card information, and we were like, here’s some, you know, forensics logs. Tell me who the hacker is, how did they get in? You know, what vulnerability, what services? What if we should do this still all these specific tasks that you would need to perform on the job, if you got hired to do incident response. That’s what we’re having you do, and you’re proving those technical skills. It’s not hypothetical. And so that’s the big difference. And when you put that in a competitive team environment, it makes it a lot more enjoyable, especially when we do stuff with teams. And the biggest feedback that we get from players is that they actually enjoy going through the assessment. It’s not like you’re taking a test at school where everyone kind of hates it. We have a 93% satisfaction rating with our assessments. And it’s because it’s gamified. And it is more interesting than just, hey, you know, let me fill in the blank

Jim Collison  [14:35] 
for untidy stay up to date. I mean, there’s a lot of changes going on all the time. And it’s it’s a moving target. I mean, to keep the assessment fresh to keep the scenarios fresh. How do you guys stay on top of that with with everything that’s going on and kind of stay current?

Franz Payer  [14:52] 
Yeah, I mean, that’s a good question. We get that all the time. It’s actually rather simple, which is we just listen to the news and security feeds. So whenever there’s a new, you know, the mariadb breach, Target breach, like I mentioned, you know, we actually look at what happens in those breaches. And we build basically a sandbox environment and we’re like, here’s a scenario that replicates exactly that. So, you know, Capital One got breached a couple months back, because they’re leaking S3 buckets. A lot of companies are getting breached that way. We have an S3 bucket scenario within our platform. At the end of last year, eBay Japan got breached because they were leaking their Git repository on the website by accident. And just like two months before that, we saw that as an emerging threat on different feeds. And we’re like, okay, we’ll build a scenario for that. And then one week after we pushed that out to our users, eBay Japan got compromised exactly that way. So just by listening to the feeds and seeing what’s happening out there, we’re able to stay relevant without having to put in a whole lot of resources. You know, chances are when you see a big breach like with Capital One or eBay, other companies are wanting to make sure that they’re defending against that. So we just, you know, cater to that and build new challenges.

Jim Collison  [16:08] 
That way. In some sense, you built the learning management system, right? users can log in, they can keep track of things you have, in some ways, you have a resume builder, because you’re allowing them to come in and kind of build their resume based on skills that you’re doing. How do you balance just as a developer, as an owner, as a as a CEO? I’ll call you that. Can I do you guys? have you got? Have you given yourself that title? Yeah. nicly. I’m technically CEO, and awesome. All right, I got the title. Right. That’s awesome. How do you balance the platform build out? Because that’s one thing, right, making sure the platform works. That’s not necessarily cyber security. And it says in it is maybe in some ways, but but there’s the platform built out with all the cybersecurity work that you have to do as well there. There’s a little you know, those are kind of two different skills. How do you find as with the two of you, how do you guys how do you kind of balance that out to make sure both the platforms being built, and you’re staying up to date with cybersecurity pieces.

Franz Payer  [17:05] 
I mean, it’s definitely a big challenge. Basically the way that we do it is we do a lot of the sourcing for the cyber security stuff on our free time because we’re just generally interested in the space, so we’ll be looking on, you know, Reddit’s netsec, you know, subreddit, looking at Twitter, looking at all these different feeds, just figuring out what’s out there on our free time. And then what happens is most of our time is actually spent on the developer side, and then we specifically allocate cybersecurity, you know, content development time enough within our schedule. And then of course, when a customer comes along and says, hey, I want, you know, X, Y, and Z, then that gets plugged into the schedule, but for the most part, it’s primarily driven by the needs of the technical capabilities. And then the cyber security component is just the content that feeds into the engine. So we’re constantly trying to figure out, you know, how do we build a better engine. And then when someone’s like, okay, I need you to go for, then we figure out, you know, how do we build the fuel that we put into the engine. And that’s kind of, you know, filling that on, you know, an as-needed basis. And we just make sure we have enough stockpile so that we’re never left in a situation where there’s no new content going out to our users.

Jim Collison  [18:17] 
It’s kind of sad that we live in a world where that content’s so easy to get ahold of, right, and you never run out of scenarios. You never run out of, right, there’s always a breach happening of some kind. There’s always opportunities of things that went wrong to use as an example, right? You kind of mentioned that with the Japan eBay breach. That’s it, they’re happening. Christian, maybe at a more frequent rate these days than before, or do we see them backing off low, but

Christian Johnson  [18:45] 
I think it’s a little hard to say. I mean, certainly from 2017 would have been the height of data breach years just by volume reporting for a year, so we’re definitely in 2019, our overall data breach rate is much lower. However, I don’t think the impact of a company getting breached or the mechanisms in which they can get breached has lowered at all. If anything, attacks continue to get more targeted and more sophisticated now that the low hanging fruit has largely been plucked off the tree over the last five years. But I don’t think the financial damage or impact to companies, that threat model has not changed much for an organization. So in terms of the scope of what it means to deal with a data breach, we’re still in the same playing field. I would say the overall volume, though, being lower indicates two things: one, the level of advanced persistent threats has increased because of the level of difficulty going up, and two, the overall organizational effectiveness properly managing IT resources and platforms has allowed the, quote unquote, data breach count to go down.

Jim Collison  [20:03] 
Franz, have you seen in the years you’ve been doing this, and you kind of have to program these scenarios, do you find students getting smarter with these than when you started four years ago? Or has the student kind of always just maintained similar quality? Are we getting better at training and educating our students? Or is it just maintaining or getting worse?

Franz Payer  [20:29] 
Um, yeah, that’s a very tough question to answer. Because I think as a whole, I don’t think that there has been a huge change in student ability. And it’s primarily driven by the fact that we have so many new people going into the field and you’re just getting way more beginners, and it’s kind of, you know, the average goes down when you have a bunch of beginners coming in. Because I think, you know, the people who have been in, you know, different academic programs, have been learning about security for a couple years now, their average skill level is going up pretty well. So something that we see within the National Cyber League competition that we operate is that on the high end, with the schools that have kind of a very consistent program, they have the same students competing in this year after year, they have developed better strategies for learning new technologies on the fly, for working together as a team. And that’s demonstrated through, you know, their ability to solve these challenges that we offer with higher accuracy rates and quicker times. However, like I said, on the low end, you have a bunch of new people coming in and it’s their first time and they don’t quite know what they’re doing. So I think we are producing more and more qualified people. But it really depends on where you’re looking at. I mean, you have a lot of different four year universities, which don’t do a good job of giving enough applied cybersecurity skills. I don’t know Christian, I don’t know if you took the cybersecurity course back at On the 414 Yeah. So if you were calling them like a vast majority of the class had no clue what the hell they were doing correctly, it’s just a bunch of people who are in a 400 level class, they’re junior or senior, they should know all there is to know about, you know, the basics of how, you know, different operating systems work and Linux and all these things.
And you have people asking how do I change directories from the command line? And you’re like, whoa, this is a 400 level security class, you know, this is so foundational that like, but I mean, we also have kids from community colleges. I mean, I hesitate to say kids as well because you have a lot of, you know, people who’ve been in industry coming back to get cybersecurity degrees. And, you know, they get kind of left behind by big employers because they’re not from a big brand and university, but a lot of the people who are not from the more, you know, well known schools actually learn a lot more of the necessary skills to perform on the job tasks. And, you know, you cannot basically I think what you’re getting from four year universities is a lot more theory, and what you’re getting from the other schools is a lot more practical stuff. It’s applied. Yeah. And it’s applied. And it’s great to know the theory. But if you’re not getting the applied stuff in your classes, you got to get the applied stuff elsewhere. And, you know, some people like Christian and I, we got those because we were actively seeking those. I think schools should be doing a lot more to encourage their students and facilitating ways for their students to build up those technical skills, those applied technical skills, because if they’re just covering the theory, then you’re going to have, you know, these exact same situations where you have people graduating from, you know, a top 20 cyber security program in the US, and they don’t know how to change directories from the command line. And it makes no sense at all.

Christian Johnson  [23:55] 
Yeah, and I mean, I guess one of the things that’s interesting to me is how we’ve started creating a culture within the industry to where in order to be a software engineer, you’re not required to, not necessarily be a full scale security engineer, but you’re also usually not required to have basic opsec security fundamentals as part of your training. So we put software engineers out that in theory know how to write performant, scalable, reliable code that meets a specific customer need, feature ask, and working back from that to produce an end result. But a lot of times, writing code that is bug free somehow doesn’t also fully translate to writing code that is raising the bar on security, right? And it starts to not scale well because the larger the industry gets a population of software engineers, for example, who don’t think in a security oriented mindset when developing their code, it lends itself to additional work and additional industry presence required in the IT security space, in the cyber security space, both offensively and defensively. Because not all software engineers are equal when it comes to dev versus, for lack of a better word, devsec, right, like a software engineer who understands the code that they’re writing and what security implications it has. Have you guys found in any of the work that you’ve done so far, what is the level of interest from companies with respect to training pure thoroughbred cyber security practitioners that are, you know, using applied cyber security skills versus training, you know, people like software engineers who need to have some of these skills even if they don’t live and breathe security so that they’re not adding to the problem?

Franz Payer  [26:00] 
Yeah, that’s a very divisive question, depending on where you go, because we’ve seen people on both extremes where they’ll live or die by either of the two paradigms. So the one paradigm where we should train all of our developers to be security conscious, and keep them accountable for the security, and then the other paradigm of let the developers be developers, have one dedicated security person there to clean up the mess that might happen. And I think it really comes down to incentives. And a lot of companies right now are trying to figure out how can we best incentivize people, because if you try to go down one paradigm, but you don’t have the right incentives, and you have a lot of mess. So for example, developers in many companies are not being assessed on their ability to write secure code. There’s no metric for doing that right now. What they are being assessed on is how quickly can you push out new features. So if you’re going in with the mindset that all of your developers are going to be trained for security and that they’re going to be stakeholders in the security posture of the company, but they are only being assessed on their ability to write new features, then you’re not going to have an effective program. Because even if you put them through all the training, it’s not going to stick until there’s some incentive that makes it relevant to them. And security becomes just this thing that bogs everything down. So we’ve seen companies just decide, hey, I’m going to have a dedicated security person, they’re going to look at all the code reviews, you know, stop anything bad from going in there. And then, hopefully not build up too much animosity between the developers who want to push out features and the security people who want to slow things down.
So I think it really comes up to management and their responsibility of saying, well, we didn’t make the process incorporate security, you know, earlier. So that’s not an afterthought. And I really don’t think right now there’s a, you know, definitive program that I can point to, and maybe there is one but I haven’t seen it yet, where they’ve got it down 100% um, you know, but I’ve seen companies do it both ways. Some are successful, some are not. And it really comes down to, you know, listening to the developers making sure that there’s a security culture and that no one’s feeling like they’re being held back because of security. And, and adding it earlier into the process. If your security person on the team is just there to help with the code review, they’re not able to help with the architecture and the design process. And when they find something bad in code review, it’s, you know, really expensive to go back and fix it.

Christian Johnson  [28:42] 
Sure. And I mean, in terms of the level of scale, too, it also causes challenges when you have now teams of software engineers, or herds, I like to call them herds of cats, that are all developing and working on different parts within the company, and then having to have security engineers not only be experts in their field of security, but then be experts on each of these different architectures or services or products that these teams are responsible for. Right? And so that human model probably doesn’t scale too well there over time as industry moves forward. With respect to your platform, like a lot of it right now is kind of B2B from your business model, or kind of gaining exposure to the masses through these competitions, like NCL. Can you talk a little bit about where is the business going direction wise in terms of like an individual, like myself, being able to go sign up and do challenges as an individual without being a part of any formal competition or talent screen? Or is the model really going to be more focused on those kind of peer to peer interactions at the business level?

Franz Payer  [29:50] 
Right. So I mean, we actually do have a B2C product offering right now. We have a subscription that people can sign up for right now. Now we’ve kind of just left it open for students who do participate in our competition. And it’s just an annual subscription where you can imagine it’s like Code School or Pluralsight or something, where you pay a subscription, you get access to all the content year round, we add new content every single month. That’s a very simple B2C model. And our plan is to, in the future, continue adding in value there. But I think that where we add the most value to people is not by just giving them the keys to the content library and then letting them roam free. Because what we found is that levels of engagement are rather low when you just have access to everything and no limitations. You don’t know where to start. And we like doing a lot more structured things. So, you know, we kind of offer the individual B2C thing to get people on the platform, keep them engaged, but we want to continue basically providing individual experiences through our B2C campaigns. So whether that’s running additional competitions in person or online or with the screening and stuff, what we want the future to be is you have a, you know, a subscription on our platform that allows you to practice all your skills continuously throughout the year. But that’s not the only way that we want people to be engaging on our platform. We want you to, you know, have that thing so you can practice and build up the skills, but you also do the other competitions and, you know, allow us to help you when you’re trying to get a job.

Christian Johnson  [31:33] 
Sure, got it. Jim, I kind of think of Gallup, only from the sense of Gallup does a lot of talent assessments and what are your top five strengths and a lot of related products. In a weird way, how much similarities or dissimilarities do you see with Gallup’s approach to measuring a person’s talent and specifically here trying to measure success? talent.

Jim Collison  [32:01] 
Yeah, well, if, you know, understanding the product, and we’ve been looking at this for the last couple years with Franz as we talked about this way back when they were first thinking about this, and through the years, you know, the talent assessment that we use at Gallup really has 177 questions where we pair them against each other, say, are you more like this or like that? And it’s really a self-assessment, you’re kind of determining who you are based on your own experience. Franz, you can correct me if I’m wrong, as I’m looking more at your product. It really fits in a role of, I need you to do something to show me that this talent is there, right? Give me some, what, go through these logs, do these things. It’s more of a, there are some specific, and, you know, so it’s kind of a specific role-based tool where it’s like, hey, in cybersecurity, you’re gonna have to do these kinds of things in this role, where CliftonStrengths is more a general tool looking for some general talent themes. In other words, when I think about things or when I do things, I generally do them in this way: I think out loud or I think internally, I approach things based on relationships, or I approach things based on execution. Franz, I think, and maybe you can kind of talk to this a little bit, really more rules based or skills based, and saying I can do these specific skills. How correct am I in an assessment of your tool?

Franz Payer  [33:25] 
Yeah, I mean, I think that’s pretty spot on. I think we’d be pretty complementary to that. So we basically, we don’t focus on EQ at all with a lot of the assessments that we’re doing. Sometimes when you’re in teams, we can do some EQ there, but that’s not really something we’re objectively measuring. We just say, hey, this team did better because they were better, they’re able to work together better. But yeah, we’re very complementary to those products because we’re focused very much on the technical role-based skills. And then we are so reliant on, you know, a CliftonStrengths assessment or, you know, a normal, you know, recruiter, technical recruiter, phone screen or something like that, where they kind of measure the thinking of the person, the way that they work together, all those different things that would be important things to know about an employee before you hire. And so we’re just focused on the

Jim Collison  [34:18] 
technical side work style, you know, some of those, some of those working. Christian, you know, we also have a selection tool that helps us pick based on right fit to the organization. And so that’s kind of another level, and is your work style one that fits well in the organization too, are we getting you assessed into the right role? This is where Franz fits in. And this is really, I think, where these technical assessments shine. You know, years ago, they weren’t very good. I think they’re getting really good now in what they can do and what they can assess. And then of course, CliftonStrengths would help with how you go about doing that role. What kind of style are you going to have, how are you going to fit well on a team, what kind of, what additional talents are you going to bring to that? So I think that’s a good, and Franz, I think you’re right, I think they really are, they complement one another really well, kind of based on the dimension of the person that they’re looking for.

Jim Collison  [35:15] 
That makes sense, Christian?

Christian Johnson  [35:17] 
i think so I’m rocking it taking I’m taking a moment of silence

Jim Collison  [35:22] 
You’ve taken them all to make sense. Yeah. Franz, have you had Christian go through your, have you had him actually go through a

Franz Payer  [35:28] 
Christian’s been through many of them, he’s all these competitions. Did you ever get a smartwatch or something for one of our

Christian Johnson  [35:35] 
Did, in fact.

Jim Collison  [35:35] 
I leave it on my desk. Really? I have the

Christian Johnson  [35:39] 
it’s a little bit interesting lately I’ve been having problems with it but my my android smartwatch here, the Motorola one. And then of course I defected to iPhone. So shame.

Jim Collison  [35:55] 
What kind of feedback have you been getting from employers after the fact you’ve run some Just recently, you’ve run some kind of big engagements. What are you hearing from them? And what kind of feedback Are you getting from the employers on that side?

Franz Payer  [36:09] 
Yeah. So I mean, the majority of the feedback is that it’s just like the huge time savings. Every time we talked to the engineering team, after we do one of these things, it’s just like, wow, like, why are we doing this sooner? Because a lot of the times you have candidates who are, you know, typically lying on the resume to get through a lot of the recruiter, you know, screening because recruiters don’t know how to measure all these technical skills. And then it gets passed on to the crew, to the engineering team. And the engineering team is wondering, why is everyone so unqualified, and so we have this problem where the most, you know, reliable, ethical people are not going to overflow off the resume. They don’t look as good in comparison, and engineering. Just get stuck with all these, you know, liars basically, and so on. hard, it’s so time consuming to go through that. And we were talking to a couple of customers that was asking, Can we just like bypass the recruiter, and then go straight to the results of your assessment, and then start picking people from that. And, you know, we tried to play this role, where we’re just empowering the recruiter to make decisions faster. The recruiter should only be really focusing on is this person a good fit for the team? Do they work well, with other people focusing on the human components of things, rather than the technical skills? And so yeah, we always hear, you know, from the recruiter side, they’re happy because the hire gets made much faster, it makes their metrics look a lot better. You know, obviously, if they can fill more candidates in a shorter period of time, that’s what they’re being measured on. And, you know, engineers are never thrilled to be wasting their time interviewing someone who’s completely unqualified

Jim Collison  [37:53] 
Have you had engineers kind of question your assessment? You know, they’re also like, well, maybe I’m the best doing this as opposed to outsourcing it. Have you had kind of that pushback from an organization feeling like, you know, I know you think you’re doing a great job? Are the engineers? Have you gotten pushback from engineers on what you guys are doing?

Franz Payer  [38:14] 
Once in a while. I think what it really comes down to is, you know, they have their understanding of what they’re looking for within the organization, and they might not think that we match that. Typically, in those cases, we actually support the ability for them to take whatever assessment that they have and import it into our platform. And we’ve done that a couple of times, and it’s not a huge deal. But I mean, at the end of the day, I think a lot of people, you know, really feel that they have a better assessment, but if they’re going to be spending hours upon hours or days just sifting through all this noise because they have to manually grade it or they don’t have a better process for it, eventually they relent, and they’re like, okay, you know, maybe you’re not perfect, maybe I like doing things my way a little bit better, but, you know, if it’s going to cost me an arm and a leg to, you know, maintain it myself and all this time, then it’s not worth it. And I can do my additional screening on top of what you’re doing. But if I can at least help cut down a lot of the noise for them, you know, it’s added value to them.

Jim Collison  [39:14] 
Are you able to customize your platform based on engineer feedback? In other words, if they gave you some feedback, like, we’d really like these kinds of scenarios, or in our areas, we see a lot of those things, are you able to kind of customize what you’re throwing at the students, or your assessment, taking into account their kind of needs?

Franz Payer  [39:36] 
Yeah. And that’s actually part of our content creation process. Whenever, you know, we have that time set aside for creating new content, we look at the priorities, and the priorities are always driven by, you know, number one, what the customers are asking for, then number two, what the users are asking for. So, you know, a big example is we’ve gotten a lot of requests from customers to push more into IoT and push more into cloud security. It’s a little bit harder to assess over the internet, but there are still ways of doing that. But a big thing with cloud security, that’s when we started doing stuff like the S3 buckets, and building those challenges that way. You know, a bunch of different things are being driven by the feedback. So it’s a matter of, do you have something in mind that you specifically want? If so, then we can import that into the platform. If you just have a generic idea of, hey, I want more cloud security stuff, we just add that to our roadmap, and then that gets pushed out on a regular basis.

Jim Collison  [40:33] 
You’ve got some great help or friends, let’s say coming out of the asis, program that around you. Do you guys lean on, you have an outside kind of advisory council or a group you talked about you kind of just keep your ear to the ear to the rail on what’s going on cybersecurity, and cyber security. But do you guys have an advisory group that you’ve built around you a little bit to get, you know, some additional help or advice with folks around you on what’s going on?

Franz Payer  [41:00] 
Um, so you mean in terms of just what’s going on in cybersecurity? Yeah, just for

Jim Collison  [41:04] 
the business, just having some outside counsel on other people’s opinion, like, you know, say a Christian of from from time to time getting some folks together. What are you guys hearing? Have you leveraged any any kind of groups like that?

Franz Payer  [41:16] 
I mean, we haven’t, we have a couple of different ways for doing that. So I mean, we, of course, have all the guys from college. You know, we catch up every once in a while, we share whatever’s, you know, going on. We also have basically our own little group of people that we talk to who have been on our platform, so users of our platform who have graduated a little bit out of college, and now they’re in industry, but they still like being part of our competitions and our platform. So they give us feedback and we’re in constant contact with people. Through the National Cyber League, we actually have this group called the player ambassadors, but it’s basically another group of alumni. And they’re more geared towards specifically the competitions rather than the rest of what’s going on with the company. But they provide, you know, feedback on what do we need to be building? What’s going on? What’s new? How can we adapt to what’s going on? And of course, we have our own advisors and mentors for the company. So, you know, we have people from the military or people from the financial industry, people who have run their own startups as well, that we go to as resources as we build everything out.

Jim Collison  [42:24] 
Good. Yeah, I, you know, I know it’s important to get that kind of board of directors feel so to speak. So you’re not feeling alone out there. I think you’re pretty well connected in those communities. And that sounds, that sounds pretty great. Just you’re not at this alone, right that you get some folks.

Franz Payer  [42:41] 
See, I think that’s kind of the biggest struggle when you are starting a company right out of college, the fact that you don’t have a lot of those relationships from the get-go. I mean, you just have the people, whoever your family knows, and whoever you met from school, that’s what you got coming out of college. That’s all you got. And, you know, my family’s in big into cybersecurity. And now there’s my co-founder’s family. And so we kind of just had what we had out of school and what network we could build on our own. And that was probably one of the biggest difficulties we had other than, you know, cash flow, and how do we figure out, you know, the money and how to pay ourselves. But how do we get advice, because we’re going into this blind. When you’re a startup, you know, everyone says that you learn through failure, but you only get so many failures as a startup before you crash and burn, right? You can get a couple, but if every single thing that you do is a failure, you might be learning along the way, and that might be great for you personally, but it might not be great for the company as a whole. So it’s always better to learn from someone else’s mistakes. And we basically spent, you know, I got, we spent like a whole year just trying to figure out how do we build that network? And how do we meet new people who can provide us the advice and mentorship that we need? And I think that’s why people who actually have startups all have 10, 20 years of experience in industry first. That whole, you know, college dropout that’s in a startup is a huge misnomer. When we set out for this, we started joining some accelerator programs and we were like the youngest people there by far, like easily 10, 15 years younger than everyone else there. You know, I have not really met anyone else at these accelerators, at least on the East Coast, that has been our age. I mean, West Coast is a completely different ballgame. 
But I think, you know, what is normal for the rest of the country is people who have a lab, you know, many, many years of deep connections and mentors and people that I can talk to and that’s something they decided to create a startup.

Jim Collison  [44:43] 
Yeah, we it’s so Gallup, we have an entrepreneur, a tool to help people do this, do what you’re doing right from scratch. And in part of the exercise, one of the exercises, I think it’s the fifth one you do is kind of building that board of directors around you and you have to call it that. But those people that kind of get that advice from and I think you’re right i do think the on the East Coast it skews a little bit older as opposed to the west coast I don’t know that for sure. But it does seem like you know it’s a little it’s a little less risky that way right you said being industry for a little while, jump out and do a start up as opposed to on the West Coast at me. You know, she you guys may be West coasters as opposed to coasters, but

Christian Johnson  [45:27] 
West Coast and plants and the East Coast.

Jim Collison  [45:29] 
There you go. Well, the fact of the matter is, this is now kind of an established because you guys were working in school for so long. You got a three or four year head start on a startup and a pretty safe environment at school where you could kind of fail maybe a little bit more, although I don’t think that you have you guys had a major failure, so to speak, in it where you went, Oh, that really didn’t work. We should have done this. Have you run into those?

Franz Payer  [45:59] 
I mean, knock on wood, but so far nothing to date. I mean, we’ve been very, very cautious to make sure that all these different contingencies have been thought of. And I think that might be our security mindset. You know, as a good security practitioner, you’re always thinking, all right, what can go wrong? And if it goes wrong, how bad is it going to be? And what can I do to mitigate the damage? And that mindset has allowed us to avoid making a lot of, you know, potentially catastrophic mistakes.

Jim Collison  [46:26] 
Yeah, well, we’ll let Christian be the judge of that. Have you? Have you? Have you? Have you had anybody try to, you know, students who may not have been so happy with the results, try and come back and maybe break into your to your own system. You know, have you had any kind of your own cyber security attacks on your system?

Franz Payer  [46:50] 
Well, we constantly have people attacking us. The biggest one is that people are just running automated scanners and they just throw it all these alerts. We recently started a vulnerability disclosure program, and so we now have ways for people to report any vulnerabilities that they find. But a lot of them are kind of just like, you know, if 10 different things happen, and, you know, very circumstantially, then I could potentially get someone’s session. Like, okay, well, then I guess you can submit answers on their behalf. We’re really lucky in the sense that there isn’t a whole lot of risk that we have in terms of, like, you know, what you can get with any single user’s account. You know, the big thing that we’re protecting is data, that’s the main thing. But if you get access to someone else’s account, you hack into their account, there’s not a whole lot you can really do to mess with them.

Jim Collison  [47:46] 
You’re not collecting a lot of PII and other right,

Franz Payer  [47:49] 
Yeah, I mean, when we have to go through vendor onboarding, it’s like, what PII do you store? Name and email address. And that’s all there is. Maybe some people really want to keep their score private. Occasionally, we do actually have people, you know, not wanting to be listed and stuff, and we give them the ability to use a pseudonym, so that they’re not showing up with their name publicly on leaderboards and stuff. So, you know, I guess you could figure out, you can reveal the top people on the leaderboard and who their identities are.

Christian Johnson  [48:18] 
about the push to go international. Is there any market that you’re looking at for running cyber skyline internationally? And if so, what privacy laws might you have to take into consideration with respect to GDPR? And otherwise?

Franz Payer  [48:33] 
Great question. So right now we are actually looking at doing stuff in the UK. Europe’s a little bit tricky with skills assessments. I know Germany has very strict laws about it. So we have to be very selective with kind of how you can use skills assessments for hiring and HR purposes in Europe. But in the UK, it’s okay. And yes, we have to be GDPR compliant. That hasn’t been too bad because we don’t have a lot of different vendors. And so it’s just a matter of, you know, disclosing what data do we have and how do we use that data. And then we also have to worry about Privacy Shield. So that basically just allows us to keep the data of European citizens within the US. And those are kind of the two big things that we have to be worried about right now.

Jim Collison  [49:25] 
Have you considered just setting up a separate instance, in Europe that’s completely separated from the US and just maintaining two systems?

Franz Payer  [49:33] 
We have considered it um, it’s, it’s something that we don’t really want to separate the data per se. And it’s also a situation where we have some customers who are multinational. So they don’t want to have different systems to log into every single time. So we just want to have it as one unified system that they don’t have to worry about.

Jim Collison  [49:53] 
It’s a real problem with the GDPR. And what you’re saying is, it all sounds great when you think about, well, okay, in Germany, so to speak, we’ll have it, you know, for them, we’ll build it this way. Then the company comes in, and they’ve got people all over the place. And it’s like, oh, okay, and now we have to integrate this, separated virtually, however you’re going to do it. It has created kind of a, you know, a challenge in that area of exactly where data sits. And I don’t know if GDPR has been necessarily completely tested in court. So while they have laws, we know those are all testable, right? They all have to really go through the court systems to start being tested. So there are people who are like, what does that really mean? And I’m not sure we have necessarily all the solid definitions down pat. We have some great ideas, certainly. But I think there’s some challenges that still are out there of exactly what that means. So we grapple with it. And I think everybody’s kind of grappling with that. There was a whole industry that grew out of GDPR of people just trying to do that. We’ve many of them at the deadlines, but we’re kind of in that sweet phase right now where people are actually using it, and then they’ll be test, you know, I think we’re going to start seeing GDPR and hearing, well, not here, but in California as well, as the way the rest of the United States goes. I think we’re in that phase as well, or that’s going to kick in here pretty quick. And then of course, that’s going to go to court, and it’s really, really important to see how the courts interpret then what laws have been passed. We’re in the early phases of this. I mean, if we think GDPR is a known thing, we still got a ways to go before we really know what it means.

Christian Johnson  [51:33] 
Yeah, definitely. Yeah.

Jim Collison  [51:35] 
It’s it’s complicated. It’s super complicated. Yeah, for sure. Christian What else?

Christian Johnson  [51:39] 
Um, you know, I’m just trying to think where we, I mean, company-wise, I feel like our listeners have a pretty good sense. I think I may have neglected to say your point of presence online is cyberskyline.com, all one word. Franz, what does the next year look like? Like, what does 2020 look like for Cyber Skyline, where are the big focuses for you, and then the direction you guys want to move?

Franz Payer  [52:11] 
Yeah. So big focuses for us are basically helping more companies run different recruiting programs. So that means going to more conferences, running more competitions. We were at the Women in CyberSecurity conference last year, and we’re going to be at the Women in CyberSecurity conference again this upcoming year. There’s no expansion. I can’t say anything too much about specific conferences in the works right now. But we do have bigger conferences in the works as well. Also working with companies to basically run large public challenges. We just wrapped up one for Lockheed Martin, back in October, where we ran a large public challenge where there’s a URL that people can go to and start an assessment if they were at one of the 20 different schools that Lockheed Martin was hiring from for their aeronautics division. And we’re looking at doing more of those. So really helping students find employment and helping employers find qualified talent. And we’re doing a lot of that in the college space. So expect to see a lot more with getting more college engagement with industry.

Jim Collison  [53:19] 
conference, define universities, I would think, you know, their career development centers and stash site and such would be kind of incented to use a platform like this to get their students on it and employable define the universities are approaching you guys at all, or is that a market where they’re coming to you?

Franz Payer  [53:39] 
curiously enough, with the with like the, you know, the with those offices, it’s, it’s not something that we’ve been getting because I think they’re kind of hesitant to spend money in that regard. But we have been getting inquiries from schools are with actual academic programs rather than the career offices where They are interested in supplementing their curriculum because they see a lot more value. In a very, I guess, rightfully so easily with the idea where I teach a class of the now I can have some hands on technical, real world experience as well supplement that. So we actually have a couple of classes that are using our assessments as a capstone. And the professor will teach to whatever curriculum they have. And then at the end of it, you know, students do an assessment on our platform. And so we’d be getting more inquiries in that regard, and how do we, you know, integrate with LMS and help them build out some of their curriculum as well. And that’s something that we’re, we’re, you know, vaguely taking a look into, and how do we support all of that, but I expect to see in the future as we get more and more employers on the platform like, like Lockheed Martin, maybe the career offices will start reaching out a little bit more.

Jim Collison  [54:48] 
And do organizations pay per seat do they pay per event? What’s a quick rundown on a pricing model?

Franz Payer  [54:55] 
Yeah. So what we charge employers is basically, we just look at their hiring needs for the year, how many people that they need, roles that they need to fill, and then we just charge them an annual license based on that number. And then, you know, obviously it’s going to vary a little bit more if you want additional challenges and features, but it basically comes down to a per hire, per year price point.

Jim Collison  [55:20] 
Okay, good. And if folks want to contact you if they have they want to get more information employers want to do that how do they do that?

Franz Payer  [55:27] 
Sure. So you can reach out to us on our website, cyber sky com. We have a Contact Us form on there. You can also reach out to me directly via email. My email is my first initial, last name at cyber sky com, so that’s F-P-A-Y-E-R at cyber sky com.

Jim Collison  [55:44] 
I think sales at get you there as well

Franz Payer  [55:47] 
to their contact at gets you there. We’re very accessible

Jim Collison  [55:51] 
or anything at cyber skyline calm probably comes to you right on Twitter on,

Franz Payer  [55:55] 
you know, at cyber skyline. You know, we’re We’re everywhere. You can find it

Jim Collison  [56:02] 
Franz, did we miss anything? Anything else that you’d like to kind of highlight before we wrap it

Franz Payer  [56:07] 
up? No, I mean, I think that that was a great conversation I you know, Thanks for the invite. Thanks for having me back after all these years, absolutely. Always love chatting with you too and talk about the state of where everything’s out right now.

Jim Collison  [56:19] 
You remember that day we were down in the basement of the asis? Yeah. It’s really good, so long ago. Good to see, like, for me, great to see those days. Watching you guys kind of go through this, and this has always been a project that’s kind of been on the side for you guys. I’ve watched you and Toby do this over the last, you know, half decade, kind of wondering where it would go, and I don’t know, I always kind of thought it would just be a product. I thought you guys would launch something and it’d be great, and you guys have always had a really good project and a very good product, and so fun to see it big time at this point. And I know you guys want to make it bigger. But it’s fun to see it out in real and people using it, you’re having great success. So congratulations on getting it launched, congratulations on being able to pay yourself. For entrepreneurs, right, listen, that’s a big freakin’ deal for a lot of startups, being able to pay yourselves and be able to make, you know, payroll, so to speak. You get that done. So Franz, congratulations on doing that.

Franz Payer  [57:28] 
Yeah, I appreciate it. All the kind words and thanks for having me on again.

Jim Collison  [57:32] 
Christian, any final words from you before I wrap it?

Christian Johnson  [57:35] 
No, I just gotta say, it was amazing to me to look up today, you know, when was Franz last on in terms of representing Cyber Skyline? And it was Episode 5, 2014. And like, dang, yeah, sick, coming up on like six years of just all things related to this. So pretty cool. I get excited about Cyber Skyline because I see the amount of challenges and problems that are going on with the cyber education industry. And I think that, as developed as the cyber security industry is, this is still a huge area of new and uncharted territory where people are trying to refine and make their stake in the ground, and I think Cyber Skyline has a unique approach to doing it that scales really well. So I’m kind of glad to get the digest of where Franz and Toby are in their journey here and hope to see it scale in the years to come.

Jim Collison  [58:36] 
Yeah, good stuff. With that will remind folks don’t forget the average guy TV power, just another startup Maple Grove partners, get secure, reliable high speed hosting from people that you know and you trust this guy down there. And if you want to get information on plan starzl is $10 a month Maple Grove be if you want us to cover anything or you got it’s really Christian He’s a smart guy here. You can contact us send us an email Jim at the average or really just send it to Christian Christian at the average guy TV at j Collison at Borg whisperer. Want to thank you for joining us tonight. A couple of you out there in the chat room and many of you listen after the fact. And we appreciate you guys doing that. We’ll be back with 60 we made it personal at least made it to 60 we keep going well thank you for joining us and thanks for listening with that will say goodnight. Goodnight


Music courtesy of Ryan King. Check out the Die Hard Cafe band and other original works at: is powered by Maplegrove Partners web hosting. Get secure, reliable, high-speed hosting from people you know and trust.  For more information visit