CyberWire Daily - Cyber Talent Insights: Strengthening the cyber talent pipeline apparatus. (Part 3 of 3) [Special Edition]
Episode Date: April 26, 2024Join us for this special three-part series where the N2K Cyber Talent Insights team guides you through effective strategies to develop your cybersecurity team, helping you stay ahead in the constantly... changing cybersecurity landscape. In this episode, we center our conversation around the Cyber Workforce Pipeline. We discuss where the next great wave of talent is going to come. We talk more about these sources of new talent, such as K-12 programs, higher education, and trade school programs, transitioning military, and other initiatives and programs focused on cultivating the next generation of cyber professionals. Explore Cyber Talent Insights N2K’s Cyber Talent Insights provides security leaders measurable and actionable insights on your organization’s current cyber roles and capabilities to maximize your talent investments and build a business case for better hiring, developing, maintaining, and retaining your technical talent pools. Learn how at n2k.com/talent-insights. Connect with the N2K Cyber Workforce team on Linkedin: Dr. Sasha Vanterpool, Cyber Workforce Consultant Dr. Heather Monthie, Cybersecurity Workforce Consultant Jeff Welgan, Chief Learning Officer Resources for developing your cybersecurity teams: N2K Cyber Workforce Strategy Guide Workforce Media Resources Strategic Cyber Workforce Intelligence resources for your organization Cyber Talent Acquisition Woes for Enterprises Workforce Intelligence: What it is and why you need it for cyber teams webinar Setting Better Cyber Job Expectations to Attract & Retain Talent webinar Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the CyberWire Network, powered by N2K.
Calling all sellers.
Salesforce is hiring account executives to join us on the cutting edge of technology.
Here, innovation isn't a buzzword.
It's a way of life.
You'll be solving customer challenges faster with agents, winning with purpose, and showing
the world what AI was meant to be.
Let's create the agent-first
future together. Head to
salesforce.com slash careers
to learn more.
Hello and welcome back to Cyber Talent
Insights on the N2K Cyber Wire Network.
I'm Jeff Welkin, and I'm joined once again by my amazing colleagues, Dr. Sasha Vanderpool and Dr. Heather Monthe for this special three-part
series sharing our insight on the complexities of the cybersecurity workforce.
Heather, can you remind the audience what we focused on in our first episode?
Yes, absolutely, Jeff. I'm so excited to be back here today. First, we highlighted the state of
the cybersecurity workforce from a supply and demand perspective.
And then we shift our focus on the enterprise perspective.
So looking at the importance of using cyber talent intelligence to help make informed
decisions related to the cyber workforce management lifecycle, which includes things like job
roles analysis, talent acquisition,
upskilling, reskilling, and workforce retention. Awesome. Thanks, Heather. And Sasha, how about
episode two? Do you mind giving a quick recap of that for our listeners?
Of course. So for episode two, we continued the conversation by really focusing on the
cyber practitioner, what it means to take a market-driven approach to cyber career
development, personal branding, certifications, and why a company's workforce management program
is really important to get correct for those cyber professionals.
Thanks, Sasha.
And for today's episode, we want to center our conversation around the cyber workforce
pipeline.
We talk about where the next great wave of talent is going to come. We examine sources of new talent, such as K-12 programs,
higher education and trade school programs, transitioning military, and other initiatives
and programs focused on cultivating the next generation of cyber professionals.
Cyber Talent Insights from N2K Cyber Wire will be right back after this.
All right, let's get started by talking about cyber
as it relates to K-12.
And for the purposes of today's episode,
I really want to shelve the conversations
around the importance of cyber safety,
cyber hygiene, et cetera, and center in on career awareness and cyber skill education.
So we've actually had Tatiana Bolton, a security policy manager at Google and senior advisor to U.S. Cyberspace Solarium Commission, as a Solution Spotlight guest not that long ago.
I think she frames up the topic really nicely for us.
So let's just take a moment and take a listen to that. The K-12 piece is really critical because if you don't have enough of a population that's even knowledgeable about the basics from an early age,
then they're not sort of inspired to go into cybersecurity and fix these problems, right?
If you're not even seeing cybersecurity professionals
until you're older, you're not really thinking about that as a career path. Like, there's not
enough cyber experts to go into every school in America and say, hey, I do cybersecurity for a
living. What does that look like? You know, what does that even mean? The teachers also, you know,
you can't put it on them. They're, like, massively overwhelmed as it is, K-12, not having enough focus, not having enough resources.
All right. So, Sasha, let's unpack this a bit.
Can you elaborate just a little bit on the constraints and limitations of primary and secondary education systems as it specifically affects the cyber workforce pipeline?
Yeah, absolutely. I think Tatiana makes a good point that a lot of the
schools, unfortunately, nowadays just don't have enough resources. So those school resource
constraints, that includes limited funding, limited access to advanced technologies. Of course,
there's teacher shortages, there's limitations, and a lot of conflictions when it comes to
standardizing curriculum.
And that kind of affects all subjects, but especially when we're talking about STEM, especially when we're talking about cybersecurity.
So as far as the cyber education curriculum, incorporating hands-on interactive learning experiences, all of that, and just the exposure to what a career in cybersecurity could even look like, that's what we're really lacking in the schools.
And I think that it's especially prevalent, again, all of these limited resources, unfortunately, in the more racially diverse and socioeconomical disadvantaged communities.
So we're seeing that if in these communities, they're not even being exposed to it at an early age, that that's possibly causing what the correlation is that we've seen in the field today, where we have professionals not coming from diverse backgrounds and not being inclusive to women, people of color, people from different socioeconomic backgrounds. I think it's starting from that early age. Yeah, it makes total sense. And it's certainly a challenge that is not an easy one to
climb. But there are some organizations we'll talk about later on in this episode too that are kind
of moving towards that. Heather, I didn't know if you had any reactions to Tatiana's comments here,
if you wanted to weigh in on this as well, as it relates back to like constraints, limitations, and primarily focused
on primary and secondary education systems. Yeah, absolutely. I think that one aspect that
when I'm working with a school and they need some help, like, you know, I want to start a
cybersecurity program, where do I get started? It's important to note that every school system has their own IT department. They have their own,
you know, cybersecurity teams, and they're going to have their own policies and their own
constraints and maybe some possible limitations for what can be taught in the schools. So certain
pieces of software might not meet the acceptable
use policy, so they can't necessarily install software on a computer. If something is web-based,
the privacy policy might not be aligned with something that can be used in K-12 schools,
particularly if the students are under 13. Here in the U.S., there's some privacy laws for children under 13. So I
think that when we're thinking about bringing technology into the classroom to teach
cybersecurity is that what we've got to do is sort of find this happy medium around, you know,
we're teaching students how to do particular skills, but we're also not, you know, violating
any sort of policies or procedures that the IT and security
teams at that particular school district has in place. Yeah, great point. So I think, you know,
in episode one, we really talked about like the state of the talent gap. And this is why, you know,
getting an early start is so important. You know, the total job openings right now
in the cyber space is around 570 to 100,000
according to cyberseek.org.
So it kind of leads to my follow-up question
here on this is,
in addition to just kind of looking at the pipeline
and the gap there,
why is it important to cultivate curiosity
in cyber careers this early
on with students? And then Sasha, I'll pass it over to you. Yeah, I think it's, you know, kind
of showcasing that there's this opportunity for them to even have this career. I think, you know,
like you said, we're not talking about necessarily, you know, being safe on the internet. That's a
whole other conversation.
But just understanding that this is even a possibility and the avenues and the career paths that are even available in this field and being able to expose them from an early age, being able to see what a day in the life is, having guest speakers, having job shadowing opportunities.
All of that can really help them paint that
picture for them.
So that way they can kind of get an idea, okay, even if I'm interested in some element
of cybersecurity, maybe I'm not sure what path or track I want to go down, that's fine.
But then I can start exposing myself to different hands-on experiences and opportunities to
not only familiarize myself with the knowledge and skills and training that I'll need, but
then I can even align my actual curriculum with that.
Especially as you get a little bit older and like middle school and high school,
when you have these electives that you have the opportunity to choose
or actually follow down like a career track,
they can start getting that experience early on.
I think more and more, especially these career academies
that are IT or maybe cyber specific,
they're giving these students
the opportunities to get certifications
in high school
or maybe dual enrollment.
And again, you're not even able
to set yourself up
to have that opportunity for success
if you don't even know
if it's an option.
And a lot of the times
these decisions are having to be made earlier and earlier, like
middle school, and then to go into that path for high school.
So the earlier the exposure, the better for sure.
And the space is super competitive too.
I mean, I remember when I was in, you know, we know that the cybersecurity industry is
extremely competitive, despite the number of job openings that are out there, which
is ironic in itself.
But, you know, if you think back when we were in high school, I don't know about both of you, but
it was like our exposure to computers for me was like typing, you know, like with a typing class.
I went to like a rural school, so there wasn't, you know, a ton of budget there. But today,
you know, like one of our Urban Alliance interns, telling me just the other week that his goal before he leaves high school is to get an A-plus certification and an AWS certification.
So kids coming out of K-12 programs are coming out credentialed in a number of cases.
So it's really just kind of a different dynamic, a mental shift for someone, you know, like our age and as we think back on those K-12 experiences.
Heather, I think you probably have a lot to share here too.
So I'll just kind of turn it over to you for a sec.
Yeah, I have tons of stories I could share here.
I think that what's really important about exposing young people to different cybersecurity careers is looking at it sort of from the perspective of cybersecurity is a relatively new field. It's not like going into teaching. It's not like becoming
a doctor. It's not like going to law school, becoming a lawyer. These are professions that
have been around for a while. And a lot of parents can really help guide young people into a career.
We know that in order to become a teacher, you've got to do these things. If you want to become a nurse, you've got to do these things. They're very well clearly defined pathways
that have been around for any length of time. And when we're talking about cybersecurity, oftentimes
parents aren't familiar with it. Even really anything in tech, sometimes parents aren't
necessarily familiar with it. They don't know how to guide their students or their children.
When they come to mom and dad and say, hey, I'm interested in this.
I want to learn more about it.
And then they're like, I have no idea how to help my child learn more about this particular profession.
So I think that's why it's really important for different types of training organizations, colleges, universities, vocational schools, community colleges, et cetera, that have these sort of pathway programs where you've got things like summer camps and weekend camps,
things like that, where it's really showing students what a career in cybersecurity can
look like. And it's helping parents guide their children on a career that might be interesting to
them. Absolutely. I'll just also just add really quick that I think too,
for them to have that hands-on experience in high school,
like participating in these clubs and boot camps and competitions,
I think that is just not only just a cool experience to be a part of,
but is really what's going to help them set them aside
and stand out amongst that competitive market,
whether they are trying to enter
into a specific higher education program
or they're looking to go directly
into working after high school,
it's a really great opportunity
for them to set themselves apart
and get that experience early on.
Yeah, great points.
And I know in a little bit here,
we'll talk about industry partnerships
and collaborations but i i do want to take a moment to to make a quick plug um you know for
uh the camden dream center and the ceo over there pastor keith davis is doing some really great work
um for working on uh getting exposure to um young individuals as it relates to STEM programs, especially for underrepresented
groups there and sparking that curiosity from a really young age. So there are, in addition to
the K-12 programs, like community programs that are really getting involved in this space too,
or even like social clubs that kids can kind of participate in to get more exposure
beyond what the school itself may be able to provide. So those are really exciting to see
kind of crop up. But I think to wrap up this section, I just want to focus in on one last
question for both of you is, are there any other strategies that you are aware of for sparking interest in cybersecurity careers among young students through engaging in interactive learning experiences?
Heather, why don't you go ahead and go first on this one?
Yeah, there's a few.
There's many out there.
I'll just mention a few that I'm personally involved in.
just mention a few that I'm personally involved in. First is the AZ Cyber Initiative, which is a nonprofit here local to Arizona, where we run boot camps for teachers and students learning
about cybersecurity. Teachers learn how to teach cybersecurity. Students learn about careers in
cybersecurity. It's been so successful that we're starting it now as the U.S. Cyber Initiative to
help bring this to other states to help train K-12 teachers on how to teach cybersecurity, but then also get more young people interested in careers in cybersecurity.
And similarly, there is the GenCyber Program.
That is a collaboration between NSF, NSA, and some other entities.
But these are grants that are provided for various organizations, colleges, universities, nonprofits, training organizations.
And what they do is they offer up something very similar.
They're training boot camps for K-12 teachers to learn how to teach cybersecurity and to feel more confident teaching something that they might not necessarily feel super confident with that particular topic.
feel super confident with that particular topic. And then also bringing more students into some of these boot camps as well to give them some hands-on experience of what a career in cybersecurity might
look like. So those are a couple of those organizations that I've personally been
involved with that I think are doing a really good job with just working to develop that talent
pipeline from an early age. How about you, Sasha? Anything in particular as it relates to kind of
engaging and interactive learning experiences focused on a younger generation?
don't have the resources.
And there's a lot of limitations that are beyond the teacher's control,
even the school,
sometimes having to go through the district
and all those rules and regulations.
So a lot of the times,
I think that if as a parent,
you're seeing that your student,
your child is expressing
that they are interested in this,
there's other ways that you can go about
within the community to look into these,
like we talked about these kind of boot camps or these kinds of clubs that they can join at the community level
that you don't have to necessarily wait to see, you know, what the school gets approved or,
you know, the resources that they have or that they don't have, which I think is really neat
for parents. Then of course, you know, just the technical age that we live in and, you know,
with things online as far as, and different podcasts and things like that,
that you can find out some additional resources as well.
But I think that, of course, we want the schools to be better equipped.
We want them to have more standardization, have access to more resources.
But I think it is nice that there are a lot of community-based organizations out there, especially those ones that are, you know, focused on diversity and inclusion and really kind of going into those underprivileged communities that don't have access to these things and being able to be that opportunity of exposure to those young students to spark their interest, I think, is always a great way as well.
Yeah.
And sometimes you just have to meet people where they're at, too.
Especially when we're thinking about young individuals.
Sometimes you need to find the connective tissue with them on what's kind of in line with their own interests
and how that relates to something beyond high school.
And one organization I'm just kind of really fascinated by
and interested in lately is the work that Microsoft's doing
with Minecraft education, targeting high school students here.
So I know Layla Bow bullman she's one of the
executive producers there is doing some pretty great work with high schoolers and teachers
using minecraft as a game but as a teaching tool for stem which is pretty fascinating if you think
about it um great so i think um let's pivot just here quickly and move over, move the conversation over to adult education and training in that particular landscape.
For adults, there's clearly a lot more options to consider.
Higher ed, whether that's universities, cyber centers of excellence, community colleges.
We also have trade schools, technical schools, accelerator programs, job transition programs.
So there's a lot to consider in this particular bucket for adult learning.
But knowing what to choose can be really an important decision for adults kind of looking to or building their career in cybersecurity.
in cybersecurity. What are some of the unique challenges, needs that adults are seeing and what route considerations should they keep in mind when making the choice to learn? Heather,
I'll kind of pivot over to you here on this one. Yeah, I think that it's really important to
understand that if you are an adult who's got some experience in another field, and we've talked about this previously as
well, that you've got transferable skills. So don't feel like you have to go back to school
and spend another four years to get a bachelor's degree to pivot your career into cybersecurity.
There's a lot of programs out there. There's a lot of schools out there. There's a lot of
nonprofits. There's a lot of training organizations out there that have created sort of shorter training programs specifically for people who are trying to transition into cybersecurity.
So these are, you know, if you look at a traditional college degree, you've got all of your, you know, sort of your technical courses.
But then you've also got, you know, the professional skills, so writing and presenting and that kind of thing.
And oftentimes
people who've got experience in another field, they've sort of got that down.
And so we just need to learn the technical pieces to a cybersecurity role. So some of
these shorter training programs really focus in on those technical skills that are needed for
a cybersecurity role. One other thing that I think is really important too,
to note if you are somebody who is transitioning into a career in cybersecurity,
is that, you know,
looking at different certification options,
we've talked about certifications
in a previous episode as well,
that there's a lot of different certifications
that are available out there.
And that just try to find, you know,
if you're working with a college or university
or training program or some sort of organization,
maybe you're learning and development team
within your organization,
perhaps they have some sort of pathway
to find out with regards to certifications
and trainings and things like this
to get into a specific role within cybersecurity.
But then from the flip side,
I also think that
from the employer's standpoint is that there's a lot of really good people out there that have,
you know, they're probably over 35 years old. They probably don't have a degree in cybersecurity.
These are new-ish degrees. So a lot of people don't have degrees in cybersecurity. So, you know,
I think that a lot of organizations are starting to lighten up on the
bachelor's degree requirements for cybersecurity with that understanding that there's a lot of
different pathways into this particular field. And it's not always a traditional, you know,
four-year bachelor's program for the adult student. Yeah, great points. I don't have a degree in a
cybersecurity field, but, you know, I'm in the fringes of it. And a lot of people my age rode that wave into the field back in the earlier parts of the 2000s, 2010s.
transitioning professionals,
especially when you think about military.
We all have degrees of separation to
military here. I know both of you are
married to a service member.
I am a veteran as well.
And Sasha,
your last place that you worked was at
Cyber Florida, which really focuses on a demographic
here around transitioning
professionals into cybersecurity.
So what are some
unique challenges that you've seen as we're talking about adult learners who are coming into
this space and in particular coming out of maybe a very different type of career?
Sure. I think that, you know, for any veteran, making that transition from their military life and career into the civilian career and lifestyle is a challenge.
But I do think that most veterans have this innate need to protect and serve. And so I think it's a very natural transition to go from whatever
branch of the military that you might've been in to kind of continue that protecting and serving
and just do it in the interweb of cybersecurity. And so I do find that there are a lot of
programs that are dedicated specifically to helping military veterans transition into
cybersecurity, which is great and
awesome. But I do think it's still very overwhelming. And I think, you know, veteran or not,
when you are a career changer, that is very overwhelming to begin with. But I do think that
when you are a career changer, you're thinking about what are those transferable skills that
I'm bringing over? What can I take from my previous experience into this field?
But you're also still learning about the field.
And I think one thing that we all know about cybersecurity, it is the wild, wild west.
And so there is not the same standardization as far as curriculum or pathway to get into the field.
And just like Heather just mentioned, there's so many different routes that you can go.
to get into the field.
And just like Heather just mentioned,
there's so many different routes that you can go.
And unfortunately, I do think that what we have seen with some of these accelerated bootcamp programs,
a lot of them are like, get your certification
and in three months and you can do this
if you pay, I don't know, $50,000.
And it's just can be really expensive.
Again, really just like, okay, what path do I choose?
Who do I follow as far as certifying body?
There's so many different certifying bodies out there when you are going the certification route.
So it can be a lot.
And I definitely think that, you know, we talked about in our last episode, making the connection with those people who already are in the field, finding out about how they got into their path. And again, you know, making those collaborations with those who are already in the
industry and trying to have those partnerships or, you know, working with your professor. If you do
go the traditional education route, trying to get some guidance, I think can be helpful, but I think
it is important to recognize just how intense it can be, but there are so many different paths.
And so for those career changers, you know, we want to make sure that we are supporting them to the best of our ability.
Cyber Talent Insights from N2K Cyber Wire will be right back after this.
Transat presents a couple trying to beat the winter blues.
We could try hot yoga.
Too sweaty.
We could go skating.
Too icy.
We could book a vacation.
Like somewhere hot.
Yeah, with pools.
And a spa.
And endless snacks.
Yes!
Yes!
Yes!
With savings of up to 40% on Transat South packages, it's easy to say, so long to winter.
Visit Transat.com or contact your Marlin travel professional for details.
Conditions apply.
Air Transat. Travel moves us.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and
securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe
and compliant.
Yeah, and I think something to consider here, too, you know, there's lots of choices and choices are going to be hard here.
You're not going to find this perfect solution.
There are, you know, kind of going back to the theme of the episode here around, you know, pipeline and organizations that kind of help with the pipeline in a variety of ways.
organizations that kind of help with the pipeline in a variety of ways. I think one of the considerations any individual and any adult learner may want to consider here is they're
looking at programs that are options to consider or looking for programs where they do get some
hands-on skill sets too, because employers are looking for that, the demonstration that you can do the thing
that you say you have knowledge on, right?
So I think for anybody listening
who's kind of thinking about the field,
see what all the options are,
weigh those out with what your tolerance is,
whether that's a financial tolerance or a time commitment
and weigh those options out.
But definitely think through
the hands-on experience. And if you're not getting it from a program, like a training program,
you know, look another places too that where you might actually get some of that,
the application of the knowledge into the task itself. Kind of in line with that, Heather,
I'm sorry, Sasha, do you want to add anything to that?
I know. I just want to say that's a really great point.
Okay, great. Kind of adding to that, I'm going to pivot back over to you, Heather, for a second, because you were a dean at a college.
And, you know, we're talking about hands-on programs, and that is certainly a challenge for any institution that's training or teaching.
But what are some of the challenges that you noticed for educational programs or training programs that are trying to keep up with fast-paced nature of technology, new cybersecurity practices?
NIST just put out a new cybersecurity framework.
As things kind of change so quickly in the industry, how does that impact the institutions that are teaching the next generation?
I think I could do an entire podcast episode on just that topic.
We might.
What are some of the challenges of teaching cybersecurity?
And so I think that going back to what I mentioned earlier in the K-12 world, it also happens in the collegiate world where every college, university, school out there, they've got their own IT department.
They've got their own cybersecurity team.
So you've got to work within the boundaries and the constraints that they've put in place for their network.
Their job is to secure the enterprise network.
In that instance, the enterprise network includes school labs and the
Wi-Fi that your students are connecting to. So my suggestion right there is always just become
really good friends with your IT and security teams and get to know them and work with them
versus looking at it from the perspective of they're not letting me teach my students what
I need to be able to teach. The other aspect to that is that a lot of the software that's out
there that's being used in the enterprise is expensive and schools don't have the budget to
be able to teach those particular pieces of software. So what I always recommend to students
is you're learning this particular tool, right? And you can talk about how you have used that particular tool. It might
translate very well over to a different tool that does the exact same thing. So the analogy I always
use is if you're taking an art class and you're learning how to use a purple colored pencil,
it's not teaching the students how to use a purple colored pencil. You're teaching them how to create
something new, create artwork using a purple colored pencil with the idea that they can take everything that they've learned and
now come over here and do it with red watercolor. That there might be some different techniques,
changes, and some different things that might operate a little bit differently,
but sort of that thought process and that coming up with
that creative design is very similar. So it's, again, going back to transferable skills, that
you're learning something on one piece of software that can certainly translate to a different type,
a different vendor that does the exact same thing. And really the third thing that I think is
important is to, from an educational standpoint, we're really
working with students to become problem solvers, to become creative thinkers, versus how to click
here and do this thing on this particular tool. It's the bigger picture. You've got this issue
that's sitting in front of you right now. How are you going to solve that problem? And, you know,
how you do that is we work
with students, giving them different types of case studies, giving them different projects to work
through. And ideally, and a lot of colleges and universities are doing this now, ideally,
the students will come out of a program with some sort of a capstone project. And the idea there is
that they'll have artifacts that they can bring to a job interview to show you,
if you're a hiring manager, they can show you, this is what I have done.
This was the project that we did, and here's how we did it.
I worked in a group, and we used this particular tool, and here's the design.
And maybe they've got a video of how they actually created something.
But a lot of the training organizations that are out there now are
really recognizing that employers are looking for that hands-on experience. So we've got to get
students that experience while they're in that training program. And you do that through different
project-based learning, capstone projects, et cetera. We could also talk about things like
internships and volunteering your time with
nonprofits, things like that. But I'll save that for a future episode.
Well, that's wonderful. I think we certainly work with a number of colleges and universities on the
practice test side, kind of working with them to give access to students to those practice tests
so they can go through and earn those certifications. But in conversations with
various CISOs at colleges and universities, one of the things I'm always excited to hear about,
and there's a number of higher ed institutions that are doing this, is around those internships,
but internally for the cybersecurity teams there for the college or university. Because you think
about a lot of the big universities, they have so much data to protect, not just like student data enrollments, but payment data.
A lot of times there's a health center.
So there's HIPAA considerations, healthcare data, and they're complementing their workforce through cybersecurity graduates or program enrollees who get hands-on experience doing real-world defensive security
operations and then rotating out of those internships. And it serves the college and
university really well too because they have limited budgets. So finding talent, paying for
talent, it can be challenging. So I think it benefits everybody there. I love hearing those
stories. So I did something very similar to that. When I was in the university setting, I worked with our CISO and our CTO to develop a program
where students could go through an eight-week sort of rotation on each team within the IT
team and also within the security team.
So they'd work on the NOC, they'd work on the SOC.
They'd have a different eight-week rotation and they'd have to give a presentation on
what they were doing.
But it was really helpful for this CIO, CTO, CISO,
et cetera, because they were getting access to some of the really good talent. But on the flip
side, my goal was always, I want students coming out of a program with experience. I don't want
them to come out and now we're trying to get the first job after we graduated. I want them to get
that experience while they're in that program.
So I think a lot of universities and colleges are seeing that there's sort of this untapped talent pool within the students that are in their academic program.
For sure. So capital C, cybersecurity, super complex. You can almost think about it as a
complex or complicated biome or ecosphere where all these separate systems are at play.
You know, private industry, government, education certification bodies, nonprofits.
The list goes kind of on and on here.
Simone Petrella, she's our president at N2K, recently sat down with Camille Stewartloucester while she was working as Deputy National Cyber
Director at the White House, who described it this way. And then the last imperative is really
focused on building ecosystems, because we have found through all of that engagement that I talked
about, that ecosystems, regional, local, that can really tailor to the needs of community, but also create these networks of
feedback that can help inform how training happens, how education happens, how employers
find their workforce are really vital to a thriving cyber workforce. So when employers
can inform academics on what the education and training apparatus should look like. And when those same academics can ask for skills-based opportunities for their students, you know,
and we can engage the community, you get a more robust dialogue that not only solves the workforce
challenge, but solves a number of other challenges. The federal government has the smallest piece of
implementing this strategy. We can provide funding, we can work
on the federal workforce, you know, we can work on some strategic things and provide support.
But the private sector, academia, state and local governments, non-profit partners all need
to drive implementation. Launch a collaborative effort with academia, private sector, and a number
of others to have a conversation
about what a cyber workforce ecosystem looks like there, what their needs are, how the state and
local governments can continue to support them. If you are an academic organization, if you are a
nonprofit, if you are eligible to get grant money from them focused on some of these cyber workforce
initiatives, if you start to do work that is implementing this strategy, I encourage you to reach out to partners like National Science Foundation, CISA, NICE,
that have money and resources or can be a conduit to getting some. We are not the only source of
funding. There are funders and philanthropists who are doing this work. There are private sector
organizations that are doing this work as well. And so there's a lot of opportunity for funding.
I encourage folks to start to reach out to those organizations that have made themselves available for them to get the resources.
Our goal is to pull folks together to help with resource sharing and to catalyze action.
What I don't want to be is a bottleneck.
So I want organizations, I want regions, I want locales to feel empowered to go do this work with or without my or the office's involvement. But where we can support, where we can bring organizations together, where we can help spark a cyber workforce ecosystem, I want to do that as well.
All right, great. Sasha, so what are your thoughts or reactions here? Camille had a lot of points to highlight here. What do you have to say about all of that? I really like how she described it as a
cyber workforce ecosystem. And I really think that that's what it is. So, you know, we've mentioned
quite a few different organizations. And again, the list really does go on and on. But I really think that that's what it is. So, you know, we've mentioned quite a few different organizations.
And again, the list really does go on and on.
But I really think where the power in these organizations and really having an impact on the pipeline comes from them working together.
And, you know, we can list the challenges of, you know, schools not having funding.
But it's another organization that comes in and can provide the funding.
And then it's them working together that can help overcome these challenges and the needs that we're facing. And I think it's not only just that, but it's identifying kind of where different federal government organization. You can be just a consultant.
You can be a practitioner kind of early on in the field
and you can share your knowledge and wisdom
and kind of, again, sharing your path
on how you got to where you are today.
Volunteering your time, working directly with the schools
and being that example for them,
helping them with developing curriculum.
That might be something that's a little bit more time consuming.
There's different ways that you can kind of get involved.
And I think being respectful of, as an individual,
everybody has a busy schedule and different things going on.
So it doesn't have to be that you're spending 24-7,
helping out and working together.
It can be an hour of your time.
It can be a week.
It can be different things.
But it's really all about coming together and establishing these partnerships that are going to help influence one another.
And so the industry can help influence the curriculum that
schools are teaching. But then also the schools can help make an understanding that, hey, the
expectations that, you know, these employers are looking for aren't really realistic in just the
space that we're in. And so I think increasing that communication and that collaboration is just super, super important.
Yeah, it makes total sense.
You know, Heather, you had mentioned a couple of really great, you know, initiatives in Arizona specifically, right?
That are working to bring this, you know, create their own ecosystem and bring different people, organizations together in one place.
Are there any others that have really kind of caught your attention and why?
What makes any of those ones that you might have in mind unique?
Yeah, I think I'll speak probably a little bit more generally here because, you know,
like I said earlier, I mentioned a few that are happening here locally and also nationally.
But I think that to echo on Sasha's point about creating this
ecosystem. And when we look at that, we're looking at industry, academia, and government,
and how do those three sort of work together to develop this talent pipeline. And so if you,
I come from the higher ed background. I've worked in education for 20 plus years. So that's really sort of my perspective on this.
And the way I look at it is that there are universities in every major city.
There's colleges, there's community colleges in every single state.
Every single one of them that has any sort of a cybersecurity program, technology program,
it doesn't matter.
They have a sort of their own
local ecosystem. Okay. So they've got partnerships with employers. They've got advisory boards that
include people from industry and government. They've got a network of faculty who are really
passionate about helping people start careers or grow their careers in cybersecurity.
They've also got some really good teaching experience.
So I think that if you are looking at yourself saying,
you know, I want to figure out a way that I can, you know, be more involved,
I would really start with your local community college,
vocational school, university,
and look and see what kind of academic programs they have
there around cybersecurity or even just, you know, tech, like IT security. And, you know,
see how you can get involved there. Can you join their advisory board? Can you help influence
curriculum? Can you help, you know, whether it's showing up for an hour for a guest speaking
opportunity, can you provide input on curriculum on a particular
class to make sure that the university or the college is approaching it from the way that
the employers are looking for those particular skills? So I think that when we're talking about
this ecosystem, it happens at the national level, but I really think that there's a lot of opportunities at the more local level for people who want to get more involved.
And looking at it from that perspective of that's a partnership between industry, academia, and government.
And if I were in industry or government, that's where I would start is looking at my local schools to see how I can get involved there.
Yeah, there's a lot of benefits to the partnerships.
my local schools to see how I can get involved there.
Yeah, there's a lot of benefits to the partnerships.
Sasha, you know,
can you weigh in on a little bit of the benefits and how they contribute positively
kind of back over to this,
the whole concept here of pipeline, right?
And the need to create the next wave of talent.
Absolutely.
So I think, you know,
to Heather's point that she just made
and some of the things that we talked about earlier,
the great thing is, is that you don't have to wait for the school system to, you know,
or the school district, I should say, you know, to approve of additional funding and things like
that, you know, tapping into that local community, those advisory boards that have actual professionals,
they can be the ones who come in as a guest speaker, who can be there for a career fair,
who can provide a workshop to these students,
who can maybe volunteer their time
to be a part of a cybersecurity club or a competition
and provide that real world,
this is what's happening in the industry today,
knowledge and insight.
In addition to, like we said, you know, the curriculum input, maybe internship opportunities,
job shadowing. I mean, there's so much that I think that obviously when you're talking about security, there are just some natural limitations and talking about, you know, bringing too young of kids, you know, involved there.
But I think there's definitely ways to get creative and to work around it.
And again, that can honor the time limits that some people do have.
those who are coming from diverse backgrounds to be able to go to these local communities and these impoverished communities that, you know, don't even know that there are people that look
like them that can be successful in this field. And I think that, you know, these diversity and
inclusion organizations that focus on cybersecurity and IT-related careers, they do a really good job as far as how we can expose and diversify the
incoming talent pool to make sure that the industry is more representative of women,
of people of color, neurodivergent people, and of course, military veterans and career changers,
and those from rural communities as well. We need to make sure that we are showing that,
you know, having a variety of perspectives and voices
and, you know, different people
from all different backgrounds
is what's gonna help stay on top of this
ever-changing and evolving field.
Yeah, and there's obviously, you know,
from what we just highlighted,
there's a lot of stakeholders involved here,
a lot of organizations that play across these, you know across this biome or ecosystems that sit within it.
I think that's one of the things that FIU, Florida International University, is doing with NIST and hosting and putting on their annual NICE conference and expo, which this year is coming up in June in Dallas.
and Expo, which is this year's is coming up in June in Dallas. It was a really good conference to bring in educators and government and industry together around this issue. So I'm always excited
to go to that. On a personal note, opinion, and this could be controversial for some,
maybe not everyone agrees with me on this, but I think that, you know, the collaboration, these ecosystems are necessary,
but they're kind of created out of necessity because everything has been operating in their
own little silos. So we create these ecosystems to kind of bring things together. And sometimes
because this industry is so vast and complex, those ecosystems become their own little silos.
So I think one of the frustrating things for me
more recently is we kind of like look across
this interconnected system of organizations
and industries kind of coming together
is that there is no governing body for the profession,
you know, in the same way that doctors pursue with like the Board of Medicine or lawyers, you know, have to kind of get licensed.
kind of have a national association for cybersecurity professionals of some sort that kind of oversee that ecosystem to kind of say, yeah, these training providers or these certifications
are good and you as a professional in this field are licensed, ready to go to do identity
access and management or licensed and ready to go at a mastery level to do cybersecurity defense.
So I hope that we can continue making some headwinds there, though I don't think the work
is light. I think there's a lot of red tape, a lot of politics involved, but I think at some point
we need to kind of address that and maybe do a whole deep dive episode on that idea as well.
That's it for this episode of Cyber Talent Insights.
For additional resources from today's episode,
check out our show notes.
Feel free to connect with Heather, Sasha, or me on LinkedIn.
Send us a message. We're happy to talk more about cybersecurity workforce intelligence.
For additional resources from today's episode and our LinkedIn profiles, check out our show notes.
Please join us for the other two episodes in this series where we cover cybersecurity workforce intelligence from the perspective of employers and recruiters in episode one, and for individuals entering the field of cybersecurity, or perhaps making a transition
from one career to another in episode two. We'd love to know what you think of this podcast series.
You can email us at cybertalentinsights at n2k.com. Your feedback ensures we deliver
relevant information to develop effective cybersecurity teams in the
constantly changing landscape of the industry. We're privileged that N2K and podcasts like
Cyber Talent Insights are part of the regular routine of many of the most influential leaders
and operators in the public and private sector, from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment,
your people. We make you smarter about your team while making your team smarter. Learn more at
n2k.com. This episode was produced by Liz Stokes. Mixing, original music, and sound design by
Elliot Peltzman. Our executive producers are Jennifer Iben and Brandon Karpf.
My co-hosts are Dr. Sasha Vanterpool and Dr. Heather Monti.
And I'm Jeff Welgen.
Thanks for listening.