CyberWire Daily - Cybersecurity moneyball: First principles applied to the workforce gap. [CSO Perspectives]
Episode Date: May 22, 2023
Rick Howard, N2K's CSO and The CyberWire's Chief Analyst and Senior Fellow, discusses the cybersecurity workforce skills gap with N2K's President, Simone Petrella, regarding how security professionals might learn from the movie "Moneyball" about how to train their team in the aggregate about first principles.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. This is typically a Pro exclusive, so be sure to subscribe to Pro to get access to new episodes airing every Monday.
Visit thecyberwire.com slash CSOPro, all one word.
That's thecyberwire.com slash CSOPro to explore the benefits of Pro and to subscribe.
Hey, everybody.
We're back.
We're back.
In our old backyard.
We are back.
Welcome to Season 13 of the CSO Perspectives podcast.
The Cyber Wire staff, including me, has made it back from the big RSA conference in San Francisco,
and we have tales to tell.
Oh, yeah.
And the interns have successfully closed down the alternate Sanctum Sanctorum
located under the San Francisco-Oakland Bay Bridge for another year.
And I believe they all made it back safe and sound to the main underwater sanctum near Baltimore Harbor.
Hey, did we ever find Kevin the intern?
No?
Well, at least most of them made it back.
You know, I hear the waters near Alcatraz are shark infested.
You don't suppose he tried to swim for it, do you?
Well, that's a problem for another day.
For this season, we have lined up a number of interesting shows.
We're going to dive into Zero Trust in an app-centric world.
We're going to talk about the implications of quantum to the network defender community. We're going to do some best practices for
MITRE ATT&CK mapping. And we're even going to bring on Dave Bittner, the voice of the CyberWire,
to discuss cyber metaphors. We're going to talk about some of the new vendor tools that we saw
at RSA that will help us forecast risk. And because we have to have at least one history
lesson to annoy my pal, Steve Winterfeld, the Al Borland to my Rick the Toolman, we're going to talk
about the evolution of DDoS and what we can do about that attack vector today.
You're welcome, Al.
Really?
More history, Rick?
But for this first show in Season 13, we're going to talk about cybersecurity workforce
development because, as you might expect for this podcast, the way that our community hires and trains its people
does not adhere to any kind of first principles.
So, hold on to your butts.
Hold on to your butts.
This is going to be fun. My name is Rick Howard, and I'm broadcasting from the CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A.
And you're listening to CSO Perspectives, my podcast about the ideas,
strategies, and technologies that senior security executives wrestle with on a daily basis.
The InfoSec community has been talking about the cybersecurity workforce gap for well over a
decade. And what I mean by workforce gap is the number of unfilled cybersecurity jobs
that exist at any particular time. The earliest mention I could find of network defenders'
awareness of the problem came from a report by the Center for Strategic and International Studies,
CSIS, in 2010 called A Human Capital Crisis in Cybersecurity, a report of the CSIS Commission on Cybersecurity for the 44th presidency.
In that report, the authors claimed that the shortfall was between 9,000 and 29,000,
depending on how you counted the jobs, and that was just for the United States.
In 2022, the International Information System Security Certification Consortium, ISC Squared,
said that the global cybersecurity
workforce gap was 3.4 million people. That's over 116 times the number calculated by CSIS a decade
ago. Clearly, we have a problem finding qualified people. And it's not like we haven't tried to fix
the problem. I mean, it isn't like we weren't aware, there has been a steady drumbeat in public forums
since 2010 of the situation getting worse each year. Still, academic and certification programs
have responded. It feels like most colleges today, compared to 2010, offer some kind of learning path
to cybersecurity and have been churning out graduates for a while now. And there are more
potential certification classes available today than there has ever been.
If that's so, then why is the workforce gap continuing to grow?
And why have we all heard the horror stories where a newly minted cybersecurity graduate can't find a job?
The problem, as I see it, is that we continue to hire cybersecurity talent and train our existing teams
in the same way we
started doing it back in the day, say early 2000s. As with that old chestnut, insanely, we expect to
close the gap with this same approach, even though the evidence is telling us that the problem is
getting worse. Oh no! Our hiring and training method is simple. We focus on the individual.
When we hire, we're looking for the all-star, somebody with 25 years' experience,
a technician with 17 certifications, and an employee willing to work for $1.50 an hour.
No wonder we can't find anybody.
Oh, no!
When the organization trains its own people, leadership is generally all for it, but we send the individual.
We pay upwards of $3,000 for an employee to attend a class or a conference to get up to speed on some new thing.
Most times we ask the individual what he or she wants to learn, not as a training task, but as a perk for being part of the organization.
We don't really have a team training strategy at all.
With these tactics, we struggle to bring on talent with the skills we actually need.
And we are surprised when the training impacts one employee, not the overall organization.
In other words, after the conference, we have one employee who understands the basics of chaos engineering, let's say, a first principle tactic supporting our resilient strategy.
But the InfoSec team is still mostly in the dark.
And one bad side effect is that the all-star coming into the organization and the all-star we create are prime candidates to be pilfered by some other organization who is willing to pay more money.
Sending individuals to training then seems like a losing strategy, and yet we continue to do it.
If we want to implement one or more of our first principle strategies,
zero trust, intrusion kill chain prevention,
resilience, risk forecasting, and automation,
perhaps we need to shift our focus away from the individual
and towards training the team.
Let me introduce my boss.
So my name is Simone.
I feel like I'm waiting for a polygraph test.
Simone Petrella, president of N2K Networks, and I have worked here since the very beginning.
So full disclosure to the listeners, as I said, Simone, you're my boss and you and I have known
each other for years. But for our listeners who are just now hearing about you, can you describe your path and how you became the president of N2K?
Sure. So my path into cybersecurity was via the DOD and the intelligence community.
I actually started out my career as a counterterrorism analyst, so not a cybersecurity professional.
Well, that's not the weirdest thing we've ever seen, getting into cybersecurity.
It's pretty close.
It's parallel, I guess.
Yes.
In fact, the reason I got into cybersecurity was in late 2005, early 2006, there was a
small shop that was focused on computer network operations and looking at information warfare
and adversaries' intent to use information warfare to disrupt DOD activities.
And they couldn't find, irony of ironies, qualified talent to do both analytic work and understand the technical issues.
And so they essentially, I was kind of given the assignment to be like, terrorism is a transnational issue.
This whole information warfare thing seems to be transnational.
I bet there's some parallels.
So I dove right in.
I'm sensing a theme.
Yeah.
But, you know, like all joking aside,
did not come from a technical background,
but all of my kind of career in the next 10 years
in the intelligence community
was around translating technical topics
and understanding them,
but being able to synthesize information
and communicate it to decision makers
so that they could do something actionable
with what the risks were at that time
to predominantly like Department of Defense assets
or operations.
Well, that's my entire career.
You know, yes, cybersecurity, but really my job has been to explain really technical things
in this domain to people who are really smart, but maybe not have not been in the domain
for a while.
So, yeah, I totally understand that.
So, you know, I did that on the government side forever.
And then I actually transitioned into commercial consulting
to take a lot of those principles around cybersecurity
and what we've learned in optimizing teams
and the Intel process into the commercial sector
and did it with financial and retail clients.
And the path to N2K really came down to the founding of CyberVista,
which obviously formed a component of N2K.
I lived this problem. I spent the entirety of my career trying to identify qualified talent to
fill these technical cybersecurity roles, but also be able to communicate, articulate them in a way
that was connecting the dots and make them actionable for decision makers. And so I was essentially living the dream
of identifying talent, giving them opportunities
to train on the job, send them off to training.
And then 18 to 24 months later,
someone would come into my office and say,
thank you so much for this opportunity.
I have gotten a job somewhere else for 35 to 40% more.
And I'd be like, great,
good for you. I can't pay you that much. And I'd start all over again.
The story of my career. Okay. That's exactly what's happening.
So I turned that story into a startup and that's how CyberVista was born with the idea to try and tackle that problem from the other side of the fence as the industry and the employers,
as opposed to relying on the individual. And came together and merged with the CyberWire
here this past October to create N2K, News to Knowledge Networks. So it's been a very exciting
journey to come here today. And it's a real honor, Rick, after all these years to finally get to say that
I get to tell you what to do. We should tell the story of how I turned you down coming to work for
you before, right? It's true. I did. I tried to convince Rick that he should solve this talent
issue by fangirling the cybersecurity canon, of which I am still a huge fan,
and seeing if he would help proselytize
where we were going on workforce.
And Rick said, no, I'm not doing it.
I don't think so, yeah.
Well, there you go.
That's just fate, Simone.
Okay, that's what that is.
We need to get in here and fix this problem.
Actually, it's karma, Rick.
It's karma.
You mentioned the merger of the CyberWire and CyberVista.
Can you talk about the thought process of taking the CyberWire,
which is best known for its cybersecurity podcasts and newsletters,
and merging it with CyberVista,
a company that specializes in enterprise-level cybersecurity training?
What was the thought there to push those two things together? Yeah. So when we first
started to have conversations around the synergies between CyberWire and CyberVista, we originally
talked about the connection between the requirements to get people up a knowledge
curve quickly, but then that continuous learning that's part of the daily education and diet
around current events, industry news, something that essentially, how do you play those two
together?
And as those conversations progressed, what became the aha moment for us was the reality
that we were both, from different perspectives, shooting to create a world where the workforce
gains knowledge and skills as quickly and as
adaptively as the technology that they're leveraging does. And we anchored on this
concept that at the end of the day, we were both providing strategic workforce intelligence,
whether it was through working with customers and companies to make them smarter about their
workforces so they could make better decisions, or what we were doing independently to make the workforces themselves collectively
smarter. And it seemed like just such a powerful combination to be able to do both. Because
really, the industry is usually tackling one side or the other, but not looking at it holistically.
And that seemed like a really magical opportunity for us to come together and do something
that really combined the power of true news to knowledge.
I really like the idea of workforce intelligence
as opposed to how we've done it in the past in cybersecurity.
We've mostly focused on individual training.
My peer group have not really focused on everybody,
the team benefiting from some sort of group training.
So I really like that.
Yeah, well, I mean, I'm sure you've had this experience
in justifying like budget and technology spend
or when you're trying to put together tools,
you're ultimately trying to optimize your investments, right?
And we do that in the, at least in the cybersecurity industry,
as long as I've been in it. Naturally, when we're talking about the technology spend, we're going to do the processes we're going to put in place. And yet, for all of the years that we've been around, we don't do it for the largest operating expense that we have in our budget, which is headcount. It's people.
It's so true. We've known for years about this problem. We've been complaining about the cybersecurity workforce gap for years. My observation is that the InfoSec community
doesn't really do team training as a first principle strategy. You know, we're, we're not
against training per se, but we focus, like I said before, on the individual and we're enamored with
the superstar. We're looking for people with 25 years experience and 17
certifications, and we continue not to find them. And I'm wondering how team training, what we're
advocating here with CyberVista at the enterprise level might solve the problem. Yeah, well, I think
even taking a step back, you know, it's not even so much that we're advocating for team training.
All that's a component of it, but it's even knowing what you need before you make the
investments in those training activities.
Yeah, I didn't mean to imply that.
I thought it was just we're going to put everybody in a room and train at the same time.
Just that you actually know what your team is good at and what they're not so good at
and work to fix those gaps, right?
Oh, completely.
And it really strikes me, you know,
between conversations I've had over the years,
I know you've been part of these conversations, Rick,
when you talk to security, you know, CISOs, CSOs,
and the activities they're doing to solve this problem,
it really still hits a chord with me
that 15, 20 years later,
we're still espousing all of the great work we've done
in creating an internship program over here. And it brought in 10 people. And then we have done a
university collaboration and that's going to bring in 20. You start doing the math and you go,
look at the numbers based on this ISC Squared report. Like you're not going to, we're not going to get there by factors of 10.
You're right.
I've been involved in lots of those programs, right?
And then we patted ourselves on the back by, you know,
wandering down to the local university and bringing on three interns who
showed some promise.
But you look at the numbers, 3.4 million, and that dog doesn't hunt.
Okay.
It doesn't scale.
So we need to do something different.
And this enterprise level idea,
I think has a way to fill the gap.
Yeah, and it really comes down to having a bit,
just a shift in mindset to be more deliberate
and strategic about the way that we think
around our investment in people.
And so, you know, to me, the real key,
I know you make this great analogy, Rick,
to the book Moneyball, which I laughed at you about first.
Simone is talking about one of my favorite movies,
Moneyball, starring Brad Pitt and Jonah Hill,
released in 2011 and based on the 2003 book
of the same name by Michael Lewis.
Lewis tells the story of how the Oakland A's, an American Major League Baseball team,
adopted a radical new approach to fielding players. In 2002, the A's had a payroll of
approximately $42 million, while the New York Yankees, their arch nemesis, had a payroll of
around $126 million. That meant that the Yankees could buy the best players in the game and the A's could hardly compete.
As a response, the A's general manager, Billy Beane, played by Pitt in the movie,
adopted the sabermetrics model invented by Bill James.
Before sabermetrics, professional baseball teams chose players solely through observation.
They used scouts, people who had been involved in the game for years, to subjectively evaluate potential players based on the scout's experience.
They look for intangibles like bat speed, power, home run potential, attitude, personality, and whether or not the player had a good-looking girlfriend.
In the movie, Jonah Hill playing Peter Brand, a player analyst working for Pitt with a background in economics, says,
There is an epidemic failure within the game to understand what is really happening.
And this leads people who run Major League Baseball teams to misjudge their players and mismanage their teams. And I believe that a
similar situation has been happening in cybersecurity since the beginning. We're enamored with the
superstar, those 17 certs and 25 years experience, and not with the aggregate skill set of the team.
The sabermetrics model uses data and statistics to find the exact skills that a team might need. And Billy Beane reduced his
problem of how a low payroll squad like his can't compete with the high payroll teams like the New
York Yankees down to one atomic first principle. The most valued skill is not home run percentage
or whether or not the player has a good looking girlfriend, but players getting on base. He decided to build a team on that first principle.
In the movie, Hill tells Pitt, Okay, people who run ball clubs, they think in terms of buying players.
Your goal shouldn't be to buy players. Your goal should be to buy wins. And in order to buy wins,
you need to buy runs. And in order to buy runs, you want players who routinely get on base.
In the cybersecurity world, you don't want to buy the superstar.
You want to buy and train an aggregate team proficient in our first principles.
Not one person who knows everything, but a team that can collectively do it all.
Prior to the 2002 season, Major League Baseball teams with large payrolls
stole the A's top three players in terms of perceived talent and actual salary.
Jason Giambi went to the New York Yankees, Johnny Damon went to the Boston Red Sox, and Jason Isringhausen went to the St. Louis Cardinals.
Most pundits in the sports world wrote off the A's season believing they couldn't recover from the losses.
But Beane had a different idea.
In the movie, Hill tells Pitt,
I think it's a good thing that you got Damon off of your payroll.
I think it opens up all kinds of interesting possibilities.
You're trying to replace Johnny Damon.
The Boston Red Sox see Johnny Damon and they see a star
who's worth $7.5 million a year.
When I see Johnny Damon,
what I see is... an imperfect understanding of where runs come from.
The guy's got a great glove.
He's a decent leadoff hitter.
He can steal bases,
but is he worth the $7.5 million a year
that the Boston Red Sox are paying him?
No. No. Baseball thinking is medieval. They are asking all the wrong questions. In one movie scene,
Pitt is sitting around the table with his collection of old guy scouts. They are still trying to pick players based on their intuition. Pitt pipes up in frustration. He says that the
scouts are still
trying to replace Giambi and the others with similar players with corresponding high salaries,
and he knows there's no way to do it with their payroll. But what they might be able to do is
replace them in the aggregate. The three departing players' average on-base percentage was .364.
What they should be looking for are three relatively cheap players whose on-base
percentage is the same. In the cybersecurity world, the relatively cheap player is the newbie
cybersecurity employee just coming out of college or the government worker transitioning to the
civilian world. It's also the relatively low-level employee already on the staff. All have little
experience compared to an all-star, but most have an aptitude
and a desire to learn. Instead of hiring the superstar with 17 certs for a lot of money,
or training one of your existing superstars to be even more super, we could instead make the entire
InfoSec team better by hiring and training the needed skill sets in the aggregate, just like
Billy Beane did with the A's. And at this point, you're asking
yourself, did sabermetrics work for the A's? Well, according to Garrett Chandler at the Modern
War Institute at West Point, the A's finished their 2002 season with 103 wins, one more than
they did the previous year with their three superstars, Giambi, Damon, and Isringhausen.
And although it's true that they haven't won a World Series
since they started the program,
they have been in the playoffs 11 times in the past 22 years,
from 2001 to 2021,
tied for fifth most in the league
and have constantly put themselves in a position to win.
And I would say that they did this against teams
with a much bigger payroll and a league of teams
that started using the same
sabermetric methodology after 2002 because of the A's success with it. That's extraordinary.
Further, another low payroll team, lower than the A's payroll, that uses a similar system,
the Tampa Bay Rays, have made it to the World Series twice in just over a decade.
They lost both times, but they made it to the show.
There's no question that the sabermetric analytical system has made lower payroll
teams more competitive in the league. I believe it's time for the network defender world to take
it for a spin. The way that InfoSec leaders train existing employees today, they focus on the individual's needs.
When they acquire talent today, they ask potential employees if they have 25 years of experience and 17 certs.
As Jonah Hill said in the movie, we're asking the wrong questions.
If that's true then, what are the right ones?
What is the cybersecurity equivalent of the A's buying runs and not people?
I was talking to my friend Joe O'Brien about this recently. He's the co-founder of Orion Cyber, where he helps organizations identify, quantify,
and prioritize cyber risk. He said that from his perspective, security leaders should seek to buy
down risk, not buy superstars.
When I heard that, the entire idea locked into place for me. As you have heard me say in this
podcast and now in the Cybersecurity First Principles book on sale at Amazon, link in the
show notes, the ultimate cybersecurity first principle, the thing that all of us are trying to
do, is to reduce the probability of material impact to our organization
due to a cyber attack. When it comes to training and hiring, the network defender's goal shouldn't
be to buy and build superstar players. In order to buy down risk, you need to enhance the team's
ability to pursue the ultimate first principle. It's a subtle distinction, but an important one.
The team's skills you need to accomplish that are different depending on the follow-on stages you adopt, like zero trust, intrusion kill chain prevention,
resilience, automation, and risk forecasting. But the ultimate goal should be to reduce risk.
Here's Simone. How do we even have people effectively work within the tool sets and
controls that we put in place unless they're qualified to do those roles? And the mindset shift that's required is to have organizations actually understand what is
needed from a role perspective. If you understand the roles, then you need to understand the skills
that are required to be successful in those roles. And then you need to compare that with
the workforce you have
and where do they meet that mark and where do they not. And then make some determinations
around how you're going to fill those gaps. Those gaps could be filled through team training,
through identifying other sources of talent, maybe not picking up the unicorn for an absurd salary,
but someone with a lot of aptitude and promise.
And how do you sort of bring them up?
Or how do you find people within the organization who could transition into roles?
It just allows you to have a strategic mindset and how to build that kind of capability without just using it as a money pit.
Simone, that's why I'm a big advocate of rethinking cybersecurity
in terms of first principles. To be honest, until just recently, I hadn't even considered that team
training, of course, has to be part of our first principle strategies. You can't pursue the
intrusion kill chain prevention strategy, for example, unless your team is proficient at it.
If we're trying to improve the organization in terms of reducing the
probability of material impact due to a cyber event, surely our team has to be trained to do that.
And that idea has never even hit our community's radar screen. My peers, including me, from the
beginning of our history, have focused on the individual, like you said, the unicorns, the
superstars, not the team. But this requires a change in mindset by security leadership,
because now we could build a set of team skills based on the aggregate of each individual employee.
Yeah, so I think that's why, that's actually why I am such an advocate for calling it workforce intelligence,
because you need to have the intelligence about the needs from the roles,
and that comes down from doing an inventory.
That is something that is incredibly critical from a baseline perspective to understand the roles.
And you can do that in an efficient way to get the profiles of those roles and really inventory everything you need. And then when you look at the staff that you have,
you gain intelligence on where they are as a barometer relative to those roles.
The way that we have kind of done it,
and I think what has provided a really good data point
and a data-driven way to make some of those decisions,
is by producing assessments and giving assessments to those team members,
looking at the team as an aggregate, it is not a performance measure.
It is a decision-making tool that allows you to identify,
what do I need? Where are people?
Now let's determine how I actually invest money in particular training avenues,
again, hiring strategies, you name it.
So that's the baseline. And then the
beauty of it is you keep having to evaluate that because your workforce is going to change. People
are going to learn more. They're going to move into other roles. You want this continuous
thermometer or temperature gauge or health meter on the maturity of how it goes. And you want a
way to also measure the investments you're making in their development as a workforce, you have to be able to identify which things are working and
which don't and adjust course. So you give an assessment to the individuals, right? But that's
not what it's for. We're not trying to assess how the individual is, you know, good or bad.
You're putting all that information into an aggregate evaluation of your team.
Yeah.
And then making decisions of what the team needs to be good at later down the road, right?
Exactly, because at the end of the day, we all want a well-rounded team.
You know, we're not all, not every company has the luxury of working in some of the organizations we worked with,
where there's hundreds of cybersecurity professionals that are all specialized.
But there are organizations that fall on that spectrum
where identity and access management
requires a different skill set
than the people doing governance, risk, and compliance.
It's not fair to judge an individual
based on the requirements of a role
that they're not actually going to be performing.
And he did just that. In a game out in Oakland,
Kathy butted to Milner and about 20 feet from the bag, slid under Milner's tag.
Think of your InfoSec team as equivalent to the Oakland A's in terms of talent acquisition and training. The thing that the Oakland A's and all the Major League Baseball teams have going
for them is a deep treasure trove of player statistics going all the way back to the beginning of the league in 1876.
When you have that kind of data store, there are all kinds of ways to slice and dice the information that might provide useful insights to the ultimate first principle.
For the cybersecurity community, though, we don't have that.
According to Statista, there were approximately 4.6 million
InfoSec professionals in the world in 2022. Unfortunately, we don't have a database that
shows what skills each of those players has. The network defender world is so new the last 30 years
and the technology we use to do our jobs changes so fast that it's tough to get a handle on
everything that everybody is doing.
The closest we have come, I believe, is the Workforce Framework for Cybersecurity,
the NICE Framework, developed by the U.S. National Institute of Standards and Technology,
NIST. NICE stands for the National Initiative for Cybersecurity Education,
and the framework is a reference taxonomy, that is, a common language of the common cybersecurity work and of the individuals who can carry out that work in cybersecurity.
The framework groups the kinds of cybersecurity jobs we all have in big overarching categories.
Oversight and governance, design and development, implementation and operation, protection and defense, intelligence, and cyberspace effects.
It provides typical job titles, work roles, job descriptions, and the knowledge that a network defender must have in order to do each job.
NIST publishes a comprehensive spreadsheet for all that information on their website.
The link is in the show notes.
That work product by itself is invaluable as a reference tool for security leadership when you're writing job descriptions or employee performance reviews. Why create
everything from scratch when you have a ready-made consensus collection of the job descriptions and
associated tasks already available? At least you can use it as a first draft to modify it later.
That said, if we're indeed trying to buy down cyber risk by improving
the team's skill set, the first task would be to map the NICE categories to our first principles.
We would want to identify all the job categories and tasks associated with the first principle
strategies and tactics that we're pursuing. I haven't done that yet for all the NICE categories
and for all the first principle strategies. That's a future project for me for the summer of 2023.
But if you're playing at home, you could use the roadmap of the first principles book website
as a handy cross-check visual.
The link is in the show notes.
For example, from the roadmap, I can see that for our zero trust strategy and the tactic
of vulnerability management, the NICE framework lists the vulnerability assessment analyst, PR-VAM-001. That employee performs system and network assessments
and identifies where they deviate from acceptable configurations. From the NICE spreadsheet,
there are 36 knowledge areas that apply, 12 specific skills, and four described abilities associated with that
job. My future task then is to identify all those items for each tactic described on the first
principles roadmap. That's the first step. The second step is to evaluate the team against the
knowledge areas, skills, and abilities. Assess how good the team is at everything. Once you have that data, you can
then prioritize the team's training agenda that will buy down the most risk. That all sounds like
a lot of work, and it is. Oh no! But it's work that needs to be done. If you buy into the whole
cybersecurity first principle idea as applied to workforce development, this is the entire reason
using first principles is
important. Up to this point in our collective cybersecurity history, team training hasn't even
popped up as something that we all need to do. Instead, we have focused on the individual as a
superstar for hiring purposes, insisting that we only consider the most highly qualified people
available. For existing team members, security
leadership has, for the most part, abdicated any kind of team strategy in favor of improving
individual superstars. When you consider the problem of 3.4 million and growing open positions
in the cybersecurity workplace today, clearly those strategies aren't working.
What I'm advocating is learning from the example of Billy Beane's Oakland A's, building a team designed to win games.
He realized that the first principle for building competitive professional baseball teams was not to buy all-star players, but to build an all-star team in the aggregate using relatively cheaper and overlooked players, and concentrating on using on-base percentage as the stat to rotate on.
I'm suggesting that security professionals can do the same thing by rotating on first principle strategies and tactics.
The implication, though, is that we have to adjust our mindset away from hiring and training those superstars and be willing to field a team in the aggregate.
That means tapping into the pipeline of new graduates coming out of college with no experience.
It means taking a chance on a young potential employee with no certifications but lots of aptitude.
It means developing a well-thought-out and consistent training plan for your team,
a workforce development strategy that will allow you to buy down risk.
And it means creating the team training tactics that will support that strategy.
After all, you can't really implement a first principle zero trust strategy without a team that knows what that is and how it can work most efficiently within your organization.
If we can do that, then the workforce gap will begin to shrink, not only internationally, but for each of our specific organizations.
If we are training to make the team better in the aggregate, then the number of specific open jobs will start to go down.
Let me give you one last shot, Simone. What's the Twitter line here for workforce intelligence? If you want one message you want to give to security professionals out there, what is that?
It would be, you need to be smart about your workforce so that you can make decisions to help make your workforce smarter.
Excellent. That's a good way to close this off. So thanks, Simone.
Thanks. I think that's probably the most I've done in Twitter in like the last 10 months.
You and me both. I dropped Twitter like a hot potato right in the middle of COVID.
Yeah, take that, Twitter.
And that's a wrap.
The first episode of Season 13 is in the bag.
And don't forget, you can buy copies of my new book,
Cybersecurity First Principles,
a reboot of Strategy and Tactics.
You can order it now at Amazon.
Also, we'd love to know what you think of this podcast.
Send email to cyberwire, the at sign, n2k.com.
Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.
Thank you. eminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team
smarter. Learn more at n2k.com. The CyberWire's CSO Perspectives is edited by John Petrick
and executive produced by Peter Kilby. Our producers are Liz Ervin
and senior producer Jennifer Eibman.
Our theme song is by Blue Dot Sessions,
remixed by the insanely talented Elliot Peltzman,
who also does the show's mixing,
sound design, and original score.
And I'm Rick Howard.
Thanks for listening.