CyberWire Daily - Interview Select: Will Markow, VP of Applied Research from Lightcast, is talking with Simone Petrella about how to use data to make strategic workforce decisions.
Episode Date: July 3, 2023. This interview from June 16th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Simone Petrella sits down with Will Markow, VP of Applied Research from Lightcast, to discuss how to use data to make strategic workforce decisions. You can also view the video of the full interview here: Simone Petrella and Will Markow discuss workforce management. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the CyberWire Network, powered by N2K.
There's a strange mix of forces at play in the cybersecurity workforce.
Many companies are hiring, some
companies are experiencing layoffs. And yet, overall, there's still a sense that there are
many open positions out there waiting to be filled. Which is all to say it's more important than ever
for managers to take an evidence-based approach to hiring and retention. Will Markow is VP of
Applied Research and Talent at Lightcast.
My N2K colleague, Simone Petrella, spoke with him about using data to make strategic workforce
decisions. Just to give you a little bit of background about Lightcast and the work that
we do and how it intersects with the cybersecurity world, Lightcast really strives to be the global
authority when it comes to information
about the job market. We provide data and consulting services through a mix of advisory work,
software tools, and APIs that really help companies, educators, government officials,
workforce development officials, and others better understand what's happening in the job market and
in their workforce at any given point in time,
they can use that information to really make better decisions about the workforce.
And logical question is, okay, so why are we involved in the cybersecurity space? And that's
because the cybersecurity workforce really faces some of the most intractable issues that we see
across the entire economy. And so there's really been a deficit of good information and good data about
the cybersecurity workforce historically that we've really tried to come in and fill that gap
with more up-to-date and more granular and actionable data. So really excited to get into
the discussion about some of the data and some of the things we're seeing in the workforce, but
I think that will probably come later in the conversation. Yeah, great.
We've talked about this in the past and certainly have very similar viewpoints on how organizations and companies can take a more strategic perspective on how to think about the cybersecurity workforce shortage, how to actually identify and make good decisions based on what they need to do. What are some of the common misperceptions that you view your clients, people that you work with having about this particular topic? Great question. And I think
there are a few misperceptions that are pretty common in the market. First misperception is that
it is just a skills gap. And I think there definitely is a skills gap in cybersecurity,
and we can talk about that a little bit later. But I think that there's also an expectations gap,
that a lot of employers don't realize that they are contributing to some of the hiring challenges
that they have by asking for certain credentials or certifications or skill sets that may or may
not be important in the
roles that they're asking them for. So I'll give you a concrete example, which we see more often
than you would think, is that take a CISSP. This is a certification, which is a great certification,
and it has its place, and it's important for people who are more advanced in their careers
to consider getting a CISSP. But we see a lot of employers asking for
a CISSP, which requires a minimum of five years of prior work experience to qualify for a full
CISSP, asking for this credential along with no more than two years of prior work experience,
which makes it impossible to have both. And the hiring managers, it's not their fault. They know
what a CISSP is. They know you have to have five years of work experience. But there's something in the internal process and the communication between the
hiring manager and the HR team building that job requisition that results in a disconnect.
And so I think that one big misperception is that either it's just a skills gap or it's just
an expectations gap or hiring managers don't know
what they're asking for. The reality is hiring managers know what they're asking for. The reality
is there are people out there who could fill some of these jobs, but there is a breakdown in
communication in that process of building those job requisitions. So that creates that expectations
gap. That said, I also hear a lot of people saying,
oh, wait, there is no skills gap. What are we talking about? That's also not true. There also
is a deficit of workers. When we look across the cybersecurity workforce, we see that we only have
about two-thirds of the workers we need to fill all of the jobs that employers are demanding.
So that effectively means we're
stepping onto the cyber battlefield, missing a third of our army. So there's also a talent
shortage. There's also a skills gap. And I think anybody who says it's just one or the other
is contributing to some of the misperceptions in the market and is contributing to some of the
information gaps that are exacerbating some of the talent gaps and the expectation gaps in the field.
Yeah, I can totally see where that comes into play. I know we've seen that ourselves in the
expectation gap. What is your recommendation? How do you propose that we kind of solve that expectation gap?
Since job recs are one of those interesting areas where it's in the domain of HR, but the hiring managers do it, how do we improve that process?
The first thing that you need to do, which I think you started to touch upon, is you need to break down silos. If you're in the cybersecurity world,
if you're a CISO or a cybersecurity manager, you need to view HR as your friend and partner,
not your rival, which I think is the culture in a lot of organizations. HR is also trying to work
with cybersecurity managers to get the best job requisitions out there. And you need to figure
out how can you work together in a more
collaborative fashion. And I tell this to HR folks all the time as well, is that one of the first
things you need to think about when building a job requisition is how is this supporting
the stakeholders that it most needs to support? And how is it driving business value within your
company? So the first thing you need to do, be collaborative.
Second thing you need to do is you really need to define
what is it that this person in this role needs to do,
not just at a job title level,
but at the underlying skill level.
A lot of people call it skills-based hiring,
which is a very amorphous term.
And it means a little bit of one thing to one person, something different to someone else. So sometimes I stay away from that
nomenclature, but really, a manifestation of skills-based hiring is understanding and
inventorying what the skills associated with each role within your team are, so that you can build
your job requisition around those skills that people need, not just the credentials or degree requirements
that people have used as imperfect proxies for those skills. And once you do that, you can then
start to figure out, okay, which skills are going to be most critical to include in the job
requisition when we're going out and hiring for people versus when we're training those people
internally, and which of those skills are need-to-haves versus nice-to-haves
when somebody's walking through the door?
I'll give you a concrete example of this in practice.
There's a financial services company we worked with
that was trying to right-size
some of its job descriptions around the skills,
not the credentials, not the certifications
that were most important for proficiency in that role.
And they were able to identify a few things
that they could just take
out, like a bachelor's degree requirement, or a certification requirement, or some emerging skills
that were really nice to haves and not need to haves. And by just making a few simple tweaks
to their job descriptions, they were able to reduce the average hiring cost by over $10,000 per hire,
and they were able to expand their candidate pool by over 60%. So sometimes just making those
slight tweaks to the skills you're asking for and the credentials you're asking for
can have huge benefits to companies when they go out and hire for cybersecurity workers.
Yeah, we see that a lot too. One of the, I think, natural follow-up questions,
especially for organizations who have a desire,
you know, as leaders to have a more skills-based approach,
they want to understand what they're actually looking for in the roles.
What are some of the things that you often work with
or recommend to clients to do
if they're starting this process on their own?
Great question. And we find that most folks do not know where to start. They hear the term
skills-based and they have no idea what that actually means in practice, where to start,
et cetera. So we generally find that there are four pillars to becoming skills-based in your
hiring and talent management practices.
And the first, which we always emphasize should be the first, is business value.
How are you driving value to your business by taking a skills-based approach?
And there are different ways you can implement that.
The simplest is just figuring out what are my strategic priorities for the next six to 12 months or
beyond, and what skills will my team need in order to execute those strategic priorities?
So we always say that's the first pillar.
If you don't have any idea how you're driving business value, don't do something.
Beyond that, though, we also recommend that you have a pillar around skills-related strategy and governance. So this
is really how are you thinking about implementing skills within your team? Is it that you want to
have a common understanding of who has what skills? You need to take a baseline. Is it that you need
to understand what are the future-ready skills you're going to need to train your existing people
in? And really, what is your skills philosophy? And how are you going to make sure that you're consistent in how you're rolling
out that skills-based approach? Beyond that, we also recommend that you think about the data side.
How are you capturing that information? If you can't measure something, you can't manage it.
And so you need to have a good idea for what types of data can you use to baseline your existing team skills, but also to track how
skill requirements are evolving in the future so that you can upskill your team and build
those capabilities as they change in the market.
And then the last thing we say is think about which stakeholders you're going to need to
engage with internally.
It's not just an exercise to be isolated to the cybersecurity team. It's not
just an exercise to be isolated to the HR team. It's something that requires your entire organization
to work together, especially in a field like cybersecurity that impacts the entire organization
and to have line of sight into what the rest of the organization is doing.
And so we always say, don't neglect that stakeholder management component. Make sure that you are reaching out proactively to the other business heads,
to the folks in HR, the business partners, et cetera, who you need to work with in order to
implement this more of a skills-based approach across your team. And because you also need to
know what skills does your cyber team need to have, but also what skills does the rest of the organization need to have when it relates to cyber?
Because you're probably going to be the ones who have to help teach them.
That's a really great point, because what you are in essence saying is when it comes to a people strategy and understanding building a cybersecurity program,
you need to be effective at building a business case to justify what that strategy is going to look like,
as much as you build a business case to implement tools or technology improvements or process changes
as you implement controls on the entirety of the cybersecurity program.
So that really resonates.
Going back, though, when you think about the data, and obviously, Lightcast is a, or, you know, you guys actually are a repository and capture really helpful to understand what exactly type of information are you capturing about skills? How do you do it?
And I think to your point about emerging skills, what are some of the emerging skills that you all
are seeing and how are you capturing those? It's a great question. And I'll take a step back just
to give you some idea of how Lightcast is capturing data on skills in the market. And we found that
historically, the data on skills in cybersecurity or the rest of the job market for that matter
was very limited. Government data only gave an incomplete picture of the skills and the
capabilities that were
needed across different roles.
And so when we started to try to capture skills across the market, we turned to two different
data sources beyond just government data.
The first is online job postings.
We're going to tens of thousands of different job boards every day.
We're capturing job postings, pulling them down, running them through an artificial intelligence engine that extracts information about what skills are being demanded
by employers in different roles, different industries, different locations across the entire
economy across the globe. The second place we look are worker histories, such as professional
social profiles, resumes, which give us line of sight into what somebody has done in
their career up to this point, what the career trajectory looked like, and what skills they've
picked up along the way. So using these two sources of information, one on the demand side for skills,
one on the supply side for skills, we can build a very detailed portrait of the labor market
in terms of the underlying skill sets that employers
demand and that people have. And we can use this to track things over time. We can track skills
in more real time to see what emerging trends are occurring. And we can also use it to start
to project out what are some of the skills that are going to be increasingly important in the
future. And that leads us to the second part of your question of, okay, what are some of the skills that we're seeing that are emerging in cybersecurity especially?
And I'll say cybersecurity is one of the fields that has the most skill evolution at the most rapid pace anywhere in the market.
In just the past two years, we've seen that about 24%, so around a quarter of all skills required by cybersecurity professionals, have shifted.
So that means every two years, you're having to re-up a quarter of the skills that you have just to continue to do the job you're already in.
And that skill evolution is primarily being driven by three different types of skill change.
One is just different types of cybersecurity frameworks and processes that
people are increasingly using. So we're seeing rapid growth in things like threat hunting. We're
seeing rapid growth in things like different risk management frameworks and tools. That's one of the
places where we're seeing some of the most rapid skill evolution. We're also seeing very rapid
evolution when it comes to regulatory frameworks, though, and standards such as those coming out of NIST.
Every time there's a new NIST framework or an update to an existing framework, that changes the skill sets that your people need to know.
There are changes to privacy frameworks, et cetera.
But then the last and the one that most people talk about is technological change. And for cybersecurity, this is especially important because virtually every new technology has a digital component, and every technology with
a digital component must have a security component baked into it. And that means that there's a
constant flood of new technologies that cybersecurity professionals have to engage with,
have to interact with, and have to learn how to keep secure. And this has certainly
been exacerbated recently with all of the talk around ChatGPT and generative AI and how that's
going to lower the barrier to entry for the bad actors as well as the good actors who are trying
to combat them. And so we see that this type of technological innovation is definitely driving
much skill change for cybersecurity
workers. And beyond just AI, which everybody knows is disrupting things, I'll also call out
that one perennial technological shift that is constantly, constantly changing skills that are
needed for cybersecurity professionals is cloud. And it's every year we think, okay, maybe this
will be the year that finally cloud isn't as big a deal.
It isn't as growing as fast.
It isn't as hard or expensive to fill for cybersecurity professionals.
That still hasn't come.
Maybe one day it will.
But the cloud is just evolving so fast.
Every new technology also has some interaction with the cloud now.
And we also see that cybersecurity professionals who have cloud security skills, they are harder to find,
they command higher salaries, so they're more expensive for employers. That's great news for people who have those skills. We definitely recommend that companies be very thoughtful
about how you build those cloud skills in your teams, because almost certainly it's going to
be cheaper for you to think about training existing workers in those new technologies,
as opposed to going out and hiring someone on the spot market for talent with those skills.
It's interesting, though, because when you think about the evolution and that statistic around the
sort of two-year mark and how that actually is what's constantly shifting, it seems to indicate
that this is not a one-time inventory that needs to take place. It's a continuous requirement to stay on top of the skill requirements. But to your point on even only two-thirds of the positions are full,
and we still do have an actual talent shortage, you have to compensate with that by saying it's
a continuous evolution because no one has a 100% retention rate. So you're going to be
off-boarding employees, onboarding new employees,
having to upskill, having to identify where you're going to find those pools of talent.
So looking at both sides of the equation, it's a never-ending process.
It's so true. And just to make the situation sound even more dire, the macroeconomic backdrop
of all this is that we have declining birth rates, we have declining immigration
rates, we have declining labor force participation rates, all of which are going to lead to long-term
talent shortages across the entire workforce, not just cybersecurity. And that means that these
talent shortages are probably going to be persistent for a long time to come. And that
means that we're going to have to figure out how do we wring as much value out of the people we've got
for as long as we possibly can.
And that requires that companies do exactly
what you just described.
You have to take a continuous process
to understanding how is the market evolving?
How are the skill needs of my team evolving?
And how can I make sure
that I'm continuously investing in my people
and the skills that they have
so that they don't become stale.
And that actually has benefits, though, to retention as well.
Because when you invest in your people, your people are going to be more invested in you
and your company.
And they're not going to say, well, if I want to advance my career, I have to look elsewhere.
And so taking that continuous view of externally what's happening in the market and then translating that internally to how do I reinvest in my people doesn't just have benefits in terms of keeping your skill sets up to date, but it also can have benefits in terms of team morale, retention rates, and other follow-on benefits. Given the state of the direness that you described, let's shift to maybe some good news.
Do you have any examples, and you don't need to name names, of any companies or organizations that at least are on the path to getting this right?
And what does that look like?
Yeah, great question.
So the good news is there are some bright spots.
Some companies have been proactively trying to address some of these challenges.
And I'll give you a couple of concrete examples. There was a large manufacturing firm whose CIO
was working closely with their security team and other technical teams and said, you know what,
we know that we're going to have to constantly reinvent ourselves. We're going to have to
constantly figure out what skills do we need to drive business value and to keep pace with technological change. And they first said, let's take an inventory of what do we have.
So they figured out what were the skill sets that they currently had across their security teams and
other technical teams. And then they said, let's compare that to what we're seeing in the market.
Let's look externally to see what do our competitors have in terms of skill sets on their security teams.
They said, let's look at what other companies
and other industries have in terms of skills
on their security teams.
And let's look to see what are the trends,
which of these skills are growing the fastest
and are costing the most for employers
to hire in the market
so that we can use that information to
prioritize which skills we train for internally versus which skills we try to hire for externally.
And they essentially built these skill profiles for every role within their teams that said,
what are the skills you need to have today? But then what are the skills that are more future
looking? These future ready skills that you can build
with internal training that we'll provide for you
that are really going to help us remain future-ready,
but also going to help you as an individual
remain future-ready.
And this CIO was, I think, very good at engaging the team
and talking to the team and explaining to them,
this is why it's important for you. This
is why we are investing in you as individuals to grow your career in a direction that helps both
you and the company. And they were able to build reskilling plans for every individual across the
technical team. And they had much higher engagement rates than you typically get with assessments
because the head of the department, the CIO, actually went
out and said, this is important. It's a strategic priority, and we are doing it to invest in you
because that helps our company as well. And it was, I think, a great example of how a business
leader was able to align this skills-based hiring and reskilling strategy with all of the things we
talked about earlier.
There was stakeholder engagement.
They were aligning it to business value and giving transparency to their team of how it aligned with business value.
They had a data plan in place, and they just had a broader philosophy
of how they wanted to roll this out that really resonated with the team.
And so I thought that was a great example of how to do it.
And the outcomes were great, too.
They were able to identify millions of dollars in talent acquisition savings. They were able to increase retention rates. And again,
they were able to reap many of these follow-on benefits that we've been talking about.
That's fantastic. So maybe we'll conclude with this. This sounds a little daunting to those
that are listening and saying, how do I even get started on this? And I just want to see what's available out there in the public domain to at least get my feet wet. What are some places that people can start? I know
that Lightcast and your team in particular have done a lot in providing some of this information
out in the public domain. Absolutely. So I would say the first place that you can look for this
type of information is a website called CyberSeek.org.
If you're unfamiliar with CyberSeek.org, it's an interactive portal that provides data on supply and demand for cybersecurity jobs in states and metro areas across the United States.
It also provides a career pathway that allows you to see what the opportunities are for individuals to
enter into and advance within the cybersecurity field. And it also provides information about
where there are training providers across the United States that you can go to in order to
build the skills that you need to enter into the field. CyberSeek leverages Lightcast data.
It's actually something that was built in partnership between Lightcast, CompTIA, as well as NICE, National Initiative for Cybersecurity Education.
And it's a completely free tool open to the public, and it can give you up-to-date, actionable information about the cybersecurity workforce.
I'm also very excited to say that we'll be putting in some new data to CyberSeek in early June. We're also going to be adding some features to CyberSeek that will
provide more historical data so you can see how trends are shifting across the cybersecurity
workforce and anticipate what will be happening in the future. You can also use some of the new
features as an employer to improve your job descriptions and to take more of a skills-based
approach to writing job descriptions that align with the realities of the market.
So that's a great place.
There are also many other resources out there.
Lightcast has released some reports in the past about cybersecurity workforce, even just going to NICE and their website.
They have fantastic resources, and there are many others out there.
There's no shortage of free information about the cybersecurity workforce.
So I would definitely encourage folks
to go to CyberSeek, go to NICE
and other websites with great information on the field.
That's Will Markow from Lightcast
speaking with N2K President Simone Petrella. Cyber threats are evolving every second,
and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker,
a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company
safe and compliant.