CyberWire Daily - Solution Spotlight on the 2024 NICE Conference: Business Roundtable.

Episode Date: June 2, 2024

As part of our series on the 2024 NICE Conference, we turn our focus to the Business Roundtable. This year’s conference theme “Strengthening Ecosystems: Aligning Stakeholders to Bridge the Cybersecurity Workforce Gap” highlights the collective effort to strengthen the cybersecurity landscape. By joining forces with key partners, we can foster a more robust cybersecurity ecosystem to bridge the workforce gap. Business Roundtable is an association of chief executive officers of America’s leading companies working to promote a thriving U.S. economy and expanded opportunity for all Americans through sound public policy. The Business Roundtable launched its Cybersecurity Workforce Corporate Initiative in December of 2022. In coordination with its members and inputs from experts at the Department of Commerce’s National Initiative for Cybersecurity Education (NICE), it recently released a Cybersecurity Workforce Playbook to help employers create entry points to cybersecurity careers and strengthen cybersecurity talent pipelines across various industries and sectors. Simone Petrella, N2K President, speaks with Erin White, Business Roundtable's Senior Director, Corporate Initiatives, about the Cybersecurity Workforce Corporate Initiative, the recently released Cybersecurity Workforce Playbook, key takeaways for the private sector, and how the Business Roundtable and NICE are working together to support these initiatives. Find out more about the Workforce Framework for Cybersecurity (NICE Framework) (NIST Special Publication 800-181, revision 1). Stay tuned for our coverage of the 2024 NICE Conference.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:02:41 special edition N2K Cyber Wire podcast. In this featured Solution Spotlight episode, N2K President Simone Petrella is talking to Erin White about Business Roundtable's Cybersecurity Workforce Corporate Initiative, the recently released Cybersecurity Workforce Playbook, and the collaboration between Business Roundtable and NICE to strengthen the cybersecurity workforce ecosystem. So, the Business Roundtable, it launched its Cybersecurity Workforce Corporate Initiative
Starting point is 00:04:04 in December of 2022. But recently, with coordination from members and inputs from experts at the Department of Commerce's National Initiative for Cybersecurity Education and others, you recently released a cybersecurity workforce playbook to help employers create entry-level points to cybersecurity careers and strengthen talent pipelines across those various industries and sectors. So Erin, thank you so much for joining to chat with us about this study and some of the other work that Business Roundtable is doing in workforce and cyber workforce specifically. Thanks so much. It's great to be here today. Before we dive into the study, can you share a bit about what inspired Business Roundtable to create this initiative in the first place?
Starting point is 00:04:52 Yeah, absolutely. And I think sort of stepping back, it helps to understand the context of the Roundtable and what we're all about and why that led us to focus on cybersecurity workforce. So BRT is an association of more than 200 CEOs of large U.S.-based companies. And these CEOs lead companies that support one in four American jobs and drive nearly a quarter of our GDP. And they develop and they advocate for policies to try to promote a thriving U.S. economy, but also expand opportunity. And we believe those two things go hand in hand. But in addition to policy, the CEOs and their teams work together on practice. They want to solve workforce challenges that to some extent are within their control to solve. There are things that they can do in thinking about the talent lifecycle, how they hire, promote, and retain talent that they can control, you know,
Starting point is 00:05:45 aside from policy. And so that's sort of what we do is we think about ways that the companies can come together to solve these common challenges. And, you know, certainly cybersecurity is a field with tremendous workforce challenges. You know, whether given the day it could be 700,000 open roles or 500,000 open roles, it almost doesn't matter how many hundreds of thousands of open roles. Every open role is a risk, not just to business operations, but to national security, to overall economic competitiveness. And this is an issue that matters for every company, not just technology companies, but for retailers, manufacturers, energy, transportation, airlines, you know, infrastructure, so much more. And so our members really care about this workforce shortage, not just for themselves, but for the broader communities in which they operate, for their supply chains. Recognizing that if they can't fill a role, it's highly likely that a local school district, hospital system, energy infrastructure utility, they can't fill a cybersecurity role.
Starting point is 00:06:44 So they wanted to come together and say, what are we seeing that's working to solve these workforce challenges? How can we create more entry points to cybersecurity careers? Because these are great careers that pay well and create opportunity. How can we create more entry points to those careers for not just for talent that we consume, but talent that will support the nation's security infrastructure as well. So that was really what was behind kind of launching this effort. One of the things that I know struck me immediately in learning about the effort, but also seeing it borne out in this study is I have gone on record for years now,
Starting point is 00:07:20 kind of pointing the finger at the private sector saying, there is this false expectation that the industry is somehow supposed to create these people and that the private sector will just absorb them. And so to see this concerted commitment to know, like we want to be part of the solution here and here's what we can do to actually internally help make that change in workforce is just such a, that's such a step in the right direction, in my opinion. So it's really exciting to see so many large-scale companies who have the
Starting point is 00:07:53 ability to like push that needle forward to come together and commit to doing that. Absolutely. And I think, you know, so many of them realize we can't have a chief information security officer in two years if we don't have more entry-level staff today. And so this need will only continue to grow. You know, I don't have to repeat the number of threats that you see in the news almost every day. And so recognizing that this is a cybersecurity is a critical skill. It's not a need that's going to go away anytime soon. We have to create a pipeline that
Starting point is 00:08:25 serves that need today and tomorrow. And not just a pipeline, but we're increasingly talking about pathways. This idea that a pipeline is one narrow line, but pathways, there are multiple pathways into the cybersecurity workforce. And that's really what this playbook document codified, was the companies sort of coming together to recognize that there are many pathways into cyber. Yeah. One of the things that I know comes up a lot when people discuss this issue is, you know, is it a talent or a workforce gap or is it an experience gap? And you just pointed out, rightly so, that you can't make the numbers work. The math doesn't work in supply and demand if you're not willing to grow someone from entry level or a mid-level role into those senior roles. You can't create overnight experience.
Starting point is 00:09:15 And so what are the discussions that you all have been having or what was reflected in the playbook as we start to get into that conversation? How are your members thinking about that kind of reality where you have to invest in some entry level or other pipeline entry points of talent in this field? Yeah, absolutely. I think there's some of things that employers can control. There's some things they can't control in the world, but we wanted to look at those elements that an employer could control. So they can look at what are they requiring for cybersecurity roles at all levels of the organization. And we identified a couple of, you know, potential barriers requiring a college degree when two-thirds of American adults don't
Starting point is 00:09:58 have a college degree. And some studies of cyber hiring managers have said, hey, the degree doesn't necessarily translate to your ability to perform as a cybersecurity professional. So looking at degrees, understanding what types of degrees are necessary, where and when. Also looking at certifications, you know, cybersecurity is a field that where jobs often demand certifications at much higher rates than other IT professions. And so, you know, for example, hearing anecdotes of entry, supposed entry-level roles requiring a CISSP, which you can't receive unless you can't even sit for unless you've been in the industry for five years. So things like that, really looking at degree requirements and certifications, but then also thinking about experience and recognizing that, you know, for an entry-level role, by definition, that individual may not have experience in cybersecurity.
Starting point is 00:10:48 So what can employers do to overcome those challenges? Certainly, they can strip some of those requirements out of job descriptions, but they can also look to bridge those gaps for individuals. So we have some companies who are saying, hey, come in with an English degree, some aptitude and interest in cybersecurity. We'll help provide some of the hands-on keyboard technical training, you know, for you to skill yourself into a cybersecurity field. Or maybe, hey, we want to give college students or two-year students or students in a nonprofit training provider program some hands-on keyboard experience who will support a cybersecurity challenge or competition, you know, ways to help bridge some of those gaps for the workforce at different stages.
Starting point is 00:11:31 So that's really the kind of conversation we've been having. Right, which is really interesting because there is truly a gap between the formal or informal education someone might receive or even the training they get. And there's a difference between that and being job ready. And I think what you're describing is how do we create a job ready cybersecurity workforce, not necessarily just a pipeline of people who have cybersecurity expertise. Yeah, really well said. And job readiness is partly on the job seeker, but it's also partly on the employer. And our employers recognize that,
Starting point is 00:12:05 and they are large employers, and they do a lot of learning and development programs. And so they're increasingly willing to lean in and say, you know, if someone comes in, again, with interest and aptitude, can I help provide them with that additional skill set? And we had a really interesting conversation one day among sort of 10 companies about this problem. And someone said, we don't expect almost any other role, someone to show up ready 100% hit the ground running on day one. When I think about my first day of the Business Roundtable, I was still, you know, trying to find my way down the hall to the office, right? So I wasn't job ready on day one.
Starting point is 00:12:40 So why would we have that expectation for cybersecurity professionals? Even though, of course, you know, the risk is high. And we know that there is a real risk. If you don't have people with the right skills, it's a business risk and a security risk. But I think there's a willingness to say, how can we help that person get more ready for the role once they're in the door with, you know, 80% of what they need? Yeah. Veering away from the study for a second, what do you think has kind of spurred this kind of mass recognition upon employers at this point? Is it like what in the set and setting of this particular time and moment that there's this recognition of we have to come to the table and help the workforce become job ready here too?
Starting point is 00:13:22 I think stepping back, you know, we're at the landscape right now of consistently record low unemployment for year over year. So that means there's not as many people who are looking for work who can't find it. We're just overall across industries, a smaller pool, whether we're talking about healthcare or infrastructure or, you know, welding or any other sort of discipline. So we see this as a labor shortage. And I think in a labor shortage, companies are, and just employers in general, public and private sector, they're more willing to get creative and experiment. And so there's sort of a supply side problem across the board.
Starting point is 00:13:59 Alongside that, over recent years, employers have been getting more creative. The skills-first hiring movement is several years old now. This idea that we hire and promote for skills rather than for years of experience or degrees. There's a willingness to explore new populations who historically have been overlooked or kept out of the workforce, like individuals with criminal records or others. So I think there's sort of this movement of employers increasingly recognizing how they have to grow talent pools alongside just the reality of a labor shortage. Now, that's sort of generic workforce writ large. How about cybersecurity? You know, Change Healthcare breach.
Starting point is 00:14:35 Like, there are so many incidents that just continue to increase. And while, you know, we get really excited about the potential of new technologies like generative AI and the potential to make the workforce productive. We also recognize that that creates more threats. And so I think our employers, again, they see this landscape, they see the threat landscape changing, and they're just more willing to be creative and experiment and are seeing great results, by the way. It's not that they're experimenting. It's not paying off. They're seeing great results as far as bringing in new folks, bringing in more diversity of individuals from different backgrounds. And these are individuals who are then staying with the company and contributing
Starting point is 00:15:12 year over year. We'll be right back.
Starting point is 00:16:09 You touch on in the playbook some of the more, like, more widely applicable recommendations that other employers can use
Starting point is 00:17:26 if they're dedicated to really trying to make an employer-focused dent in the cybersecurity workforce kind of shortage. What are some of those main takeaways in particular that you guys found in your kind of committees and results that made its way into this playbook if someone else is looking at their company to really implement a job-ready program for cyber workforce? You know, it really starts with taking a look at the suite of roles and breaking them down into the knowledge, skills, and abilities required to be effective. And a number of our companies have used the NICE framework, the NICE cybersecurity workforce framework, as one sort of taxonomy of skills,
Starting point is 00:18:08 basically just a way to bucket the types of jobs, the types of roles, the types of skills. So when you break down jobs into that, then you can start to get a little more creative in how you map that. And lots of folks have been really strong in this. JPMorgan Chase has done this. Leidos has done this.
Starting point is 00:18:23 Guardian Life Insurance. I'm just naming a few from across industries that sort of started with, let's just step back and understand what are the roles, what are the skills and knowledge needed, and let's consider removing some of those degree and certification requirements. So that's sort of step one is looking at the workforce. But then there's this opportunity to really try a suite of practices. And I'd say there is no one practice that if you just do this, you'll solve your shortage. Rather, it's a holistic approach. And Guardian, under the leadership of CEO Andrew McMahon, has been a real champion for this. And in part that, you know,
Starting point is 00:18:56 they're a 150-year-old insurance company. They have a lot of data. They have a lot of data that they want to keep secure. And so they've thought sort of 360 degrees about their cyber workforce program. They've thought about the degree requirements. They've thought about innovative hiring partnerships with nonprofit training providers like NPower. They've thought about partnerships with HBCUs, with community colleges. They're offering students work-based learning who are in four-year programs, but then they're looking inside their company and they're providing employees with opportunities to grow technical skills on internal platforms, to do gig assignments and rotations, to try and experiment and grow. I think that's the sort of
Starting point is 00:19:36 strategy that, you know, ultimately more of our employers are starting to embrace that they can't just do one thing. It's sort of multiple things at play at once that help them really solve their workforce challenge. Oh, it's incredible. You know, taking that on the side, because a lot of listeners are certainly employees and represent companies, but there's also a fair amount of individuals who are looking to either enter the field or, you know, progress in their own fields. What do you think is the impact that this could have on that supply population? Like, is this, do you think this will actually create a more even-keeled opportunity for folks to actually enter the cybersecurity field or
Starting point is 00:20:17 profession if that's something they're interested in doing? Well, certainly we'd like to think so. You know, we hope that employers, and not just really large employers or Business Roundtable members, but all employers sort of embrace a more sort of creative approach to workforce. You could be a career changer. You could be a mid-career professional who wants to move into this high-growth occupation. And maybe you see an opportunity for yourself because you recognize, hey, you know, Visa, for example, is partnering with a local community college here in the Northern Virginia region for a payments processing credential. So maybe I can get that credential alongside my cyber certificate and transition into this high-growth field. Or maybe I'm a transitioning military veteran and I have some technical background, but I have a mission orientation and I can see myself in one of
Starting point is 00:21:14 these fields. So what we're trying to do is just expand the number of people who see themselves in cyber and then create more on-ramps within a given company to that pathway. And I'd say for those who are listening who are currently employed, I mean, a lot of our members are looking at their own workforce. If you understand a company and their brand and their landscape of operations economically, you probably understand the risks they face. So we have examples from Walmart of frontline retail associates who, again, interest and aptitude are able to go through an internal academy training and transition to technology workforce, ultimately to cybersecurity roles, because they understand the brand, they understand retail, they see the risks. And so I think there's a real opportunity as employers increasingly look at their own workforce and say, hey, you're in a role, technical or not, we're going to help provide you with the opportunity to move into this
Starting point is 00:22:08 incredibly critical position for our company. Yeah. Well, and what's so powerful about that from my perspective is if you start with that kind of data-first driven understanding of, hey, what are our roles for our company? And then where do we have, like, where's our needs? And then what do we have today? Then the doors of possibility of kind of how you want to solve that, frankly, do become very specific and unique to that company, their culture, their risk profile, that threat landscape, the way that they kind of view themselves. Like, you know, there are some retailers like Walmart that are very invested in and take a lot of pride in the cashier to executive, you know, model. So that can fit very well. That might look totally different than,
Starting point is 00:22:55 you know, what a financial services, you know, company is going to do. Like you can make those decisions. They're not a one, it's not a one size fit all. And I think that one thing that stuck out to me in the report is it's accounting for that. Know where you are and where you're going first, and then decide what programs or things you want to put in place to help you get there. Absolutely. And a number of our member companies are providing this type of training opportunity, not just to their own employees, but to the field. So Cisco, CEO Chuck Robbins is chair of the Business Roundtable. And Cisco has a nearly 20 year track record of their networking academy,
Starting point is 00:23:31 which skills millions of people nationwide. And 95% of the learners on that platform leave that training opportunity all online with either a job or a step towards another educational opportunity. So, you know, in IBM, same type of idea with their SkillsBuild platform. So these are also open platforms that provide learners with no cost or low cost learning opportunities to help, you know, augment their skills and maybe even say, hey, is this kind of field of interest to me? Is this
Starting point is 00:24:00 something that I might want to move into? Yeah. One of the other things that stuck out to me towards the end of the report was a bullet that advised other companies to provide the time and the training resources to enable the staff that they have, whether IT or otherwise, to transition to cybersecurity roles. And I think that that's such a kind of powerful conclusion to come to as you think about the economic realities, and my kind of question to you on that is, you know, my interpretation was, oh, that's like an economic recognition that there is an incentive and advantage from a, it makes business sense to create that time and investment as opposed to, like, paying for the talent or expecting it to come in. Is that, am I reaching too far there or did I make the right read between
Starting point is 00:24:49 the lines? Yeah, I think that is a right read between the lines. It's a reality of, look, either we go out to the market and try to purchase the talent off the open market, which by the way, we already talked about supply, wage premiums, et cetera. Maybe I can't even afford talent. Maybe we keep poaching the same people from each other. Or I invest internally. And that return on investment is incredible, particularly if you're thinking about retention and turnover costs. Our businesses, they want to keep their great employees. They want to keep them. And cybersecurity does have a retention challenge. So some of this is about your existing professionals
Starting point is 00:25:29 and providing them with opportunities to learn new skills, to practice new skills, to take on new roles. Hey, I'm in the SOC today. I want to try some kind of analysis tomorrow. I want to go into governance. It's providing those opportunities to keep your existing cyber employees,
Starting point is 00:25:43 but also then recognizing the payoff is huge to just invest internally in workers and, you know, give them, no matter where they are within the company, the opportunity to grow their skills. Because that just, again, that definitely pays off in the end. You mentioned at the very beginning that many of your members have leaned in the NICE framework and the NICE cybersecurity workforce framework to inform the way that they've kind of done their inventories on this. And I believe that Business Roundtable, as well as some of your members, will be working and representing your interests at the upcoming NICE conference. But can you share a
Starting point is 00:26:23 little bit more about how Business Roundtable, your membership and NICE are working together to kind of jointly tackle this? Yeah, absolutely. We have a number of member company staff from whether human resources or cybersecurity leaders who are engaged within various NICE committees
Starting point is 00:26:41 and initiatives, whether it's about apprenticeships or work-based learning opportunities or talent management. So they're really trying to inform from a private sector perspective some of what the great work and resources that NICE is producing. But for the conference itself, we're very excited. We have a workshop on day one where
Starting point is 00:26:57 Business Roundtable members will come together, senior leaders from cybersecurity and human resources, to share more real-life examples. I've just given you a flavor, but there are many more about what's in the playbook. So it's a chance to kind of dive in, speak with business leaders and learn more about what they're doing. And hopefully they can learn from the audience and from each other.
Starting point is 00:27:20 So we have a pre-conference workshop. We're also very excited that the head of cybersecurity, the chief information security officer for United Airlines, Deneen DeFiore, will be giving a keynote talk at the conference. And Deneen calls herself sort of the accidental cyber executive. She has a great story. And United, again, a great company. The United Airlines CEO, Scott Kirby, is the chair of our Educational Workforce Policy Committee. And so we're really excited to be able to have her share some insights. There will be other members throughout the conference, but it's just a way we feel like, look, this is an all hands on deck problem.
Starting point is 00:27:57 The conference this year, the theme is around partnership across the ecosystem, which means business, public sector, nonprofits, education at all levels coming together to solve this problem across sectors because it can't just be on any one of us. It has to be all of us, you know, working together to solve the problem. Well, really looking forward to the workshop coming up here in June,
Starting point is 00:28:20 as well as Deneen's keynote. And we're going to have an opportunity to chat with her coming up soon as well. So Erin, thank you so much for joining me today and really looking forward to seeing where this goes with Business Roundtable and all of your members. Excellent. And I'd be remiss if I didn't end with a quick plug for the playbook. You can access it at our website, brt.org. Encourage you to dive in, share it, let me know what you think. We'd love to continue this conversation.
Starting point is 00:28:49 Thanks so much. That's our special edition N2K Cyber Wire program. Thank you all for joining us. And thanks to our special guest, Erin White, for sharing their experience and insights. Remember, N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf.
Starting point is 00:29:26 Our executive editor is Peter Kilpe. And I'm Liz Stokes. Thanks for listening. We'll see you back here soon.
