CyberWire Daily - Solution Spotlight: Progress on the National Cyber Workforce and Education Strategy. [Special Edition]
Episode Date: June 28, 2024
On this Solution Spotlight, guest Seeyew Mo, Assistant National Cyber Director, Office of the National Cyber Director at the White House, shares the nuances of the White House's skills-based approach (and how it's not only about hiring) with N2K President Simone Petrella. Seeyew shares a progress report on the National Cyber Workforce and Education Strategy nearly one year out. For more information, you can visit the press release: National Cyber Director Encourages Adoption of Skill-Based Hiring to Connect Americans to Good-Paying Cyber Jobs. The progress report Seeyew and Simone discuss can be found here: National Cyber Workforce and Education Strategy: Initial Stages of Implementation.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
... of the National Cyber Director at the White House.
Our own N2K President Simone Petrella recently caught up with Seeyew Mo.
Here's their conversation.
All right. Well, I am so thrilled to have Seeyew Mo from the White House here today.
And for context for everyone listening, in July of 2023, so just about last year this time,
ONCD, the Office of the National Cyber Director, put out the National Cyber Workforce and Education Strategy.
So, Seeyew, to kick things off, we're about a year in.
How are we doing on progress on the strategy?
Well, good to see you, Simone.
I really admire your work.
I've been following your work for quite some time now.
So I really appreciate being here. I'll take the compliment every time.
Well, I really appreciate the opportunity
to kind of talk about what we're trying to do here
at the White House on cyber workforce and education.
And you were right, time flies.
I mean, the strategy has been out for almost a year,
not quite.
And we are really excited to kind of give
like a progress report about what we're doing, how we're doing.
But I can't stress enough that I say this all the time.
I want to be repeating again is that the White House Office of National Cyber Director, ONCD, is not the first office that is trying to solve the cyber workforce and education issue.
A lot of people have been doing a lot of good work throughout the years. So I just want to stress that we're not the only ones,
and we're not doing this alone. It's just always good to start off by acknowledging
all the good that's been done, and then talk about how we can collectively move everything
forward together. So I think one of the things that I'd love to sort of kick off on is that there is,
you know, a progress report that you are all looking to release here in the coming days.
Can you tell us a little bit about what we can expect to see as that report becomes public?
Yes. Yeah, for sure. The report essentially reaffirms that the foundation of solving the National
Cyber Workforce and Education issue is sort of like, it takes all of us. We are talking about
what we are doing as part of the National Cyber Workforce and Education Strategy,
which I will call, it's a mouthful, which I will call the strategy from now on.
So what the strategy is prescribing is that there are three broad issues in what we're facing today.
Not enough Americans are considering a career in cyber or cybersecurity.
They either don't see someone like them in the field, or they don't know anyone who are in the field or they always assume that it's a narrow and technical role.
Like, you know, there's the old cliche of like the guy in a hoodie, you know, hacking and defending in the dark room kind of thing.
Right. So that's one issue. And the second issue is training and education opportunities have not been able to keep up with the demand, right?
So that's the second issue.
And the third issue is the idea that we don't have enough locally driven collaboration to connect people to jobs,
connect people to training, or provide wraparound services so that workers can get the support that they need to actually pursue a cyber career.
So what you will see in this report is sort of like a narrative on some of the progress
that we have made on all of these three areas, right?
I can go into more detail later on, but just to sort of like frame the conversation here
is that, you know, from the federal government standpoint, ONCD is coordinating with 34 other federal agencies so that we are all doing this collectively. And then we are also
working with non-federal government organizations, right, like private sector employers,
academia, state, local, and territorial governments to actually move the ball forward together.
And we have commitments from over 100 organizations.
So I can go into a little bit more detail,
but what folks should see is some progress
on those three broad areas,
and then a narrative on what are some of the priorities
that we have in the future in regarding to those three
areas. One of the things, and Seeyew, you know, this is very near and dear to my heart, but from the
spring, there's been a lot of releases coming out of the White House and then subsequent reporting
on the emphasis on a skills-based approach for employers, but also the federal government. And I was hoping you could sort of provide
a bit of explanation and clarification
on what does it mean to do a skills-based approach in cyber?
And what does that mean from an ONCD perspective?
Sure.
Yeah, I think many of us always relate
a skills-based approach to only skills-based hiring, right?
I think I want to kind of put a stop to this and say, hey, it's actually more than hiring.
But oftentimes, the work starts at hiring, right?
Because when we think about skill-based approaches, we have to think about the skills that are necessary to do a particular job, which lends itself to changes and updates in a job description, for example.
It lends itself to changes in qualifications, right, and all these different things.
But what I want to kind of take a step back is to sort of ask the question, okay, why are we doing skills-based, right? The reality is a lot of Americans have certain skills and they have
acquired either from a job or from a training, but they might not have an official certification
or degree, right? So when you focus on skills, what we're doing is that we are making sure that
we are removing and lowering the barriers without lowering the standards.
Right?
So that allows us to actually build the best team possible to achieve the mission that we want.
And that makes a lot of sense.
I mean, it makes a lot of sense because, you know, if you don't have that understanding of your requirements to begin with,
how do you actually start the process,
continue the process?
Like you can't implement it for anyone without doing that sort of foundational workload.
That's right.
So when we think about skills-based approach,
it has to start from the very top, right?
From a strategic level about
what are the skills that we need
to accomplish the mission?
And let's figure out who, you know,
what level of employees and, you know, that has, like what kind of role should have what skills, right?
So that, we believe, gives you a more flexible way of thinking about talent and the pipeline, right?
So now, we're not going to get there right away, right?
And I think, you know,
and I totally understand it.
As you're trying to promote skill-based approaches
all across the country,
we realize that the federal government
has to lead by example.
And as you know, Simone,
like making changes
in federal government is difficult,
but there are areas
when we kind of get
a lot of people together.
And that's why we, you know,
worked with Office
of Personnel Management, OPM,
and Office of Management
and Budget, OMB,
and our 34 other federal agencies to sort of like, hey, but there's a way for us to sort of get going,
right? Get as much of the processes converted to skill-based approach. Let's do it. And that's
what we announced in April of this year at the White House Convening for Good Paying Meaningful Jobs in Cyber is than 60% of cyber workers in the federal government
is covered under the 2210 information technology management series.
So what we have decided collectively is the administration will modernize the 2210 occupation
series into skill-based approaches, right? So that means, you know,
we're going to try to go as far as we can,
right, starting from
minimum qualifications, right,
looking at roles and all these different things,
right? Now, I don't want to sort of
prejudge the
actual outcome, you know,
but to know that, you know,
it's more than just hiring, it's the whole approach
itself, right?
And the staffers are currently working really hard
because we have a deadline of getting this done
by the summer of 2025, right?
But I hope folks will see a lot of the,
we're trying to adopt a lot of best practices.
OPM is talking to the interagency.
We are talking to interagency
as we try to set this up.
You know, given the deadline
that's coming up for summer of 2025,
you know, just to maybe dispel
any concerns that anyone listening would have,
that obviously sounds like a big deadline.
But what's the volume of job descriptions
that we're talking about here?
Just because I want to kind of
be able to make clear to an audience that, you know, it might not necessarily take you a year, even though the
federal government for, you know, 100,000 docu-patient series positions. Well, what I
will point out is a lot of all this work are ongoing right and this is just like the
culmination of it and
it's what I would say about
you know about that and then like
for those who are listening
when you're making policy changes
like that we have to remember this is you know
people's livelihood, right?
and like you know we want to
do it right we don't want to
rush we don't want to rush it and we want to make sure that we follow the processes that we have in place. And then also, we're, right, like the takeaway here is if an organization as large as the federal government is willing to do this, right, I think all of us, right, organizations big or small all across the country, not just in Washington, D.C. or the tech capitals around the country.
My hope is everyone kind of comes together to really look at how they can take advantage
of the benefits of skill-based approaches
and provide, right?
Think about the business objectives that you have,
the mission that your organization is trying to deliver.
Think about the skills that you need
as you come up with a workforce strategy, like a
talent plan that you have.
And then, so I think about
how you can kind of create a pipeline
set up for like the
workforce mixture that
you need, right? Like not everyone has, you know,
not everyone has to have, you know, not
everyone has to be the most senior and technical
person. It might be like, you know,
a mix, a combination
of some senior and entry level, right?
So I feel like when you start thinking about skills
in that sense,
that opens up how you think about your workforce
and then in turn,
change how you'll go about recruiting
and retention,
reskilling and upskilling, right?
So that's like the key thing here
that we're trying to push for is,
yes, it's more than just about
removing a degree requirement, right?
I happen to believe that degrees are extremely helpful.
And, you know, I have a degree myself.
This is more about how can we take a more agile approach
in thinking about skills and talent and workforce.
And the benefit is it opens up pathways for more folks
who might not have the right technical degree.
You know, like Simone, you and I,
we've seen some of these famous or popular cyber people.
They are like philosophy majors or like music musicians.
So, you know, if you think about like, hey, we need, you know, CS degree only,
then you kind of miss out on all this other talent, right? That's what we're pushing for.
I mean, I just want to like emphasize what you said right at the beginning. I think the takeaway
is if the federal government can embark and sort of lead truly by example as the largest employer in the United States,
then we should be able to do it in our own organizations too
and take that step and invest in it.
Yeah.
And then if you look at the way the federal government in defense,
so here's the second takeaway for everybody, right?
As the federal government and the Biden-Harris administration is making
tons of investments across
the country, right?
Across, you know, CHIPS and Science Bill,
Inflation Reduction Act, right?
And the bipartisan
infrastructure law, right?
Just know that,
you know, we also have complementary
efforts to make sure that
the American workers, right, the workforce are equipped to actually deliver on those investments.
And as part of that mixture, what we have done in the implementation strategy is to align cyber workforce and education needs with all these investments, right?
When you think about it, right?
As the world's getting more digitized,
if we're making an investment into like clean energy, right?
Battery manufacturing,
we're going to need cyber folks to help protect those manufacturing plants.
We're going to need, you know,
we're thinking about charging stations.
We're going to need cyber security
in charging stations, right?
Same thing with CHIPS and Science.
Same thing with, you know,
building a new wing in an airport. It will be
cyber consideration, right?
So as part of that,
ONCD is
working in integrating and aligning
this workforce strategy with all these
other workforce efforts that we see
from the federal government. And
a couple of things I would point out,
to go on the skill-based approaches
that we talk about is,
you know,
the Biden-Harris administration
has invested about $440 million
in registered apprenticeship.
Now, not all $440 million
is for cybersecurity.
It's also for like, you know,
all these other high demand
and demand industries.
But cybersecurity
is one of the categories
that we are pushing for, right?
And that type of on-the-job learning, right,
on-the-job training
in which workers can earn and learn at the same time.
And that's just like a variation
of how we can provide quality pathways,
but also another way to think about skills.
Because when you think about skills,
then you realize, wait a minute, there are some skills that I really need when somebody starts
working, and then there are some skills that I can help develop once they join the organization.
We'll be right back.
One of the disconnects and challenges that, you know, I see and we see in some of our work,
and I think the apprenticeships are like a great example of it, is we've started to make real
progress on the entry-level side, you know, and we had some recent data that was released
out of CyberSeek that shows that we've actually, for the first time, started to see a surplus
in entry-level candidates. But, you know, is that because we've actually created
more entry-level candidates
or are we actually not providing them enough opportunity
to get into those jobs?
And so-
We ought to ask that question, right?
Because, no, that's the missing middle,
what we call it the missing middle issue here
in the White House.
And so I just want to kind of point out,
I want to thank
Lightcast for
releasing that report
because
and you will see in our
initial implementation
report that is coming out
is that
Lightcast made a commitment to
the White House that they will be creating this
ill support as part of their support of um the strategy right so that's by the way i just want
to kind of make sure they get the call out because that's one example of you know the government
cannot do it alone it takes all of us and in this case we made a very deliberate approach
when we release the strategy to know like hey, we do need more metrics.
We do need to know more why there are folks who have certifications and yet they haven't been able to get connected to a good pathway into a job yet.
So kudos to Lightcast for delivering on the talent report for all of us, for the benefit of the whole ecosystem.
So I appreciate that.
Now back to the original sort of like what you were saying, like, hey,
we have to ask the question, are we creating so much more candidates for entry level now?
Or are we artificially changing the work roles to sort of say, hey, we actually need, instead of one person with, I don't know,
two to five to eight years of experience
with this skill,
and then everyone is going
for that small pool of candidates.
And this is what I tell companies
all the time, or I know that all the employers,
private and public, is that
the entry-level
employees today
is the senior technical employees of the future.
If we do not continue to grow
and develop our entry-level employees,
then the missing middle problem that we have,
right, it will continue to grow.
So you kind of have to think about,
you know, you have to kind of balance like what you need today and also what you need two to five years from now
because you can already see what the trend line is, where the thing's gonna go. So what we want to
push with skills-based hiring and approaches is like, do you consider changing maybe your entry-level roles, right?
Should you kind of move your roles,
be more flexible
in how you think about your roles
so that there's a way for you
to get more of these entry-level folks,
there's a pathway for them
to get new skills,
then they become the next-level
senior talent that you need.
And then also perhaps
you need to kind of reassess
your current senior talent role right
are they doing too much you know are they um is it reasonable right are you looking for the unicorn
right which you know based on data so far seems like by and large companies are looking for that
unicorn right because we see this is like because you know the fact that people are getting paid
a lot of compensation to move from like one sector another, that's a proof point right there that after someone hits that two to five year experience mark, they get recruited to everywhere else.
That's a sign for companies to be like, okay, we need to rethink this.
And we think skill-based approach is the way to do it, coupled with things like registered apprenticeships, cyber clinics, right? All these other stuff that we're doing to get more hands-on
learning. But there's also a limitation on those programs, right? In terms of like
those hands-on approaches we can do to get folks to the level that you need.
On that skills-based approach, I wanted to also emphasize something you just said, because Rick Howard and I have this theory about how cybersecurity is actually, we're at the beginning parts of the analogy to Moneyball, when the Oakland A's baseball team had to field a team with a budget that was significantly less than the best teams in the world, like the Yankees. And so you can't buy your unicorns at that point. In fact,
they lost all their unicorns, their A players. And, you know, in cybersecurity, I think that
the kind of the challenge that companies often struggle with are, you know, they're not all
fielding the same amount of players. And so the positions are all slightly differently defined if
you like break down the skills, but we sometimes forget that has to then get tied to their business
objectives. And that's an opportunity that we have. Because then you can say,
what are the skills I need for my business objectives? How many people am I actually
creating to actually build out this capability? Now let me think about how I can actually fill
those with talent that either is in the pipeline, is existent in my workforce that I have to upskill, whatever else it may be.
And that's the opportunity, right? I know we talk about the hundreds of thousands of open
jobs right now. They're like, I don't know, tens of thousands in manufacturing, tens of thousands
in healthcare, tens of thousands in utilities, right? The opportunity here is if you
do those analysis of what you need
for your sector, that's
the competitive advantage right there because
then you can kind of put the mixture together,
right? Perhaps you don't need
the sort of like super senior
pen tester that
some sectors might need. Yeah. You know, depending on your sector.
But there are some skills from pen testing
that perhaps you need.
But then you're building up a profile
of the people they are looking for
or a group of people they are looking for
that are not necessarily the same people
that you're competing against.
I think that's why, you know, in our strategy,
we sort of talk about
90% of the jobs
will require
some form of digital skills.
And I think that
you can take that analogy
further by saying
more and more jobs
will require cyber skills.
And even your job,
you know,
let's say you're
like a water utility,
you're like, you know,
a water engineer or whatever.
There might not be a cyber in your title or your job description, but we think that you will have to do some of those work.
On the flip side, it's like software engineer.
You're not a cyber engineer, a software engineer, but you get what the you get, you know, like what the National Cyber Security Strategy
was saying,
like we need to build
more resilient,
secure stuff.
So in this way,
like software engineer
is, well,
they're not cyber
security focused people.
They can start doing
things that are more
resilient as well, right?
Calling things
that are more resilient.
So you can see
a lot of all these
analogies everywhere.
I think that's it, right?
Like when you think about
the key point, like the key point
of what we're trying to do here, and you see this in this recording,
the administration is taking a
coordinated approach, a whole-of-nation approach
because these jobs
exist in all different sectors,
not all in technical or not
technical in the way that you envision it. They're technical
to be in a water utility technical,
right, or energy pipeline technical work there,
but they're not the guy in the hoodie anymore.
So that's the headline.
So if that is what's happening,
what are we doing to help?
Well, we're elevating skills-based approaches.
We're leading by example in the federal government.
So you should do it too.
And we're cooperating and partnering
with private sector, academia, local government, nonprofits, all these different organizations to all collectively get there.
Skill-based approaches, hands-on learning.
Think about reading about your work roles.
How are you creating a pipeline and on-ramp
so that we can remove barriers and broaden pathways
for folks to join in?
Then we talk about individual or regional differences, right?
Like a job in Tampa, Florida,
very different from San Antonio, Texas,
very different from Washington, D.C.,
very different from like Boise, Idaho.
So, you know, when you take a locally driven approach,
you think about collectively, what do we need?
What kind of skill sets are necessary in your region?
Then that permits to, at an organization level,
what are the skill sets that I need for my business objectives,
for my mission?
Then it permeates into, oh, what are some of the on-ramps that we can get? Or perhaps I need to partner with my local two-year college or maybe even K-12 school districts to kind of figure out how can we get some of these foundational and basic training so that you have a pipeline of entry
level employees and then you think about oh are we asking too much from our middle or senior level
technical people how do we readjust that and how do i be a part of the training and education
solution right like as company or as employer you you know, should I maybe partner with my
four-year for certification or should I
partner with my trade association
that are collectively on the smaller side? You don't have
resources, you're busy, right?
So perhaps the trade association
has a work stream
that can kind of support all the
smaller players in a way that
is beneficial for everybody. So you
can kind of see the through line of all the skill approaches, but they are emanating
in different ways.
And all we do in the White House is we're convening, we're pushing on the same vision.
But really what we have found is that many of the better solutions, good solutions come
from businesses.
They come from locally driven partnerships, right?
Like, you know, I didn't go
tell, you know,
anybody to kind of merge
water and cyber.
Any one of my team, all the administration,
but some universities
saw the opportunity and they're kind of like forming
it. But what we do is
we are spreading the gospel.
Now, more schools are seeing like, oh, water and cyber.
Interesting.
Every county has like a water treatment plant, you know.
So that's something that is, so that's like the exciting part of the work.
And I hope that like, you know, the people who read our report will see the direction that we're taking and kind of join us in this work.
Since when this is published, the report should be available.
Do you have a placeholder or a link where people can go access that report yet?
Or is it a TBD?
Go to whitehouse.gov forward slash cyber workforce.
That's where you should track all work.
That's where all the commitments live.
That's where all the strategy lives.
And the report will be on there as well.
And then there's also a way for all of you to reach out to us.
If you scroll down to the webpage, there is a form there.
So if you have any ideas that you would like to pursue
or any on your project that you think is very aligned and you want to talk to us about it,
we always look for projects to highlight and elevate just because, you know, other people might be thinking about the same thing.
And if they see an example working in a different region or in a different sector,
they might try to replicate it in their sector or in their region.
And then collectively, we're that much better when we do so.
Awesome.
Well, Seeyew, thank you so much for sharing updates on where things are with ONCD
and the progress of the strategy.
Exciting things to come.
Thank you so much. And for those who are
talking to your friends, make sure that they consider a career in cyber. It's just saying it's
meaningful and then you will be helping defend the nation. Thank you. There you go. Thank you.
That's Seeyew Mo, Assistant National Cyber Director in the Office of the National Cyber
Director at the White House, speaking with our N2K president, Simone Petrella.