Ask us anything: Developing security talent and teams (part 2)

[00:00:01] CS: Welcome to today's episode of the Cyber Work with Infosec podcast. For 12 days in November, Cyber Work is releasing a new episode every single day. In these dozen episodes we'll discuss hiring best practices, career strategies, team development, security awareness essentials, the importance of storytelling in cyber security, and as you'll hear today, we'll answer questions from actual cyber security professionals and newcomers. In episodes four and five we talked about the importance of upskilling and employee engagement and retention and building stronger security teams by training for career progression, not just immediate tasks. For today's episode, the guests of these two episodes; Jessica Amato of Raytheon technologies, Romy Ricafort of Comcast business, Katie Boswell of KPMG Cyber and Jason Jury of Booz Allen Hamilton get together to answer some questions posed to them at our Infosec Inspire online event on September 22nd.

Jessica, Romi, Katie and Jason discussed finding and recruiting new and novice cyber talent, methods of making diversity a robust part of your hiring strategy, some best practices for the always scary process of moving between different career tracks and a lot more. We hope you enjoyed this 30-minute discussion with Jessica, Romy, Katie and Jason along with moderator Jeff Peters. And if you want to learn cyber security or move up the ladder in your career, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills, which is aligned to the work roles knowledge and skill statements in the NICE workforce framework. Be sure to use the code cyberwork when signing up. Details can be found in the episode description below. Catch new episodes of Cyber Work every Monday at 1PM Central time on our YouTube channel or wherever you like to get your podcasts. And without further ado, let's start the show.

[00:01:47] JP: So yeah, let's jump right into it. We have a question that came in during Katie and Jason's session on building stronger teams, career path development strategies. We talked a lot about developing talent, but Jennifer is wanting us to go back one step further. In particular, she's asking about for some insight into how you all are finding and recruiting that cyber pool of talent. So maybe, Katie, we could start with you. Can you talk a little bit about how KPMG is finding new recruits?

[00:02:17] KB: Yeah. So I think a lot of our finding new recruit starts at a campus level by being really engaged with the right schools and the right teams to make sure that we're fielding the right talent with the right skillsets so when they come in and join us they're able to really get rolling outside of our campus team. We rely on a really strong team of recruiters to help us go find those people with the niche skillsets at the particular levels we're looking for.

[00:02:53] JP: Great. And, Jessica, what's your experience like at Raytheon with recruiting?

[00:02:57] JA: So we take on several different avenues there. One very similar to Katie in terms of leveraging our partnerships with our universities and such, but beyond that, we work very closely with our talent acquisition organization to make sure they understand priority and skillsets to ensure that they're sourcing the best talent. And then we look to do invitational events to get kind of wide aperture, exposure for qualified candidates as well as the section managers that align to those in those roles.

So we spend a lot of time making sure that we understand the skillsets we need, the skill level we need. So everything from an intern to a new college higher to a professional hire. And then wherever we can host um virtual events, we find that there's a large lift in being able to look at those in a group fashion.

[00:03:46] JP: Yeah, that leads right into another question that came in during Jessica and Romy’s section, our session earlier today. Emmanuel, he's wondering if Raytheon or Comcast partners with any colleges or universities for internships or other opportunities? And it sounds like you do, Jessica. You brought that up.

[00:04:04] JA: Yep. So we do partner with several uh universities across the entire United States as well as international opportunities. We take on foreign national students that are stuttering here in the US. The best advice I can give on how to pursue or how we pursue that is we typically are posting our internship reps really at the beginning of the year so that all the offers are done and released and out and accepted by April.

So in December, January, if you want to look for intern opportunities, that is the best time to look. We partner with the organizations and often do invitational events for the top candidates. And they feel really special being invited to come apply for either a new college higher position to really start with Raytheon or to start building their service years as an intern early on. That's really kind of our richest pipeline. We can work on clearances and such while they're interns so that by the time their new college hires, they're really seasoned Raytheon technology professionals.

[00:05:04] JP: Yeah. And Romy, do you have any college recruits on your team or any thoughts on how those really help filling your roles and engagement and retention and all that stuff?

[00:05:15] RR: Absolutely. Now, we work with our talent and acquisition teams as well with an internship program. So that way our business is multi-faceted. So it's not just about me and sales engineering and people with technology. Our talent and acquisition people are working with universities for finance, HR, all sorts of different positions where we can start to bring people in early, like Jessica said, to start to get to know the business and figure out, one, if the company is for them and the culture is for them.

Pre-COVID, we were all fighting for the most talented people with outgoing personalities. And so I think with these programs and having those relationships with talent and acquisition with those universities, it's really important, as Jessica said, to be out there early, because people are looking early and they want to make their decision. The best will probably have multiple choices of which internship program they want to take, because I've interviewed some people and I look at what they've done in college and amazed these days about the things that they're able to complete. But yes, it's very important to be able to work with people early on and teach them about your company and your culture and then have them lean into wanting to be partnered.

[00:06:29] JP: Yeah, great. So while we're on the topic of recruiting, we did have a couple questions come in related to diversity and if Booz Allen Hamilton CyberCore, or KPMG Cyber Academy has any built-in programs or initiatives to support building diverse cybersecurity teams. Jason, we can start with you.

[00:06:47] JJ: Sure. So I would say with our CyberCore program, we've been pretty fortunate, because without actually nominating individuals, we've had just over 50% of our participants representing minorities and around 35% representing women in cyber. And so in addition to that, we also have designated cohorts that are sponsored, fully sponsored through our DNI initiatives, and that includes everything from the hiring all the way to building that cyber capacity within the firm.

[00:07:24] JP: Great. And Katie, do you have similar programs or similar initiatives in place for your program?

[00:07:29] KB: Yeah. So I don't have a specific initiative in place. I think that diversity really has to be at the heart of your organization. And it can't be something where you're trying to fit, kind of horseshoe into a situation, right? So I do think that KPMG as an organization is very good at making sure that diversity is a part of everything that we do. And we definitely take that into account when we are looking, when we are working with teams to determine which trainings that we're going to run. We make sure that that's a diverse group of people that we're talking with. So we're getting the input of a diverse group that will also support our broader community. And then also when it comes down to trainings that we might be building internally, making sure that that same diversity flows into those people that are instructing our courses. We all want to see in those people that we're interacting with, right? People who are similar to ourselves. And we want to make sure that we're getting a very diverse group just across the board. So I'm very proud that that's something that's really a part of what we do.

[00:08:41] JP: Yeah. And we have another question here from Neil, who would like some advice on transitioning into his next job as a full stack cyber security professional. That's one of the most common questions we get here at Infosec is people looking to transition into cyber security or transition from company to company or within company into different roles. And everyone seems to have some anxiety around that. So I'm hoping we can spend a few minutes getting to your thoughts around that transition. Romy, maybe we can start with you. Has your team dealt much with people transitioning into a sales engineering role and do you have any advice on job transitions in general?

[00:09:15] RR: Yeah. The biggest advice I give people, and now that we've developed the framework of what each role expertise needs to be. And I there was a breakout session today on some of the cyber security frameworks for jobs that are out there today. The advice I give people is don't wait for somebody to push you to do it, right? What I always tell everybody is if there's a position you want to go after, figure out what that framework is as a company. Me as a leader, I try and build that framework for them. But it's up to you to be ready. And I think I used to the quote earlier with Jessica. It's better to train for an opportunity and not have one than have an opportunity and not be prepared.

So it's up to you as an individual to go through the learnings, to go through the books, to go through the training so that way you have a fundamental understanding of what it is that that role does. Network, work with people who are in the industry to figure out, “Hey, how did you get there? What are the steps that you took?” Because cyber security itself isn't a solo person game, right? It's a team sport and there's always – Everybody on this call I think is looking for teammates to help their companies. And so it's really important for people to network and to start to really figure out what exactly a Booz Allen Hamilton or a KPMG or a Raytheon are looking for. And that way they can start to take the initiative on their own to learn how to be a cybersecurity person or at least be considered for one of those roles.

[00:10:51] JA: And if I could just add three things to that, is that okay?

[00:10:55] JP: Sure.

[00:10:56] JA: So really, Romy and I are definitely – Our organizations are functioning a lot alike, but Raytheon really pushes you to drive your own career. You're in the driver's seat. So there're three key factors you need to know. Just like when you start a car for the first time, there're a few things you need to know to drive that car. Your career is no different. You need to network. So you need to know that early on those first connections you make, that ambassador that helped you first day, that's the first starting foundation of your network. Your network is key to helping you answer those questions.

The second piece to that is Romy said don't wait. Don't wait to be told. Go seek the information. Be hungry and be passionate. And then third is if you see something you think you might like you're not sure and you really want to understand, “Is this the next right run for me?” Go talk to people that are doing it. What do you like? What do you don't like? And then bring that back to your mentor and have that open mentorship conversation to really understand if this is a fit for where you should go and then the rest should be laid out for you curriculum-wise and what things to go study. But you got to answer those first three things before you can go driving your career. And those are the key attributes to really being successful and happy in what you're doing.

[00:12:13] JP: Yeah. And Jason, have you seen anything or any advice in terms of either individuals transitioning or even at like the organization level in terms of how that helps?

[00:12:23] JJ: Yeah. I think this is probably one of the most common questions that I get um, and not just that work. This is from family and friends that know that I work in this field, right? They come over for a meal and I'm not the sales guy, but I'm the L&D guy. But yeah, I think I'll give you a perfect example. We hosted an event called Start a Career in Cyber at Booz Allen, and it was open to everyone, and we had over 300 existing employees that were not aligned to a cyber role raising their hand saying, “I'm really interested.” And these are people who are developers. These are people who are doing like physical security. And so what we realized was that was a way for us to really start to actually help that pipeline. And so we developed different sites that helped them out. But going back to what Jessica and Romy said, the individual really needs to take the initiative. And I always ask people when they say, “I want to get into cyber.” I say, “What role?” And most of the time they don't really have an idea, or it's networking or hacker, and there are so many different roles. And so I always ask them that. And once they say, “Okay, I want to be a sys admin.” “Okay, have you looked up what a day or a night in the life of a sys admin looks like?” We have a lot of those videos on our internal portals, but there's a lot of that out there already. So I just always encourage you to explore, ask questions, which is part of what Jessica said with networking, and really try and answer as many questions as you can before you start knocking on doors and just realize that you could have the certifications. You can have the experience. But if nobody knows that you're that talented, then no one's going to come and knock on your door. So it is really driven by the individual. But yeah, I think it is a very popular and relevant question.

[00:14:22] JP: Yeah. And Katie, do you have any thoughts on transitioning?

[00:14:26] KB: No. This group covered it really well, I think. I mean, if you're not speaking up and telling somebody, “I'm interested in doing this,” then nobody is going to know to help you. And I think looking at it from the lens of the organization, you need to make sure that you have a structure in place that's going to allow people to raise their hands and say, “Hey.” Just like Jason was saying, they had an event that does this, right? If you have in your organization a system that allows people to safely raise their hand and say, “Hey, I've heard about this thing called cyber. I'm really interested in it.” Then you're going to get very strong candidates who already understand your organization, especially if they're already an employee. They understand your organization. They understand what it takes to be successful, their track record as a team member. So it's a really sound investment in your time to then go invest in helping them get the skillsets that they need in order to make that transition, because you'd much rather have them transition to an internal role within your own organization then go, “Well, it's easier to find something externally. I'm going to go answer that email from that recruiter.” So it's a sound investment from that standpoint I think.

[00:15:42] JP: We have another question that came in from Jessica – Or it's from Angelie to Jessica. Angelie wants to know if the cyber security training and upskilling programs at Raytheon that you discuss dovetail at all with any other professional development or engagement initiatives managed by other departments like HR, L&D, and just kind of some general thoughts on how those work together, or I assume they work together?

[00:16:07] JA: Yup. So the alignment is just that. We are directly connected even as part of the DT organization with our HR talent acquisition, diversity and inclusion and other groups across RMD, because it's important that we don't just build programs that support DT. Some folks that start in DT end up as software developers. Folks that are software developers end up in DT. So we do have programs, curriculums and paths like that that do exist. Additionally, for new college hires, we have a learning development program which gives them 18-month rotation in three to four different roles so that they can try out different things as part of that leadership development program.

And so there're multiple avenues to pursue that, but we do have those things laid out and we are in complete partnership with the organizations that help support those so that folks can get a fully-rounded experience to make not only the best of the role that they land in, because now they're taking just not only their training in school and whatnot. They're taking real life experiences in different roles in different parts of the business, which makes them stronger in whatever funnel positions they end up in. So the leadership development program is one avenue. And really, that open discussion with your boss on where you want to go. Are you on a technical track? So we track the talent pipeline on understanding who's got to track and interested in leadership and what's that look like versus ones that want to be fellows, and what's that look like from a technical perspective versus a leadership perspective. So we do have those laid out at Raytheon.

[00:17:41] JP: Yeah. We had another question come in around employee feedback, and particularly you were talking about surveys during your sessions. I think during both sessions. And so the question is just they'd like to know more about like how these surveys work and how that really fits into your employee feedback. Is that the best way to get employee feedback? Obviously, it sounds like that's a really important piece in terms of the programs overall. So yeah, Romy, I know you were talking a bit about surveys. Is that your primary method for getting feedback or where does that fit into your program?

[00:18:15] RR: No, it definitely is. It's one that we've worked to an every two-month cadence on checking employee satisfaction. We have an ENPS score. And so that net promoter score is whether or not they recommend, one, our products and services. Two, or would they even recommend Comcast as a place to work. And with that though, they have the ability to provide what we call verbatims or feedback that they'd like to give. And I really, one, we look at the scoring. But the scoring usually trend lines the same depending upon the month and if there's a major change unless you're trending downward and then you'll have to find a way to figure out what's happening. But a lot of that comes from employee feedback. And the feedback is where we really look to make business process improvement, right?

A lot of the things that the echoing that happens between the employees are things that we can improve a lot of times, right? I mean you can't fix systems tools and processes quickly, but you can at least find guardrails or to make things easier for them to do their their work and their job. And it's really important for us as leaders to really listen and lean in instead of look at them and say, “Hey, all right. There's a lot of complaints here.” They're not really complaints. They're ways to actually improve processes for the business and make everybody a lot happier when it comes to being able to eliminate those barriers. So for us, it's important for us. The happy employees have better interactions with our external customers as well. And also happier employees make better connections internally at the same time. So we need to, as leaders, make sure that we're well connected of how our employees are feeling.

[00:19:53] JP: Great. Yeah. And Jason, do you have any advice around getting employee feedback? Whether it's through surveys or other methods that you find the most useful?

[00:20:01] JJ: Yeah, I think it's a mix. We do a lot of real-time feedback during our sessions. We also have a social platform. So in some cases we use Slack or Yammer. And so we're constantly seeking their feedback. It may be through a quick survey. It may be a random call from myself or one of the individuals on my team. But definitely, we take all that feedback in with each cohort that we run and then we slowly evolve and make it better and better with each and every one. So definitely, feedback is very important for us. We capture that a few different ways. We break it down by the boot camps that they've attended and also some of the other events that they attend as well where it might be more of like a fireside chat or career advice or something like that.

[00:20:49] JP: Yeah. And COVID and the pandemic came up during both of your guys' sessions, and we have a question that came in from Jeff. It’s kind of interesting related to that. He's wondering if any of you think that the interest in IT and IT security jobs is increasing due to some people trying to get into a job that can be done remotely rather in person. Yeah, Jessica, I know you a lot of hiring. Do you get the sense that that that's a major driver?

[00:21:17] JA: I have not seen a low, let's put it that way. But also the growth in our business has also driven our seeking. So I’m looking for more people. So folks that are interested in IT and cyber roles, we do have several positions open. But I definitely do have seen a very large uptick on the cyber side of things. And I think that COVID drove some of that. I think the state of our union, our government has also driven that and the realization of what damaging things can be done with that little bit of information. And then how do folks get their hands on it and how do I become a defender of that. So I've definitely seen an uptick. It's probably been more in the cyberspace, but I've also seen an additional interest in learning it in folks that didn't traditionally go to school. They maybe went and got an MBA because they didn't know and now suddenly have an interest in IT.

I think COVID maybe drove some of that, but I think it's also the nature of our world. I mean, we hold little computers in our hands that do everything from navigating from A to B, to doing my banking, to taking phone calls even still and then also being able to check emails from school on the road. So I mean, I think all of those things have really fed into an uptick and there certainly hasn't been a lack of growth from the need side. So not only do we have supply, but we also have demand.

[00:22:43] JP: Yeah. And Katie, have you seen any change in terms of that supply and demand due to the pandemic that's going on?

[00:22:50] KB: Yeah. I think definitely the organizations that we work with at KPMG, they're looking to respond to be able to accommodate their workforces and the needs that they now have. So people who were typically able to go into an office previously to work, now they're trying to figure out ways to do their job remotely. So we definitely see an increased demand in cyber professionals to help solve these problems in a secure manner. So the demand has definitely gone up from that perspective. I don't know that I've seen that demands in positions necessarily go up. I do think though that they're more important than ever, right? That we have the right skillsets to be able to go out and deliver the work that we have. So it's made the learning and development and being able to be agile with our learning and development programs even more important, because we can't just say, “Oh, you know what? Since we can't have that in-person training, we're just going to put that off until the end of COVID,” because we don't know when that is. So it's causing us to have to be agile in conjunction with our clients and make sure that we're able to have the skillsets to deliver the work that the demand is there for.

[00:24:05] JP: Yeah, that's interesting, Jason, what she said, because it seems like this pandemic could go on. I know some companies have already announced like work at home like throughout the coming year. So is that something that you're actively thinking about? If this continues to go on, how you're going to – I don't know, make any changes? Or do anything in response to it?

[00:24:25] JJ: Yeah. So I will say I'm really happy that we actually – Our initial program was blended. It was a little bit of instructor-led and then some virtual, and then we slowly realized that if we wanted to scale our program. And actually, all of our training programs now. We had to convert them to virtual instructor-led. And so we actually had that up and running before COVID came. And what we found is that there have been some improvements that we've made. But definitely, just really continuing to evolve on even like little things like breakout rooms and just becoming more familiar with a lot of the technology that we're using.

I think one of the challenging areas for us is when you start to actually use labs, because having the ability to look over the shoulder of an individual. And we are working with different vendors that offer labs that allow you to do that virtually. But it's just the little things that you don't really think about until you're put into that screen and you say, “Oh my god! How am I going to get this score? How am I going to provide this person with recommendations.” And then there're other things that you have to consider too, like having a producer for your events, because it's unfair to have a facilitator doing everything; managing the chat, also teaching. So yeah, definitely we're continuing to make changes. But happy to say that we had that in place before all this hit us.

[00:26:07] JP: Yeah. And then Romy, as someone who's managing a team of engineers, is there anything that has really changed in the terms of the day-to-day job duties or training or anything like that?

[00:26:19] RR: Yeah. I mean, the three things we focused on as we've made all the decisions since COVID started have been our people first, and then our customers. And then third, making smart business decisions to maintain our trajectory as a business and to remain in the position, a fortunate position that we're in. When we think about what's changed for sales engineering, it is somewhat in the virtual piece. And one of the things, here being Infosec, or being with you, Infosec, the programming that you guys have available from a training perspective is something that our SCs really leaned in on. We have places where their commutes, people's commutes were two and a half, three hours a day to get to their jobs in California or even Houston. And people found the time to be able to now take training and to fulfill like some of that extra time. They weren't just watching Tiger King.

I actually watched the uptick. And Jessica is laughing. But I loved watching the engagement that our employees had in knowing where we're going as a company still. Leaning in into Infosec and security skills training and network training, but also – We also in our breakout session, I talked about LinkedIn learning, and my leadership no longer lets me call it soft skills. They now call it essential skills. But it's learning how to communicate, learning how to present. And it's things that you can start to learn virtually. I love a time when I can visit markets again and really see people up in front of a room and presenting live and in-person versus over a video camera, because you don't always get to see some other things that are happening. But no, we really have leaned to how can we do things virtually. We're still looking at what re-entry looks like into the marketplace at some point, especially with our folks being sales-focused and customers who actually want engagement from our vendors as well. So we're making those decisions and we're not making them haphazardly by any means. And if you focus on your people first, keeping them safe, and then your customers second, I don't think you can really get wrong.

[00:28:35] JP: Great. Yeah, it looks like we're just about out of time. Got a couple minutes left. Seeing that this is the last public session here at Infosec Inspire, I think it's probably good to close on some general takeaways. I know we didn't really get a chance to ask Katie or Jason that during their session. So everyone is obviously always looking for that secret sauce to building a successful program. So what would be the best piece of advice that you've gotten that's helped you with the programs that you manage? Katie, we can start with you. Do you have a nugget of wisdom to share?

[00:29:06] KB: I think make sure that as you're looking to build teams and build learning and development programs that you're engaging your key team members as much as possible. You're engaging those people who are really plugged in to your broader community. Make sure you're asking people's opinions. We talked about surveys a little bit. Get direct feedback. You can't just be thinking about where you as an organization want to go, but you also need to be thinking about where individuals are looking to go with your careers. You can't assume that those are going to be the same things, right? But if you have the right input from both sides of that scale, then you're going to end up on a path that is mutually beneficial, right? And I think that that's been really key for us, and building a program that gets good feedback is – It takes it takes everybody's needs into account, from our customers, to our internal team members, our leadership team members. And that's how we really find a path forward.

[00:30:10] JP: Great. And Jason, I'll let you have the final words. Any advice that's helped you or that you've learned along the way you'd like to share?

[00:30:16] JJ: Sure. So I would say there are so many amazing self-paced options, labs, things that you can assign people. But what I've learned is you can't assign people long, long list of courses. You need that human intervention. They need somebody to talk to. They need somebody to ask questions. They need a mentor. And so I think when you're building a program, you want to have those checks and balances and you want to have a nice variation of practitioners, the L&D folks, the mentors who have gone through the same program. Yeah, I would just say while it's very convenient to assign a lot of self-paced training, just keep that in mind, that people are still required.

[00:31:08] CS: Thanks for checking out this ask us anything episode with Jessica, Romy, Katie and Jason. This marks the conclusion of our series; Developing Security Talents and Teams. Tomorrow we begin our second track all based around security culture and security awareness. You can join us then for our first episode; Storytelling Cyber Security: The Impact of a Great Story, with speaker Sarah Moffat.

Cyber Work with Infosec is produced weekly by Infosec and is aimed at cybersecurity professionals and those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. To claim one free month of our Infosec Skills platform please visit infosecinstitute.com/skills and enter the promo cyberwork, all one word, all small letters, and you can get a free month of security courses, hands-on cyber ranges, skill assessments and certification practice exams for you to try.

Thank you for listening, and I'll see you back here tomorrow for more Cyber Work. Bye for now.