Ask us anything: Developing security talent and teams (part 1)
For twelve days in November, Cyber Work will be releasing a new episode every single day. In these dozen episodes, we'll discuss career strategies, hiring best practices, team development, security awareness essentials, the importance of storytelling in cybersecurity, and answer some questions from real cybersecurity professionals and newcomers.
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
[00:00:00] CS: Welcome to this week's episode of the Cyber Work with Infosec podcast. For the next 12 days in November, Cyber Work is releasing a new episode every single day. In these dozen episodes we'll discuss hiring best practices, career strategies, team development, security awareness essentials, the importance of storytelling in cyber security. And as you'll hear today, we'll answer questions from actual cyber security professionals and newcomers. In episodes one and two, we talked about flipping the talent funnel and using the NICE workforce framework to customize your company's security training.
For today's episode, the guests of these two episodes, namely Danielle Santos, program manager at the National Initiative for Cyber Security Education, aka NICE; Leo Van Duyn, cyber security and technology workforce development strategy at J.P. Morgan Chase; and Karl Sharman, head of cyber solutions and consultancies at Stott and May, get together to answer some questions at our Infosec Inspire Online Event. Danielle, Leo and Karl discussed mentoring as a method to upskill less experienced members of your team, the unseen training cost of employee churn, and a lot more. We hope you enjoy this 30-minute discussion between Danielle, Leo and Karl along with moderator Megan Sawle.
And if you want to learn cyber security, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills, which is aligned to the workforce, knowledge and skill statement in the NICE workforce framework. Be sure to use the code cyberwork when signing up. All the details are in the episode description below. Catch new episodes of Cyber Work every Monday at 1PM Central Time on our YouTube channel or wherever you like to get your podcasts. And now let's start the show.
[00:01:47] MS: So let's go ahead and just get started to make the most of this next 30 minutes. The first question actually came in from Neil, and he is wondering if there are any initiatives from NICE for free open certification programs or scholarships. And Danielle, I know that you've done some work on this. I'll let you take this one.
[00:02:06] DS: Yeah. Thanks, Megan, and thanks for the question. NICE, led by NIST, we don't have any certification programs or training programs ourselves, but we do try to share the word about other programs out there. So one of the things we've created recently is actually a webpage on our site, nist.gov/nice. It's labeled free and low-cost online learning resources. And this is where you'll find a wide variety of free or low-cost courses that can teach you a skill, from general awareness, to very detailed cyber security skills in a certain area of cyber security. We also have another page on our website, our frequently asked questions page, where we talk about scholarships and programs for veterans, either free or low-cost programs that might provide a learning stipend, plus kind of a living stipend. So there are all kinds of resources on there as well. So I encourage you to check out both the free and online learning resource page as well as the FAQ for those.
[00:03:15] MS: Excellent. Thank you, Danielle. And the next question, it’s actually more of a comment, but I thought it was really thoughtful. It comes from Nadia. She dropped a really good comment about developing mentoring programs, specifically in the context to help upskill younger or more junior inexperienced staff people. And so I'm curious if – Karl, you've seen some of the organizations that you work with implementing something like this, kind of taking advantage of some of those more tenured employees to help bring the rest of the team up to speed.
[00:03:48] KS: Yeah. Firstly, I don't know why you wouldn't. I think when we talk about that, that talent shortage, I don't like the term, as we previously said. But I think it's about upskilling. That's huge. And I think development is a huge part of the reason why people stay. And I think ultimately that aids to productivity and aids to performance, which is what people are looking for.
So I think the types of things that we see are the standard, I suppose, older and less experienced or more experienced and less experienced, I should say, people working together. But that doesn't mean that we can't have a collaborative environment where that goes both ways. And secondly on that is why can't you have people at the same level, like the same – With less experienced, you can bounce ideas off each other. Because they're going to be more willing to communicate with each other, because they're on that same level. So they're going to be a little bit more honest. A little bit more talk about their emotions and what they're going through, but also they both come from normally different backgrounds depending on how we're – If we're going down the diversity pathway of where people have come from, their types of education, etc. They have different experiences. So people see things differently. So there are a lot of different benefits, a lot of different ways of doing it. But I do encourage more companies to take this on and really lead with this.
[00:05:09] MS: Yeah, that's excellent. I know here at Infosec, we just started like a brand new initiative to help, you know, women leaders in the company mentor others, because, yeah, you don't need to reinvent all this stuff yourself, right? Talk to other people that are walking in the same shoes as you. Danielle, curious if this is a topic that comes up in any of the NICE working groups or other discussions that you help facilitate.
[00:05:31] DS: Yeah. Before I answer that, I did just want to add too though that in my own organization, it's not always called mentoring right out. We have just a women in STEM community group in our organization. And through that, those kind of organic mentor/mentee relationships develop. And so I think that's a – If you're not able to find the resources to develop a formal mentorship program, you can do something like just a casual get-together group with certain demographic groups within your organization and then see if that kind of works itself out.
But to your actual question about some of the working groups that we have, absolutely. In particular, we have a workforce management public working group as well as a group that focuses on apprenticeships, and both of them quite frequently talk about this notion of reskilling. And especially if we're taking people who are already in the workforce, but maybe not in cyber security and trying to figure out how to best position them to get into a cybersecurity role, mentorship has definitely come up in there. Several organizations out there that are at the top of my head, nonprofits come to mind, that are creating mentorship programs that span across the US so that we can kind of create this bigger pipeline not just within specific organizations. Like you mentioned, you have your mentorship program at Infosec.
[00:07:10] MS: Yeah, excellent. And so this question came in from Josh. I think this is interesting. So Karl, in your session earlier this morning you mentioned the cost of hiring and developing new staff as being a really good reason to like kind of sit down and take a hard look at your recruiting strategies and the way that your team is structured to make sure that you're kind of preventing that churn at any step. And so have you actually – Do you have any cost figures around that? What is the cost of churn at an organization? I'm really curious like what it takes to get someone in the door and ready to go in a new job to be successful.
[00:07:47] KS: I think I mentioned about the level of churn that is in the industry, and I think that's a really scary figure. I think I said to you like the average tenure, let's use incident response where there's high burnout and high churn right now, has collapsed to under the 18-month mark. So that means you've got a limited product or life cycle that you're going to have with these people before they're going to want to look elsewhere, unless you can do something differently. So I think that's the first thing.
I think, secondly, when it comes to costing, is there's a lot of different initiatives that you can do. You can do anything from depth charts and making sure that if someone leaves you have someone ready to go and under, i.e. internally, or identified externally. Or secondly, you can already have these talent pools being built by your talent acquisition team to make sure there's already someone in. And that's going to save you time. And time at the end of the day is money, especially if you're revenue generating or if you're a cost center, depending on how you're seen in the business internally. But I think you do have to be wary of how these costs sit, because if you think about it, you've got that first three months in the business where there's a chance that person is going to be using your time as a hiring manager, but also time taken away from others. And that's really critical. So if you've got to spend a lot of time with this person, that is costing you money. And if there's a cost then to utilizing other people's time or this cost of using agencies or whatever it is, that starts to mount up. So it does change per position. On average, we're seeing costing anywhere between sort of 6 to 16 thousand dollars per replacement right now, but there's potential of that scaling depending on the size of the firm and size of the position.
[00:09:44] LVD: I have something I'd add on if you don't mind. So this doesn't actually – This doesn't deal with the costing piece of it. But when you start talking about churn, one of the ways to reduce cost, as Karl mentioned, is to keep your resources internal and have a pipeline built. So one of the things that we're starting to discover as we analyze our workforce using a common taxonomy approach is where their skillsets are. And because you can leverage that approach across multiple different functions within an organization, once you have those skill profiles built by your employees and you have the expectations of the role defined so that you can look for where their strengths are, where their baseline is and where their areas of opportunity are, you can apply that for mobility options as well. So that employee could look at any other role that has those performance expectation sets and see how their skill profile levels them for another career. So instead of those people in a high-turnover role leaving the company, maybe they can find where their skill sets are better suited in a job that speaks to what they want from a work-life balance perspective. And that in and of itself will reduce cost, because they're already familiar with the company, how you behave, the policies. They've gone through the fundamental training. And you're empowering them to take control over their own career and/or explore the options that your company has at the ready.
[00:11:14] MS: What about the other way around, Leo? Like if you're sort of taking an inventory of all the talent in your organization, can you also apply that approach to fill open cyber security roles from people that are already or may be working at your organization?
[00:11:29] LVD: You could. In theory, if you hire based on the same methodology that you assess against, so if it's apples to apples, you could do it internally or externally. You could have somebody come against your role profile. You could look at their skillset. You could collect their data, even though it would probably be kind of a binary effect, and you could put them against the role that they're interested in and see how they are now.
Now here's the other benefit. I'm sure most of us have interviewed for jobs before, you get a job interview and it doesn't go well and they give you the, “Sorry. You don't meet what we're looking for.” Well, what if that note was then changed saying, “Sorry. We don't think you're fit for this job, but we've applied your skill profile. We think we would like you to apply for these four jobs. Why don't you go and check those out?” If you do that internally or externally, your candidate pool is going to be much more interested in you as a company because you're giving them something that relates back to their profile so they can see themselves working for you maybe in a different capacity. So I agree with you. We're not there yet, but it is an approach that you could take.
[00:12:38] DS: Also, presumably, if you take that same approach, you could – If you're doing an assessment of their skills, you could identify the skills that maybe they're lacking. And then if you've already got that kind of training and pathway model set up, you could say, “Hey, we could put you into this role, but we already know you're going to need to take this training right off the bat to get upskilled into it.”
[00:13:02] MS: Yeah, that's a great point. And I think, Karl, you talk a little bit about this in some of the work that you've done where getting some of this out of the way in the hiring onboarding process just makes that transition to a productive employee way faster. What have you seen working, Karl?
[00:13:18] KS: Yeah. No, I really like that. I really like both points actually. I think it all comes back to what we spoke about, Megan, about processes. Like you have to have your processes aligned before you go out there and search. It can't just be a stab in the dark. It can't be that you need to identify what you have internally then identify where the gaps are and then put a plan in place, and that comes from the interview processes. So how are we going to interview to better identify if this person is the right fit? Because all the time, you're trying to mitigate any risks that go in there and you can't mitigate them all. So you need to put in processes in order to get it to a place where you feel comfortable you're going to hire this person after three or four stages.
And one of those things, to come back to both Leo and Danielle's point, is that you can actually do skill assessments. You can review in terms of culture fit and stuff like that. And if that person is ticking a certain amount of boxes in certain areas, especially around culture, like that is definitely a way that you're going to have to try and work in order maybe we can get this person and train them. And there's so many different things that you can now do to improve this process, but I think it's sitting down with your HR and actually security professionals pushing back to HR and saying, “What are we doing to identify people? What are we doing in our processes to make sure they're having a good experience and we can identify people that, okay, might not be right for us now, but could be right for us in six months if we do A, B and C.” And it's those sorts of conversations that I'm pushing the CSOs and other security professionals to actually go and have that partnership with talent acquisition and HR in order to better prepare for these processes, because that makes everyone's job a little bit easier.
[00:15:06] MS: Yeah, absolutely. So this question could be for any of you three, honestly, and it has to do with how industries are a little bit siloed when it comes to cybersecurity roles and the work that they do. And obviously this is one of the problems that the NICE framework is trying to solve for, right? Like get everybody on the same page, speaking the same language about what it is people do and what they need to be responsible for. So I'm curious if any of you can speak to the trends you're seeing across industries. Is any industry among the early adopters of this? Where are you seeing the most progress? What are you guys seeing out there?
[00:15:43] DS: I'll take a shot first. So maybe two years back now, almost two years, a group called the Aspen Cyber Security Group, which is a public-private forum, came out with what they called principles for growing, sustaining the nation's cyber security workforce. And in this set of principles they've identified the NICE framework as a resource or model that organizations who signed on to abide by these principles might use to help standardize the way they're talking about their workforce, look at creating pathways within their workforce and the training piece as well. And I think to date it's something like 30, maybe just above 30 very large organizations, people like Google, Raytheon or Northrop Grumman, have signed on to be supportive of these principles and start using the NICE framework as part of those principles to help identify their workforces.
Obviously, Leo, from J.P. Morgan has done really great work identifying his own cybersecurity workforce there, and I think we're seeing more and more growth across industry sectors in doing that. One sector, which I know we've identified as wanting to grow a little more, is the more operational technology, things like energy sectors. We're starting to try to think about how we can reach those groups better. But I think we are slowly seeing more and more adoption, as you know, those numbers we all know very well, the million, two million number of jobs unfilled. As that continues to grow, I think more people are paying much more attention to it.
[00:17:39] LVD: So one of the other things that I'd add on to that, obviously as common taxonomy approaches start to take hold, more industries will move towards them. One of the things that I discovered early on when we were looking at NICE as a possible framework to work with, even though it said cybersecurity, if you really look at the way that it's compartmentalized, you can actually apply it a lot more broadly than just cybersecurity. If you look at the way that they're reformatting SP 800-181 in the newest revision where they're going to have what they call competencies, which are groupings of like tasks, skills and knowledge statements, you can start using that framework more broadly across your organization. At least from a technology perspective, it's most easily adapted. So you're not only looking at the cyber component. You can start looking at your architects, your software developers, your engineers for networking. So you can grow it across a larger scale in your organization. And then you could take those best practices and look at different silos within your organization.
As a bank, we have an investment side. We have a retail branch side. So could that same concept be applied? I think it can. It would require some curation of the taxonomy that you want to apply. But if you have a taxonomy across your organization and you're in the financial industry, you could start collaborating with other financial companies, and that just strengthens our ability to understand how we stand as an industry and what we should focus on as an industry to secure our infrastructure, right? And those can be shared across continents as well for international companies. So when you look at that type of approach, look at how you can scale it in one fashion, and then it will start taking traction and other footholds in your organization.
[00:19:43] KS: Yeah, absolutely. I agree with Leo there. I think everything that we discussed, everything that we ever talk about is the same things that the majority of industries are struggling with. Everyone is having talent shortages in their own right. And I think that's got more complicated as we've got more global in the working world. But I think it's just about changing, like it's just about being open to new ideas. And I think that's what Aspen and a few other groups have tried to do. Like they've tried to break those biases or break those barriers that have previously been there, such as making a degree not as essential. Something that's so simple that people constantly go to as an anchor. People need it. People feel like you can't have anyone, no one can work here who hasn't had that. Well, that's unfair for the people that decided to go out to work and actually train themselves in some cases, especially in cybersecurity.
So it is about breaking down those barriers and breaking down those challenges. And I think my challenge with some of my clients is can we do this without a job description? Can we do this without seeing a resume? How about we get to that point where we would eliminate all biases in that perspective in terms of seeing a resume and judging someone off that? That is never enough to be able to judge someone fairly. It's a great way of funneling out talent. But there's so much more to a person as we all know, but we're still not doing that. We're still using an automated system to check for a resume, and that person could have biases. And we've got to try and eliminate that to be more open to a diverse workforce.
[00:21:24] LVD: So I'm going to keep this going, because Karl brought up a really good point. So one of the executive orders that was issued under our current administration deals with an interoperable learning record. So it's actually using the NICE framework to try and solution set this. So how can you take somebody's education, whether it's on the job experience, whether it's university study, whether it's credentials that they've gotten through a certification and apply that universally so that they can showcase what they want for a company and have them see kind of the real them. And it's not just I went to a university. I have this degree. It's truly what skills have I curated over my lifetime and how can that be analyzed and utilized to provide you more opportunities in industry?
So I think people are thinking about that concept and they're definitely trying to move towards it. There's an aptitude and attitude concept that we need to look at. There are people that will have certain curated skills over their lifetime based on their own curiosities that don't have a degree. We need to put those into the consideration matrix.
[00:22:33] MS: Yeah, that's a great point. And Karl, you mentioned bias and eliminating that in the hiring process. And I know there's been a lot of work around this lately, and I know NICE is actually taking a look, right, Danielle? At the framework and the language used in it to make sure that we're weeding out any common language around whether it's biases or maybe hard-to-understand topics that don't need to be in there. So can you guys speak to what you're seeing happening right now at different organizations or just through different initiatives to make sure that we don't have this like sort of bias we're injecting into job descriptions as well as the hiring process itself?
[00:23:14] KS: Yeah, of course. I think, firstly, language is such an important subject, because people really undervalue that just because we've been able to speak and write since a young age. We just assume that everyone's on the same page, and obviously we all learn differently and understand words differently, and certainly interpret words with digital communication differently now. And I think you see that more evidently with job descriptions. Often, HR and hiring managers have had their interpretation and it's got changed three or four times, and the hiring manager then sees it go out in public and it's not the same thing. And that's because everyone has their own interpretation of what that means. And from my previous experience of working in the soccer industry, when I would talk to a manager about a transfer target, if our words weren't aligned, we would have different interpretations about how that fits in our system. And you get that a lot in terms of when you're trying to interview with companies that have got eight, nine different interviewers. How are you then streamlining that to eliminate biases along that by making sure that everyone reports the same way? Has the same language? Has the same understanding of what's required and what good looks like? And I think unless you define that at the start, which certain companies have got better at in terms of this is how we report back on interviews, and these are the wordings.
I'm going to name one company, a company called Crypsis, a consultancy out of Virginia who recently sold to Palo Alto, and they did this very well. They redesigned all their processes where they had the same people interviewing consistently over three or four stages using the same reporting tools and the same language and the same grading systems, as well as the same way of doing it by video calls, etc., and this process eliminated a lot of their biases and de-risked a lot of their hires, where their attrition rate fell and their success assessing revenues was able to be visible through their growth. And I think like once you have what good looks like and how you're going to measure that, i.e. the objectives of the business, and you align all of this, you start to actually get everyone on the same page, but that starts by a framework. And this obviously can give you that as a starting place.
[00:25:33] DS: So I guess my kind of response to this is a two-part, first, with the actual NICE framework. In our process of doing review and updates right now, we are looking at the different knowledge, task and skill statements and trying to make sure we're pulling out any bias that's included in those. We definitely try to avoid using any kind of specific software or programs or not referencing any kind of company-specific things, because we want this to be as flexible as possible so that all organizations can use it.
To Leo's point earlier about the international piece and people outside of the US potentially using this framework as well, we're going through and looking at things like does it say cybersecurity workforce for the nation? Because that's probably something we want to delete so that we are being more inclusive of other countries. Referencing specific legislation or executive orders and things that would only really apply to people in the US, removing stuff like that too so it is, again, as flexible as we can make it.
And then part two, just kind of more generally speaking of what we're seeing in the broader community, is that I'm definitely echoing everything Karl just said about the consistency and making sure you have continuity in the questions you're asking during interviews and how you're going through that whole process. And then when it comes to gender diversity, I've seen a couple of interesting studies of companies that really look at their hiring practices and using a case study of looking at the number of people that they hire if they remove all names, if they remove maybe it's schools that they went to or other specific language that might call out any demographic that they might have. And then seeing on the other end what happens because of that and the diversity that you can change in your workforce by going through some of those practices.
[00:27:58] MS: Yeah, that's super interesting. I know we have about four minutes left, and this is a great question. Wanted to make sure we got to it, and I'll start with Leo, because I think he has some really good experience when it comes to actually mapping these job descriptions in the real world. And Leo, I know you can't speak to specifics, but the question came in from Stacy, and essentially she's wondering like if an organization is about to do this for the first time, take that framework and map their job descriptions to it, do you have any advice for her on resources or things that maybe you wish you would have known when you first started out doing this?
[00:28:36] LVD: I wish we had had a better data dump from our HR system as to the skills that we were collecting. Something that was kind of parsed out that I could put into a table and do some data visualization instead of text, just sentences. I think when you go through this effort, you kind of need your HR to be on board. You definitely want your management to be on board. But the real benefit is NICE gives you a starting point. So they have work roles. They're going to reintroduce competencies. So you'll be able to look at it at different levels. You'll be able to kind of carve it up to see what makes sense for you. But the real benefit is when you engage your subject matter experts. Once you have your approach tentatively defined, then you can go to your subject matter experts and you can say, “Okay, these are the job roles that we've pulled from HR that we want to work on.” And maybe you're just going to focus on the high-volume ones, the high-turnover ones. Maybe you want to get an understanding of those, right? So the ones where we have even people at risk of leaving. So things that we might need to start backfilling.
Once you kind of understand the parameters of what you want to solve for, then you engage those subject matter experts and you work through the taxonomy to say, “What work roles equate to kind of the work that you do? Maybe we parse it out using that.” Or you go modular and you say, “What competencies really relate to the work we do? Maybe you take programming languages and operating systems.” And then once you've done that, you can determine which KS and Ts you want to associate to that profile so that employees can see themselves in that competency. That's really the lesson that I learned the best, was understand the scope of what you're going to start with. Engage the right resources. Do a little bit of pre-work, so that when you come to your subject matter experts they don't have to absorb the entire taxonomy, because it's too much. You want to bring it down to where they can see themselves saying, “Okay, we want to choose these pieces to make the role.”
And then you can work with them to establish, “Are we doing this at each pay grade? Are we doing this for individual functions within the role? How do you want to associate that back so that it can be integrated into HR? As well as how do you want to integrate that into your learning systems?” Because that's the next big hook, is once you've defined the role, once you've established the proficiencies and you can do the gap analysis, how do you empower them to take control over their development? How can they add those into their development plan? So then engaging your learning team to understand how to make those hooks in so that learning can be suggested and curated or presented to the employees as they either look at a mobility option and/or a linear development option within their own career.
[00:31:23] CS: Thanks for checking out the first Ask Us Anything episode with Danielle, Leo and Karl. Join us tomorrow for our next episode, Upskilling to Deepen Engagement, with guests Jessica Amato, operations manager at Raytheon Technology; and Romy Ricafort, senior director of sales engineering at Comcast Business. Hear their success stories as they explain the powerful role that full investment in skills development had on their employees' engagement in their roles.
Cyber Work with Infosec is produced weekly by Infosec and is aimed at cybersecurity professionals and those who wish to enter the cybersecurity field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. To claim one free month of our Infosec Skills platform, please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, all small letters, to get a free month of cybersecurity courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.
Thanks for listening, and I'll see you back here tomorrow for more Cyber Work.
Weekly career advice
Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.