[00:00:00] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. For 12 days in November Cyber Work is releasing a new episode every single day. In these dozen episodes we’ll discuss hiring best practices, employee engagement, career strategies, security awareness essentials, the importance of storytelling in cyber security and answer questions from actual cyber security professionals and newcomers. For our fourth episode entitled Upskilling to Deepen Employee Engagement and Retention, our guest speakers are Jessica Amato, operations manager at Raytheon Technologies; and Romy Ricafort, senior director sales engineering at Comcast Business.
Jessica and Romy know firsthand the powerful role and investment in skills development can have in engaging their employees. They’ve designed security training programs around empowering their staff with an emphasis on career progression, not just short-term problem solving for the company. In this talk they will share the strategies that have helped them develop and strengthen employees. We hope you enjoy the 30-minute discussion between Jessica and Romy along with moderator Jeff Peters. And if you want to learn cyber security, all Cyber Work listeners can get a free month of access to hundreds of courses and hands-on cyber ranges with Infosec Skills, which is aligned to the work roles, knowledge and skill statements in the NICE workforce framework. Be sure to use the code cyberwork when signing up. You can find more details in the episode description. Catch new episodes of Cyber Work every Monday at 1PM Central on our YouTube channel or wherever you get your podcasts. And without further ado, let us start the show.
[00:01:34] JP: Let’s have each of you quickly share your role within the organization and just maybe give us a brief overview of the security and training and development program that you both manage. Romy, why don’t we start with you?
[00:01:45] RR: Oh, well. Thanks, Jeff. And thanks for having me. Jessica, hello, virtually as well. I’m Romy Ricafort. I’m the senior director of sales engineering for Comcast Businesses West Division. I roughly have about a hundred employees that focus on sales engineering and leadership for customers from small to medium businesses, the Fortune 1000, and then government and education as well.
As we think about the security and training and development program that I’ve put together here at West Division, it really is three different parts. The first is how do you get foundational about how do you do your role? How do you become aspirational and how do you find ways to be able to upskill yourself to be ready for higher level positions? And then number three, how do we foster an environment that allows for people to be curious and then to pursue what they feel is interesting when it comes to technology?
[00:02:40] JP: Awesome. Awesome. And that’s similar for your program there, Jessica?
[00:02:46] JA: It is pretty similar. So um as an operations manager I’m involved with planning. So that covers pretty much everything for the digital technologies organization related to staffing, hiring, retention as well as learning, which includes a platform of experience similar to what Romy spoke about. So from a digital technologies perspective, we are an organization of over 900 technical folks that are both supporting the business as well as direct programs. So there’s a lot to be said there from a technical learning perspective as well as the other experiential learning opportunities that we like to provide, which supports career growth and development as well as retention.
[00:03:31] JP: Awesome. Yeah. So let’s dig into those programs a little bit. Specifically, I guess they need to not only provide security and tech skills, but you also need to engage and motivate and ideally retain the talent within your organization. So I’m really interested in diving into those details a bit around how your cyber security upskilling program is structured. And in particular, what has had the most impact when it comes to developing that more long-term employee engagement? We can start with you Jessica.
[00:04:01] JA: Certainly. So the cyber component of our organization is actually critical and that we have several technical folks that are supporting classified areas. And in that we have to meet the DoD 857(a) requirements which Infosec has been really great in helping us do that. It’s a foundational part of our program allowing our folks not only to learn and grow their skills, but also to certify in areas that allow them to work in these areas. Without those certifications, they would be able to work in the closed areas. So it’s a really critical component of both making sure that we have a learning and growth path for our folks, because that’s important from a retention perspective, but also that we are able to foundationally build on that leveraging our partners like infosec.
[00:04:54] JP: Nice. And Romy, your experience with your training program?
[00:04:58] RR: Yeah. No. And I think you really touched on it when you talked about long-term employee engagement. And Dale Carnegie Training Foundation had a stat that 60 of employees will leave their company if there was poor training. And so it really does. You really do have to be thoughtful in, one, as Jessica said, how do you become foundational in your role? How do you have everything that you need to outperform what you do? And then how you actually are able to interact with your customers? But two, how do you have a path? A career path that allows you to look at, “Hey, if I wanted to become this type of sales engineer or if I wanted to be a subject matter expert in security per se, here are the skillsets that i’m going to need past my role to be able to move forward to.”
And then again, right, we need to foster that environment where people can be curious and really go after a consumption-based model that they’re interested in. I know how to do my role. I know how to be aspirational. But hey, what if I’m really interested in becoming a person who pen tests, right? And so some really cool things that partners like yourself at Infosec have that environment to build the framework and then also have people be curious about their learnings as well.
[00:06:15] JP: Yeah. I’d like to talk a little bit more about that balance between like self-starters and like having that career path. I know here at Infosec we did a survey I think it was last year around 800 cyber security professionals. And the big split that we found in the data was those who had a clear career path for those versus those who didn’t. So for example, I think it was 60% of the respondents who had a clear career path who rated their technical skills and knowledge as above average. But that number dropped to just 33% for those who didn’t have a clear career path.
So you talked, Romy, a little bit about the self-starter aspect. Curious how you balance that with providing that more structured career path as you talked about for all employees versus how much you rely on just them to kind of drive that.
[00:06:59] RR: Absolutely. You have to give them what their role is and what knowledge they need in order to be able to be successful at it. And you have to have that framework of this is what you need to know about networking. This is what you need to know about security based on the type of customer that you would consult and interact with on a daily basis. And that’s key. That’s key for everybody’s role. And I’m not surprised that the stat had said people who knew right what the skillsets required were able to be higher from a job satisfaction rate with those that were in a role and they didn’t know, right? “Hey, what do I need to know to be successful in this role?”
So but then again, you have to have that way for them to be able to see what other jobs are out there. If I were going to want to build my career three, five years down the road, what are some of the things that I need to be studying now versus trying to obtain a role and having not started that study?
[00:08:01] JP: Yeah, and your thoughts on that balance there, Jessica?
[00:08:08] JA: Yeah. So one of the things that we’ve learned and used to develop our program over the last years is the voice learner. So one of the things we did was to really gain an understanding of what types of learners we had out there. I have learners that don’t take anything away from virtual training. I have other learners that don’t want to go to a virtual class, don’t want this classroom. I don’t have time for that. Just give me the book. So really listening to the voice of our learner and understanding that through an employee engagement process really kind of elevated us to really inadvertently understand what other kinks our learners had, whether it’d be the time it takes to do that. Having time to break away from your program to spend that time learning. It was recognition of the fact that we had different learners across the organization that evaluate and learn in different ways. But there was also understanding how many folks out there – And you could be in your career for 20 years and not still know what the next five steps or what the next five years look like. It may be a case where I really need to go through some experiences to understand where I go next. I really need to evaluate and have some more learning to understand what path I want to take. Because as you know in IT or security, in either of those realms, you can go in six different directions. You can start out as a network engineer and become a cyber-ethical hacker, but you have to know what the path is. And the path is not well laid out from an industry perspective. So we really need to help them stitch that together and provide those – I keep talking about this experiential learning. It’s providing those opportunities to use those skills that they’ve just developed in those learning opportunities.
[00:09:54] JP: Yeah, to follow up on that. I’m curious if you have any sort of like structural or process advice. It sounds like you guys are doing some interesting things. But do you have like meetings that are a structured approach besides kind of that – I’m not sure how you got that data, whether it was by interviews or surveys or whatever. But just curious any advice for people who are listening who they kind of want to do similar things that you want to do but they maybe want some rails so they know how to follow along there. Let me start with you, Jessica.
[00:10:24] JA: As you can imagine with an organization of 100 people, a survey isn’t necessarily going to be the results that need it. So I leveraged the section managers. I leveraged individualized interviews. I kind of used a blended approach to collect the information and then really kind of looked at where were our gaps. Where were the opportunities where we as the leadership team could expand upon that to make it easier for a learner or an individual to understand what path to take?
So over the last two years we’ve probably spent a lot of time really kind of building up the program in terms of providing those opportunities, but also the identification of those strategic learning – Those strategic career paths. So we even restructured parts of our organization that so a sys admin could actually aspire to become a strategic architect and actually see what that path looked like and what those roles were to get there. So we really looked at ourselves inward from a structural perspective in the programs that we’re supporting and the different projects we’re supporting as the strategic lift and then how do we – We leveraged our leadership teams to really help us collect that information as well as leveraging direct opportunities to interface with our individual learners. I really felt that the time I’ve had with them was critical to really understanding a lot more from an employee engagement perspective. It was not only, “Gee! What are the things that I’m going to tell my manager? Versus one of the things I’m going to tell this person that just really wants to know how I feel about my learning path? How I feel about role development.” And we really leveraged all of those pieces put together to build this program.
[00:12:05] JP: Yeah, awesome. And Romy, do you have any kind of similar advice in terms of structure or process for people who are looking to implement this?
[00:12:13] RR: None, and really comprehensive. Awesome job that you guys have done there at Raytheon, Jessica. We took a similar approach and we worked cross-functionally here within the company of getting HR to lean in. Getting our L&D group to lean in. But we also took third parties into account as well and talked to them about where is your industry going and what are the trainings that your people are taking in order to stay up with the current technology trajectory.
And so Infosec, I, mean you all have been a really good partner when it’s come to as we’ve laid out what an SE1 does through an SE5, our most senior positions . How do we map that to what outside world looks like? And then how do we start filling out coursework of here’s where we are presently, but here is where the marketplace is going. And then we have to be able to map right what expertise sets are going to fit within each of the five organizations and be able to lay out class work especially in a portal-like infosec and be able to prescribe some of that and then be able to say, “Hey, if you want to go after a particular role, here are some of the things that we’ll want you to train early on to be able to prepare yourself for that.” And it brings me to a quote that I always give to my sales engineers, which is it’s better to train for an opportunity and not have one than have an opportunity and not be prepared. And so as leaders, we have to be able to give people that avenue to be able to study and know that, hey, as Jessica said, this is what it’s going to take to get to this type of role in the company starting at a systems analyst level. And then give them the ability to self-start and start doing that work on their own.
[00:14:06] JP: Yeah. Yeah. That’s great advice. I’d like to dig in a little bit. Obviously this whole session is about engagement and retention. So it’s one thing to have that cyber security training and those clear career paths. But curious if you guys have any other professional development opportunities that help contribute to that engagement and retention beyond cyber security training? Let me start with you, Jessica.
[00:14:30] JA: Yes, we do. So we actually have an in-depth employee engagement program. And what that program does is folks walk into the door very beyond technologies on day one and they go through new higher orientation. Teaches them kind of all things you need to do to get through your first week. And then they start their on-job training. It might be some shadowing. It might be taking on some quick opportunity depending on the situation. In some cases they might be waiting for clearance. So you got to give them some work to do. Those shadowing opportunities allow us to do that. But really what we do is we pull them back in after they’re 30 days, usually within their first 90 days. And I use the word assimilate for lack of a better term, but really try to connect them with the function of the organization they’re working in.
So it goes far beyond the employee orientation and really kind of brings them into, “Gee! I’m working in one directorate out of nine in digital technologies.” So how and what do the other directorates do and how do I interface with that?” We bring a leadership team in for a panel discussion. Raw, open panel discussion. People can ask direct questions and get some face time with their leadership. We bring in the organizational change management. Different components around digital technologies to help folks that might be a sys admin who’s working in his lab and doing his thing, but now I’m going to understand how this directorate and that directorate help me piece together a solution for customers. So it really helps them connect the dots in the organization they work in and really defines different components and pieces they’re hearing from their leadership team and flow down on what the difference between a buzzword and something that’s actually actionable that I could can take. We, at the same time, leverage those employee engagement opportunities to again learn about our people. It’s really a people-first focus and understanding how do we keep the best and retain the best talent. Well, you do it through employee engagement. You do it through really understanding and listening to the voice of your people and then also using that as an opportunity to provide these natural networking opportunities.
So at Raytheon, you’re coming through the door and you’re learning your job and you’re drinking from the fire hose. We’re then taking you back and realizing this is a lot to take in. Let’s help you understand the next piece to the puzzle. Let’s help you understand what it means to drive your own career and when you hear HR talk about that. And I want to pull a thread on something. Romy said it’s not only critical that the folks like Infosec that we’re working with or our partners, but that we also have that partnership within the functions of our organization. That’s leveraging talent acquisition. That’s leveraging our HR business partners. That’s leveraging with folks in the different mission areas to really help us bring these people up to a point of comfort. So they’re six months in and they feel like they maybe been here for a lot longer. They’re not still drinking from the fire hose at that point. They’re not trying to swallow the acronym soup as we joke here. But really acclimate them and engage them with natural networking opportunities. Understanding who their partners are and then really understanding their organization as a whole and how they fit into that organization.
[00:17:40] JP: Yeah. Yeah. That’s great advice. Curious to hear your perspective on that, Romy, if you have a similar approach, if you do anything different?
[00:17:47] RR: Yeah. I mean, functionally, I don’t cross a lot of different organizations when it comes to the people that I build the programs for. But when I think about sales engineering, there’s two aspects of it. One is the engineering part, which we’ve been talking about for most of this webinar thus far for. But there’s also what we call essential skills, or a.k.a soft skills. My leadership team told me to ixnay soft skills and only call it essential skills moving forward. So you guys let me know what you think.
But the essential skills piece helps round out the sales portion of the sales engineer, and it really is what is your business acumen? Financial acumen? How do you communicate with other people? Ho you have presentation skills and do you have executive presence when you’re in front of a Fortune 500 CS level type leader? And those are the kinds of other pieces, right? It’s not just about can I build a network? Can I secure the network? Can I consult my customer into things that they haven’t thought about yet and what they need to be thinking about to run and secure a network? But it’s how do I resonate with them? How do I interact with them? How do I interact with other employees? And so those pieces, we partnered with the Linkedin learning to be able to provide sort of coursework, prescriptive coursework but also in those pieces of ways to find your own curiosity and how to be a better writer or how to be a better presenter or a storyteller for our folks to move after.
And Jessica really touched on something. We also take our sales engineers through something called insights. And what insights does, it’s a very long survey that makes you look internally. But it gives you blind spots and it gives you the ability to know, “Hey, this is my natural tendency. And my natural tendency is sometimes more to be very analytical or very outgoing or not very data driven about the things that I’m going to go after, but I’m going to go after it with a lot of zest and gusto. And so as you work with other people and you figure out you’re going to team people together, it’s good to get perspective of you can’t have all data analytic people in a particular pod to get something done. You need different types of people to be able to make sure that the team works there and that you’re thinking of the way other people think. Not just how similar people think about how to solve a problem. And those are some of the things that we’ve launched here besides the technical training aspect as well.
[00:20:21] JP: Awesome. Yeah, you brought up data driven and maybe I’m one of those data driven people, because I’m always really interested in like the metrics around the success. We talked about a lot of interesting ways to engage and retain employees, but you put these out there, you implement them. How do you track that? Are you regularly reporting it? Are you tracking certain things? Any advice there? We could start with you, Romy.
[00:20:44] RR: Yeah. I think Jessica mentioned the voice of the employee. And so we take a regular survey. We call it net promoter score and we have ENPS. So that’s the employing net promoter score. And it goes through just checking in on your employees and making sure they fulfilled in their roles. And if they’re not, what are some of the things that you can do to start to react? Is it small in nature or does it seem widespread? That’s one place to look. We’ve worked with our L&D partners and we’ve created a portal that allows people to be able to check off when they’ve finished some of their foundational training and aspirational training as well. Has links into Infosec, and infosec’s administrative portal is great. You get to see how much time people have spent in the portal. What trainings they’ve taken? And so that marries with what we’ve done with learning and development. And then ultimately you measure retention. I measured a hundred retention. Am I keeping my employees? Because it’s really expensive to onboard somebody new. And so it’s your job as a leader to make sure that if people are leaving, they’re not leaving because they’re unhappy here. They’re leaving because they’re being promoted into another organization. They’re leaving because you upskilled them and now they’ve left for a different company, hopefully not a competitor. But those are the things that we look at as exit interviews happen is why are people leaving or are they leaving? What is your attention rate for your employees? Especially pre-COVID was a very competitive market.
[00:22:20] JP: Yeah. And Jessica, do you have any particular metrics that you monitor?
[00:22:25] JA: Yeah. We look at a lot of those metrics. Not only do we really look to have an understanding of diversity inclusion across our organization. And that’s not just a metric or number of, “Gee! How many this diverse group but versus another diverse group did we hire?” It’s where are we looking for the talent. Where are we pursuing the talent to ensure that we have the best talent across the board? In addition to that, we’re looking at our attrition and retention rates, but we’re parsing it out. We’re looking for trends and specificities. Obviously somebody with the current pandemic situation we’re in, somebody needs to move back Texas to be with their family, and that’s not something we can resolve. Somebody that’s looking to retire and go to the next echelon of their life. Not something we can resolve. What we can do is look at and understand trends, and we use our change advocacy network, which is a culmination of both change advocates and frontline leaders or frontline strategists to really understand the underlying things. The things they don’t tell HR. Don’t tell their managers. Or change advocates is another leadership group that is really looking to bring down the flow down. Help people understand the flow of where we’re going as an organization or a function. And the front line strategists are really our folks that are – They’re the boots on the ground. They’re your peers. They’re working with you day-to-day. But if they start hearing about issues around. They’re bubbling that up to the leadership team. That’s what they signed up for as frontline strategists .
Again, we’re leveraging our people. Surveys are great and usually go out once a year maybe after particular information that day. But we really want to hear the voice of the people. We really want to understand when there’re moral issues that we want to get in there and we want to fix it. We want our leaders engaged in those activities. So the metrics we use are kind of a series of different metrics. We’re looking at how long does it take to onboard. How long does it take to hire? And making smart decisions about leveraging that information to make different decisions about the approach we take the hiring. Whether we do a virtual career fair as supposed to individual hiring for the number of requisitions we might need to fill that particular month.
[00:24:34] JP: Great.
[00:24:35] JA: So really it’s pulling. The last thing I want to add to that is it’s really not just having your data driven metrics. It’s how those metrics tell you that the health of your organization and what’s the story you’re trying to convey? If the stories we’re trying to convey is that, “Gee! We have a lot of internal churn because people are being promoted and moving on to new positions because they have a role development path.” That’s great news. If the story and the metrics are telling you that you’re losing good people, talented people for something you could have avoided, then there’s a problem and we address it.
[00:25:10] JP: Yeah, that’s great practical advice. We have about five minutes left here. So I want to make sure we get to some good takeaways or practical advice that people can take to implement into their own program. So curious if there’s any kind of aha moments you’ve had or lessons that you’ve learned along the way or maybe one thing you wish you’d known when you started your program that you’d like to share with people? We can start with you, Jessica.
[00:25:37] JA: So I think our big aha moment was really that there’s nothing more powerful than the voices of our employees. And in making sure that they have a safe vehicle to voice their concerns and voice what their wants and needs are. And then what do we do with that information? So it’s no good if you collect the data and then you do nothing. So it’s really listen to your people and then take actionable things even if they’re small things. A little bit of change is better than no change at all especially when it moves in a positive direction. And then check back in.
So if you don’t check back in to see if you pick the right thing or you took the right path, you’re going to miss that opportunity, and those opportunities are going to be more powerful than what anybody’s going to put down on paper.
[00:26:24] JP: Great. Any great uh advice from you, Romy?
[00:26:27] RR: No. I love that. You definitely have to keep employees first, right? When you think about your organization and what are your priorities. When the pandemic started for us it was employees, then our customers, and then let’s make smart decisions for the business. But when I think about training programs and I just think about development in general, the mindset I like to bring and the mindset I like to bring to my team is it’s not a destination. It’s a journey. And once you figure out – And I always challenge my employees. You finish this training. And I go, “Well, what’s next? Congratulations. I love it that is amazing.” But you’ve disciplined yourself to be able to take the time to get something awesome underneath your belt that you can put on your resume or be great at your job at. But now that you’ve done that, what’s next? Learning shouldn’t be, “Hey, I did it.” Or like, “Now I know security. Woohoo!” There is no end. And I think what people have to realize and is what leaders have to realize is that we always have to be planning for the future. We always have to be looking to see what’s next. Where the marketplace is going? Are we prepared for where the market’s going? Because if we’re not, then we need to start putting the things in place now to be able to compete in that market space, because technology changes very quick. And if we can’t pivot as an organization quickly with it, we can move to irrelevancy fast. And so I think as people realize that, “Hey, just learning is a journey. It’s not a destination.” That’s sort of not the aha moment, but a great moment to continue to know uh throughout your career.
[00:28:10] JP: Great. We just have a minute or two here, but I wanted to touch briefly on some of the changes potentially due to the coronavirus or the pandemic. You guys both brought that up. Just curious if you have anything that’s changed with your program or any challenges or takeaways related to how obviously you’re implementing these engagement and retention programs currently? Romy I want to start with you.
[00:28:32] RR: Yeah, I’ll make it brief since we don’t have a lot of time, and I’d love to hear what Jessica has to say. We had a program to work on essential skills. We’re going to go out to each market and have each of the cities, engineers work together. But we can’t do that now with a pandemic. And what we’ve decided is instead of doing virtual classes of people who already know each other, it gives us now the ability to mix and mingle cohorts in different cities to get to know each other and see what the talent level is like in some of the other cities in our west division. So I’m really excited about that and being able to bring other engineers who haven’t gotten to work in the past together to work together now. So it’s going to be a great journey. Lots of other things we’ve done since the pandemic, but definitely want to hear what Jessica has to say.
[00:29:16] JA: So I think one of our big wins this year in terms of what we changed in working through the program is we were able to actually carry out a full internship program with 90% of those interns being remote. And with a lot of fear, several were afraid the intern program would be cancelled much like their peers, but we actually carried out a successful program. We were able to bring folks on remotely and even keep some of them on part-time where their schooling, going back to school, was going to be remote. And so one of the things that we took away from that was ensuring that you still provided virtual networking opportunities. You kind of pivot and change what the state of how things are. And we were able to pivot pretty quickly and carry out a successful program. And from that, we learned a bunch from them. They learned a bunch from us. Really, they still got to work on some pretty great projects and do some really, really impactful things that support the businesses and support our program. Really, again, leveraging the current state of things and how we approach that, again, listening to our people and understanding what their concerns were and embracing that in the end when they came back to present to our leadership team. Ask them openly to share concerns and what the risks or what they felt about COVID being an impact and potentially being remote. And some of them being juniors. Some of them being freshmen and sophomores in college. Still being able to carry out what they felt was a meaningful internship was a huge win for us.
[00:31:00] CS: Thanks very much for checking out Upskilling to Deepen Engagement with Jessica and Romy. Join us tomorrow for Building Stronger Teams: Career Path Development strategies with guests Katie Boswell, director of KPMG Cyber; and Jason Jury, lead associate at Booz Allen Hamilton. They’ll discuss strategies for building your cyber security talent internally and providing staff with progressive career path opportunities.
Cyber Work with Infosec is produced weekly by Infosec and is aimed at cyber security professionals and those who wish to enter the cyber security field. New episodes of Cyber Work are released every Monday on our YouTube channel and on all podcast platforms. To claim one free month of our Infosec Skills platform please visit infosecinstitute.com/skills and enter the promo code cyberwork, all one word, all small letters, to get a free month of security courses, hands-on cyber ranges, skills assessments and certification practice exams for you to try.
Thanks for listening and we’ll see you back here tomorrow for more Cyber Work.