CSO Perspectives (Pro) 5.22.23
Ep 104 | 5.22.23

Cybersecurity moneyball: First principles applied to the workforce gap.


Rick Howard: Hey, everybody.

[ Music ]

We are back! Welcome to Season 13 of the CSO Perspectives podcast. The CyberWire staff, including me, has made it back from the big RSA Conference in San Francisco and we have tales to tell.

Tim Allen as Tim Taylor: Oh, yeah. Ha ha ha!

Rick Howard: And the interns have successfully closed down the alternate sanctum sanctorum located under the San Francisco-Oakland Bay Bridge for another year. And I believe they all made it back safe and sound to the main underwater sanctum near Baltimore Harbor.

[ Cheering ]

Hey! Did we ever find Kevin, the intern? No? Well, at least most of them made it back. You know, I hear the waters near Alcatraz are shark infested. You don't suppose he tried to swim for it, do you?


Rick Howard: Well, that's a problem for another day. For this season, we have lined up a number of interesting shows. We're going to dive into zero trust in an app-centric world. We're going to talk about the implications of quantum to the network defender community. We're going to do some best practices for MITRE ATT&CK mapping, and we're even going to bring on Dave Bittner, the voice of the CyberWire, to discuss cyber metaphors. We're going to talk about some of the new vendor tools that we saw at RSA that will help us forecast risk. And because we have to have at least one history lesson to annoy my pal, Steve Winterfeld, the Al Borland to my Rick the Toolman, we're going to talk about the evolution of DDoS and what we can do about that attack vector today. You're welcome, Al.

Steve Winterfeld: Really? More history, Rick?

Rick Howard: But for this first show in Season 13, we're going to talk about cybersecurity workforce development because, as you might expect for this podcast, the way that our community hires and trains its people does not adhere to any kind of first principles. So -- hold onto your butts!

Hold onto your butts -- butts -- butts --

Rick Howard: This is going to be fun.

[ Music ]

My name is Rick Howard and I'm broadcasting from the CyberWire's secret sanctum sanctorum located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis.

[ Music ]

The InfoSec community has been talking about the cybersecurity workforce gap for well over a decade. And what I mean by workforce gap is the number of unfilled cybersecurity jobs that exist at any particular time. The earliest mention I could find of network defenders' awareness of the problem came from a report by the Center for Strategic and International Studies (CSIS) in 2010 called "A Human Capital Crisis in Cybersecurity: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency." In that report, the authors claim that the shortfall was between 9,000 and 29,000, depending on how you counted the jobs and that was just for the United States. In 2022, the International Information System Security Certification Consortium (ISC Squared) said that the global cybersecurity workforce gap was 3.4 million people. That's over 116 times the number calculated by CSIS a decade ago. Clearly we have a problem finding qualified people, and it's not like we haven't tried to fix the problem. I mean, it isn't like we weren't aware. There's been a steady drumbeat in public forums since 2010 of the situation getting worse each year. Still, academic and certification programs have responded. It feels like most colleges today, compared to 2010, offer some kind of learning path to cybersecurity and have been churning out graduates for a while now. And there are more potential certification classes available today than there has ever been. If that's so, then why is the workforce gap continuing to grow? And why have we all heard the horror stories where a newly-minted cybersecurity graduate can't find a job? The problem as I see it is that we continue to hire cybersecurity talent and train our existing teams in the same way we started doing it back in the day, say early 2000s. As with that old chestnut, insanely, we expect to close the gap with the same approach, even though the evidence is telling us that the problem is getting worse.

Tim Allen as Tim Taylor: Oh, no!

Rick Howard: Our hiring and training method is simple. We focus on the individual. When we hire, we're looking for the all star -- somebody with 25 years experience, a technician with 17 certifications, and an employee willing to work for a buck fifty an hour. No wonder we can't find anybody

Tim Allen as Tim Taylor: Oh, no!

Rick Howard: When the organization trains its own people, leadership is generally all for it, but we send the individual. We pay upwards of $3,000 for an employee to attend a class or a conference to get up to speed on some new thing. Most times we ask the individual what he or she wants to learn, not as a training task but as a perk for being part of the organization. We don't really have a team training strategy at all. With these tactics, we struggle to bring on talent with the skills we actually need and we are surprised when the training impacts one employee, not the overall organization. In other words, after the conference we have one employee who understands the basics of chaos engineering, let's say, a first principle tactic supporting our resilient strategy, but the InfoSec team is still mostly in the dark. And one bad side effect is that the all star coming into the organization and the all star we create are prime candidates to be pilfered by some other organization who is willing to pay more money. Sending individuals to training then seems like a losing strategy and yet we continue to do it. If we want to implement one or more of our first principle strategies -- zero trust, intrusion kill chain prevention, resilience, risk forecasting, and automation -- perhaps we need to shift our focus away from the individual and towards training the team. Let me introduce my boss.

Simone Petrella: So my name is -- it's like I'm -- I feel like I'm, like, waiting for a polygraph test. Simone -- Simone Petrella, President of N2K Networks, and I have worked here since the very beginning.

Rick Howard: So -- full disclosure to the listeners. As I said, Simone, you're my boss, and you and I have known each other for years. But for our listeners who are just now hearing about you, can you describe your path and how you became the President of N2K?

Simone Petrella: Sure! So my path into cybersecurity was via the DoD and the intelligence community. I actually started out my career as a counterterrorism analyst. So --

Rick Howard: Oh!

Simone Petrella: -- not a cybersecurity professional.

Rick Howard: Well, that's not the weirdest thing we've ever seen getting into cybersecurity. Pretty close. It's parallel, I guess.

Simone Petrella: Yes! In fact, the reason I got into cybersecurity was in late 2005, early 2006, there was a small shop that was focused on computer network operations and looking at information warfare and adversaries intent to use information warfare to disrupt DoD activities. And they couldn't find -- irony of ironies -- qualified talent to do both analytic work and understand the technical issues. And so they essentially -- I was kind of given the assignment to be, like, terrorism is a transnational issue. This whole information warfare seems to be transnational. I bet there's some parallels. So -- dove right in.

Rick Howard: I'm sensing a theme! Yeah.

Simone Petrella: Yeah! But, you know, to -- like, all joking aside, did not come from a technical background. But all of my, kind of, career in the next ten years in the intelligence community was around translating technical topics and understanding them, but being able to synthesize information and communicate it to decision makers so that they could do something actionable with what the risks were at that time to predominantly, like, Department of Defense assets or operations.

Rick Howard: Well, that's my entire career. You know, yes, cybersecurity. But really my job has been to explain really technical things in this domain to people who are really smart but maybe not -- have not been in the domain for a while. So, yeah, I totally --

Simone Petrella: Yeah!

Rick Howard: -- understand that. Yeah.

Simone Petrella: So, you know, I did that on the government side forever, and then I actually transitioned into commercial consulting to sort of take a lot of those principles around cybersecurity and what we've learned in optimizing teams and the intel process into the commercial sector, and did it with financial and retail clients. And the path to N2K really came down to the founding of CyberVista, which obviously formed a component of N2K. I lived this problem. I spent the entirety of my career trying to identify qualified talent to fill these technical cybersecurity roles, but also be able to communicate, articulate them in a way that was, you know, connecting the dots and make them actionable for decision makers. And so I was essentially living the dream of identifying talent, giving them opportunities to train on the job, send them off to training, and then 18 to 24 months later, someone would come into my office and say thank you so much for this opportunity. I have gotten a job somewhere else for 35 to 40% more. And I'd be, like, great! Good for you. I can't pay you that much. And I'd start all over again.

Rick Howard: The story of my career.

Simone Petrella: Yeah!

Rick Howard: Okay. That's exactly what's happened, right?

Simone Petrella: So I turned that story into a start-up and that's how CyberVista was born with the idea to try and tackle that problem from the other side of the fence, as the industry and the employers, as opposed to relying on the individual. And came together and merged with the CyberWire here this past October to create N2K -- News to Knowledge Networks. So it's been a very exciting journey to come here today. And it's a real honor, Rick, after all these years to finally get to say that I get to tell you what to do.

[ Laughter ]

Rick Howard: We should tell the story of how I turned you down coming to work for you before. Right? So --

Simone Petrella: It's true! I did! I tried to convince Rick that he should solve this talent issue by fangirling the Cybersecurity Canon of which I am still a huge fan, and seeing if you would help pass the ties where we were going on workforce and Rick said, no, I'm not doing it.

Rick Howard: I don't think so. Yeah. Well, there you go. That's just fate, Simone. Okay? That's what that is. We need to get in here and fix this problem. Right?

Simone Petrella: It's karma, Rick. It's karma.

Rick Howard: Oh, you mentioned the merger of the CyberWire and Cyber Vista. Can you talk about the thought process of taking the CyberWire, which is best known for its cybersecurity podcast and newsletters, and merging it with CyberVista, a company that specializes in enterprise-level cybersecurity training. What was the thought there to push those two things together?

Simone Petrella: Yeah. So when -- when we first started to have conversations around the synergies between CyberWire and CyberVista, we originally talked about the connection between the requirements to get people up a knowledge curve quickly, but then that continuous learning that's part of the daily education and diet around current events, industry news, something that -- essentially, how do you play those two together? And as those conversations progressed, what became the a-ha moment for us was the reality that we were both from different perspectives shooting to create a world where the workforce gains knowledge and skills as quickly and as adaptively as the technology that they're leveraging does. And we anchored on this concept that, at the end of the day, we were both providing strategic workforce intelligence, whether it was through working with customers and companies to make them smarter about their workforces so they could make better decisions, or what we were doing independently to make the workforces themselves collectively smarter. And it seemed like just such a powerful combination to be able to do both because, really, the industry is usually tackling one side or the other, but not looking at it holistically. And that seemed to be a really magical opportunity for us to come together and do something that really combined the power of true news to knowledge.

Rick Howard: I really like the idea of workforce intelligence as opposed to how we've done it in the past in cybersecurity. We've mostly focused on individual training. My peer group have not really focused on everybody. The team benefiting from some sort of group training, so I really like that.

Simone Petrella: Yeah. Well, I mean I'm sure -- I'm sure you've had, though, the experience in justifying, like, budget and technology spin or when you're trying to put together tools, you're ultimately trying to optimize your investments. Right? And we do that, at least in the cybersecurity industry as long as I've been in it. Naturally, when we're talking about the technology spin, we're going to do the processes we're going to put in place. And, yet, for all of the years we've been around, we don't do it for the largest opportunity expense we have in our budget which is head count. It's people.

Rick Howard: It's so true. We've known for years about this problem. We've been complaining about the cybersecurity workforce gap for years. My observation is that the InfoSec community doesn't really do team training as a first principle strategy. You know, we're not against training per se, but we focus, like I said before, on the individual. And we're enamored with the superstar. We're looking for people with 25 years experience and 17 certifications and we continue not to find them. And I'm wondering how team training, what we're advocating here with CyberVista, at the enterprise level might solve the problem?

Simone Petrella: Yeah. Well, I think even taking a step back, you know, it's not even so much that we're advocating for team training, although that's a component of it. But it's even knowing what you need before you make the investments in those training activities.

Rick Howard: Yeah. I didn't mean to imply that I thought it was just we're going to put everybody in a room and train them at the same time --

Simone Petrella: Right.

Rick Howard: -- just that you actually know what your team is good at and what they're not so good at and work to fix those gaps. Right?

Simone Petrella: Oh, completely. And it really strikes me, you know, between conversations I've had over the years. I know you've been part of these conversations, Rick, when you talk to security -- you know, CSOs -- CSOs and the activities they're doing to solve this problem, it really still hits a chord with me that 15, 20 years later, we're still espousing all of the great work we've done in creating an internship program over here and it brought in ten people. And then we have done a university collaboration and that's going to bring in 20. You start doing the math and you go look at the numbers based on the ISC Squared report. Like, you're going to -- we're not going to get -- we're not going to get there by factors of ten.

Rick Howard: You're right. I've been involved in lots of those programs. Right? And we pat ourselves on the back by, you know, wandering down to the local university and bringing on three interns who showed some promise. But you look at the numbers, 3.4 million, and that dog doesn't hunt. It doesn't scale. So we need to do something different. And this enterprise level idea, I think, is a way to fill the gap.

Simone Petrella: Yeah. And it really comes down to having a bit -- just a shift in mindset to be more deliberate and strategic about the way that we think around our investment in people. And so, you know, to me, the real key -- I know you make this great analogy, Rick, to the book Moneyball, which I laughed at you about first.

Rick Howard: Simone is talking about one of my favorite movies, Moneyball, starring Brad Pitt and Jonah Hill, released in 2011 and based on the 2003 book of the same name by Michael Lewis. Lewis tells the story of how the Oakland A's, an American major league baseball team, adopted a radical new approach to fielding players. In 2002, the A's had a payroll of approximately $42 million, while the New York Yankees, their arch nemesis, had a payroll of around $126 million. That meant that the Yankees could buy the best players in the game and the A's could hardly compete. As a response, the A's general manager, Billy Beane, played by Pitt in the movie, adopted the sabermetrics model invented by Bill James. Before sabermetrics, professional baseball teams chose players solely through observation. They used scouts -- people who have been involved in the game for years -- to subjectively evaluate potential players based on the scout's experience. They looked for intangibles like bat speed, power, home run potential, attitude, personality, and whether or not the player had a good-looking girlfriend. In the movie, Jonah Hill playing Peter Brand, a player analyst working for Pitt with a background in economics says --

Jonah Hill: There is an epidemic failure within the game to understand what is really happening, and this leads people who run major league baseball teams to misjudge their players and mismanage their teams.

Rick Howard: And I believe that a similar situation has been happening in cybersecurity since the beginning. We're enamored with the superstar, those 17 certs and 25 years experience, and not with the aggregate skill set of the team. The sabermetrics model uses data and statistics to find the exact skills that a team might need, and Billy Beane reduced his problem of how a low payroll squad like his can compete with the high payroll teams like the New York Yankees down to one atomic first principle. The most valued skill is not home run percentage or whether or not the player has a good-looking girlfriend, but players getting on base. He decided to build a team on that first principle. In the movie, Hill tells Pitt --

Jonah Hill: Okay. People who run ball clubs, they think in terms of buying players. Your goal shouldn't be to buy players. Your goal should be to buy wins. And in order to buy wins, you need to buy runs.

Rick Howard: And in order to buy runs, you want players who routinely get on base. In the cybersecurity world, you don't want to buy the superstar. You want to buy and train an aggregate team proficient in our first principles. Not one person who knows everything, but a team that can collectively do it all. Prior to the 2002 season, major league baseball teams with large payrolls stole the A's top three players in terms of perceived talent and actual salary. Jason Giambi went to the New York Yankees. Johnny Damon went to the Boston Red Sox. And Jason Isringhausen went to the St. Louis Cardinals. Most pundits in the sports world wrote off the A's' season believing they couldn't recover from the losses. But Beane had a different idea. In the movie, Hill tells Pitt --

Jonah Hill: I think it's a good thing that you got Damon off your payroll. I think it opens up all kinds of interesting possibilities. You're trying to replace Johnny Damon. The Boston Red Sox see Johnny Damon and they see a star who's worth seven and a half million dollars a year. When I see Johnny Damon, what I see is -- is -- an imperfect understanding of where runs come from. The guy's got a great glove. He's a decent leadoff hitter. He can steal bases. But is he worth the seven and a half million dollars a year that the Boston Red Sox are paying him? No. Baseball thinking is medieval. They are asking all the wrong questions.

Rick Howard: In one movie scene, Pitt is sitting around the table with his collection of old guy scouts. They're still trying to pick players based on their intuition. Pitt pipes up in frustration. He says that the scouts are still trying to replace Giambi and the others with similar players with corresponding high salaries. And he knows there's no way to do it with their payroll. But what they might be able to do is replace them in the aggregate. The three departing players' average on-base percentage was 0.364. What they should be looking for are three relatively cheap players whose on-base percentage is the same. In the cybersecurity world, the relatively cheap player is the newbie cybersecurity employee just coming out of college, or the government worker transitioning to the civilian world. It's also the relatively low-level employee already on the staff. All have little experience compared to an all star, but most have an aptitude and a desire to learn. Instead of hiring the superstar with 17 certs for a lot of money, or training one of your existing superstars to be even more super, we could instead make the entire InfoSec team better by hiring and training the needed skill sets in the aggregate, just like Billy Beane did with the A's. And at this point you're asking yourself, did sabermetrics work for the A's? Well, according to Garrett Chandler at the Modern War Institute at West Point, the A's finished their 2002 season with 103 wins, one more than they did the previous year with their three superstars, Giambi, Damon, and Isringhausen. And although it's true that they haven't won a world series since they started the program, they have been in the playoffs eleven times in the past 22 years, from 2001 to 2021, tied for fifth most in the league, and have constantly put themselves in the position to win. And I would say that they did this against teams with a much bigger payroll in a league of teams that started using the same sabermetric methodology after 2002 because the A's' success with it. That's extraordinary. Further, another low payroll team, lower than the A's payroll, that uses a similar system, the Tampa Bay Rays, have made it to the World Series twice in just over a decade. They lost both times, but they made it to the show. There's no question that the sabermetric analytical system has made lower payroll teams more competitive in the league. I believe it's time for the network defender world to take it for a spin.

[ Music ]

The way that InfoSec leaders train existing employees today, they focus on the individual's needs. When they acquire talent today, they ask potential employees if they have 25 years of experience and 17 certs. As Jonah Hill said in the movie, we're asking the wrong questions. If that's true, then, what are the right ones? What is the cybersecurity equivalent of the A's buying runs and not people?

[ Music ]

I was talking to my friend, Joe O'Brien, about this recently. He's the cofounder of Orion Cyber where he helps organizations identify, quantify, and prioritize cyber risk. He said that, from his perspective, security leaders should seek to buy down risk, not buy superstars. When I heard that, the entire idea locked into place for me. As you have heard me say in this podcast, and now in the Cybersecurity First Principles book on sale on Amazon, link in the show notes, the ultimate cybersecurity first principle, the thing that all of us are trying to do, is to reduce the probability and material impact to our organization due to a cyber attack. When it comes to training and hiring, the network defender's goal shouldn't be to buy and build superstar players. In order to buy down risk, you need to enhance the team's ability to pursue the ultimate first principle. It's a subtle distinction, but an important one. The team's skills you need to accomplish that are different depending on the follow-on stages you adopt like zero trust, intrusion, kill chain prevention, resilience, automation, and risk forecasting. But the ultimate goal should be to reduce risk. Here's Simone.

Simone Petrella: How do we even have people effectively work within the tool sets and controls that we put in place unless they're qualified to do those roles? And the mindset shift that's required is to have organizations actually understand what is needed from a role perspective. If you understand the roles, then you need to understand the skills that are required to be successful in those roles. And then you need to compare that with the workforce you have and where do they meet that mail and where do they not? And then make some determinations around how you're going to fill those gaps? Those gaps could be filled through team training, through identifying other sources of talent. Maybe not picking up the unicorn for an absurd salary, but someone with a lot of aptitude and promise. And how do you sort of bring them up? Or how do you find people within the organization who could transition into roles? It just allows you to have a strategic mindset and how to build that kind of capability without just using it as a money pit.

Rick Howard: Simone, that's why I'm a big advocate of rethinking cybersecurity in terms of first principles. To be honest, until just recently I hadn't even considered that team training, of course, has to be part of our first principle strategies. You can't pursue the intrusion kill chain prevention strategy, for example, unless your team is proficient at it. If we're trying to improve the organization in terms of reducing the probability of material impact due to a cyber event, surely our team has to be trained to do that. And that idea has never even hit our community's radar screen. My peers -- including me -- from the beginning of our history, have focused on the individual. Like you said, the unicorns -- the superstars -- not the team. But this requires a change in mindset by security leadership because now we could build a set of team skills based on the aggregate of each individual employee.

Simone Petrella:Yeah. So I think that's why -- that's actually why I am such an advocate for calling it workforce intelligence because you need to have the intelligence about the needs from the roles, and that comes down from doing an inventory. That is something that is incredibly, you know, critical from a baseline perspective, to understand the roles. And you can do that in an efficient way to get the profiles of those roles and really inventory everything you need. And then when you look at the staff that you have, you gain intelligence on where they are as a barometer relative to those roles. The way that we have kind of done it -- and I think what has provided a really good data point and a data-driven way to make some of those decisions, is by producing assessments and giving assessments to those team members, looking at the team as an aggregate. It is not a performance measure. It is a decision-making tool that allows you to identify -- what do I need? Where are people? Now let's determine how I actually invest money in particular training avenues, again, hiring strategies, you name it. So that's the baseline. And then the beauty of it is you keep having to evaluate that because your workforce is going to change. People are going to learn more. They're going to move into other roles. You want this continuous thermometer or temperature gauge or health meter on the maturity of how it goes, and you want a way to also measure the investments you're making in their development as a workforce. You have to be able to identify which things are working and which don't and adjust course.

Rick Howard: So give an assessment to the individuals. Right? But that's not what it's for.

Simone Petrella: No.

Rick Howard: We're not trying to assess how the individual is -- you know, good or bad. You're putting all that information into an aggregate evaluation of your team.

Simone Petrella: Mm-hmm. Yeah.

Rick Howard: And then make -- and then make a decision of what the team needs to be good at later down the road.

Simone Petrella: Exactly, because at the end of the day, we all want a well-rounded team. You know? We -- you know, we're not all -- not every company has the luxury of working in some of the organizations we worked with where there's hundreds of cybersecurity professionals that are all specialized. But there are organizations that fall on the spectrum where, you know, identity and access management requires a different skill set than the people doing governance risk and compliance. It's not fair to judge an individual based on, you know, the requirements of a role that they're not actually going to be performing.

[ Baseball Commentator ]

Rick Howard: Think of your InfoSec team as equivalent to the Oakland A's in terms of talent acquisition and training. The thing that the Oakland A's and all the major league baseball teams have going for them is a deep treasure trove of player statistics going all the way back to the beginning of the league in 1876. When you have that kind of data store, there are all kinds of ways to slice and dice the information that might provide useful insights to the ultimate first principle. For the cybersecurity community, though, we don't have that. According to Statistica, there were approximately 4.6 million InfoSec professionals in the world in 2022. Unfortunately, we don't have a database that shows what skills each of those players has. The network defender world is so new -- the last thirty years -- and the technology we use to do our jobs change so fast that it's tough to get a handle on everything that everybody is doing. The closest we have come, I believe, is the workforce framework for cybersecurity, the NICE Framework, developed by the U.S. National Institute of Standards and Technology (NIST). NICE stands for the National Initiative for Cybersecurity Education, and the framework is a reference taxonomy that is a common language of the common cybersecurity work and of the individuals who can carry out that work in cybersecurity. The framework groups the kinds of cybersecurity jobs we all have in big, overarching categories -- oversight and governance, design and development, implementation and operation, protection and defense, intelligence, and cyberspace effect. It provides typical job titles, work roles, job descriptions, and the knowledge that a network defender must have in order to do each job. NIST publishes a comprehensive spreadsheet for all that information on their website. The link is in the show notes. That work product by itself is invaluable as a reference tool for security leadership when you're writing job descriptions or employee performance reviews. Why create everything from scratch when you have a ready-made consensus collection of the job descriptions and associated tasks already available? At least you can use it as a first draft to modify it later. That said, if we're, indeed, trying to buy down cyber risk by improving the team's skill set, the first task would be to map the NICE categories to our first principles. We would want to identify all the job categories and tasks associated with the first principle strategies and tactics that we're pursuing. I haven't done that yet for all the NICE categories and for all the first principle strategies. That's a future project for me for the summer of 2023. But if you're playing at home, you could use the roadmap of the First Principles book website as a handy cross-check visual. The link is in the show notes. For example, from the roadmap, I can see that for our zero trust strategy and the tactic of vulnerability management, the NICE framework lists the vulnerability assessment analyst, PR-VAM-001. That employee performs system and network assessments and identifies where they deviate from acceptable configurations. From the NICE spreadsheet, there are 36 knowledge areas that apply, 12 with specific skills, and four described abilities associated with that job. My future task, then, is to identify all of those items for each tactic described on the first principles roadmap. That's the first step. The second step is to evaluate the team against the knowledge areas, skills, and abilities -- assess how good the team is at everything. Once you have that data, you can then prioritize the team's training agenda that will buy down the most risk. That all sounds like a lot of work -- and it is!

Tim Allen as Tim Taylor: Oh, no!

Rick Howard: But it's work that needs to be done. If you buy into the whole Cybersecurity First Principles idea as applied to workforce development, this is the entire reason using first principles is important. Up to this point in our collective cybersecurity history, team training hasn't even popped up as something that we all need to do. Instead, we have focused on the individual as a superstar for hiring purposes, insisting that we only consider the most highly-qualified people available. For existing team members, security leadership has, for the most part, abdicated any kind of team strategy in favor of improving individual superstars. When you consider the problem of 3.4 million and growing open positions in the cybersecurity workplace today, clearly those strategies aren't working. What I'm advocating is learning from the example of Billy Beane's Oakland A's -- building a team designed to win games. He realized that the first principle for building competitive professional baseball teams was not to buy all star players but to build an all star team in the aggregate using relatively cheaper and overlooked players and concentrating on using on-base percentage as the stat to rotate on. I'm suggesting that security professionals can do the same thing by rotating on first principle strategies and tactics. The implication, though, is that we have to adjust our mindset away from hiring and training those superstars and be willing to build a team in the aggregate. That means tapping into the pipeline of new graduates coming out of college with no experience. It means taking a chance on a young potential employee with no certifications but lots of aptitude. It means developing a well thought out and consistent training plan for your team, a workforce development strategy that will allow you to buy down risk. And it means creating the team training tactics that will support that strategy. After all, you can't really implement a first principle, zero trust strategy without a team that knows what that is and how it can work most efficiently within your organization. If we can do that, then the workforce gap will begin to shrink, not only internationally but for each of our specific organizations. If we are trained to make the team better in the aggregate, then the number of specific open jobs will start to go down. Let me give you one last shot, Simone. What's the Twitter line here for workforce intelligence? If you want one message you want to give to security professionals out there, what is that?

Simone Petrella: It would be -- you need to be smart about your workforce so that you can make decisions to help make your workforce smarter.

Rick Howard: Excellent. That's a good way to close this off. So -- thanks, Simone.

Simone Petrella: Thanks. I think that's probably the most I've done in Twitter in, like, the last ten months.

Rick Howard: You and me both. I dropped Twitter like a hot potato --

Simone Petrella: Yeah.

Rick Howard: -- right in the middle of COVID.

Simone Petrella: Yeah. Take that,Twitter.

Rick Howard: And that's a wrap. The first episode of Season 13 is in the bag. And don't forget -- you can buy copies of my new book, Cybersecurity First Principles: A Reboot of Strategy and Tactics. You can order it now at Amazon. Also, we'd love to know what you think of this podcast. Send email to cyberwire@N2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CSO Perspectives are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sectors, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. The CyberWire's CSO Perspectives is edited by John Petrik and executive produced by Peter Kilpe. Our producers are Liz Irvin and senior producer Jennifer Eiben. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design, and original score. And I'm Rick Howard. Thanks for listening.

[ Music ]

[ Sound Effect, Silence ]