Podcasts
Special Editions
Ep 60
Special Editions 4.12.24
Ep 60 | 4.12.24

Cyber Talent Insights: Navigating the landscape for enterprise organizations. (Part 1 of 3)

Show Notes
Transcript

Dr. Heather Monthie: Welcome to Cyber Talent Insights on the N2K Cyberwire network. [ Intro Music ] My name is Dr. Heather Monthie, and I am a cyber workforce consultant with N2K. I'm joined here with my colleagues, Dr. Sasha Vanterpool and Jeff Welgan. We're excited to be here today for this special three-part series on cyber workforce management and development. On today's episode we'll be talking about cybersecurity workforce intelligence from the perspective of the employer and people who are recruiting and attracting top cybersecurity talent. Welcome Jeff and Sasha.

Dr. Sasha Vanterpool: Hey Heather.

Jeff Welgan: Hey. Thanks for having us. [ Music ]

Dr. Heather Monthie: All right. Let's get into our first question here. So, we are a great team of cyber workforce consultants who work every day with companies on their cyber workforce intelligence. So, for those of you who are listening that might not understand what that term, "cyber workforce intelligence" is or "cyber workforce development" is, Jeff, can you elaborate a little bit on what this concept is?

Jeff Welgan: Yeah. And I realize this might be a new term for a lot -- a barless [sic] nurse or cyber-focused practitioners, right? But workforce intelligence is actually a thing, right? It is a thing that really refers to, like, the collection, analysis, utilization of data as it relates to a workforce, you know, an organization's workforce. So, the concept really comprises a number of things. Obviously, the data collection which we'll get -- we will talk a little bit about, I think, in this episode, but you know, performance data, you know, skill data, gap data, job opening data. That's kind of what we're really talking about here when we're talking about data collection. Then analyzing that in a useful way so that we can draw meaningful insights from that data which would then -- kind of feeds into a number of things across the enterprise, right? Like, particularly related to a number of things across the enterprise, right? Like particularly related to strategic workforce planning efforts. I used to work in the intelligence field for a number of years, and I think a good way to just think about any intelligence, whether it's workforce intelligence or cyber threat intelligence, your data that you provide, or the intelligence needs to really be, like, three things. It needs to be timely. It needs to be relevant to what you're looking at. And then most important it has to be actionable. So, that's really what we're focused on is getting that data, analyzing that data so that enterprises and decision makers can take action. Just in this case, it's around people.

Dr. Heather Monthie: Excellent. So, for those of us that are in the cybersecurity industry, we constantly are hearing about a talent gap in the cybersecurity workforce. So, can you -- for those that may not be familiar with, you know, some of the topics that we talk about around the cybersecurity workforce talent gap, can you just give us a quick, down-and-dirty refresher on the state of the cyber workforce?

Jeff Welgan: Yeah. I think one of the best definitive sources for this is actually at cyberseek.org; a number of good folks who are analyzing the workforce regularly and doing good updates on kind of the state of the industry and the workforce there. They, just about -- I think over the summer of last year -- updated the data and the 2023 supply-and-demand ratio is at 72 percent. So, what does that mean? That means that there are 72 percent of qualified candidates to fill those job roles that exist out there. So, there is still a shortage of supply for the demand in the workforce. It's a little bit better -- this past year's data -- 2023 data -- is a little bit better than the 2022 data, but it's really just marginally better. And I think there's some underlying causes why that might be the case, although we can't definitively point to one thing or another. But as we know, 2023 saw a lot of layoffs, especially impacting cybersecurity professionals and large tech organizations. So, that would certainly lower the number of job postings or i.e., the demand. So, I think that's one key component of it, of course. And then there's an ever-evolving profession here as well that I think we need to kind of pay attention to as professionals in this space. And that's just -- it's just similar to cyber. Technology and needs and skillsets evolve dynamically with the business; dynamically involve with innovation. So, that, I think, plays a key role in not only the importance of workforce intelligence, by just kind of the supply of relevant skills. And I would point to, just as an example, the rise of AI and the demand around skillsets related to AI, whether that's prompt engineering, or kind of on the database side, because more and more companies are leveraging that skillset for a number of different applications across the workforce. So, that certainly would impact the talent gap in a number of ways too. It could be AI; it could be other things.

Dr. Heather Monthie: Excellent. Thank you. So, Sasha, there are a lot of complex scenarios that we need to consider when we're talking with clients about cyber workforce strategy and how do we develop an upskill existing cybersecurity team? So, when we're thinking about the complexity of some of these different things, we look at things from a talent acquisition perspective, a talent management perspective, and then talent retention. So, can you talk a little bit to the talent acquisition piece and some of the work that you've done with employers on how do we make sure that we've got well written job descriptions that are actually looking for the correct skills, responsibilities, qualifications that are needed for a work role? And just some of the things that you've seen with working with employers on the talent acquisition piece of cyber workforce?

Dr. Sasha Vanterpool: Yeah. I think it's important to, you know, think about it as those different phases of the lifecycle. So, you know, specifically thinking about talent acquisition, I think when we're talking about talent sourcing, we're talking about, you know, where to look for those candidates and, you know, when they are actually applying for these jobs, I think that's the first pieces as far as making sure that the job descriptions are effectively communicating what the job roles and responsibilities are for that actual position. Some of the work that, you know, we've done with clients can be really simple, as far as just working on standardizing the formatting and how the actual job description looks on paper and how it's organized in different sections like that. That's kind of like the easy part. But I think, you know, where it gets the most challenging is the content that's included. And I think when it comes down to it, we want to make sure that these job descriptions are accurately representing what the responsibilities are in this role. So, when I'm applying for this, can I get a good idea of what I'm going to be doing on a day-to-day basis? What the responsibilities are, and then what are the actual skills that you're looking for and really breaking those skills down between the technical skills. But then also making sure that those professional skills, those power skills, those soft skills, employability skills, whatever you call it, are being communicated on there as well. Because they're just as important as those technical skills. And then also really emphasizing the difference between what skills are you looking for and then what experience are you looking for? And when it comes down to experience, it's important to sure, be familiar with -- if you're working with specific software, that could be helpful; that might be a preference. But at the end of the day what it comes down to is do you understand or are you able to perform this particular action that this software or tool is looking for as far as, you know, one software to another doesn't really matter as far as the brand, but again, going back to that actual skill that's being asked for and looking for that specific experience. I think we're also seeing differences as far as you have the changes when it comes to those requirements. When it's education or years of experience, things like that, these are ever-changing as the actual roles are changing. And then of course, there's always that challenge of every job being listed as a cybersecurity analyst or engineer or architect, and making sure that we are advising these companies of taking a look at what functionality is this role really, you know, focusing on here and making some adjustments to how these roles are classified. And of course, you know, making sure that that is communicated on the job description.

Jeff Welgan: One thing, I think, was -- is like super interesting and this is really for Heather, you as well, just the other week, right? We're working with one of our really large, global clients and in an effort to rewrite and make some suggestions on their job suggestions. And one thing we talked about internally for a while was really -- and presented back to them -- was like, what style do you want this job description written in? You know? And, you know, because there are a lot of different, you know, stylistic changes too. Like, some organizations kind of want to go with something a little more hip, and others want to kind of say in this role, you can imagine yourself doing X, Y, and Z. And others are just more straightforward, of like, here's the skills, or how do you group those skills? So, I didn't know if you had, like, additional perspective on it, or just opinions on stylistic changes or differences in the job description component of this work?

Dr. Heather Monthie: Yeah. I think that when you are looking at specifically entry-level job descriptions, you know, I think there's a lot of people that are really frustrated right now with people calling a cybersecurity job, entry level, when they're requiring two to five years of experience, or you're -- you know, name your certification. So, it's not truly an entry-level position. But I think that if you are an organization that is open to hiring people coming directly out of a -- an educational program, whether it's a four-year university or it's a -- or sort of a re-careering academy-type of program, that you can write those job descriptions in a way that really behooves the person that's going to apply for that job. So, you can write it at -- in a way that says in this job you will learn how to do X, Y, and Z. So, you can really frame it in a way that really helps them to understand that they're not expected to know all of this stuff just yet. It's that these are the things that you're going to learn in what is expected to be probably your first role in cybersecurity. So, when I think about some of the stylistic things, I think it's about more on the perspective of the person who's reading it and who you're trying to attract to come to your company and making sure that you're speaking in a way that's really going to intrigue them and say wow, I want to come work for this organization. Sasha, do you have any other ideas or thoughts?

Dr. Sasha Vanterpool: No. I think that's a really good point and thinking about, like yeah, the audience as far as who do you think is going to be the ideal candidate that you're going to be actually reviewing it. I think just some other things as far as, like, stylistic or, like, formatting kind of things, I personally like when a job description is kind of categorized as, you know, the role responsibilities on being separate from, you know, the preferred experience, and then having a separate section for any skills or specific competencies, you know, that they're looking for. And then even if there's an opportunity within those sections to break it down and categorize it, by you know, particular domains or functionalities, or whatever it may be, technicalities. I think it just kind of helps as far as compartmentalizing it a little bit more and makes it a little bit more digestible and maybe not as overwhelming, especially for those entry-level folks.

Dr. Heather Monthie: All right. Jeff, so when we're talking about cyber workforce intelligence or cyber workforce strategy, we think of it in three different areas: Talent acquisition, talent management, and talent retention, and Sasha's touched on, you know, the talent acquisition piece. What might you add to that, but then also as we're talking about, we've got a cybersecurity team, how do we develop them; how do we upscale them? But then also, how do we retain them and keep them from, you know, jumping ship and going to a different company?

Jeff Welgan: Yeah. I'd like -- I'm a visual guy so, I think it's really important to kind of, like, in your mind's eye visualize this problem set as a lifecycle or a continuum. And yes, on the left-hand side of that or the starting point of that is talent acquisition, and Sasha, you did a great job talking about the sourcing issues and job descriptions were key components of that. But as you kind of continue that lifecycle, you move into talent management, right? And that is things like, how you do job family classifications or pay banding, right? And making sure that you're titling those job roles the right way, saying it's an engineer if it truly is an engineering kind of role, versus analysts to Tasha's points earlier. But what are the appropriate pay bands for that too? If it's a really technical and niche role and it's hard to find, you might have to pay a little bit more than something a little bit, you know, a little easier to find or not as technically hard or difficult as a skillset. But if someone's lumped in, if you're a really technical professional and you're lumped into a pay band or a job title that's kind of, you know, doesn't emphasize that, you may be underpaid. So, getting that right for an enterprise is a key component of the talent management com- phase of the lifecycle, if you will, role analysis -- and I hope we can talk a little bit more about role analysis because I think this is kind of the center point, the keystone, of doing a cyber talent management effectively. But role analysis is really thinking about what is the role actually required? You know, what do you -- what skills do you actually need in this role at this specific level to be successful for our specific organization? So, that's important. Skill gaps analysis, right? You want to be able to identify if there are areas of improvement for your team or an individual. So, that's a component of talent management as well as those training and development plans. Then you kind of move into the next phase, and that's really around retention or attrition. There's kind of a bleed over there, but career pathing is a component of that. Like, people want to understand there's mobility -- upward mobility, sometimes laterable [sic] -- lateral mobility as well. And then what are the retention and attrition plans? What is the company doing to reduce attrition and keep people longer? And then we can -- then we'll get into a little bit into, like, company culture and other things that kind of play into that along with training. But those are kind of like the key pieces, and I think of all those components as, like, essentially levers. Because if you adjust one of them, they are interconnected. It will make improvements or deficits in another area. So, that's why I kind of really gravitate towards that job/role analysis because if you really start there and get that right, it makes some of those other levers a little easier to start -- to know where to adjust them appropriately.

Dr. Heather Monthie: So, what does that mean when we're working with a client on that job/role analysis, that actual task, what does that mean? What kinds of things are we doing? How are we partnering with, you know, these organizations to do that job/role analysis and get some actionable data from that analysis?

Jeff Welgan: Yeah. It's -- well, a number of things. We do, but I think that are kind of just generally really important to do for anybody who's kind of doing this on their own or working with someone who's helping them. One important piece is just to have a common taxonomy. You want to be able to compare apples to apples across your job roles. We leverage the NIS -- NICE framework, the National Initiative for Cybersecurity Education. We don't really lean into the defined work roles there, but what we do lean into are defined competencies. So, we really like the version of the NICE framework where it has those 60 defined competencies and they -- they span across technical stuff as well as those power skills, where it's leadership, operational, or professional skillsets. So, there's 60 of them that allows us the -- a common language to kind of compare different job roles. And then you really need to start to understand what the roles are requiring. And we also look at job descriptions to kind of get an insight into that, but we know often times -- and we're all guilty of it -- it -- job descriptions are a pain in the butt to do, so what do you do? You copy and paste from a previous version. And what happens over time is that through copying and pasting or quickly getting that work done, you're moving further and further from the target of what the job role's actually requiring of you. So, what we want to do is be able to kind of recenter the focus there and we do that through job description analysis, internally/externally, but also really working with job managers to better understand what their expectations are for those job roles and then really triangulate a lot of data to kind of define what is the actual fingerprint for this job role as it relates to competencies. And then again, like, when you do that and you do that right, you can then start to compare those job roles with each other. So, if you're moving up you can kind of see that level one to level two to level three progression, and then what skills are emerging from an expectation perspective to be successful in any of those target roles. The same thing lateral. You want to go from soft to incident response, what's the difference there? Where can we build a career path for that lateral movement for those teams? So, the data is very, very important as it relates to the job/role analysis.

Dr. Heather Monthie: I think that's a really good point in that lateral shift or that lateral pathway that somebody could make within their cybersecurity organization. When you look at some of the research that's been done on how do we retain cybersecurity talent, one of the things that people are looking for is the opportunity to grow, learn, develop their skills, and then have a very clear pathway of, you know, where can they move within the organization? So, you know, like you said, if you're in incident response, you want to move to a SOC; with this job/role analysis you can really see, as an individual person, as a -- as somebody who's saying what do I want to do next with my career? You can look at that and say, these are the skills I already have. These are the skills I need to acquire in order to move laterally into that new cybersecurity role. So, I think that's really helpful for companies to have as a strategy to help retain that talent. Sasha, what are some other things that you've seen that companies might do with that data?

Jeff Welgan: Can I touch that one really quickly? I don't mean to interrupt you Sasha, because I know you're going to say something really great here. But I wanted to emphasize something you said, Heather, and that is like, you know, it's really important to the employee, right? So, this is why enterprises need to get this right is because it's important. And kind of you think back to these levers and the interconnectedness of those, which is just kind of a key stat -- point to highlight. Employees have a 75 percent likelihood of staying with a company when they're making an internal move. So, you want to like, understand how the career path thing connects to retention. That's something especially people in this field, are really paying attention to. Does the company offer me that mobility and give me a path? So, sorry to interject there Sasha, but --

Dr. Sasha Vanterpool: No.

Jeff Welgan: -- I'd love for you to kind of --

Dr. Sasha Vanterpool: Yeah.

Jeff Welgan: -- continue on with the question.

Dr. Sasha Vanterpool: I think so. I think that's a great point to make, and I think, you know, going back to your earlier point, it then also can impact the talent acquisition piece. Because after you've collected this data and have a better understanding, okay, these are the actual skills that somebody in this role needs to be successful. Then can I go back and make sure that the job description is accurately reflecting that and emphasizing, you know, certain skills, certain experiences that need to be included on that. So, at the very beginning I'm hiring, you know, this talent that actually reflects what I'm looking for. So, it really does all, you know, combine and really hits all of those pieces of this, you know, lifecycle. When it comes down to it, that's what you want to have as an employee. You want to make sure that, okay, I'm getting hired into a position that I am going to enjoy, I'll be able to excel in, going to be able to learn. And then I'm going to be able to grow and flourish and hopefully be able to stay with the organization because that, you know, pretty much the whole point, right? So -- [ Music ]

Dr. Heather Monthie: Yeah. So, I think that as somebody who, you know, has worked in cybersecurity in the tech field for a long time, you know, my brain just really likes this idea of, you know, frameworks and, you know, really putting things into something that's very easy and -- to digest and understand. So, I really like this concept of a cyber workforce management lifecycle, so the talent acquisition, talent management, and talent retention. And Jeff, you were talking about, you know, some of these levers that you can pull to, you know, start doing some of these tactics, right? And one of the things was the job/role analysis. What are some of the other sort of levers that you can pull within, you know, this framework or this concept of, you know, cyber workforce management, and what are the -- some of the things that companies can do outside of that job/role analysis?

Jeff Welgan: Yeah. Let me just kind of back up from that question a little bit and reemphasize the importance of the job/role analysis as it relates to those tactical actions, right? Because you can adjust another lever, say you wanted to take a swing at job titles and classifications, right? If you do that without first understanding those job roles, you may be moving it the wrong way. And that can be -- that can start setting you back, right? So, if you change the pay range and you're asking again for something really technical or high demand and you are underpaying or you are offering a salary that's underpaid in the market, you're not going to find the talent you want, right? So, making sure the data is driving your decisions the right way in the actionable way, is really, really important to kind of --

Dr. Heather Monthie: It becomes the foundation.

Jeff Welgan: -- whatever levers we have. Right. Exactly. That's why I kind of referenced it as like a keystone. It kind of holds the arch together and allows you to kind of make adjustments other places as needed. Then I think there's other things, Heather, you asked, like, "What else can you do?" It kind of goes a little bit outside of the peripheries of the -- of that framework and the eight or so discrete, kind of, components of it that I highlighted. You can start talking about how do we want to organize our, you know, work/life balance for the organization? You know, depending on the mission and the culture of the company or agency or organization, if you're kind of looking at government institutions, right? Can you have a work from home policy? Does that work? Do people want to work from home versus be together, co-located, working together on something in person? So, those are other levers, right? Something as silly as dress code. I used to work for a large management consulting firm, and it was a big deal. We all wore suits in 2010. Like, we all wore suits to work and then we got a new CEO, and the new CEO was, like, "You know what? We are moving forward on -- into cyber and we want to attract more cyber talent for our contracts and our professions." And they did a study and they're like, yeah, it -- professionals viewed us as a stuffy consulting organization who wears suits, and they didn't want to wear suits. So, we made a jean policy --

Dr. Heather Monthie: Jeans.

Jeff Welgan: -- and it like -- it changed -- yeah, ching! It fixed a lot of things, you know? So, something that might seem silly like that can have huge impacts if you identify -- you do the right work to kind of identify where the source issues are and, you know, actions that might make improvements.

Dr. Heather Monthie: Sasha, what are your thoughts about, you know, just sort of the company culture and, you know, what are some things that employers can do to sort of shift that company culture to attract really good cybersecurity talent and keep them?

Dr. Sasha Vanterpool: Yeah. So, I think you know, Jeff brought up some good points. I think, you know, company culture, and you know, how people interact with one another. Whether they do individual work or on a team, being able to be familiar with their other coworkers or colleagues, whether they're in-person or not. I think having just opportunities to get to know, hey, you know, I don't really work with X, Y, and Z department, but I want to be comfortable with knowing what they do and, you know, what they're responsible for. So, that way, if you know, something comes up there's -- I know who to get in contact with if I need. Having that, you know, transparency and communication flow amongst the different teams or departments, I think, is a really nice feature to have. But then also making sure that as an employee, I feel comfortable that I just want to learn more and I want to be able to, you know, whether I'm thinking about a promotion or a lateral move or what have you, or just trying to get -- become more of an expert in the work that I do. Having those opportunities for professional development. So, it can be, you know, training. It can be going to conferences. It can be going to networking events. Just being able to stay, you know, up-to-date in what's going on in the field and a specific, you know, industry sector that I worked in. I think being able to have that sense of comfort and support, knowing that, you know, my company supports my growth and professional, you know, development and learning, again, can be on a smaller scale or a larger scale. You know, and going for certifications or being able to, you know, fund me to get another degree or whatever it is that that particular individual is interested in. Having that sense of support and community, you know, is I think, another really important feature of that. And that again goes back to I feel supported by this company. I want to stay with this company and how can I continue to grow and develop laterally or, you know, moving up into a different level or position. But this company cares about me; I care about it. And I want to stay with it for the long-term, I think, is the ultimate, you know, goal.

Dr. Heather Monthie: You bring up a really good point about professional development and training that I think that there's, you know, a lot of organizations will go and purchase sort of this blanket, you know, subscription to, you know, X, Y, and Z cybersecurity training or project management training, or name your thing.

Dr. Sasha Vanterpool: True.

Dr. Heather Monthie: And generally speaking, from an adult education and training standpoint, people will generally gravitate towards things that interest them. It's very easy to spend time and it's a lot more, you know, motivational to yourself to actually take training that you might be interested in. What I think is interesting about what we're doing with the cyber talent insights and some of the job/role analysis work that we're doing, is that it can really help security leaders identify what skills gaps you have on your team. I've -- you know, I've managed a large team; I've managed small teams and as your team grows, it's very difficult to really just sort of keep track of what the skills are that you have on your team. And you might not necessarily know where there's -- where those skills gaps are. And, you know, through some of these, you know, insights that we can, you know, work with the organization to help them see where some of these skills gaps might be on their team, and that could potentially be a cyber risk. But if you've got nobody on your team that ident- understands identity and access management to the level that is needed, that's a risk for your cybersecurity team. So, you -- from there you can then either -- you have two decisions. You either hire somebody that has those skills, or you can upskill people that, you know, might be interested in identity and access management, it's just not something that's ever really been on their radar. So, I just -- I -- you know, I -- no question here, I just -- I think it's a -- it's an interesting -- it's an interesting perspective when you're looking at professional development, that it's not just, you know, we're going to give you training on whatever it is that you want. That's great. That's a really great employee benefit --

Dr. Sasha Vanterpool: Sure.

Dr. Heather Monthie: -- it helps with company culture. But also, we want to make sure that we're identifying where those skills gaps are on our teams and closing those gaps.

Dr. Sasha Vanterpool: Providing a sense of direction.

Dr. Heather Monthie: Yeah.

Jeff Welgan: Yeah. I mean, because like, you know, at the end of the day, you know, for enterprises it's all about ROI -- return on investment -- right? Like, is that training program I'm putting in place a good return on that investment made? So, being able to pinpoint where you should be, you know, making the investment into certain training areas is a really important datapoint for enterprises and decision-makers there. But I will emphasize that the ROI just doesn't stop with the enterprise. It's important for the employee too. No employee wants to go through basic identity access and management if you understand it already. Like, so if they understand it already, let's fast-forward, double tap that, and we'll move forward and we'll do something more complex. Let's focus on an area that you do need, you know, some support. Because we don't want to waste your valuable time too. So, it's really beneficial in both perspectives, and that's where the data really kind of helps guide decisions there.

Dr. Sasha Vanterpool: Yeah. And I think just to add to that, I think it's also making sure we're not just focusing on those technical skills. And so, it's -- if it's identified especially as you progress, as trying to go into a manager role, for example, having those power skills. And so, giving these employees the opportunity to either maybe mentor or job shadow with somebody who's already in that position but then also giving them the opportunity hey, you lead this presentation, and we want to work on those communication skills, you know, both written and verbal. But let's say it's, you know, a presentation giving them the actual experience to practice, say okay, are you comfortable presenting to, you know, high-level leadership? And you want to make sure that you're getting that experience. It's not always something that, you know, you sign up for a course, you know, to do. It's sometimes just getting more experience. But again, using the data to pinpoint that area of focus and the sense of direction on okay, what kind of training? What kind of experience can we help develop in you?

Jeff Welgan: Yeah. Help Net did a survey last year, Help Net Security, around the soft skills. And they found of the soft skills these are the five that were in most demand from employers looking at cyber security candidates: Communication, critical thinking, problem solving, teamwork, and attention to detail. And we see it every time we talk to a client. It's like, yeah, we haven't -- there's no soft skills, no power skills listed on the job description. You ask the job manager, "Is that important?" They're like, "Oh, absolutely."

Dr. Sasha Vanterpool: Absolutely.

Jeff Welgan: Well, then we need to fix that, right? I love that you brought that up, Sasha.

Dr. Heather Monthie: So, in closing, if you're talking to a cyber security leader, so somebody who -- it could be any one of these. It could be a CISO, it could be a director on a cyber security team, a manager of a cyber security team, or even somebody in maybe HR or on the learning and development team that might be responsible for helping to develop the cyber security talent in the organization. What is just one really good piece of advice that you would give somebody that really just has that responsibility as part of their job? What is one piece of advice that you might give them?

Jeff Welgan: You want to go first, Sasha?

Dr. Sasha Vanterpool: Sure. I think, you know -- and as we're talking about all this -- I want to tell them make sure you're friends with your HR and learning and development department or team and collaborate and work together. And I think, you know, so many times I mean, I think that can be a whole another conversation within itself. But we see how, you know, they're so siloed off from each other and not talking to one another, but I think, you know, those in human resources, learning and development, they obviously have a specific skillset and education experience that can really help with some of the things that we've talked about. Whether it comes to just the job descriptions or the training piece or things like that. But making sure that there's that communication and collaboration between the CISO, or you know, just the cyber security department in general, and making sure that they're aware of what, you know, they're looking for. So, that way they can collaborate and work together to make sure that all pieces of this lifecycle that we're talking about, you know, from the talent acquisition to the management and to retention, there's collaboration and communication there, so everybody is kind of happy and getting what they're looking for.

Dr. Heather Monthie: I would definitely echo that. I think that a lot of the work that I've done over the years, I really just kind of introduced myself to people as I'm the bridge between the CIO, the CTO, or the CISO --

Dr. Sasha Vanterpool: Yeah.

Dr. Heather Monthie: -- and the HR learning and development team, like, I'm sort of that bridge. Because in a lot of organizations, especially as organizations get bigger and bigger, the two aren't talking to each other.

Dr. Sasha Vanterpool: Right.

Dr. Heather Monthie: And so, I really think that that's a great piece of advice for anybody in any size organization, Sasha. So, thank you.

Dr. Sasha Vanterpool: Sure.

Dr. Heather Monthie: Jeff, what might you provide as a piece of advice?

Jeff Welgan: I mean, I would also echo the same, but for the sake of listeners, I will highlight a different part of it, although that is really an important component here. The -- I would say the -- understanding that this is complex. I mean, we're talking about people, and I think people is always complex. And I think a lot of organizations -- well, I should back up. A lot of the cyber teams feel like they have to take this on themselves. I think too, some of the disconnect with HR or L & D that we just mentioned here, that HR doesn't understand technical things; are not getting things right, and it's kind of a -- each are pointing fingers at each other -- not all organizations but some. So, it is complex. And because it's complex a lot of times cyber security teams, like, take it on themselves to do it. And I think when you -- when -- and that's fine, but because it is hard to do it is hard to do in addition to your regular duties, and that's what we see all the time. Like, you know, some stock manager is trying to take on a lot of components of workforce planning and, you know, workforce intelligence as a side duty to the organization. And I don't think you kind of move through it as effectively because they have other priorities to deal with. So, highlighting that point along with that there is an approach to do it and that approach really centers on data collection and data analysis so that you're not just going into a room blindfolded. You can actually turn the lights on and see what's around you so you know where to -- to kind of move next, and what you're looking for as you kind of, you know, traverse this complex labyrinth of issues so that those would be the good things I would kind of add to it. [ Music ]

Dr. Heather Monthie: That's it for this first episode of Cyber Talent Insights. We would love to continue the conversation with you offline. Feel free to connect with Sasha, Jeff, or me on LinkedIn. Send us a message and we're happy to talk about cybersecurity workforce intelligence. For additional resources from today's episode and our LinkedIn profiles, check out our show notes. Please join us for the next two episodes in this series where we cover cybersecurity workforce intelligence from the individual's point of view in Episode 2 and how to strengthen the cyber talent pipeline in Episode 3. We'd love to know what you think about this podcast series. You can email us at cybertalentinsights@n2k.com. Your feedback ensures we deliver relevant information to develop effective cybersecurity teams in a constantly changing landscape of the industry. We're privileged that N2K and podcasts like Cyber Talent Insights are part of the regular routine of many of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Stokes. Mixing original music and sound design by Elliott Peltzman. Our executive producers are Jennifer Ivan and Brandon Karpf. My co-hosts are Dr. Sasha Vanterpool and Jeff Welgan and I'm Dr. Heather Monthie. Thanks for listening. [ Music ]

Special Editions
Podcast Info
HOST(S):
Dave Bittner
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Creator: CyberWire, Inc.