Special Editions 4.26.24
Ep 62 | 4.26.24

Cyber Talent Insights: Strengthening the cyber talent pipeline apparatus. (Part 3 of 3)


[Jeff Welgan: Hello, and welcome back to Cybertalent Insights on the N2K CyberWire Network. [ Music ] I am Jeff Welgan, and I'm joined once again by my amazing colleagues, Dr. Sasha Vanterpool and Dr. Heather Monthie, for this special three-part series, sharing our insight on the complexities of the cybersecurity workforce. [ Music ] Heather, can you remind the audience what we focused on in our first episode?

Heather Monthie: Yes, absolutely, Jeff. I'm so excited to be back here today. First, we highlighted the state of the cybersecurity workforce from a supply-and-demand perspective, and then we shift our focus on the enterprise perspective, so looking at the importance of using cybertalent intelligence to help make informed decisions related to the cyber workforce management lifecycle, which includes things like job roles analysis, talent acquisition, upskilling, reskilling, and workforce retention.

Jeff Welgan: Awesome. Thanks, Heather. And Sasha, how about Episode 2? Do you mind giving a quick recap of that for our listeners?

Sasha Vanterpool: Of course. So for Episode 2, we continued the conversation by really focusing on the cyber practitioner, what it means to take a market-driven approach to cyber career development, personal branding, certifications, and why a company's workforce management program is really important to get correct for the cyber professionals.

Jeff Welgan: Thanks, Sasha. And for today's episode, we want to center our conversation around the cyber workforce pipeline. We talk about where the next great wave of talent is going to come. We examine sources of new talent, such as K through 12 programs, higher education and trade school programs, transitioning military, and other initiatives and programs focused on cultivating the next generation of cyber professionals. [ Music ]

Unidentified Person: Cybertalent Insights from N2K CyberWire will be right back after this. [ Music ]

Jeff Welgan: All right, let's get started by talking about cyber as it relates to K through 12, and for the purposes of today's episode, I really want to shelve the conversations around the importance of cyber safety, cyber hygiene, etc., and center in on career awareness and cyber skill education. So we'd actually had Tatyana Bolton, a Security Policy Manager at Google and Senior Advisor to U.S. Cyberspace Solarium Commission, as a Solution Spotlight guest not that long ago. I think she frames up the topic really nicely for us, so let's just take a moment and take a listen to that.

Tatyana Bolton: The K to 12 piece is really critical, because if you are -- if you don't have enough of a population that's even knowledgeable about the basics from an early age, then they're not sort of inspired to go into cybersecurity and fix these problems, right? If you're not even seeing cybersecurity professionals until you're older, you're not really thinking about that as a career path. Like, there's not enough cyber experts to go into every school in America and say, "Hey, I do cybersecurity for a living." What does that look like? You know, what does that even mean? The teachers also, you know, you can't put it on them. They're, like, massively overwhelmed as it is, K to 12, not having enough focus, not having enough resources.

Jeff Welgan: All right, so Sasha, let's unpack this a bit. Can you elaborate just a little bit on the constraints and limitations of primary and secondary education systems as it specifically affects the cyber workforce pipeline?

Sasha Vanterpool: Yeah, absolutely. I think Tatyana makes a good point that a lot of the schools, unfortunately, nowadays just don't have enough resources, so those school resource constraints, that includes limited funding, limited access to advanced technologies. Of course, there's teacher shortages. There's limitations and a lot of conflictions when it comes to standardizing curriculum, and that kind of affects all subjects, but especially when we're talking about STEM, especially when we're talking about cybersecurity, so as far as like the cyber education curriculum, incorporating hands-on interactive learning experiences, all of that, and just the exposure to what, you know, a career in cybersecurity could even look like, that's what we're really lacking in the schools. And I think that it's especially prevalent, you know, again, all of these limited resources, unfortunately, in the more racially diverse and socioeconomical disadvantaged communities, so we're seeing that if in these communities they're not even being exposed to it at an early age, that that's possibly causing what the correlation is that we've seen in the field today where we have professionals not coming from, you know, diverse backgrounds and not being inclusive to, you know, women, people of color, people from, you know, different socioeconomic backgrounds. I think it's starting from that early age.

Jeff Welgan: Yeah, it makes total sense, and it's certainly a challenge that is not an easy one to climb, but there are some organizations we'll talk about later on in this episode, too, that are kind of moving towards that. Heather, I didn't know if you had any reactions to Tatyana's comments here, if you wanted to weigh in on this as well, as it relates back to, like, constraints, limitations, and primarily focused on primary and secondary education systems.

Heather Monthie: Yeah, absolutely. I think that one aspect that, when I'm working with a school and they need some help, like, you know, I want to start a cybersecurity program, where do I get started, it's important to note that every school system has their own IT department, they have their own, you know, cybersecurity teams, and they're going to have their own policies and their own constraints and maybe some possible limitations for what can be taught in the schools, so certain pieces of software might not meet the acceptable use policies, so they can't necessarily install software on a computer. If something is web-based, the privacy policy might not be aligned with something that can be used in K-12 schools, particularly if the students are under 13. Here in the U.S., there's some privacy laws for children under 13. So I think that when we're thinking about bringing technology into the classroom to teach cybersecurity is that what we've got to do is sort of find this happy medium around, you know, we're teaching students how to do particular skills, but we're also not, you know, violating any sort of policies or procedures that the IT and security teams at that particular school district has in place.

Jeff Welgan: Yeah, great point. So I think, you know, in Episode 1, we really talked about, like, the state of the talent gap, and this is why, you know, getting an early start is so important. You know, the total job openings right now in the cyber space is around 572,000, according to cyberseek.org, so that kind of leads to my follow-up question here on this is, you know, in addition to just kind of looking at the pipeline and the gap there, why is it important to cultivate curiosity in cyber careers this early on with students? And, Sasha, I'll pass it over to you.

Sasha Vanterpool: Yeah, I think it's, you know, kind of showcasing that there's this opportunity for them to even have this career. I think, you know, like you said, we're not talking about necessarily, you know, being safe on the Internet. That's a whole other conversation. But just understanding that this is even a possibility and the avenues and the career paths that are even available in this field and being able to expose them from an early age, being able to see what a day in the life is, having guest speakers, having, you know, job shadowing opportunities, all of that can really help them paint that picture for them, so that way they can kind of get an idea, okay, even if I'm interested in some element of cybersecurity, maybe I'm not sure what path or track I want to go down, that's fine, but then I can start exposing myself to different hands-on experiences and opportunities to not only familiarize myself with the knowledge and skills and training that I'll need, but then I can even align my actual curriculum with that, especially as you get a little bit older and, like, middle school and high school, when you have these electives, that you have the opportunity to choose or actually follow down like a career track, they can start getting that experience early on. I think more and more, especially with these career academies that are IT or maybe cyber-specific, they're giving these students the opportunities to get certifications in high school or maybe dual enrollment, and again, you're not even able to set yourself up to have that opportunity for success if you don't even know if it's an option, and a lot of the times these decisions are having to be made earlier and earlier, like middle school, and then to go into that path for high school. So the earlier the exposure, the better, for sure.

Jeff Welgan: And then the space is super competitive, too. I mean, I remember when I was in, you know, we know that the cybersecurity industry is extremely competitive despite the number of job openings that are out there, which is ironic in itself, but, you know, if you think back when we were in high school, I don't know about both of you, but it was like our exposure to computers for me was like typing, you know, like it was a typing class, and I went to like a rural school, so there wasn't, you know, a ton of budget there, but today, you know, like one of our Urban Alliance interns, you know, was telling me just like the other week that his goal before he, like, leaves high school is to get an A-plus certification and an AWS certification. So like, kids coming out of K through 12 programs are coming out credentialed in a number of cases. So it's really just kind of a different dynamic, a mental shift for someone, you know, like our age and as we think back on those K-12 experiences. Heather, I think you probably have a lot to share here, too, so I'll just kind of turn it over to you for a sec.

Heather Monthie: Yeah, I have tons of stories I could share here. I think that what's really important about exposing young people to different cybersecurity careers is looking at it sort of from the perspective of cybersecurity is a relatively new field. It's not like going into teaching. It's not like becoming a doctor. It's not like going to law school, becoming a lawyer. These are professions that have been around for a while, and a lot of parents can really help guide young people into a career that, you know, we know that in order to become a teacher, you've got to do these things. If you want to become a nurse, you've got to do these things. It's very -- they're very well clearly defined pathways that have been around for any length of time, and when we're talking about cybersecurity, oftentimes parents aren't familiar with it. Even really anything in tech, sometimes parents aren't necessarily familiar with it. They don't know how to guide their students or their children when they come to mom and dad and say, "Hey, I'm interested in this. I want to learn more about it." And then they're like, "I have no idea how to help my child learn more about this particular profession." So I think that's why it's really important for different types of training organizations, colleges, universities, vocational schools, community colleges, etc., that have these sort of pathway programs where you've got things like summer camps and, you know, weekends -- weekend camps, things like that, where it's really showing students what a career in cybersecurity can look like, and it's helping parents guide their children on a career that might be interesting to them.

Sasha Vanterpool: Absolutely. I'll just also just add really quick that I think, too, for them to have that hands-on experience in high school, like participating in these clubs and boot camps and competitions, I think that is just not only just a cool experience to be a part of but is really what's going to help them set them aside and stand out amongst that competitive market, whether they are, you know, trying to enter into a specific, you know, higher education program or they're looking to go directly into working after high school. It's a really great opportunity for them to set themselves apart and, you know, get that experience early on.

Jeff Welgan: Yeah, great points, and I know in a little bit here we'll talk about industry partnerships and collaborations, but I do want to take a moment to make a quick plug, you know, for the Camden Dream Center, and the CEO over there, Pastor Keith Davis, is doing some really great work for working on getting exposure to young individuals as it relates to STEM programs, especially for underrepresented groups there, and sparking that curiosity from a really young age. So there are, in addition to the K through 12 programs, like community programs that are really getting involved in this space, too, or even like social clubs that, you know, kids can kind of, you know, participate in to get more exposure beyond what the school itself may be able to provide. So those are really exciting to see kind of crop up. But I think to wrap up this section, I just want to, like, focus in on one last question for both of you is, are there any other strategies that you are aware of for sparking interest in cybersecurity careers among young students through engaging and interactive learning experiences? Heather, why don't you go ahead and go first on this one?

Heather Monthie: Yeah, there's a few. There's many out there. I'll just mention a few that I am personally involved in. First is the AZ Cyber Initiative, which is a nonprofit here, local to Arizona, where we run boot camps for teachers and students learning about cybersecurity. Teachers learn how to teach cybersecurity. Students learn about careers in cybersecurity. It's been so successful that we're starting it now as the U.S. Cyber Initiative to help bring this to other states to help train K-12 teachers on how to teach cybersecurity, but then also get more young people interested in careers in cybersecurity. And similarly, there is the GenCyber Program that is -- it's a collaboration between NSF, NSA, and some other entities, but these are grants that are provided for various organizations, colleges, universities, nonprofits, training organizations, and what they do is they offer up something very similar. They're training boot camps for K-12 teachers to learn how to teach cybersecurity and to feel more confident teaching something they might not necessarily feel super confident with that particular topic, and then also bringing more students into some of these boot camps as well to give them some hands-on experience of what a career in cybersecurity might look like. So those are a couple of those organizations that I've personally been involved with that I think are doing a really good job with, you know, just working to develop that talent pipeline from an early age.

Jeff Welgan: How about you, Sasha? Anything in particular as it relates to kind of engaging and interactive learning experiences focused on a younger generation?

Sasha Vanterpool: Yeah, I mean, I think that there are a lot of great organizations out there that are doing things, and what I love is, especially those who are community-based, because like we talked about, a lot of these schools don't have the resources, and there's a lot of limitations that are beyond, you know, the teacher's control, even the school, you know, sometimes having to go through the district and all those rules and regulations. So a lot of the times I think that if, as a parent, you're seeing that your child is expressing that they are interested in this, there's other ways that you can go about, you know, within the community to look into these, like we talked about, these kind of boot camps or these kind of clubs that they can join at the community level that you don't have to necessarily wait to see, you know, what the school gets approved or, you know, the resources that they have or that they don't have, which I think is really neat for parents. Then, of course, you know, just the technical age that we live in and, you know, with things online as far as, you know, YouTube and, you know, different podcasts and things like that, that you can find out some additional resources as well. But I think that, you know, of course, we want the schools to be better equipped. We want them to have kind of more standardization, have access to more resources, but I think it is nice that there are a lot of community-based organizations out there, especially those ones that are, you know, focused on diversity and inclusion and really kind of going into those underprivileged communities that don't have access to these things and being able to provide them with that exposure. And I think, you know, those practitioners out there as well, you know, getting involved yourself and volunteering your time to be that opportunity of exposure to those young students to spark their interest, I think is always a great way as well.

Jeff Welgan: Yeah, sometimes you just have to meet people where they're at, too, you know, especially when we're thinking about young individuals. Sometimes you need to find the connective tissue with them on what is in, you know, what's kind of in line with their own interests and how that relates to something beyond, you know, high school. And one thing I'm -- one organization I'm, like, just kind of really fascinated by and interested in lately is the work that Microsoft's doing with Minecraft education, targeting high school students here. So I know, like, Laylah Bulman, she's one of the executive producers there, is doing some pretty great work with high-schoolers and teachers using Minecraft as a game, but as a teaching tool for STEM, which is pretty fascinating if you think about it. Great. So I think let's pivot just here quickly and move over, move the conversation over to adult education and training in that particular landscape. For adults, there's clearly a lot more options to consider, higher ed, whether that's universities, cyber centers of excellence, community colleges. We also have trade schools, technical schools, accelerator programs, job transition programs. So there's a lot to consider in this particular bucket for adult learning, but knowing what to choose can be really an important decision for adults kind of looking to or building their career in cybersecurity. What are some of the unique challenges, needs that adults are seeing, and what route considerations should they keep in mind when making the choice to learn? Heather, I'll kind of pivot over to you here on this one.

Heather Monthie: Yeah, I think that it's really important to understand that if you are an adult who's got some experience in another field, and we've talked about this previously as well, that you've got transferable skills, so don't feel like you have to go back to school and spend another four years to get a Bachelor's degree to pivot your career into cybersecurity. There's a lot of programs out there. There's a lot of schools out there. There's a lot of nonprofits. There's a lot of training organizations out there that have created sort of shorter training programs specifically for people who are trying to transition into cybersecurity. So these are, you know, if you look at a traditional college degree, you've got all of your, you know, sort of your technical courses, but then you've also got, you know, the professional skills, so writing and presenting and that kind of thing, and oftentimes people who've got experience in another field, they've sort of got that down, and so we just need to learn the technical pieces to a cybersecurity role. So some of these shorter training programs really focus in on those technical skills that are needed for a cybersecurity role. One other thing that I think is real important, too, to note, if you are somebody who's transitioning into a career in cybersecurity, is that, you know, looking at different certification options, we've talked about certifications in a previous episode as well, that there is, you know, there's a lot of different certifications that are available out there. And that just try to find, you know, if you're working with a college or university or training program or some sort of organization, maybe your learning and development team within your organization, perhaps they have some sort of pathway to find out with regards to certifications and trainings and things like this to get into a specific role within cybersecurity. But then, you know, from the flip side, I also think that from the employer standpoint is that there's a lot of really good people out there that have, you know, they're probably over 35 years old. They probably don't have a degree in cybersecurity. These are new-ish degrees, so a lot of people don't have degrees in cybersecurity. So, you know, I think that a lot of organizations are starting to lighten up on the Bachelor's degree requirements for cybersecurity with that understanding that there's a lot of different pathways into this particular field and it's not always a traditional, you know, four-year Bachelor's program for the adult student.

Jeff Welgan: Yeah, great points. I don't have a degree in the cybersecurity field, but, you know, I'm in the fringes of it, so -- and a lot of people my age, you know, rode that wave into the field back in the earlier parts of the 2000/2010s. One thing I kind of want to turn over to you, Sasha, more related to transitioning professionals, you know, especially when we think about military, you know, we all have connective, you know, degrees of separation to military here. I know both of you are married to a service member. I am a veteran as well, so -- and Sasha, you used to -- your last place that you worked was at Cyber Florida, which really focuses on a demographic here around transitioning professionals into cybersecurity. So, you know, what are some unique challenges that you've seen as we're talking about adult learners who are coming into this space and, in particular, coming out of maybe a very different type of career?

Sasha Vanterpool: Sure. I think that, you know, for any military veteran, making that transition from their military life and career into the civilian career and lifestyle is a challenge, but I do think that most veterans have this, you know, innate need to protect and serve, and so I think it's a very natural transition to go from whatever branch of the military that you might have been in to kind of continue that protecting and serving and just do it in, you know, the Interweb of cybersecurity, and so I do find that there are a lot of programs that are dedicated specifically to helping military veterans transition into cybersecurity, which is great and awesome, but I do think it's still very overwhelming, and I think, you know, veteran or not, when you are a career-changer, that is very overwhelming to begin with, but I do think that when you are a career-changer, you're thinking about what are those transferable skills that I'm bringing over? What can I take from my previous experience into this field? But you're also still learning about the field. And I think one thing that we all know about cybersecurity, it is the wild, wild West, and so there is not the same standardization as far as, like, you know, curriculum or pathway to get into the field. And just like, you know, Heather just mentioned, there's so many different routes that you can go, and unfortunately, I do think that what we have seen with some of these accelerated boot camp programs, a lot of them are like, you know, get your certification and, you know, in three months, and you can do this if you pay, you know, I don't know, $50,000, and it's just can be really expensive, again, really just like, okay, what path do I choose? Who do I follow as far as certifying body? There's so many different certifying bodies out there when you are going the certification route. So it can be a lot, and I definitely think that, you know, we talked about in our last episode, making the connection with those people who already are in the field, finding out about how they got into their path and, again, you know, making those collaborations with those who are already in the industry and trying to have those partnerships or, you know, working with your professor if you do go the traditional education route. Trying to get some guidance, I think, can be helpful, but I think it is important to recognize just how intense it can be, but there are so many different paths. And so for those career-changers, you know, we want to make sure that we are supporting them to the best of our ability. [ Music ]

Unidentified Person: Cybertalent Insights from N2K CyberWire will be right back after this. [ Music ]

Jeff Welgan: Yeah, I think something to consider here, too, is, you know, there's lots of choices, and choices are going to be hard here. You're not going to find this perfect solution. There are, you know, kind of going back to the theme of the episode here around, you know, pipeline and organizations that kind of help with the pipeline in a variety of ways, I think one of the considerations any individual and the adult learner may want to consider here is they're looking at programs that are options to consider or looking for programs where they do get some hands-on skill sets, too, because employers are looking for that, the demonstration that you can do the thing that you say you have knowledge on, right? So I think for anybody listening who's kind of thinking about the field, you know, see what all the options are, weigh those out with what your tolerance is, whether that's a financial tolerance or a time commitment, and, you know, weigh those options out, but definitely think through the hands-on experience, and if you're not getting it from a program, like a training program, you know, look in other places, too, where you might actually get some of that, the application of the knowledge into the task itself. Kind of in line with that, Heather, I'm sorry, Sasha, did you want to add anything to that?

Sasha Vanterpool: No, I just want to say that's a really great point.

Jeff Welgan: Okay, great. Kind of adding to that, I'm going to pivot back over to you, Heather, for a second because you were a dean at a college, and, you know, we're talking about hands-on programs and that is certainly a challenge for any institution that's training or teaching, but, like, what are some of the challenges that you noticed, you know, for educational programs or training programs that are trying to keep up with fast-paced nature of technology, new cybersecurity practices? NIST just put out a new cybersecurity framework. Like, as things kind of change so quickly in the industry, how does that impact the institutions that are teaching the next generation?

Heather Monthie: I think I could do an entire podcast episode on just that topic.

Jeff Welgan: We might.

Heather Monthie: On what are some of the challenges of teaching cybersecurity, and so I think that, you know, going back to what I mentioned earlier in the K-12 world, it also happens in the collegiate world where every college, university, school out there, they've got their own IT department, they've got their own cybersecurity team, so you've got to work within the boundaries and the constraints that they've put in place for their network. Their job is to secure the enterprise network in that instance. The enterprise network includes school labs and the Wi-Fi that your students are connecting to, so my suggestion right there is always just become really good friends with your IT and security teams and get to know them and work with them versus looking at it from the perspective of "they're not letting me teach my students what I need to be able to teach." The other aspect to that is that a lot of the software that's out there that's being used in the enterprise is expensive and schools don't have the budget to be able to teach those particular pieces of software. So what I always recommend to students is, you're learning this particular tool, right, and you can talk about how you have used that particular tool. It might translate very well over to a different tool that does the exact same thing, so when you're -- the analogy I always use is, you know, if you're taking an art class and you're learning how to use a purple-colored pencil, it's not teaching the students how to use a purple-colored pencil. You're teaching them how to create something new, create artwork using a purple-colored pencil with the idea that they can take everything that they've learned and now come over here and do it with, you know, red watercolor, that there might be some, you know, some different technique changes and some different things that might, you know, operate a little bit differently, but sort of that thought process and that, you know, coming up with that creative design is very similar. So it's, again, going back to transferable skills, that you're learning something on one piece of software that can certainly translate to a different type, a different vendor that does the exact same thing. And really the third thing that I think is important is to, you know, from an educational standpoint, we're really working with students to become problem-solvers, to become creative thinkers, versus how to click here and do this thing on this particular tool. It's the bigger picture. It's you've got this issue that's sitting in front of you right now. How are you going to solve that problem? And how you do that is, you know, we work with students, giving them different types of case studies, giving them different projects to work through, and ideally, and a lot of colleges and universities are doing this now, ideally the students will come out of a program with some sort of a capstone project, and the idea there is that they'll have artifacts that they can bring to a job interview to show you, if you're a hiring manager, they can show you, "This is what I have done. This was the project that we did, and here's how we did it. You know, I worked in a group and we used this particular tool and here's the design." And, you know, maybe they've got a video of how they actually created something. But, you know, a lot of the training organizations that are out there now are really recognizing that, you know, employers are looking for that hands-on experience, so we've got to get students that experience while they're in that training program, and you do that through different project-based learning, capstone projects, etc. We could also talk about things like internships and, you know, volunteering your time with nonprofits, things like that, but I'll save that for a future episode.

Jeff Welgan: Well, that's wonderful. I think, you know, we certainly work with a number of colleges and universities on the practice test side, kind of working with them to give access to students, to those practice tests, so they can go through and, you know, earn those certifications. But in conversations with various CISOs at colleges and universities, one of the things I'm always excited to hear about, and there's a number of, you know, higher ed institutions that are doing this, is around those internships, but internally for the cybersecurity teams there for the college or university, because you think about a lot of the big universities, they have so much data to protect, not just like student data, enrollments, but payment data. A lot of times there's a health center, so there's, you know, HIPAA considerations, healthcare data, and they're complementing their workforce through, you know, cybersecurity graduates or program enrollees who get hands-on experience doing real-world, you know, defensive security operations, and then rotating out of those internships, and it serves the college and university really well, too, because they have limited budgets. So finding talent, paying for talent, it can be challenging. So I think it benefits everybody there. I love hearing those stories.

Heather Monthie: So I did something very similar to that. When I was in the university setting, I worked with our CISO and our CTO to develop a program where students could go through an eight-week sort of rotation on each team within the IT team and also within the security team, so they'd work on the NOC, they'd work on the SOC, they'd have a different eight-week rotation, and then they'd have to give a presentation on what they were doing. But it was really helpful for, you know, the CIO, CTO, CISO, etc., because they were getting access to some of the really good talent. But on the flip side, my goal was always, I want students coming out of a program and I -- with experience. I don't want them to come out not -- and now we're trying to get the first job after we graduated, that I, you know, want them to get that experience while they're in that program. So I think a lot of universities and colleges are seeing that there's sort of this untapped talent pool within the students that are in their academic program.

Jeff Welgan: For sure. So capital C, Cybersecurity, super complex. You can almost think about it as a complex or a complicated biome or ecosphere where all these separate systems are at play, you know, private industry, government, education, certification bodies, nonprofits, the list goes kind of on and on here. Simone Petrella, she's our President at N2K, recently sat down with Camille Stewart Gloster while she was working as Deputy National Cyber Director at the White House, who described it this way.

Camille Stewart Gloster: And then the last imperative is really focused on building ecosystems, because we have found through all of that engagement that I talked about that ecosystems, regional, local, that can really tailor to the needs of the community, but also create these networks of feedback that can help inform how training happens, how education happens, how employers find their workforce are really vital to a thriving cyber workforce. So when employers can inform academics on what the education and training apparatus should look like and when those same academics can ask for skills-based opportunities for their students, you know, and when we can engage the community, you get a more robust dialogue that not only solves the workforce challenge, but solves a number of other challenges. The federal government has the smallest piece of implementing this strategy. We can provide funding, we can work on the federal workforce, you know, we can work on some strategic things and provide support, but the private sector, academia, state and local governments, nonprofit partners all need to drive implementation, launch a collaborative effort with academia, private sector, and a number of others to have a conversation about what a cyber workforce ecosystem looks like there, what their needs are, how the state and local governments can continue to support them. If you are an academic organization, if you are a nonprofit, if you are eligible to get grant money from them focused on some of these cyber workforce initiatives, if you start to do work that is implementing this strategy, I encourage you to reach out to partners like National Science Foundation, CISA, NICE, that have money and resources or can be a conduit to you getting some. We are not the only source of funding. There are funders and philanthropists who are doing this work. There are private sector organizations that are doing this work as well, and so there's a lot of opportunity for funding. I encourage folks to start to reach out to those organizations that have made themselves available for them to get the resources. Our goal is to pull folks together to help with resource sharing and to catalyze action. What I don't want to be is a bottleneck. So I want organizations, I want regions, I want locales to feel empowered to go do this work with or without my or the office's involvement, but where we can support, where we can bring organizations together, where we can help spark a cyber workforce ecosystem.

Jeff Welgan: All right, great. Sasha, so what are your thoughts or reactions here? Camille had a lot of points to highlight here. What do you have to say about all of that?

Sasha Vanterpool: I really like how she described it as a "cyber workforce ecosystem," and I really think that that's what it is. So, you know, we've mentioned quite a few different organizations, and again, the list really does go on and on, but I really think where the power in these organizations and really having an impact on the pipeline comes from them working together, and, you know, we can list the challenges of, you know, schools not having funding and -- but it's another organization that comes in and can provide the funding, and then it's them working together that can help overcome these challenges and the needs that we're facing. And I think it's not only just that, but it's identifying kind of where different people are at, so you don't have to be a part of, you know, this giant, you know, federal government organization. You can be just a consultant, so you can be, you know, a practitioner kind of early on in the field, and you can share your knowledge and wisdom and kind of, again, sharing your path on how you got to where you are today, you know, volunteering your time, working directly with the schools and, you know, being that example for them, helping them with developing curriculum. That might be something that's a little bit more time-consuming. There's different ways that you can kind of get involved, and I think being respectful of, as an individual, everybody has, you know, a busy schedule and different things going on, so it doesn't have to be that you're spending 24/7, you know, helping out and working together. It can be an hour of your time. It can be a week. It can be different things, but it's really all about, you know, coming together and establishing these partnerships that are going to help influence one another. And so, you know, the industry can help influence the curriculum that schools are teaching, but then also the schools can help make an understanding that, hey, the expectations that, you know, these employers are looking for aren't really realistic in just the space that we're in, and so I think increasing that communication and that collaboration is just super, super important.

Jeff Welgan: Yeah, makes total sense. You know, Heather, you had mentioned a couple of really great, you know, initiatives in Arizona specifically, right, that are working to bring this, you know, create their own ecosystem and bring different people, organizations together in one place. Are there any others that have really kind of caught your attention and why? What makes any of those ones that you might have in mind unique?

Heather Monthie: Yeah, I think I'll speak probably a little bit more generally here because, you know, like I said earlier, I mentioned a few that are happening, you know, here locally and also nationally, but I think that to echo on Sasha's point about creating this ecosystem, and when we look at that, we're looking at industry, academia, and government and how do those three, you know, sort of work together to develop this talent pipeline. And so if you, you know, I come from the higher ed background. I, you know, worked in education for 20-plus years, so that's really sort of my perspective on this, and the way I look at it is that there are universities in every major city. There's colleges, there's community colleges, you know, in every single state. Every single one of them that has any sort of a cybersecurity program, technology program, etc., doesn't matter, they have a -- sort of their own local ecosystem, okay? So they've got partnerships with employers. They've got advisory boards that include people from industry and government. They've got, you know, a network of faculty who are really passionate about helping people start careers or grow their careers in cybersecurity. They've also got some really good teaching experience. So I think that if you are looking at yourself saying, you know, "I want to figure out a way that I can, you know, be more involved," I would really start with your local community college, vocational school, university, and look and see what kind of academic programs they have there around cybersecurity or even just, you know, tech, like IT security and, you know, see how you can get involved there. Can you join their advisory board? Can you help influence curriculum? Can you help, you know, whether it's showing up for an hour for a guest speaking opportunity, can you provide input on curriculum on a particular class to make sure that the university or the college is approaching it from the way that, you know, the employers are looking for those particular skills. So I think that when we're talking about this ecosystem, you know, it happens at the national level, but I really think that there's a lot of opportunities, you know, at the more local level for people who want to get more involved and looking at it from that perspective of that it's a partnership between industry, academia, and government, and, you know, if I were in industry or government, that's where I would start, is looking at my local schools to see how I can get involved there.

Jeff Welgan: Yeah, there's a lot of benefits to the partnerships. Sasha, you know, can you weigh in on a little bit of the benefits and how they contribute positively, kind of back over to this, the whole concept here of pipeline, right, and the need to create the next wave of talent?

Sasha Vanterpool: Absolutely. So I think, you know, to Heather's point that she just made and some of the things that we talked about earlier, the great thing is, is that you don't have to wait for the school system to, you know, or the school district, I should say, you know, to approve of additional funding and things like that, you know, tapping into that local community, those advisory boards that have actual professionals, they can be the ones who come in as a guest speaker, who can, you know, be there for a career fair, who can provide a workshop to these students, who can maybe volunteer their time to be a part of a cybersecurity club or a competition and, you know, provide that real-world "this is what's happening in the industry today" knowledge and insight in addition to, like we said, you know, the curriculum input, maybe internship opportunities, job shadowing. I mean, there's so much that I think that, obviously, when you're talking about security, there are just some natural limitations, and talking about, you know, bringing too young of kids, you know, involved there, but I think there's definitely ways to get creative and to work around it, and again, that can honor the time limits that some people do have. And I think it's just really important, especially for those who are coming from diverse backgrounds to be able to go to these local communities and these impoverished communities that, you know, don't even know that there are people that look like them that can be successful in this field, and I think that, you know, these diversity and inclusion organizations that focus on cybersecurity and IT-related careers, they do a really good job as far as, you know, how we can expose and diversify the incoming talent pool to make sure that the industry is more representative of women, of people of color, neurodivergent people, and, of course, military veterans and career-changers and those from rural communities as well. We need to make sure that we are showing that, you know, having a variety of perspectives and voices and, you know, different people from all different backgrounds, it's what's going to help stay on top of this ever-changing and evolving field.

Jeff Welgan: Yeah, and there's, obviously, you know, from what we just highlighted, there's a lot of stakeholders involved here, a lot of organizations that play across these, you know, this biome or ecosystems that sit within it. You know, I think that's one of the things that FIU, Florida International University, is doing with NIST and hosting and putting on their annual NICE conference and expo, which is this year, is coming up in June in Dallas, so it's a really good conference to bring in educators and government and industry together around this issue, so I'm always excited to go to that. On a personal note, opinion, and this could be, you know, controversial for some, maybe not everyone agrees with me on this, but I think that, you know, the collaboration, these ecosystems are necessary, but they're kind of created out of necessity because everything has been operating in their own little silos, so we create these ecosystems to kind of bring things together, and sometimes, because this industry is so vast and complex, those ecosystems become their own little silos. So I think one of the frustrating things for me, more recently, as we kind of like look across this interconnected, you know, system of organizations and industries kind of coming together is that there is no governing body for the profession, you know, in the same way that doctors pursue with like the Board of Medicine, or lawyers, you know, have to kind of get licensed. And, you know, I think at some point, we will need to, as an industry, as a profession, kind of have a national association for cybersecurity professionals of some sort that kind of oversee that ecosystem to kind of say, yeah, these training providers, these certifications are good, and you as a, you know, professional in this field are licensed, ready to go to do, you know, identity access and management, or licensed and ready to go at a mastery level to do cybersecurity defense. So I hope that we can continue making some headwinds there, though I don't think the work is light. I think there's a lot of red tape, a lot of politics involved, but I think at some point, we need to kind of address that and maybe do a whole deep-dive episode on that idea as well. [ Music ] That's it for this episode of Cybertalent Insights. For additional resources from today's episode, check out our show notes. Feel free to connect with Heather, Sasha, or me on LinkedIn. Send us a message. We're happy to talk more about cybersecurity workforce intelligence. For additional resources from today's episode and our LinkedIn profiles, check out our show notes. Please join us for the other two episodes in this series where we cover cybersecurity workforce intelligence from the perspective of employers and recruiters in Episode 1 and for individuals entering the field of cybersecurity or perhaps making a transition from one career to another in Episode 2. We'd love to know what you think of this podcast series. You can email us at cybertalentinsights@n2k.com. Your feedback ensures we deliver relevant information to develop effective cybersecurity teams in the constantly changing landscape of the industry. We're privileged that N2K and podcasts like Cybertalent Insights are part of the regular routine of many of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Mixing, original music, and sound design by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. My co-hosts are Dr. Sasha Vanterpool and Dr. Heather Monthie, and I'm Jeff Welgan. Thanks for listening. [ Music ]