Special Editions 6.2.24
Ep 64 | 6.2.24

Solution Spotlight on the 2024 NICE Conference: Business Roundtable.

Transcript

Simone Petrella: Hello, everyone, and welcome to this Special Edition N2K CyberWire podcast. In this featured Solution Spotlight episode, N2K president, Simone Petrella, is talking to Erin White about Business Roundtable's Cybersecurity Workforce Corporate Initiative, the recently released Cybersecurity Workforce Playbook, and the collaboration between Business Roundtable and NICE to strengthen the Cybersecurity Workforce ecosystem. So the Business Roundtable, it launched its Cybersecurity Workforce Corporate Initiative in December of 2022. But recently, with coordination from members and inputs from experts at the Department of Commerce's National Initiative for Cybersecurity Education and others, you recently released a Cybersecurity Workforce Playbook to help employers create entry-level points to cybersecurity careers and strengthen talent pipelines across those various industries and sectors. So, Erin, thank you so much for joining to chat with us about this study and some of the other work that Business Roundtable is doing in Workforce and Cyber Workforce specifically.

Erin White: Thanks so much. It's great to be here today.

Simone Petrella: Before we dive into the study, can you share a bit about what inspired Business Roundtable to create this initiative in the first place?

Erin White: Yeah, absolutely. And I think sort of stepping back, it helps to understand the context of the Roundtable and what we're all about and why that led us to focus on Cybersecurity Workforce. So BRT is an association of more than 200 CEOs of large US-based companies. And these CEOs lead companies that support one in four American jobs and drive nearly a quarter of our GDP. And they develop and they advocate for policies to try to, you know, promote a thriving US economy but also expand opportunity. And we believe those two things go hand-in-hand. But in addition to policy, the CEOs and our teams work together on practice. They want to solve workforce challenges that to some extent are within their control to solve. There are things that they can do in thinking about the talent lifecycle -- how they hire, promote, and retain talent that they can control, you know, aside from policy. And so that's sort of what we do is we think about ways that companies can come together to solve these common challenges. And, you know, cybersecurity is a field with tremendous workforce challenges. You know, given the day, it could be 700,000 open roles or 500,000 open roles, it almost doesn't matter how many hundreds of thousands of open roles, every open role is a risk not just to business operations but to national security to overall economic competitiveness. And this is an issue that matters for every company not just technology companies, but for retailers, manufacturers, energy, transportation, airlines, you know, infrastructure, so much more. And so our members really care about this workforce shortage not just for themselves but for the broader communities in which they operate for their supply chains. Recognizing that if they can't fill a role, it's highly likely that a local school district, hospital system, energy infrastructure utility, they can't fill a cybersecurity role.
So they wanted to come together and say, what are we seeing that's working to solve these workforce challenges, how can we create more entry points to cybersecurity careers -- because these are great careers that pay well and create opportunity. How can we create more entry points to those careers for not just for talent that we consume but talent that will support the nation's security infrastructure as well? So that was really what was behind kind of launching this effort.

Simone Petrella: One of the things that I know struck me immediately in learning about the effort but also seeing it borne out in the study is, I have gone on record for years now kind of pointing the finger at the private sector, saying, there is a false expectation that the industry is somehow supposed to create these people and that the private sector will just absorb them. And so to see this concerted commitment to know like we want to be part of the solution here and here's what we can do to actually internally help make that change in workforce, that's such a step in the right direction, in my opinion. So it's really exciting to see so many large-scale companies who have the ability to like push that needle forward to come together and commit to doing that.

Erin White: Absolutely. And I think, you know, so many of them realize we can't have a chief information security officer in two years if we don't have more entry-level staff today. And so this need will only continue to grow. You know, I don't have to repeat the number of fronts that you see in the news almost every day. And so recognizing that cybersecurity is a critical skill. It's not a need that's going to go away anytime soon. We have to create a pipeline that serves that need today and tomorrow. And not just a pipeline, but we're increasingly talking about pathways. This idea that a pipeline is one narrow line, but pathways are multiple pathways into the cybersecurity workforce. And that's really what this playbook document codified was the companies sort of coming together to recognize that there are many pathways into cyber.

Simone Petrella: Yeah. One of the things that I know comes up a lot when people discuss this issue is, you know, is it a talent or a workforce gap or is it an experience gap? And you just pointed out, rightly so, that you can't make the numbers work. The math doesn't work in supply and demand if you're not willing to grow someone from entry-level or a mid-level role into those senior roles. You can't create overnight experience. And so what kinds of discussions that you all have been having or what was reflected in the playbook as we start to get into that conversation, how are your members thinking about that kind of reality, where you have to invest in some entry-level or other pipelined entry points of talent in this field?

Erin White: Yeah, absolutely. I think there are some things that employers can control. There's some things they can't control in the world. But we wanted to look at those elements that an employer could control. So they can look at what are they requiring for cybersecurity roles at all levels of the organization. And we identified a couple of, you know, potential barriers. Requiring a college degree when two-thirds of American adults don't have a college degree. And some studies of cyber hiring managers have said, hey, the degree doesn't necessarily translate to your ability to perform as a cybersecurity professional. So looking at degrees, understanding what types of degrees are necessary, where and when. Also looking at certifications. You know, cybersecurity is a field where jobs often demand certifications at much higher rates than other IT professions. And so, you know, for example, hearing anecdotes of entry, supposed entry-level roles requiring a CISSP, which you can't even sit for unless you've been in the industry for five years. So things like that, really looking at degree requirements and certifications but then also thinking about experience and recognizing that, you know, for an entry-level role, by definition, that individual may not have experience in cybersecurity. So what can employers do to overcome those challenges? Certainly, they can strip some of those requirements out of job descriptions, but they can also look to bridge those gaps for individuals. So we have some companies who are saying, hey, come in with an English degree, some aptitude and interest in cybersecurity, and we'll help provide some of the hands-on keyboard, technical training, you know, for you to skill yourself into a cybersecurity field. Or maybe, hey, we want to give college students or two-year students or students at a nonprofit training provider program some hands-on keyboard experience, so we'll support a cybersecurity challenge or a competition.
You know, ways to help bridge some of those gaps for the workforce at different stages. So that's really the kind of conversation we've been having.

Simone Petrella: Right. Which is really interesting, because there is truly a gap between the formal or informal education someone might receive or even the training they get and there is a difference between that and being job ready. And I think what you're describing is how do we create a job-ready cybersecurity workforce, not necessarily just a pipeline of people who have cybersecurity expertise.

Erin White: Yeah, really well said. And job readiness is partly on the job seeker, but it's also partly on the employer. And our employers recognize that, and they are large employers and they do a lot of learning and development programs. And so they are increasingly willing to lean in and say, you know, if someone comes in again with interest and aptitude, can I help provide them with that additional skill set? And we had a really interesting conversation one day among sort of 10 companies about this problem, and someone said, we don't expect almost any other role someone to show up ready 100%, hit the ground running on day one. When I think about my first day at the Business Roundtable, I was still, you know, trying to find my way down the hall to the office, right. So I wasn't job ready on day one, so why would we have that expectation for cybersecurity professionals? Even though, of course, you know, the risk is high, and we know that. There is a real risk. If you don't have people with the right skills, it's a business risk and a security risk. But I think there's a willingness to say, how can we help that person get more ready for the role once they're in the door with, you know, 80% of what they need?

Simone Petrella: Yeah. Veering away from for a second, what do you think has kind of spurred this kind of mass recognition upon employers at this point? Like what in the set and setting of this particular time and moment that there's this recognition of, we have come to the table and help the workforce become job ready here, too?

Erin White: I think stepping back, you know, we're at the landscape right now of consistently record low unemployment for year-over-year. So that means there's not as many people who are looking for work who can't find it. We're just overall across industries a smaller pool, whether we're talking about healthcare or infrastructure or, you know, welding or any other sort of discipline. So we see this as a labor shortage. And I think in a labor shortage, companies and just employers in general, public and private sector, they're more willing to get creative and experiment. So there's sort of a supply-side problem across the board. Alongside that, over recent years, employers have been getting more creative. The skills-first hiring movement is several years old now. This idea that we hire and promote for skills rather than for years of experience or degrees. There's a willingness to explore new populations who historically have been overlooked or kept out of the workforce, like individuals with criminal records or others. So I think there's sort of this movement of employers increasingly recognizing how they have to grow talent pools alongside just the reality of a labor shortage. Now, that's sort of generic workforce writ large, how about cybersecurity, you know? Change Healthcare breach. There's so many incidents that just continue to increase. And while, you know, we get really excited about the potential of new technologies like generative AI and the potential to make the workforce productive, we also recognize that that creates more threats. And so I think our employers, again, they see this landscape, they see the threat landscape changing, and they're just, you know, more willing to be creative and experiment and are seeing great results, by the way. It's not that their experimenting is not paying off, they're seeing great results as far as, you know, bringing in new folks, bringing in more diversity of individuals from different backgrounds. 
And these are individuals who are then staying with the company and contributing year-over-year.

Simone Petrella: We'll be right back. [ Music ] You touch on in the playbook some of the like more widely applicable recommendations that other employers can use if they're dedicated to really trying to make an employer focus then in the cybersecurity workforce kind of shortage. What are some of those main takeaways in particular that you guys found in your kind of committees and results that made its way into this playbook if someone else is looking at their company to really implement a job-ready program for cyber workforce?

Erin White: You know, it really starts with taking a look at the suite of roles and breaking them down into the knowledge, skills, and abilities required to be effective. And a number of our companies have used the NICE framework, the NICE Cybersecurity Workforce framework, as one sort of taxonomy of skills, basically just a way to bucket the types of jobs, the types of roles, the types of skills. So when you break down jobs into that, then you can start to get a little more creative in how you map that. You know, lots of folks have been really strong in this. JPMorgan Chase has done this. Leidos has done this, Guardian Life Insurance. I mean, just naming a few from across industries that sort of started with, let's just step back and understand what are the roles, what are the skills and knowledge needed, and let's consider removing some of those degree and certification requirements. So that's sort of step one is looking at the workforce. But then there's this opportunity to really try a suite of practices. And I'd say there is no one practice that if you just do this, you'll have your shortage. Rather, it's a holistic approach. And Guardian, under the leadership of CEO Andrew McMahon, has been a real champion for this. And in part, you know, they're a 150-year-old insurance company, they have a lot of data, they have a lot of data that they want to keep secure, and so they've thought sort of 360 degrees about their cyber workforce program. They've thought about the degree requirements. They've thought about innovative hiring partnerships with nonprofit training providers like NPower. They've thought about partnerships with HBCUs, with community colleges. They're offering students work-based learning who are in four-year programs. But then they're looking inside their company, and they're providing employees with opportunities to grow technical skills on internal platforms, to do gig assignments and rotations to try and experiment and grow.
I think that's the sort of strategy that, you know, ultimately more of our employers are starting to embrace, that they can't just do one thing, it's sort of multiple things that play at once that help them really solve their workforce challenge.

Simone Petrella: Oh, it's incredible. You know, taking that on a side -- because a lot of listeners are certainly employees and represent companies, but there's also a fair amount of individuals who are looking to either enter the field or, you know, progress in their own fields -- what do you think is the impact that this could have on that supply population? You think this will actually create a more even keeled opportunity for folks to actually enter the cybersecurity field or profession if that's something they're interested in doing?

Erin White: Well, certainly we'd like to think so. We hope that employers and not just really large employers or Business Roundtable members, you know, but all employers sort of embrace a more sort of creative approach to workforce development that recognizes the multiple pathways in. And so what we hope is that more individuals see themselves in the cybersecurity workforce. You could be a career changer. You could be a mid-career professional who wants to move into this hybrid occupation. And maybe you see an opportunity for yourself because you recognize, hey, you know, VISA, for example, is partnering with a local community college here in the northern Virginia region for payments processing credentials. So maybe I can get that credential alongside my cyber certificate and transition into this hybrid field. Or maybe I am a transitioning military veteran and I have some technical background, but I have mission orientation, and I can see myself in one of these fields. So what we're trying to do is just expand the number of people who see themselves in cyber and then create more on-ramps within a given company to that pathway. And I'd say for those who are listening who are currently employed, I mean, a lot of our members are looking at their own workforce. If you understand a company and their brand and their landscape of operations economically, you probably understand the risks they face. So we have examples from Walmart of frontline retail associates who, again, interest and aptitude are able to go through an internal academy training and transition to technology workforce, ultimately the cybersecurity roles, because they understand the brand, they understand retail, they see the risks. And so I think there's a real opportunity as employers increasingly look at their own workforce and say, hey, you're in a role, technical or not, we're going to help provide you with the opportunity to move into this incredibly critical position for our company.

Simone Petrella: Yeah. And what's so powerful about that from my perspective is, if you start with that kind of data-first driven understanding of, hey, what are our roles for our company, and then like where's our needs, and then what do we have today, then the doors of possibility of kind of how you want to solve that, frankly, do become very specific and unique to that company, their culture, their risk profile, their threat landscape, the way that they kind of view themselves. Like, you know, there are some retailers like Walmart that are very invested and then take a lot of pride in the cashier to executive, you know, model. So that can fit very well. That might look totally different than, you know, what a financial services, you know, company is going to do. Like you can make those decisions. It's not a one-size-fits-all. And I think that one thing that stuck out to me in the report is it's accounting for that, you know. Know where you are and where you're going first and then decide what programs or things you want to put in place to help you get there.

Erin White: Absolutely. And, you know, a number of our member companies are providing this type of training opportunity not just for their own employees but to the field. So Cisco, CEO Chuck Robbins, is chair of the Business Roundtable. And Cisco has, you know, a nearly 20-year track record of their Networking Academy, which, you know, skills millions of people nationwide. And, you know, 95% of the learners on that platform leave that training opportunity all online with either a job or a step towards another educational opportunity. So, you know, and IBM, same type of idea with their SkillsBuild platform. These are also open platforms that provide learners with no-cost or low-cost learning opportunities to help, you know, augment their skills and maybe even say, hey, is that kind of field of interest to me, is this something that I might want to move into?

Simone Petrella: Yeah. One of the other things that stuck out to me towards the end of the report was a bullet that advised other companies to provide the time and the training resources to enable the staff that they have, whether IT or otherwise, to transition to cybersecurity roles. And I think that that's such a kind of powerful conclusion to come to as you think about the economic realities. And my kind of question to you on that is, you know, my interpretation was, oh, that's like an economic recognition that there is an incentive and an advantage from a -- it makes business sense to create that time and investment, as opposed to like paying for the talent or expecting it to come in. Am I reaching too far there or did I make the right read between the lines?

Erin White: Yeah, I think that is a right read between the lines. It's the reality of, look, either we go out to the market and try to purchase the talent off the open market. Which, by the way, we already talked about supply, you know, wage premiums, etcetera. Maybe I can't even afford talent. Maybe we keep poaching the same people from each other. Or I invest internally. And, you know, that return on investment is incredible, particularly if you're thinking about retention and turnover costs. You know, our businesses, they want to keep their great employees, they want to keep them. And, you know, cybersecurity does have a retention challenge. So some of this is about your existing professionals and providing them with opportunities to learn new skills, to practice new skills, to take on new roles -- hey, I'm in the SOC today, I want to try some kind of analysis tomorrow, or I want to go into governance. It's providing those opportunities to keep your existing cyber employees but also then recognizing the payoff is huge to just invest internally in workers and, you know, give them no matter where they are within the company the opportunity to grow their skills. Because, again, that definitely pays off in the end.

Simone Petrella: You mentioned at the very beginning that many of your members have leaned in the NICE framework and the NICE Cybersecurity Workforce framework to inform the way that they've kind of done their inventories on this. And I believe that Business Roundtable as well as some of your members will be, you know, working and representing your interests at the upcoming NICE conference, but can you share a little bit more about how Business Roundtable, your membership, and NICE are working together to kind of jointly tackle this?

Erin White: Yeah, absolutely. We have a number of member company staff from whether human resources or cybersecurity leaders who are engaged within various NICE committees and initiatives, whether it's about apprenticeships or work-based learning opportunities or talent management. So they're really trying to inform from a private sector perspective some of what the great work and resources that NICE is producing. But for the conference itself, we're very excited. We have a workshop on day one where Business Roundtable members will come together, senior leaders from cybersecurity and human resources, to share more real-life examples. I've just given you a flavor, but there are many more about what's in the playbook. So it's a chance to kind of dive in, you know, speak with business leaders and learn more about what they're doing. And hopefully they can learn from the audience and from each other. So we have a preconference workshop. We're also very excited that the head of cybersecurity, the chief information security officer, for United Airlines, Deneen DeFiore, will be giving a keynote talk at the conference. And Deneen calls herself sort of the accidental cyber executive. She has a great story. And United, again, a great company. The United Airlines CEO, Scott Kirby, is the chair of our Educational Workforce Policy Committee. And so we're really excited to be able to have her share some insights. There will be other members throughout the conference. We feel like, look, this is an all hands on deck problem. The conference this year, the theme, is around partnership across the ecosystem, which means business, public sector, nonprofits, education at all levels coming together to solve this problem across centers. Because it can't just be on any one of us, it has to be all of us, you know, working together to solve the problem.

Simone Petrella: Well, really looking forward to the workshop coming up here in June as well as Deneen's keynote. And we're going to have an opportunity to chat with her coming up soon as well. So, Erin, thank you so much for joining me today, and I'm really looking forward to seeing where this goes with Business Roundtable and all of your members.

Erin White: Excellent. And I'd be remiss if I didn't end with a quick plug for the playbook. You can access it at our website, brt.org. I encourage you to dive in, share it, let me know what you think. We'd love to continue this conversation.

Simone Petrella: Thanks so much.

[ Music ]

Liz Stokes: That's our Special Edition N2K CyberWire program. Thank you all for joining us, and thanks to our special guest, Erin White, for sharing their experience and insights. Remember, N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Our mixer is Tre Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Liz Stokes. Thanks for listening. We'll see you back here soon.

[ Music ]