N2K logoOct 12, 2023

Solution spotlight: Shaping the next generation of the workforce.

Solution Spotlight: Simone Petrella sits down to talk with Jon Check from Raytheon about the collective effort across the public and private sectors to shape the next generation of the workforce and how Raytheon is approaching this.

Simone Petrella: Today, I'm joined by Jon Check, Executive Director of Cyber Protection Solutions at Raytheon. Jon, thank you so much for joining me today.

Jon Check: Thanks Simone. Delighted be here.

Simone Petrella: Great. Well, I know Raytheon has been leading the charge on talent and workforce for years sponsoring initiatives that tackle the issue like the National Collegiate Cyber Defense Competition and developing your own experiential learning. Can you tell me a little bit more about those efforts?

Jon Check: Sure, I would love to. Well, Simone as you know, Raytheon is very focused on security. So, one of the key things that in building a quality security team is really focused on efforts that not only help Raytheon itself, but also help with the whole community. So, in that regard there's a couple of things that we're very focused on. We've been a sponsor for the National Collegiate Cyber Defense Competition for many years now. That's the competition that's between different colleges and universities, usually somewhere close to 200 that has regionals and then finals, and ultimately a national champion cyber defense where the students are defending a fictional company against cyberattacks and those cyberattackers are Red Teamers that are very experienced in the world and know exactly what to do and the students learn a lot from that, so that experiential training is really very helpful. Something else we are very focused on is the U.S. Cyber Days. That's something that we're a founding sponsor for that where that's really more of a community building where the U.S. Cyber Team competes internationally along cyber competitions and there's a combine; it's just like the NFL or any other professional sports where there's a whole process that the team goes through to get created and that's really focused on with people more 18 to 24 years old. So, it's a different group, a little bit different than the National Collegiate Cyber Defense Competition. So, that's another more of a community building and really helping grow the cyber town in general across -- across the United States and elsewhere and our partners. As well as, something really exciting we're doing within Raytheon, is our Raytheon Offensive Labs. I'm talking fast because I'm really excited about this, and our Offensive Labs is something that where we create experiential training based on the roles that we are building towards within our business. So, for example, we are up-skilling or reskilling existing employees to help meet certain mission needs or we bring in people that are new to the workforce or less experienced and then take them through a tailored training course that can be up to 16 weeks to really provide them that differentiated training that they might not have, and that's typically instructor-led. It's very focused by industry experts and it's trying to teach the defender to think like an attacker, which is not typically training that people receive in the normal curriculum.

Simone Petrella: That's fantastic. You know, one of the things that always strikes me when you think about the things that you're describing that are for external community building in the talent area, but then internally, I want to go a little bit more in-depth on the Offensive Labs, the kind of university structure that you have. How are -- how is that working for you guys so far and how are you measuring success as you see cohorts come out of that program?

Jon Check: So, really of the metrics -- so, we started that in 2022. So, we've had our first 2 cohorts come out of that, more than a 100 students had been through the process now, been through that -- the training. And those we've measured 2 ways; one reason we did it was, because like everybody else, we were struggling to fill some cyber security roles. So, we said okay, Raytheon manufactures things, let's manufacture talent. That's a great idea, right? Everybody's talked about cyber training, but really put an extreme focus on it to ensure that we were getting people that are living the work every day on certain missions and then training people to be able to be effective on those missions. So, the way we've seen -- the way we're measuring that is really okay, are those people when they join the teams are they effective in their roles? And are we getting the customer satisfaction we expect for that person really contributing to the missions that we're supporting? And that's one of the key ways we focus on from a customer facing metric. From a Raytheon, it's the okay, we have reduced the amount of open positions we have. We are filling the roles that our customers are expecting us to and that's a very tangible way to measure the success of we are filling the open positions, right, versus looking for that perfect candidate that's never going to show up with all those skills we want; we're taking the initiative to train them and it's a real investment bias typically, like I said, up to maybe 16 weeks.

Simone Petrella: Yeah. Well, and I -- do you have any background into what was the impetus or the kind of catalyzing event that kind of made Raytheon think about taking this kind of manufacture talent perspective? And I ask the question because I've been in this space for a while myself and I say one of the biggest challenges we have is having organizations step up and say, how do we think about this strategically as a team as opposed to waiting for talent to kind of get created externally and then we bring them in. So, was there a watershed moment that made, you know, the organization realize we need to really invest in this?

Jon Check: Well, I would say it was during the pandemic, is really I think, what really changed the dynamic of how you're going to hire, who you're going to hire, and how you can really interact with potential teammates or talent that you want to bring onboard, right? Before then you could go to different events, Black Hat, DEF CON whatever and think about all -- you would meet with individuals and talk about what you do and people can do materials like a hiring event. That was all lost, right, during that time period? It became very hard to uncover the people that really you've got exciting roles for them potentially, but it's really hard to connect. So, part of the tact we took initially was really training internal folks; people that are already onboard to say, okay this person already has these skills, they have the right clearances required for this type of work, let's get them into the training curriculum that will tailor, you know, be very specific to their needs and really ensure that they have those skills. So, we really started more with our internal folks and then really migrated to more of a, okay we're going to hire external candidates and train them up. Because with the next -- with an internal person you already understand where they are in their maturity of their talent level and the skills that they have, where as an external person it's much harder to engage that no matter how thorough or how much of a, I mean, role-based assessment you can do. It's very difficult when it's an external candidate.

Simone Petrella: Yeah. So, how are you -- how is Raytheon thinking about those team skills that are needed to execute on these job roles that are in demand not only internally, but from your own customers?

Jon Check: Well, I mean, there's the -- it ultimately comes down to the soft skills for us, right? Which typically is somebody a continuous burner, right? Are they going to get what it requires? You can't be afraid to fail. You got to be able to say, okay I'm going to try to learn a new skill. It's going to be difficult. I'm going to get frustrated, but I'm going to keep persevering and really in a perseverance trait helps in all aspects of cybersecurity, because that's one of the things we do is when you're going after -- there's a new threat that's emerged, doing the forensics to figure out, okay what's happening? How did it happen? Who's doing it? How do we stop it? What's the remediation? All of those things come into somebody, you have to be very -- you have to have a lot of perseverance to get through that process, because it can be very frustrating with a lot of maybe dead ends or long nights and other activities where it takes the right mindset as well. So, really we look for people that have those skills, someone that's inquisitive, right? They always are asking why. Well, why is does it work this way? Well, what could we do differently? You know, all of the -- all of the soft skills will it lead to? Because what we found is, you have somebody that has those committed soft skills, they can learn any content that's brought to them typically. If they have those -- the desire to do it, it's going to -- they're going to learn, be effective, and be a very effective teammate on whatever mission they are going towards.

Simone Petrella: You mentioned that participants in the cohorts that have come out of the Offensive Labs so far have actually had tailored curriculums to the roles they're being placed in. How are those curriculums being developed and deployed based on needs?

Jon Check: So, we have a basically like take a cyber-academy approach to it. So, there is obviously a whole level of coursework and of course the courses that we have created which we do supplement with some commercial courses where it's needed, right? We don't -- we can't build everything. As much as we like to build everything here ourselves, there's certain things that just doesn't make sense, right? They may be more foundational, if it's certainly a foundational aspect. But when it comes to our course we treat it like anything else. We build the course load. It's typically -- the way we approach it is much more hands on than a web-based type or on demand type training. We really focus on that true experiential training that won't get by doing a typical online type training, because it really tries to drive very hard, because that's allows the instructor to truly understand where the skill's gap may be with the individual student which then leads into more tailoring of, okay here's the specific things, my thought potentially you would go down this one track, but based on how you're performing here, we can shorten that to 2 days but here is a different area that has been exposed that maybe we should work on. And that's one of the key aspects that helps us be very agile and flexible in that training process, to ensure that we're getting the training to the individual at the right level they needed and not just a training that, you know, somebody's flipping through slides saying yeah, I know that; yeah, yeah, yeah I know all this stuff. When ware going to get the stuff I don't know? We really try to ensure that we don't have that type of downtime when we're doing the training.

Simone Petrella: Fantastic. Switching gears just slightly, knowing that Raytheon certainly has been quite a bit both in the public sector as well as the private, what are some of the ways that you think about how there can be better collaboration between the public and the private sector as we talk about how to solve this talent gap problem beyond what we're even seeing in individual organizations?

Jon Check: Well, so the way I really look at the talent problem is there's 3 key aspects with a lot of side, you know, spokes to it. So, the first thing is, that we got to solve the quantity problem; got to remove artificial barriers of entry to people that want to join the cyber fight, and also people that aren't really thinking about it, giving them the awareness that hey that sounds interesting and maybe I want to join doing that. Two is, we talked about it already, once you have that you got to create the quality, right? You got to build the quality workforce with that quantity and bring it in. And the third is, you got to support them once they've reached that goal which that gets to the aspects of, okay the continuous training, tailored role-based training that they will need, but also all those soft things and avoiding burnout, of ensuring people's voices are heard when they see something that and they provide a suggestion, people follow-up on it and ensuring that the organization as a whole makes it a priority to do all those things. So, it's easy to say, there's a cybersecurity problem and we don't have enough people, but are people taking an active role? And that's what I would like to think that we are taking an active role, you know, participating in all of the events that we can, right, but from the STEM perspective with NCCDC, and U.S. Cyber Games and other events, as well as having our own internal lab to train people, as well as trying to remove those barriers on our job postings and not say, thou shall have you know x number of you know have a 4-year degree, this type of coursework with this GPA, with these certifications, and all those things that are really a wish list of really trying to say, if you have these skills and you're determined to do these types of things, we can train you. And that's really a real mind shift for us as well, because you know Raytheon is a company of engineers and we take engineering very serious but we recognize we can't do it by the traditional pathways alone. We have to open that aperture and not have that artificial limiting of potential candidates that can join the workforce.

Simone Petrella: Right. Makes a lot of sense. And you know not to keep, you know, we've talked about a lot of great proactive and beneficial programs here, but I would be remise if I didn't ask what are some of the challenges that you see in executing not only the initiatives with inside Raytheon, but just other public/private collaborative attempts to solve the talent issue as across the industry and how do we kind of address to how we can make a more statistically significant gap in that short list?

Jon Check: Well, I think that -- so I think one of the key things is we have to really build the ecosystem and community. One of the things that really I've been thinking about over the past, certainly the last 3 years it has really daunted me, get into these discussions that everybody's talking about their own individual attrition, right? "Oh, our -- woes me our company lost this many people to attrition." They're all going somewhere else. The only regrettable attrition is somebody is so burned out they leave the cybersecurity field, right? One of my team members during the pandemic left cybersecurity to start his own car rental company, and I thought about that. I was like "That is truly regrettable." That person is a subject matter expert that we will have a hard time replacing and I'm not saying he was burned out, maybe he just wanted to try something new and that the car rental business was something he'd always been interested in, but again, that's a regrettable attrition to the community at large, not just to Raytheon. So, I'm always -- I'm thrilled when some of our teammates that are Raytheon move onto new roles that go to bigger and better things, because now they're a part of that community that we can rely on and that they're, you know, there's no -- cybersecurity is a team sport, but it's also a team sport at the highest macro level, right? Where it's a public -- it's a private sector, public sector all collaborating to solve the same problems. They get down to a very tactical level when you're talking about your own business or your own customer set, but at the highest level, those problems are problems that typically affect wide swath, lots of people and very -- it's something you collaborate on to really make a huge difference with.

Simone Petrella: Your example is so interesting, because you know in many of the conversations I've had, it's come up that we don't so much have a talent problem but an experience problem. And so, while there are some great initiatives to upscale and rescale, you know, talent into the cybersecurity field from an entry level perspective, what are some of the ways you are thinking about retention or how to at least minimize what you call regrettable departures from the field, because you're right, we all suffer as an industry when someone chooses to leave and that experience is something that can't be replicated immediately.

Jon Check: That's right. So, so one thing is one of the things that I created when I got to Raytheon was Cyber Landia [assumed spelling]. So, it's a place where everybody is empowered to get the job done that they need to. They can get the training they need to complete the work. They have the support they need which means if they need to tap out and say, hey I'm really you know I've reached my limit. I need to take a day off. We give them the space to do that, but also ensure that everybody's voice is heard, which truly means when there is something that needs to be changed, everybody feels no matter where they are in their career journey from the person that just started with Raytheon to the person that's been here for you know 20 years, they know that they can say something to help us improve what we're doing and really trying to put a focus on that and that's hard, because you know a lot of times the job that we have, the -- our adversaries don't always work in the same timelines as us. They -- sometimes they like to pick holidays. Sometimes they like to pick nights and weekends; that's what it seem like it always is. I'm sure that's not the case, but and that's -- that can be very demanding not only in the [inaudible 00:16:13] but also in their families and that support system that relies on them. And that's really one of the key things is ensuring that people understand that this -- that we have a culture where if you need help, please say something. If you, you know, and within you know the shift to a lot of work from home type activities, people don't have those offhand conversations as much where they just run into somebody and the office, so really also ensuring one of the things that I always encourage the team; talk to somebody you haven't talked to today. Just call them out of the blue on our teammate, find out how they're doing. Don't ask them about work-related things, just ask them how they're doing and I think that makes a huge difference, because that's one of the things that gets lost. Everybody -- especially if you're sitting at home, you just don't have the support maybe that you could get otherwise to really talk about the things that may be stressing you out.

Simone Petrella: Yeah, absolutely. Well, we started this conversation saying how cybersecurity is a team sport and I think that we're ending kind of demonstrating that throughout the entire lifecycle it's still a team sport. We talk a lot around our parts about how it is a version of money ball where we're often looking, you know, through talent as a team base and do we have the right people in the right roles and then are they trained to do, you know, the work that they need to do in those positions. And it's really exciting to hear some of what you all are doing. So, Jon thank you so much for joining us today and I appreciate the time.

Jon Check: Thanks Simone. It's been great. I loved this conversation.