Closing the Cyber Workforce Shortage Gap | Marian Merritt

Ep. 20 | Reimagining Cyber | Closing the Cyber Workforce Shortage Gap | Marian Merritt

Marian Merritt  00:03 

An entry-level job, by definition, should not require three years of experience. And we just don't have enough. And if you look at the CyberSeek data, you can really get a visualization. Most jobs out there require five to 10 years of experience. So there is a conundrum here. Let's say you have four employees, and one of them is leaving every year, which is very common. If you're not thinking about bringing young people in or career entrance or career switchers in on a regular basis, you're just not going to continue to have bench strength on your cyber team. So that's a concern. 

Rob Aragao  00:38 

Welcome to the Reimagining Cyber podcast, where we share short into the point perspectives on the cyber landscape. It's all about engaging, yet casual conversations on what organizations are doing to reimagine their cyber programs, while ensuring their business objectives are top priority. With my cohost Stan Wisseman, Head of Security Strategist, and I'm Rob, Chief Security Strategist. And this is Reimagining Cyber. Stan, I know you're out remote today. Who's joining us in this episode? 

Stan Wisseman  01:10 

You know, Rob, I'm actually using a different mic because I'm actually traveling for the first time in a long time. But today, our guest is Marian Merritt. Marian is the Deputy Director for the National Initiative for Cybersecurity Education or NICE, at the National Institute of Standards and Technology. NICE is a partnership between government, academia and the private sector, which works to promote cybersecurity education, training and workforce development. And it's great to have you with us, Marian, especially during Cybersecurity Awareness Month. Anything else you'd like to add to your background for our listeners? 

Marian Merritt  01:47 

Sure. First of all, thank you so much for having me on. It's really a pleasure to join you today. And one of the things I find very interesting about this field of cybersecurity is that despite the fact that I never went to school to study it, I've been working in cybersecurity for over 24 years. And I think you'll find many professionals have similar circuitous paths to their careers. So, hopefully people will find that reassuring if they are considering this as a field for themselves. 

Stan Wisseman  02:17 

Marian, I'd like to start by asking you about the cybersecurity skills shortage we all hear about I mean, is it real? Do you think that the situation is improving? Or is it getting worse? 

Marian Merritt  02:26 

So the cybersecurity skills shortage, the supply versus demand, absolutely, it's real. And we hear it both on the side of employers, we hear it from educational providers, there's real challenges. But when we ask ourselves, do we think it's getting better? I will say that we've increased the number of people entering the field, we've certainly been putting a great deal of effort into improvements in the quality of the curriculum that's out there, the number of centers of academic excellence, you know, those really prestigious cybersecurity academic programs. They've been growing in huge numbers in the last several years. So progress is being made, but the demand continues to outstrip supply. 

Rob Aragao  03:15 

So Marian, what what is it that you see is behind the shortage itself? And do you foresee really any progress, positive progress being made in the near future? 

Marian Merritt  03:27 

So there are a couple of factors that lead to this shortage. Some of it is just this is a relatively new field, it continues to grow, it continues to mature. Employers are getting more particular about particular areas of skill that they need as they build out cybersecurity teams. So you have that. But, you also have other things going on, like job descriptions being over-spec'ed, so that when candidates are reviewing your job position, they may self select out of the running for it. So there are people who are getting left behind and finding it challenging to find jobs, despite the fact that they've got really good, you know, experience or they've graduated from prestigious programs. So, we do have to do a little more work in sort of resolving some of those issues, making sure that as people are completing programs, they're getting matched to employers, that they have a really good idea of what jobs they actually are being prepared for. Employers can do a great deal more to make sure that they have those entry level opportunities. That's also an area of concern. 

Stan Wisseman  04:32 

Well, Marian, I definitely want to put a spotlight on one of the tools that NICE has provided to help with that alignment of jobs and the skills is the NICE framework. For our listeners that don't know, the NICE cybersecurity workforce framework provides a great way for employers and HR personnel and employees to define jobs in cybersecurity and speak a common language, identifying that training needs necessary for a particular role, the career path, the position requirements, as well as to agree on a proper way of measuring and assessing those abilities. And Marian, are you seeing, you know, that common language around cybersecurity roles and skills and knowledge make a difference? And are there some specific examples that you can share around how it's being used? 

Marian Merritt  05:21 

Oh, absolutely. So first of all, let's remember that the NICE program office is part of NIST. And, and I would imagine your listeners are very familiar with NIST as a source for really trusted and reliable standards on a variety of technical topics. And it really was to the heritage of how advices developed it at NIST. We do everything in collaboration with the public. So the NICE framework continues to evolve as we receive feedback from the users of it in the community that's out there. And where there are gaps, we perhaps have a work role missing, we can work to add that, and as a result, it's a very robust tool. And you ask about, you know how people are using it? Well, first and foremost, the NICE framework originated from a need for the federal government to describe their own workforce, to enable people to prepare successfully for work in the federal government, and to move from agency to agency, and to get rid of issues like people describe the work differently, and therefore, I don't know if I'm qualified, you know. If everyone's standardized on a certain set of knowledge, skills and tasks associated with a position, it becomes easier for people to apply for those jobs. So that's the concept. Then what happened is, the NICE framework became a requirement for not only the federal government to adopt, but also for federal contractors. And that has really kickstarted adoption into the private sector. We also find that organizations from every sector (even those who are not necessarily federal contractors), are seeing the value of adopting the framework. So, one of the ways that people use it is to assess their current workforce, and identify gaps, either in the knowledge of people on the team or entire work roles they may be missing. The existence of the framework, of course, is really a great tool when you want to, you know, go to your senior managers and say, 'Hey, I need to expand my team, because look at these whole areas with gaps in', or 'I want to send my team out for training, because there are whole fields of knowledge that we're not as strong on as we should be," and the NICE framework enables that. What we've also seen is the whole ecosystem around education and workforce training has embraced the NICE framework. So you will see if you go to the websites of the major certification bodies, that they have aligned their courses and their certifications to the framework. So you can be sure that as you're aligning your team, and you're trying to give everyone the right kind of training, you can find it very easily. And we see this also happening in the academic community. So if you go to community college or to a four-year institution, and you're going through some kind of cybersecurity program for a degree or a cert or whatever, you're also going to see the NICE framework being described, because the academic institutions understand that when they're, you know, teaching a course, the students are very interested to know what kind of work roles does this knowledge helped me qualify for? The industry is really embracing the NICE framework, because it's so helpful for career entrants to understand how the field works out, but also for those who hope to see their careers continue to progress. 

Rob Aragao  08:33 

Marian, I think that the NICE framework, again, is a very robust tool. But as I was reviewing the framework itself, and on the website, I also came across what you have out there called CyberSeek, and CyberSeek looks like it's also a great reference, right, where it's an interactive map, helping people identify the different kinds of supply and demand by state down to the metro area, relative to what's needed within the cybersecurity industry. When you take back what you've learned from people that you spoken with that you CyberSeek, both on the job seeker side of it as well as different industry organizations looking to hire people, you know, what type of feedback are you getting on the usefulness of CyberSeek? 

Marian Merritt  09:13 

So, I'm a huge fan of CyberSeek, and it's available at cyberseek.org, that's the website. And it's been funded from a grant from us at the NICE program office but it's put together by CompTIA and Burning Glass. So very credible providers of information about cybersecurity work. So there are two main tools on the cyberseek.org website. And the first is the heat map, the clickable heat map, and the second is a career pathway tool. And that's been really useful for people who are thinking of entering the field to see where do people commonly start. And we see it's network management, it's it's helped us get software development. So for a lot of people, cybersecurity might not be an entry-level work role, and having that career pathway tool has really been useful. 

Stan Wisseman  10:00 

So, Marian going back to that point about the fact that a lot of jobs are now open to remote workers, will CyberSeek have a feature that would enable you to discern whether or not the 40,000 jobs available in Texas for cybersecurity, which ones are the percentage are also available for remote workers? 

Marian Merritt  10:21 

It's a great question. And I will say that given how CyberSeek is constructed, the data is pulled from live actual job descriptions. And so even though it's collated over a period of time, it is intended to show what kind of aspects of jobs people are recruiting on. So I know that as remote becomes a much more common aspect of work, we could expect to see it, I just can't commit to it at this time. 

Stan Wisseman  10:45 

Okay, got it. So going back to your your point about requiring a CISCP for an entry level job, that's a that's a very good example of how sometimes they the folks creating the job description, don't understand, you know, some of the credentials they're putting on there, right, as a requirement. But even without that, you know, entry-level positions are really difficult to find for those without experience, right? I mean, to your point that you made earlier, the, the gist description, sometimes they're very precise. And sometimes you you opt out yourself, because you I don't fit that. And so you don't even apply. But I've talked to, and I'm sure Rob has as well, a number of folks who have made a commitment to you know, going through a cybersecurity program gotten, you know, the certificate, etc. But they then can't get the job because they don't have that 2-3-5 years experience that that's being looked for. What do you suggest on both sides of the equation? 

Marian Merritt  11:52 

Yeah, it's a really challenging situation at the entry-level. First of all, we don't have enough entry level jobs, real entry level jobs. You know, an entry-level job, by definition should not require three years of experience, and we just don't have enough. And if you look at the CyberSeek data, you can really get a visualization. Most jobs out there require 5-10 years of experience, so there is a conundrum here, we need employers to think very carefully about entry-level not only because we just need more entry-level positions for people coming out of schools, but additionally, retention is such an issue in the cybersecurity field. And even if you've got a small team, if you let's say you have four employees, and one of them is leaving every year, which is very common. If you're not thinking about bringing young people in or career entrance or career switchers in on a regular basis, you're just not going to continue to have bench strength on your cyber team. So that's a concern. Now, to the issue of the lengthy requirements in a job description, that has a net effect of leaving a lot of people out, you know. We've seen the data, if a woman doesn't feel when she looks at a job description that she qualifies 100%, she won't apply. If the language used is somehow gendered, you know, using terms like cyber ninja, or you've got to be a team player, or we work hard to get the bad guy. All of which sounds fine to me, because I think I've been here too long. But to a lot of people that says men. 

Stan Wisseman  13:25 

I may be guilty of that in the past as well. So interesting point. 

Marian Merritt  13:28 

Right? You know, it's something to ask. And there are tools out there. And there are lots of experts that can help. But by testing, you can do A/B testing of your job descriptions, and see if it makes a difference in the candidate pool you get. There's other evidence that let's say you have a commitment to diversity, and you want to get more women and people of color on the team. And that's great. Well, there's data, I read an article from the Harvard Business Review that says unless you have more than one finalist, like in your final candidate pool, who meets that diversity criteria, you won't increase the numbers, because that individual will be seen almost as a token, really. But when you have two or more, you start to increase diversity on the team because people begin to look past the superficial and look at the qualifications, which of course is what we want. So entry-level roles, we need those to increase. We need people to be thinking about how they can get out of the reflexive I'll pay a recruiter I'll pay whatever I can, I've got to get 5-10 years experience, I need someone who's done this work before. I mean, it's so human to want to go there, but it doesn't help you in the long run. 

Rob Aragao  14:37 

Marian, I think you know, when you look at the retention aspect that that is another issue. Right? As you said to me, people are flipping in and out different companies within a year's timeframe. Eighteen months is the average for an analyst, things of that nature. But you, we talked about the entry-level positions, which which there's a ton of there's a ton of people who want to get into the market and this kind of the disconnect. Now, when you kind of pull all together, there's also how do I validate the necessary skills, and that this person really has them to come in and do what I need of them specifically for our organization? And what are we looking for? And then even my own employee base, right, as I'm looking to uplevel the capabilities and skill sets within, you know, how do I, again, measure? How do I validate that they're able to take it to the next level? And one of the things that it sounds like is starting to kind of catch on as a way to help measure that is cyber ranges. So I was wondering, you know, are you seeing much of the application of cyber ranges just come into play, and is that really helping, if so? 

Marian Merritt  15:39 

So NICE, actually sponsors a cyber range, it's called the NICE Challenge Project. And it's available to universities, because it's one of the ways that students can demonstrate their capabilities by showing what they've done in, you know, kind of a live fire simulation. And that's been very popular, and that continues to be adopted across a lot of universities. So, you know, nice is trying to invest in things that have the potential to really address some of these inefficiencies, but also sort of miscommunications about what somebody is qualified to do. It's hard for an employer to look at a resume and see the list of courses you took in a university and know what you can do for them. So we've got to help communicate better. But additionally, we are seeing employers start to use assessments or, you know, capture the flags or these ranges as a way of screening candidates, or having candidates as they become finalists, you know, demonstrate their capability. You can also use them as training tools for people in house and identify gaps in knowledge. I'm, in fact, we just did an article, it's available on the NICE website, which is at www.nist.gov/nice, sign up for our quarterly newsletter. But the the issue from a few months ago, actually featured Cloud Ranch, which does pre-hire assessments for employers. There are a lot of NICE cyber ranges and pre-hire assessment tools out there both ranging from the low cost or free, like the Nice Challenge Project, but also commercial versions.  

Stan Wisseman  17:10 

Marian, the earlier we can get folks exposed to cybersecurity best practices, the better. I'm glad you guys are doing at the university level, the cyber ranges, but you're also reaching out to K through 12. You have a NICE K-12 conference coming up, right? 

Marian Merritt  17:23 

We have a NICE K-12 conference every December. Of course, we're still in the virtual mode right now. But, but you bring up such a great point. How are we going to get more young people even aware of cybersecurity careers and the range of them that there are? You know, people like me work sort of on the policy management side of things. I'm a cyber security professional. So while there may be myths out there for young people about what cybersecurity work is, you know, guy in a hoodie typing really fast, you know, magic coding, that kind of person. The reality is, there's work in cybersecurity for every type of person and every interest. You can't expect young people to know that. Their parents don't know that. So we actually have not only the K-12 conference, but we have a week dedicated to cybersecurity careers. And it occurs during the month of October, October 18-23 is Cybersecurity Career Awareness Week. 

Rob Aragao  18:19 

Marian, I think you know, what you've shared with all of the great resources that NICE has to offer, the the future of our cyber workforce, you're reaching down to the K-12 level, not just a traditional kind of we're looking at the university, but going into the K-12, I think that's critically important. So we really appreciate you taking the time today to share with us all and our listeners, what is out there, what is offered by NICE. So for those of them that haven't taken advantage, there's so many great resources that need to go out and start leveraging to be able to better their own programs and apply it to be able to also identify additional talent that they're looking to bring into their organizations. Thanks again for joining us, Marian. 

Marian Merritt  18:55 

It was an absolute pleasure. Thank you so much. 

Stan Wisseman  18:58 

Thanks, Marian. 

Rob Aragao  18:59 

Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us and you can find out how in the show notes. And don't forget to Subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.