
Dark Reading Radio

The Cyber Skills Shortage
Date / Time: Wednesday, October 19, 2016, 1:00 p.m. New York / 10:00 a.m. San Francisco
Overview:
According to industry estimates, about a million new IT security jobs will be created in the next two years – but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.


Live Chat

Wow--we are already at the top of the hour. So much great conversation and insight from our guests, Carson Sweet and Rodney Petersen. Thank you both so much for joining Dark Reading Radio today. And thank you to everyone who came today and joined the online chat. 

Thanks again to the attendees, Kelly, Rodney, and Dark Reading for hosting the discussion.

Apprentice

I think training and certification is ripe for both EXPANSION and IMPROVEMENT.  The reason that there is such a robust training ecosystem is because a college education tends to focus too narrowly on "knowledge" and leaves "skills" development to the employer or training organization.  How do you know that a college degree means the student is prepared to do the job?  (Some professions are better than others - e.g., nursing, teaching, etc. - at putting students into job situations where experiential learning can occur and their qualifications can be observed.)  How do you know that a certification means the worker is prepared to do the job?  ANSWER:  Alignment of the NICE Workforce Framework and Performance-Based Assessments.

Apprentice

DarkReadingTim... it's a combination of things. Education, certifications, references (especially blind references), and having a candidate do actual problem cases are all part of what we lean on to measure security talent. 

Apprentice

Good points, @Carson. 

Signed, the English Major :-)

Kelly, the question of "can I hire a linguist to be a security FTE" is a question of (n) degrees of separation and how much time you have to train them. For example, many great security engineers I know were previously career musicians. There's an affinity in the way their minds work. However, you're probably starting from near-zero in terms of knowledge and skills.

On the other hand, the security skills set is changing dramatically. Automation engineers, data scientists and linguists are in hot demand, because those are now the needed skills. It used to be about TCP/IP and networks, now it's more of a data game.

Apprentice

If we don't use credentials like CISSP, how do we measure the level of skill/experience that the applicant has? Do we test prospective employees onsite?  Or is it all about your references?

Strategist

I think we have to make cybersecurity careers more appealing and interesting.  That is one of the challenges of cybersecurity competitions - although extremely beneficial they can tend to be unwelcoming to females and non-technical types.  The NICE Workforce Framework outlines 7 broad categories of work, 31 specialty areas, and underscores the diversity of the cybersecurity field.  However, teamwork, communication, and other soft skills are extremely important to cybersecurity so we need to make cybersecurity sound like the exciting career that it is and not a field that is only populated by "geeks" or "nerds" (which is the popular impression).  We need to make cybersecurity careers COOL!

Apprentice

Sara, I think they are. Rodney made great points about skills training, not just education. They're both really important... you can't be well-rounded without a solid educational foundation, but you can't stay up-to-date without hard skills training.

Apprentice

One thing the DoD study found that I find interesting is that it's not necessarily the technical skills that are needed for today's cybersecurity jobs. Should organizations be recruiting college students from a wide variety of areas—psychology, linguistics, communications, etc.? <--following this theme

@Rodney @Carson  You're talkin' my language!!! Hiring based on skills, not traditional skills. Learning on the job, and benefiting from knowledge of the enterprise. I hope more people start thinking like you.  

Author

Great question about determining the quality of a college or university offering a cybersecurity.  I would start by recommending that you consider a DHS/NSA Center of Academic Excellence in Cybersecurity (search cae community dot org) since they are designated based on meeting the CAE criteria and knowledge units.  There are many community colleges who are also CAE schools and we are working to improve the prospects for transferring from a 2Y to a 4Y school.  Whether a diploma or a certification, NICE also is an advocate for Performance-Based Assessments which is why we support a grant for the creation of the NICE Challenge Project - an online tool for developing cybersecurity knowledge and skills and asserting competency.

Apprentice

@SoulFoodTo-Go, RE: how valuable will your degree be... there are some interesting ways to go about this. One is to get connected to security professionals in your area (e.g. Meetups) and ask. If you can manage to lock into someone's time as a mentor, they can give you great guidance also. And you can always augment your skills with your own additional education... for example, take your own SANS, CSA, etc. courses. You will get out of your education what you put into it.

At the end of the day, if you have solid knowledge and skills, it doesn't matter where your degree comes from. I never finished undergrad, for that matter. It's about the content, not the source.

 

Apprentice

I think the apprenticeship model is spot-on, btw.

The CISSP also was most valued cert by security pros in a recent ESG-ISSA report, which found that some 56% of security pros hold a CISSP, and most say it was "valuable" both for getting hired (61%) and for on-the-job know-how (55%).

The NICE Conference in Kansas City on November 1st will feature an opening keynote by Byron Auguste on "Rewiring the Labor Market".  His premise is that employers need to hire based on skills, not traditional credentials, and should also focus on individuals with the ability to learn on the job.  That is why NICE is so interested in apprenticeships, cooperative education, and other "earn as you learn" programs.

Apprentice

Sara - RE: growing security skills from within, I believe in this approach whole-heartedly. Many companies do this. It's beneficial not only in terms of gaining cyber security skills, but also in gaining cyber security skills who already know the enterprise.  My experience has also been that some of the strongest security technologists out there were non-security technologists first. It provides a real-world, practical base to learn from.

Apprentice

Another resource for a cybersecurity overview has just been published by Dr. Ed Amoroso of TAG Cyber LLC.  He very recently published an annual overview, "Practical Handbook and Reference Guide for the Working Cyber Security Professional: The TAG Cyber 50 Enterprise Security Controls", as well as a volume of luminary interviews and a third volume listing all the various vendors people should get to know.   @Sara - Ed is also doing a course for over 100 companies that covers a variety of cybersecurity topics over a 25 week period.

 

Apprentice

I see a great question from @SoulFoodTo-Go:

HERE:

I'm in the group of employees with a degree and working in IT. For-profit schools have been in the news lately for their negative practices.  How are prospective students to know if the education they are getting is useful or will be respected in industry?

Robert D, the CCNA program is going to be very vendor-specific. It's also going to focus almost strictly on the network level of the I.T. delivery stack... and there's so much more. If you're looking for a broader survey of the security field, you might consider looking into a CISSP program or SANS education, and then see what specialization suits you... or maybe you'll decide to become a security generalist. But my suggestion is always to go broad then dial it in.

Apprentice

Ah, what are the "entry-level" positions.  GREAT QUESTION!  My experience has shown that the greatest demand is for mid-level jobs, typically requiring a bachelor's degree, certification(s), and experience.  However, the Cybersecurity Jobs Heat Map to be launched on November 1st will also include a Career Pathways Portal that will help us better answer the question of "what entry level jobs are available".  This is a critically important issue for NICE as we believe that individuals with the right skills, including an Associate's Degree, are capable of fulfilling many cybersecurity work roles.  The identification of "career pathways" is an important next step.

Apprentice

Taking this from the opposite angle... are employers training up their internal employees and/or willing to hire and train people with an interest in security, even if they don't have all the experience? Or are they only looking for experienced people? Because with a shortage like this, it seems like we'll never fill it if we're just fighting over the same few people, instead of creating new ones -- including those who may already be mid-career?

Author

Kelly, you're already doing some of that good work. :)   

Awareness through media is big. Other areas where we've tapped into unrealized talent have been via methods like online "hackathons" and even something as simple as a job fair. But in any case the key requirement is to have programs in place to nurture and round out the existing talent a person might bring in... these skills have to be developed and maintained.

Apprentice

So many questions.  So little time.  I especially like the one:  will the shortage problem ever stop?  I am inclined to answer "yes" and "no".  I think there are some ways to reduce the need for "cybersecurity workforce" if we have more secure products and infrastructure and can focus less on incident response.  However, the NICE Workforce Framework is moving towards a focus on Work Roles and that means that cybersecurity is (almost) everyone's responsibility.  So whether you "securely provision" or "oversee and govern" in the digital economy you will need to have the corresponding knowledge, skills, and abilities in order to succeed.

 

Apprentice

I'm in the group of employees with a degree and working in IT. For-profit schools have been in the news lately for their negative practices.  How are prospective students to know if the education they are getting is useful or will be respected in industry?

Apprentice

Wow--lots of great information on opportunities for training and ed in security. @Carson and @Rodney, what is the best way to get the word out about some of these to folks who are not as familiar with security/the industry and could be potential untapped talent?

Thanks to the attendees for joining. Some good questions appearing below..

Apprentice

Robert, yes, CCNA is something I too am exploring even though it is manufacturer specific.

 

Apprentice

Estella, there are many pathways that I have discovered. Coming from an IT background, some of the core knowledge pathways include fundamentals in Network Administrator/Engineer, System Administrator, Web Administrator/Developer, IT Technical Support and DB Administrator.

 

Apprentice

Has anyone taken a look at the new CCNA CyberOps certification from Cisco? Does anyone think the certification will open doors for people who have some IT experience, but little exposure to cyber security?

Apprentice

I don't think there's any question we need more education and training at the entry level to get more security pros into the industry. But many of the technologies and threats we're seeing in large enterprises require a very skilled analyst with multiple years of experience. How will we get these new people experienced enough that they can perform these very sophisticated functions?

 

Strategist

Yes, we need to make computer sci, cybersecurity less intimidating to the public. The industry is missing a lot of talent. These are good jobs, that pay well. But too many people think it's something that is too far over their heads...

Strategist

What do you recommend for an IT Technician to transition into cybersecurity?

 

Apprentice

Agree with this! I wish they required comp sci when I was a student - for us, it was an elective. Security should be a must for all students, of any major.

Author

It does seem like there should be a bit of both -- I had to take a Comp Sci class in order to graduate with a degree in journalism.   ???  Seems reasonable to have a 101 security class AS A FOUNDATION class, not an elective, and then reinforce them in all the other cases throughout everything else. 

Author

What are the job opportunities for an entry level Security+ certified individual today (sans University degree) and in the near future?

Apprentice

@Sara Certainly doesn't seem so! It's such a fascinating career. It's mind-bending that more people don't gravitate towards it. But for "regular folks" it is just too intimidating!

Strategist

First, second, third, millionth question: do you think we will EVER stop having this shortage problem? 

:(

 

Author

Excited to hear about new developments in the infosec jobs scene!

Strategist

We're glad everyone is here today! The player will appear above this window at the top of the hour -- if you don't see it, then please refresh your browser window (and make sure you're using a browser that supports Flash).

Author

Hi KJH - I'm looking forward to it too!

Apprentice

I'm really looking forward to our show today!
