National Cyber Workforce and Education Strategy: A review

New SEC requirements // Elon Musk // Federal jobs

Hello friends,

Did ya miss me?

Apologies for the few-week hiatus! It involved a number of family trips that somehow got stacked together on the calendar, as well as moving into a new home. We are on the flip side of that!

This week the Biden administration released the long-awaited federal government strategy on how to tackle the cybersecurity talent shortfall that America faces. This week we will do a teardown of the report, summarizing the approach and highlighting the strong points and still missing points in the national strategy.

We are starting a new newsletter cadence this week, officially shifting the frequency to 2-3 times per month. You’ll also see some movement of the sections. As always, you’ll have a blend of research, advice, and cybersecurity industry updates, with an emphasis on the human side of security.

Next week, we will be debuting our initial monthly report on the cybersecurity jobs market, which I’m super excited about.

I am planning on being out in Vegas next week for Black Hat/DefCon. Would love to meet up with you; hit me up!

Enjoy,

Brad

National Cyber Workforce and Education Strategy: A review

The Biden administration has released a 60-page, 59-point plan to address the cybersecurity talent gap in the coming years.

While not perfect, the strategy does an admirable job of leaning into the very real challenges and suggesting many practical approaches that are readily achievable. There’s a heavy emphasis on collaboration between the government and private sectors (as there needs to be).

Most importantly, the presence of the strategy in and of itself – in tandem with the national cybersecurity strategy and implementation plan – is a sign of the importance that the administration is assigning to cybersecurity in general.

Our national cyber challenges will only continue to escalate; it’s critical to have a public/private plan on how to address them.

In context: our national talent shortfall

Before diving into the solutions that the strategy lays out, let’s put the scale and nature of the problem into some perspective.

1) There are fewer people than there are jobs

  • Depending on the source, there are somewhere between 400K and 700K open cybersecurity jobs in the US per year

  • Job openings are growing at 2x the pace of new practitioners; we aren’t forming the talent fast enough

  • About one quarter of all the cybersecurity roles in the US are open at any given time

2) It takes a long time to find people, and the match often isn’t great

  • Average time to fill is 4-6 months

  • Industry turnover is high: 20-25%

As a result, there are some very essential things that are just not getting done within companies (alerts reviewed, patches deployed, risks reviewed, etc.). It’s a very real, very large national vulnerability.

Why is this?

We’ll have a deeper unpacking of the root issues in future posts, but the key challenges are:

1) A short-term, tactical, reactive approach to security in most organizations that cuts short sufficient budgetary investments in training and development for security

2) Poorly written job descriptions that over-emphasize experience and under-emphasize skills (or use experience as a proxy for skills)

3) Employers that are not willing to invest in training for the security teams, and only want experienced hires that are ready to go

4) Skill gaps among security leaders in team building and formation, as well as security risk measurement and value articulation

5) Much of the basic entry-level work has already been automated, and a large portion of the ‘work to be done’ truly does require advanced skills and competencies, as well as a technical understanding of the underlying assets and infrastructure (e.g. operating systems, applications, networks, etc.). These skills and this knowledge aren’t formed quickly, and they aren’t usually formed through traditional educational modalities.

So what’s the strategy?

There are three embedded objectives in the plan:

1) Meet cyber workforce demands
2) Enable the lifelong pursuit of cyber skills
3) Strengthen the cyber workforce through greater diversity and inclusion

The plan itself is built around four pillars. We will summarize the key takeaways for each:

Pillar 1: Equip every American with foundational cyber skills

  • The plan tacitly recognizes that humans are the largest cybersecurity vulnerability and that most security incidents have a human element to them. Everyone thus plays a role in making workplaces and the country more secure, and the plan seeks to raise the waterline of education and understanding

  • But it goes beyond basic security awareness training concepts and recognizes that underlying technical skills will only become more important to our economy broadly, and that formation of interest in software and computing at an early age contributes to having great technical talent down the road

  • Here are the core skills the government would like all Americans to have:

Pillar 2: Transform cyber career education

  • There is a strong emphasis on opening low-cost (or free) education with an element of hands-on labs that can be deployed at the pace appropriate for a given individual. Security and technical education does lend itself well to this modality

  • Fostering local security ecosystems is a critical element here; the report cites several examples of successful public/private initiatives at the state and local level that have strengthened the regional security workforce

  • One of the major challenges is a lack of qualified educators across elementary, high school, and university levels; the report has several recommendations on how to build the stock of qualified teachers

Pillar 3: Expand and enhance America's cyber workforce

  • This section is really the ‘meat’ of the report and where the most substantive recommendations lie

  • Cybersecurity is a great field to upskill talent into, and one where it pays to look to non-traditional (and often diverse) talent pools. There is an emphasis on providing training and support to bring more people into the field; for instance, by expanding the capabilities of community colleges to provide robust cybersecurity curricula

  • Skills-based hiring is critical to bring more people into security roles. Right now, most employers hire for experience. How common is it to see ‘5+ years of experience with XYZ technology’ on a job description? We can more directly assess what people know, and what they are good at, and use those insights to make hiring decisions

  • There is also a focus on work-based learning via apprenticeships and internships, as well as bringing people from underserved communities into the field

Pillar 4: Strengthen the Federal cyber workforce

  • This is an area where the government wants both to lead by example and to help build a talent base with skills that can be leveraged inside and outside government

  • Highlights include investments in federal workforce professional development, building model career pathways, and growing internships and apprenticeships

Our take: highlights of the plan

Overall, this is a fantastic and ambitious plan that includes some particular elements worth celebrating:

  • A balanced emphasis on hands-on/experiential and instructional learning, aligning with how people actually learn

  • Support for workforce development tools for small enterprises, which lack the scale and funds necessary to 1) hire expensive, highly trained security experts and 2) build custom training programs, and are the most frequent and most vulnerable targets for cyberattacks

  • An emphasis on transitioning to skills-based hiring (as opposed to years of experience), and testing those skills upfront with assessments

  • Emphasis on collaboration across government and private sector entities

Shortfalls of the plan

No plan is perfect, however, and there are a handful of omissions and potential issues.

  • Most people pivot into cybersecurity from IT jobs, the idea being that once you understand how something works (operating systems, networks, etc.), you are well equipped to understand potential vulnerabilities and how to secure them. There is not enough treatment in here around how to cultivate the underlying tech/IT skills that will be needed in cyber (e.g. software development, systems architecture, etc.)

  • Like all things federal, there’s a host of elements in the strategy that will undoubtedly hamper speed and efficiency. It’s rife with acronyms of various working committees across agencies, and some elements have the risk of becoming a rather academic exercise. NIST NICE is a great example of a solid framework and needed taxonomy that got bogged down in its own complexity, and arguably misses the forest for the trees (but that’s another topic entirely).

  • Overall, there may be too many points and objectives, and it risks getting in its own way (for instance, how important is it to have a strong push for including cyber skills as an element of corporate social responsibility?). Not bad certainly, but far from the most impactful lever.

Overall, though, this is an effort to be applauded. As always, the strategy is the easy part. The implementation is the hard part.

If you are interested, a full outline of the plan is included at the bottom of this newsletter.

News, tools, and resources

💼 You have probably been living under a rock (or vacationing off the grid) if you haven’t heard about the new SEC cybersecurity requirements. I won’t recap them here, but here are a few good pieces unpacking their impact. Rundown of the key points (Tenable). Perspectives on impact (SecurityWeek).

🪲 IoT devices are notoriously insecure. The Biden administration is planning a label to validate strong security, meant to encourage IoT companies to take security seriously (The Verge)

China has malware deeply embedded in the US power grid, with an emphasis on locations by military bases, according to the New York Times. Not surprising, but scary nonetheless. No indication as to the nature of the malware (NYT)

🪖 If you weren’t scared of Palantir already, their CEO is advocating the urgent development of AI-based weapons (NYT)

🪟 An APT group linked to the Russian SVR is attacking M365 users with social engineering attacks using phishing over Teams (Microsoft)

🪖 Elon Musk is in the business of approving which attacks Ukraine can launch with help from Starlink (Telegraph)

🏛️ Interested in working for the US government? Here’s a job board that the federal government maintains on cybersecurity job openings (currently 944)

🔧 Meta has released a new open source tool to generate music from text prompts (Meta)

Events

💼 Black Hat. Las Vegas. August 9-10.

💼 BSidesLV. Las Vegas. August 8-9.

💼 DefCon. Las Vegas. August 10-13.

💼 ISACA GRC Conference. Las Vegas. August 21-23.

💼 GrrCON. Grand Rapids. September 28-29.

Full outline of the key points of the national cyber workforce and education strategy

PILLAR ONE | EQUIP EVERY AMERICAN WITH FOUNDATIONAL CYBER SKILLS

STRATEGIC OBJECTIVE 1.1: MAKE FOUNDATIONAL CYBER SKILL LEARNING OPPORTUNITIES AVAILABLE TO ALL

1.1.1 Enhance foundational cyber skills learning opportunities through Federal investments

1.1.2 Foster ecosystem approaches to enhance foundational cyber skill learning opportunities

1.1.3 Encourage the development of an open knowledge network for foundational cyber skills.

1.1.4 Use data and tools to guide investments in foundational cyber skills learning opportunities.

1.1.5 Include foundational cyber skills in existing educational frameworks, programs, and activities.

STRATEGIC OBJECTIVE 1.2: INVIGORATE THE PURSUIT OF FOUNDATIONAL CYBER SKILLS AND CYBER CAREERS

1.2.1 Promote the economic and societal benefits of foundational cyber skills

1.2.2 Encourage foundational cyber skills as a corporate social responsibility.

1.2.3 Leverage national outreach and awareness initiatives to encourage the development of foundational cyber skills and the pursuit of cyber careers

1.2.4 Establish a presidential award for foundational cyber skills.

STRATEGIC OBJECTIVE 1.3: FOSTER GLOBAL PROGRESS IN FOUNDATIONAL CYBER SKILLS

1.3.1 Exchange best practices in improving foundational cyber skills with international partners and allies.

1.3.2 Include foundational cyber skills development and awareness in international capacity-building programs.

1.3.3 Promote the development of international standards and frameworks relating to foundational cyber skills

PILLAR TWO | TRANSFORM CYBER EDUCATION

STRATEGIC OBJECTIVE 2.1: BUILD AND LEVERAGE ECOSYSTEMS TO IMPROVE CYBER EDUCATION

2.1.1 Expand and support cyber education ecosystems

2.1.2 Increase engagement in cyber education ecosystems

2.1.3 Integrate cybersecurity across disciplines to prepare the cyber workforce to build systems that are secure by design.

2.1.4 Protect learners in safe and secure cyber learning environments

STRATEGIC OBJECTIVE 2.2: EXPAND COMPETENCY-BASED CYBER EDUCATION

2.2.1 Focus federal cyber education investments on developing learning resources aligned with stages of cognitive development

2.2.2 Enhance applied cyber content in interdisciplinary education programs.

2.2.3 Increase the availability of curricula for cyber education programs.

2.2.4 Increase concurrent and transferrable credit opportunities.

2.2.5 Expand innovative models for academic credit

STRATEGIC OBJECTIVE 2.3: INVEST IN EDUCATORS AND IMPROVE CYBER EDUCATION SYSTEMS

2.3.1 Increase the cyber teaching capacity of K-12 systems and postsecondary institutions.

2.3.2 Establish a national cyber educator fellowship program.

2.3.3 Increase enrollment in advanced degree programs to strengthen research and development in cyber.

2.3.4 Increase participation in advanced degree programs to expand the cyber faculty pipeline.

2.3.5 Encourage interdisciplinary approaches to teaching cyber

2.3.6 Incorporate cyber education and training into career pathway initiatives

2.3.7 Expand opportunities to earn credits for experiential learning in cyber

2.3.8 Establish and support national cyber award programs for schools and teachers

STRATEGIC OBJECTIVE 2.4: MAKE CYBER EDUCATION AND TRAINING MORE AFFORDABLE AND ACCESSIBLE

2.4.1 Enhance the cyber workforce talent pipeline in underrepresented communities.

2.4.2 Increase access to learning opportunities and culturally connected cyber content.

2.4.3 Increase the participation of students and teachers in cyber scholarship programs.

2.4.4 Incorporate cyber instruction into public programs that serve local communities.

PILLAR THREE | EXPAND AND ENHANCE AMERICA’S CYBER WORKFORCE

STRATEGIC OBJECTIVE 3.1: GROW THE CYBER WORKFORCE BY PROLIFERATING AND STRENGTHENING ECOSYSTEMS

3.1.1 Encourage more robust stakeholder involvement in ecosystems.

3.1.2 Improve cyber workforce data interoperability and analysis.

3.1.3 Expand the availability of low- or no-cost workforce development tools for small enterprises

STRATEGIC OBJECTIVE 3.2: PROMOTE SKILLS-BASED HIRING AND WORKFORCE DEVELOPMENT

3.2.1 Leverage community colleges to enhance cyber workforce diversity and better meet local workforce needs

3.2.2 Build and enhance industry partnerships in cyber education and workforce development ecosystems to enhance diversity and improve programs.

3.2.3 Expand the use of skills-based hiring practices.

3.2.4 Expand the use of skills-based workforce development practices.

3.2.5 Increase on-ramps to cyber careers through work-based learning opportunities

3.2.6 Encourage the adoption of flexible employment models, such as fractional employment.

3.2.7 Engage with employers and human resource professionals on skills-based strategies.

STRATEGIC OBJECTIVE 3.3: LEVERAGE THE DIVERSITY OF AMERICA TO STRENGTHEN THE CYBER WORKFORCE

3.3.1 Explore incentives in federal cyber grants and contracts addressing underrepresented and underserved communities

3.3.2 Expand the availability of low- or no-cost competency-based credentials.

3.3.3 Increase collaboration with organizations that serve or operate within underserved and underrepresented communities.

3.3.4 Facilitate and support greater participation by veterans in the cyber workforce.

3.3.5 Develop immigration policies to welcome and retain foreign-born talent into the nation’s cyber workforce.

STRATEGIC OBJECTIVE 3.4: ENHANCE INTERNATIONAL ENGAGEMENTS

3.4.1 Collaborate with international partners and allies on workforce development best practices.

3.4.2 Include cyber workforce development in U.S. capacity-building efforts abroad.

PILLAR FOUR | STRENGTHEN THE FEDERAL CYBER WORKFORCE

STRATEGIC OBJECTIVE 4.1: DRIVE SUSTAINED PROGRESS THROUGH GREATER FEDERAL COLLABORATION

4.1.1 Use the FCWWG to drive sustained improvements in the federal cyber workforce.

4.1.2 Enable better data-informed decision making to guide federal cyber workforce management.

STRATEGIC OBJECTIVE 4.2: ATTRACT AND HIRE A QUALIFIED AND DIVERSE FEDERAL CYBER WORKFORCE

4.2.1 Lead the development and implementation of skills-based hiring practices

4.2.2 Grow programs that provide scholarships for federal service.

4.2.3 Scale paid internship and Registered Apprenticeship opportunities.

4.2.4 Reduce barriers to better enable cyber professionals to transition between private and public service.

4.2.5 Improve awareness of job opportunities.

4.2.6 Expand the use of shared hiring actions.

STRATEGIC OBJECTIVE 4.3: IMPROVE CAREER PATHWAYS IN THE FEDERAL CYBER WORKFORCE

4.3.1 Develop and publicize model career pathways.

4.3.2 Invest in professional development.

4.3.3 Make hiring and pay flexibilities, as well as other talent management tools, more available to meet critical needs across the entire federal cyber workforce.

STRATEGIC OBJECTIVE 4.4: INVEST IN HUMAN RESOURCES CAPABILITIES AND PERSONNEL

4.4.1 Train HR professionals in cyber talent management

4.4.2 Provide tools and capabilities to support cyber talent management

Crux is building the talent platform for cybersecurity. Check us out.
