This blog is part of a series for Cybersecurity Awareness Month 2022. You can find the other blog posts here:
The Three Phases of Keeping Burglars and Cybercriminals Away
Best Practices for Passwords and Multi-Factor Authentication within the DOD
Devalue the Data and Secure Your Agency through Encryption
In my humble opinion, “See Yourself in Cyber” should also include talent management and filling critical roles within industry and DOD agencies.
As has been predicted, the baby boomer generation is retiring – a situation exacerbated by the COVID-19 pandemic. Not only have baby boomers decided to retire early, workers of all ages have gone from classic 9 to 5 jobs to founding their own businesses and joining the gig economy.
The impact? A shortage of available talent to fill critical roles throughout industry and DOD agencies. The situation is worsened by a system that is slow to bring in new talent due to a lack of qualified candidates. It’s a problem perpetuated by high barriers to entry.
And yet there is hope. In fact, there is a model that exists today that is available for use by the DOD as well as industry. As you may have guessed from the title of this article, it comes from my favorite sport: Baseball.
In this blog I’ll outline the problem that plagues the IT industry, particularly DOD agencies, in recruiting and keeping a steady flow of new talent. I’ll reveal where hefty requirements hinder qualified talent from even considering a career in IT; I’ll illustrate how advanced technology is helping to bridge the talent gap; and I’ll highlight a few lessons and tips that DOD agencies can learn from baseball.
The Problem
One of the things agencies have not done well for a long time is facilitate the critical knowledge transfer when someone leaves a role. It’s nearly impossible for a new hire to get inside the more veteran person’s brain without some level of job shadowing.
While internships give hands-on experience to students, there aren’t many colleges and universities with good, skills-based programs to get students ready for starting out in their careers. Rather, the programs focus on teaching theories, policies, and high-level concepts of IT. While it’s good background, especially for those seeking leadership roles, it’s not going to prepare students for the day-to-day functions of an entry-level cybersecurity position.
To reiterate, while the inflow of new talent has slowed, the outflow of early retirees or those changing careers has been hastened as a result of the COVID-19 pandemic. Losing seasoned professionals before new candidates can be hired translates to fewer people with the abilities to conduct training, combined with a loss of institutional knowledge. What used to be six or more months of job shadowing and mentorship has become a much longer, DIY journey.
Qualification requirements, particularly credentials or certifications, are a double-edged sword. While these attributes provide employers with an easy way to screen candidates, it’s also not fair to require candidates for an entry-level position to have three years of experience and a certain number of credentials that take many months and thousands of dollars to acquire. And yet, there continues to be a steady shift toward these requirements.
When I started in the industry, these hefty requirements didn’t exist. I was able to start work in an entry level position and gain knowledge as I progressed in my job responsibilities.
The high entry requirements are particularly unfair to rural and less advantaged students who don’t have local opportunities to acquire any requisite experience. Further, they typically don’t have the $10-20k required to gain some of the core credentials.
The Solution:
Current students have more access to technology than any generation before them. However, the courses that are taught tend to look at concepts in silos – programming, understanding applications, etc. Those courses typically don’t teach about the piping of the internet, networking, how everything fits together, and the core concepts that would enable undergrads to be good analysts.
Many pupils, both high school and college, have jobs. Instead of offering them a job selling shoes or waiting tables in a restaurant, why not offer them more opportunities in their future field? A few hours a week in a level-one helpdesk position would give students hands-on working knowledge of customer service and problem solving within the IT space. It doesn’t give them free food like the restaurant might, but it will likely pay more (about $20 an hour) and give them a much stronger foundation as they enter their future careers or degree programs.
Not only will these high school and college scholars absorb a basic understanding of technology, but they will also learn the language of the industry, which is filled with jargon and three letter acronyms (TLAs). This base knowledge will allow them to enter at a higher job level post-graduation.
Further, in reaction to the talent shortage, some agencies have started offering internships and apprenticeships to students, to shorten the startup and training time.
Many private sector companies and some agencies, including the U.S. Department of Homeland Security (DHS), are putting programs into place that start training students in cybersecurity as early as middle school. This younger talent has grown up using computers and mobile devices, and with this background, they are more equipped to understand IT and cybersecurity principles. They just get it. In comparison to students of the 60s and 70s who may have heard that a computer existed but had never seen or used one, these modern students have far fewer barriers to explore the IT industry and all of its subdivisions than any other generation before them.
Industry and agencies ought to invest more across the duration of an employee’s career - it’s a win-win for both the employer and the employee. Bringing in entry level positions with fewer requirements and hurdles allows employers to evaluate exactly who is interested and qualified to move up. It also gives the employee the insight to determine if the role is really what they want to do, before investing a lot of time and money.
While education is important, analyst and support desk roles don’t necessarily require four-year degrees. Allowing recent high school graduates to fill these entry-level positions welcomes them into the workforce, offering the opportunity to earn money and mitigate the potential debt that comes from a four-year college degree.
For promising employees, it then makes sense for employers to invest both time and financial resources for acquiring further credentials and education.
Let Technology Bridge the Gap
While bringing in entry level positions without credentials and experience increases the talent pool and lowers the initial salary requirements, it does require more training upfront to quickly learn the role.
However, with advances in automation, artificial intelligence (AI), and machine learning (ML), we can make it easier for these new hires to do their jobs more efficiently and with less training time. It’s what we at MFGS, Inc. did with our ArcSight incident detection and mitigation solution. When we redesigned the user interface a few years ago, we did it with the entry level analyst in mind. It became far more visual and intuitive, which also makes it far easier to operate.
Not only does advanced technology allow those with less experience to do more, but the AI/ML enhancements allow agencies to bridge the talent gap: doing more with fewer people while they work on filling open positions.
One of the big concerns that results from AI/ML is the potential for permanent reductions in workforce. While that is admittedly a possibility, there are two factors that prove that potential wrong. The first: while advancements in technology have reduced the number of people required to do certain manual jobs, this has always been balanced by an increase in other, more highly technical roles. Remember, we used to hire people who took messages from callers (now voicemail or text) and dictation (now a personal computer with a word processor).
Further, when it comes to incident identification and remediation and other cybersecurity functions, it truly takes the natural curiosity of a human to identify more complex issues. This is exemplified in the SolarWinds vulnerability. It took a senior level technical expert looking at something that just didn’t seem right and diving in for further investigation to realize there was a big issue.
Feeding the workforce funnel - What DOD agencies can learn from baseball.
I am a huge baseball fan, specifically for the New York Mets. (Sorry Phillies fans…) I think there is much of value that DOD agencies can learn from the baseball farming and feeder systems. At the end of the day, both are a numbers game. The junior or minor leagues are working to find people who show promise. The players who end up in the feeder teams likely started in little league and continued on through high school. The goal is to find players with potential for improvement through training. It’s never a guarantee, but the teams know this. They may keep someone around for two or three seasons investing in training, salaries, and more.
Sometimes it works and the rookie ends up playing in the majors. Other times, it doesn’t pan out. While the player might be disappointed that they don’t get to go on, the league is perfectly content because it’s built into the model. The player who didn’t advance to the majors could stay in the minor league or decide to leave altogether.
The important thing to note is that just like in baseball, industry and DOD agencies can work from that feeder system, strengthening the training that occurs in middle and high school classes. Next steps are to engage with teachers to find promising students interested in a help desk role for a few hours per week, and if everything works out with the first phase, they can move to a full time role after graduation. As the entry level person shows continued promise and interest, they continue to qualify for the requisite certifications to move to the next level.
Summary
Despite a marked reduction of talent in the hiring pools, coupled with an expedited retreat of retirees, all is not lost. There is evidence that supports building a standardized infrastructure to teach students about cyber earlier in the game. Internships and apprenticeships are growing in popularity, and technology is bridging the gaps while giving the talent influx an opportunity to increase. And the existing, proven model of training in baseball can be mirrored in agencies, giving hope for a strong future of knowledgeable and excited new talent seeing themselves in cyber.
Stay tuned for our future blog articles covering more for Cybersecurity Awareness Month 2022.