How can we ensure that our cyber workforce remains challenged, agile and effective?
According to Cybersecurity Ventures, 3.5 million cybersecurity jobs will go unfilled by 2021, up from one million positions in 2014. Clearly, cyber professionals today are in the driver's seat. So how can businesses fill their open positions? The answer is complicated — it requires both readjustments on the part of businesses and an enthusiastic embracing of new technologies and processes. In addition, it requires a change in thinking from the top, including a willingness to let advanced technologies like AI and machine learning do their jobs.
To learn more, we talked to Bill Brennan, senior director for cyber business enablement at Leidos. Brennan's team leads our cyber workforce transformation efforts.
Q: How can an organization position itself as attractive enough to retain and appeal to scarce cyber talent?
Brennan: Cyber professionals are no different than any other type of professional. They want to be valued and they want a path forward. The traditional way of defining cybersecurity roles and nurturing talent is outdated, because it doesn't adequately address all of the different areas of knowledge, skills and abilities required for different jobs. We think it requires a full cyber workforce transformation.
Q: What is involved in a cyber workforce transformation?
Brennan: At Leidos, we spent time re-examining and re-imagining how we define what people in cyber do. We ended up identifying 27 different work roles that we grouped into five subfamilies: cyber operations, information assurance, cyber research and development, security architecture and engineering. Then we further divided them into more than 1,300 definitions of knowledge, skills and abilities. Then we took it even a step further, creating more than 7,200 proficiency levels. That allows us, at a very atomic level for each person, to define both skill capabilities and skill gaps. It also allows us to align them to individualized training plans and define both horizontal and vertical career growth.
Q: Does this system allow people to transition to something completely different in cyber security?
Brennan: Yes. In fact, that's exactly why we did this. The idea of horizontal movement or transitioning skills between work roles was very nebulous and we wanted to find an effective way to make it more concrete. We are now at a point where we can say "If you have this level of proficiency or you have these skills, you are already 70 percent of the way there, and you can take this training course, or individualized learning, or develop the skills on your own to get the rest of the way there."
Q: What about people who want to enter the cyber field?
Brennan: It's a good fit for them, also. It allows us to attract people who may be transitioning out of the military or people in other careers with skillsets they can apply to the cyber domain. We even removed the requirement for a bachelor's degree.
Q: These are radical changes. How did you manage it?
Brennan: Change is hard, and large-scale enterprise change is even harder. It's like saying everything you've done for the past 30 years is wrong. But overall, the company has been incredibly supportive of the change. They have been willing to listen and understand why we need to do something differently. We have even gotten feedback from subject matter experts across the industry who told us they have been thinking along the same lines. But of course, there are hurdles to overcome when you change, and that's just general organizational change management around things like compensation.
Q: How does this approach to the cyber workforce benefit your company and its customers?
Brennan: It allows us to create longer-term employees who understand the way Leidos does cyber, which, in turn, benefits our customers. It also makes us a preferred cyber employer, which means that we will attract better, longer-sustained talent.
Q: Considering all of these changes in cybersecurity and the cyber workforce, what is something you'd like to highlight?
Brennan: The importance of introducing cyber technology and fields to young people. One of the challenges is that people in school now don't realize that it can be a career. We're hoping that our definition of some of these roles, as well as us working with universities and providing internships, will open their eyes.
Q: We have talked a lot about how to improve the skills of cyber professionals, but what about technologies that reduce the need for human skills, like Artificial Intelligence, Machine Learning and automation in general?
Brennan: That's the other side of the coin, and it's equally important. Advanced cyber automation, AI and machine learning help organizations offload repetitive tasks. That's the biggest challenge, especially in the cyber defense world or cyber operations world. People want to use their grey matter for what grey matter's good for, and that's not repetitive tasks. So in terms of the workforce, it's important to have two kinds of people: people who consume what the machine tells them and then do something with it, and people who teach the machine how to perform tasks. That's what we look for in the future of our workforce.
Q: How can a company use technologies like AI and machine learning most effectively?
Brennan: First, make sure that your approach to cyber is data-centric. At Leidos, we want to collect as much data as we possibly can. The challenge is that there is so much data and there is only so much you can consume. We're working on solutions that will allow us to consume data in a repeatable way, such as repeatable analysis and actions based on data. Then we can offload the data to machines and teach them how to do it. We call this D2I: Data to Intelligence.
And think broadly, outside of cybersecurity. For example, automation, AI and machine learning can be really helpful in helping an organization stay within budget or work with reduced budgets.
Q: How has cybersecurity changed over the past few years, and how do you expect it to change going forward?
Brennan: As more things are pushed into the cloud, we don't have clear boundaries anymore, and that requires a change in mentality. Today, the focus should be on visibility, and on finding ways to maintain control of data in an identity-centric mode as opposed to a gates- and guard-centric mode.
And then there is the proliferation of commoditized attacks. Ten years ago, you had to worry about the very bad and the very good, and there was a gradient in the middle. But with the ability to weaponize fairly decent malware and create havoc within an organization, it has changed considerably what's needed for an organization to defend itself.
Cybersecurity talent crunch to create 3.5 million unfilled jobs globally by 2021 (Oct. 24, 2019), cybersecurityventures.com