During this NPower panel, hear from industry execs Devon Bryan of Carnival Corporation, Kimberly Quan (KQ) of Juniper Networks, Katrina Moquin. of Akamai Technologies, Dr. Elizabeth Kolmstetter of Cybersecurity and Infrastructure Security Agency (CISA), and NPower alumni, Licole Bursey in a panel discussion on the cyber talent gap and ways to tap into a viable pipeline of nontraditional cyber talent.
Guests:
Devon Bryan, Global CIO at Carnival Corporation
On LinkedIn | https://www.linkedin.com/in/devonabryan/
Kimberly Quan, Senior Manager, Cyber Fusion at Juniper Networks [@JuniperNetworks]
On LinkedIn | https://www.linkedin.com/in/kimberlyq/
Katrina M, VP of Product Security at Akamai Technologies [@Akamai]
On LinkedIn | https://www.linkedin.com/in/katrina-m-8477361/
Dr. Elizabeth Kolmstetter, Chief People Officer at Cybersecurity and Infrastructure Security Agency [@CISAgov]
On LinkedIn | https://www.linkedin.com/in/elizabeth-kolmstetter-8217289/
Licole Bursey, Alumni, NPower [@NpowerOrg]
On LinkedIn | https://www.linkedin.com/in/licole-bursey-5a25a3176/
Event Host: Nelson Abbott, Senior Director, Advanced Program Operations at NPower [@NPowerOrg]
On LinkedIn | https://www.linkedin.com/in/nelson-abbott/
____________________________
Moderator: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________
This Episode’s Sponsors
___________________________
Episode Notes
With over 630K open cyber jobs in the US, NPower continues to produce a strong network of diverse cybersecurity professionals for in-demand cyber roles. Hear from industry execs Devon Bryan of Carnival Corporation, Kimberly Quan of Juniper Networks, Katrina M. of Akamai Technologies, Dr. Elizabeth Kolmstetter of Cybersecurity and Infrastructure Security Agency (CISA), and NPower alumni, Licole Bursey in a panel discussion on the cyber talent gap and ways to tap into a viable pipeline of nontraditional cyber talent.
The panel delves into various aspects of the talent gap in cybersecurity, including the challenges organizations face in recruiting and retaining cyber talent, the need for diverse talent pipelines, and the importance of creating a sense of belonging in the workplace.
Dr. Kolmstetter highlights the importance of purpose and making a connection with the organization's mission to attract diverse talent. She emphasizes the need for a workplace environment that celebrates diversity of opinions and thoughts, where people can thrive and feel they are making a difference.
Devin discusses the image problem that cybersecurity still faces and the need for representation of diverse practitioners. He stresses the importance of visibility and showcasing cybersecurity’s fun and exciting aspects to attract more people, especially those from underrepresented communities.
Licole shares her personal experiences and insights as someone who has successfully navigated the job market in cybersecurity. She discusses the importance of having a diverse skill set and approaching the job search with a holistic mindset, focusing on mental and physical readiness.
Throughout the episode, the panelists emphasize the progress that has been made in addressing the talent gap, but acknowledge that more work needs to be done. They discuss strategies for attracting and retaining diverse candidates, such as removing degree requirements and leveraging non-traditional recruiting streams.
The conversation offers practical insights and solutions for organizations and individuals in the cybersecurity field. It is a valuable listen for anyone interested in understanding the challenges and opportunities in closing the talent gap, promoting diversity and inclusion, and building successful cybersecurity careers.
____________________________
Watch the NPower video on YouTube: https://www.youtube.com/watch?v=LV4y_b26G5k
Watch other videos on ITSPmagazine's YouTube Channel
Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:
📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq
ITSPmagazine YouTube Channel:
📺 https://www.youtube.com/@itspmagazine
Be sure to share and subscribe!
____________________________
Resources
Engaging with Advancing Tech Careers Collaborative for partnership opportunities: https://www.npower.org/get-involved/atcc/
Command Shift Diversity Directive toolkit: https://diversity.commandshift.org/diversitydirective/
NICE Job Description Toolkit: https://www.nist.gov/system/files/documents/2023/09/22/MTM%20Guidance%20on%20Writing%20a%20Hiring%20Rubric.pdf
NPower Virtual Career and Resource Fair: https://app.premiervirtual.com/events/15495c07-5f3a-4639-8b08-fe90b3ddfd24/npower-virtual-career-and-resource-fair/organization
____________________________
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast
Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network
Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.
_________________________________________
All right, great. Thanks, everyone. So welcome, welcome, welcome, welcome. We're very excited for today's event. My name is Nelson Abbott. I am the Senior Director for Advanced Program Operations at NPOWER. Before we get started, a little bit about us. NPOWER is a workforce development organization, and we help underserved and military-connected communities move from poverty to prosperity by connecting them to technology careers, and that includes infrastructure, cloud computing, and as we're here to talk about today, cybersecurity. We're going to be discussing the talent gap in the cybersecurity space and share some ideas on how you can help close that gap. So without further ado, let's get started. To set up the panel discussion, let's start looking at some data. As you can see here, organizations are struggling to not only recruit cyber talent, but to retain it as well. Very significant, over half of each. The result is what we're here to talk about, over 660,000 open cybersecurity jobs, according to CyberSeek. This also creates additional risk that leaves organizations open to cyber attacks, so it's really a dire issue that needs to be addressed. We're going to talk about some of the challenges that we are seeing through our work here at NPOWER and offer some suggestions that folks can start implementing right away after this webinar. First up, let's talk about the challenges, as we see here, that cyber leaders have in finding certified and qualified talent. Really, it's right there in the numbers. Ironically, those same leaders, 90%, are willing to pay for training. Now, this is training that can lead to those desired certifications that people are looking for. Technology is always changing, so certifications that you hire for today may not be relevant tomorrow. Our recommendation, instead of hiring ready-made talent that can be costly, consider hiring for adaptability, critical thinking, and competency. Next, facilitate better coordination between the hiring managers and the talent acquisition teams, making sure that job descriptions accurately reflect the duties of the job and the desired competencies. Then, make sure that your interview process is updated to reflect those competency-based assessments and the different types of experience and transferable skills that many candidates bring to the table. A phrase I hear often from cyber professionals is, we want diversity of thought. Well, in order to get that diversity of thought, you have to hire diverse candidates. However, as we show here, there is a lot of challenges with hiring women, minorities, and veterans. These challenges then translate into a not-very-diverse cyber workforce. As you can see here, this is the makeup of the cybersecurity workforce as of right now. These are deep talent pools that are just not being tapped into. An additional roadblock is the college degree requirement. Based on research from Opportunity at Work, this has a huge impact on Black and Latino candidates, essentially writing off two significant populations. So, here are some suggestions that people can walk away with today. First is to start working with organizations like NPower that have pipelines of diverse, certified talent. Next, an obvious one, remove those college degree requirements from entry and early career-level roles, which will expand your candidate pools. Finally, review your job descriptions and remove any kind of language biases that may discourage diverse candidates from applying. And there are some resources that you can leverage to help you. NPower has worked with the Modernized Talent Management Group at NICE, and we developed a toolkit for creating better job descriptions, and that toolkit is available right now, and we're happy to share a link to that after the webinar today. Lastly, let's look at the retention piece. According to one poll, almost a third of cyber professionals are planning to leave the field altogether, and here you can see some of the reasons that they cite. These all tie back into what I've been talking about so far, training and diversity. The limited support for development of skills and lack of career pathways coupled with unfriendliness to women and certain ethnic groups really does have an impact on retention and diversity. And some additional insights is that while there are a lot of organizations that have diversity goals, 83% here, only 17% of global leaders are compensated on those outcomes, so a real big disparity there. As has been said many times before, what gets measured gets managed, but if these initiatives are not being measured, then what we end up with are diversity programs in name only, and the trend of revolving door diversity executives that we've been seeing over the past several years will only continue. If organizations don't provide growth opportunities and make all people feel that they belong, we will continue to see people leave the cyber field. So here are some ideas that people can start implementing right away. One, create those opportunities for professional development and upward mobility. When someone is onboarded to an entry-level role and they see that there is a career pathway, they will feel there is a home for them at your organization. Second, upskill incumbent workers and backfill those entry-level roles with diverse non-traditional talent. Internships and apprenticeships are great ways to groom new talent from the ground up. This is a cost-effective way to address immediate needs while preparing talent for advanced roles needed in the future. When a person can grow and thrive within a company, they tend to bring a sense of loyalty, which also helps support high retention rates. And finally, again, more resources that we can offer to you folks. My colleagues here at Empower with the Command Shift Initiative have created the Diversity Directive. This is a toolkit to help increase diversity, inclusion, and belonging within your organization's hiring, retention, and investment practices. Really a wealth of information that you can start leveraging right now. So in closing, I'd like to end off with some of the ways that the audience members can help us help you address this problem. One, reach out to us for hiring diverse certified talent. Engage with us for volunteering opportunities, either in our classes or on the executive level. And funding. We provide our training programs free of charge to our trainees, and the way that we're able to do that is through the generosity of our corporate and foundation partners. So that funding can help us to continue to provide that program free of charge to our trainees. Some of the value that we bring to the table you can see here is that diverse talent to help organizations meet those DEI goals that we were just talking about. Certified talent. All of our programs are geared towards industry-recognized certifications that are in demand from employers today. Those volunteer opportunities for social responsibility initiatives, either again on an individual level, in a classroom level, or on an executive leadership level. And then we also have a wealth of thought, leadership, and experience in this space, and we can work with your teams to create pipelines for non-traditional diverse talent. So I'd like to end off by saying a thank you to everyone. Appreciate your time and attention. I want to acknowledge our partners, Akamai, Carnival Corporation, CISA, ITSP Magazine, Juniper Networks, and Palo Alto Networks. They all helped to contribute and support today's event, and so really appreciate all of their efforts and support in helping make today happen. And so I am done with my part, and this tees it up for the panel discussion. And I would like to introduce our moderator, Sean Martin from ITSP Magazine. Sean, take it away. Very good. Thank you, Nelson. Thank you, Matt Velez, and the rest of the Empower team for including me to be part of this conversation. It's an honor. And I want to thank the panel for taking the time to prepare for this, and also be present for today. I'm glad to see everybody here for today's conversation. And most importantly, thank you, everybody who's attending, either watching live or on demand. Our goal today is to get people to think differently about how we view talent, approach talent, engage with talent, attract talent, manage and retain talent, and support the ecosystem in a way that makes this less troublesome, and we can kind of close this gap, which seems to be a consistent theme over many years. So there's no question I've been following the Empower team for quite a while. I love what they're doing. They're making some great progress, which we'll touch on a bit later. And I'm sure we'll hear about stories throughout the conversation today. But there's a lot we can do still. And that's what this panel is going to help uncover, things we have done, areas we can continue and improve upon. And without further ado, let's actually get into it. A quick round of hellos from the panel. I'm going to start with Elizabeth, you first, just looking for a name, title, and a quick word of why this is important to you. Well, hello, and it's a pleasure to be with everyone today. I'm Elizabeth Kolmstetter. I am the new Chief People Officer at the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security here in the federal government. And this is an incredibly important effort and initiative. And I think this is exciting to be here talking about this, not only to tap more diverse populations for the talent gap that was just very well articulated, but this is a national requirement. The demand is growing more than the supply can handle. So we have a lot of work to do. So I think this is incredibly important. And CISA, as your government agency partner, wants to be part of making this very achievable across the nation. Thanks. Thanks, Elizabeth. Devon. So hello, everyone. I'm Devon Bryan. I'm currently the Global CIO for Carnival Corporation, previous five-time CISO. And I would say, Sean, why this is important for me personally as a practitioner, certainly in the defense of the organizations that have trusted me to drive their cybersecurity programs throughout my three-plus decades as a practitioner, making sure that I was bringing as diverse a skill set, as diverse a talent pool as I can, to help to combat the diverse threats that the organizations that I've supported face was a critical part and a critical component of my go-forward strategy. So diversity of thought, diversity of perspectives, certainly getting rid of and avoiding groupthink, right, by bringing diverse perspectives to the day-to-day trench work that, as cyber practitioners, our organizations expect of us, right, was key to some of the strategies that I pursued throughout my career. So I certainly, you know, thank NPower for having me as a part of today's panel. I look forward to the conversations. Love it. Thank you. Katrina. Hi, everyone. My name is Katrina Muken. I'm the VP of Product Security at Akamai. And this is important to me for a couple reasons. First, because I know firsthand what it's like to be the only woman in a room. And I'm, you know, really personally excited about being able to change that. But also, I really believe that we need to have, you know, diverse perspectives and thoughts in security. It's an industry, things are always changing, and we need people looking at it from different directions in order to be successful. Thank you, Katrina. Kimberly. Good day, everyone. I'm Kimberly Quan, or KQ. I head up Cybersecurity Culture at Juniper Networks. And everybody, you know, I echo all of what was said so far. And from the perspective also of being someone who is the other in a lot of the work environments in cybersecurity, I not only think it's really important to go out and source in different places, because that diversity, which is effective for everyone, we need to bring that in, obviously, but also the importance of keeping that diverse workforce and making sure that when we bring people into our environments, and we train them, and we teach them about our companies, our environment, our technologies, that they want to stay and that we make sure that it's a comfortable place for them to be. And invite their friends. And certainly, last but not least, an outcome, a product of the great work that NPOWER does, which we'll hear about in the organizations, but part of the talent pool and an amazing student from NPOWER, Licole Bursey, a little bit about yourself, and maybe a little extra time for you about your journey entering into the world of NPOWER and your experience leading up to that point. Yes, hello, everyone. I'm currently an NPOWER alumna. I first started with NPOWER back in 2019, post-graduation, and entered into Tech Point Mentors.
and earned a certification. The next year later, they introduced the first National Cybersecurity Advanced Program, and I took up on myself to enroll into that cohort. Graduated from the cohort, earned my security plus, had the opportunity to not only train hands-on cybersecurity training, but also brought it down and I was able to obtain a security job, which I was a information security analyst. Empower is an organization that I fully support to help others to be what they need to be, and I'm looking forward to the conversation. Wonderful. Thank you, Nicole, and thanks everybody for your views. I wanted to hear why it's important. I'm sure a lot of people listening feel the same thing. The one point I think we'll hear throughout this whole conversation is that we're all being purposeful in our thoughts on how to address this challenge. We're not just going on our day-to-day journey, not thinking about this. We're all taking a good hard look at how we approach this, and I think coming together, this group we can represent and perhaps suggest some ideas that'll help folks do the same within your organization. So as we were preparing for this, many times I was asking myself, and I'm sure a lot of people on the line here are wondering why is this still a problem? Why are we continuing to talk about this? Why haven't we made progress? What are some of the blockers? And I think we have made progress. Statistics may or may not prove that out, but I think having the conversations help us make progress, and I think we're seeing subtle changes, and we're seeing work like being done at NPOWER make a difference. And I'm gonna start with you, Elizabeth. What, from your perspective, or some of the challenges that we've experienced that we've started to overcome, some of the roadblocks we've started to jump over, and maybe an example that you can share to help illustrate that. Absolutely, thank you. And I don't want to miss an opportunity to also highlight that we are here in October, which is Cybersecurity Awareness Month. So what a wonderful time for us all to be talking about this very, very critical need and topic. So I would say, I mean, of course, there are so many things that I think we, as a panel, are gonna talk about. For me, from the government, you mentioned the over 600,000 openings. Well, over 35,000 of those are in the federal government. And of course, our work is for the nation. It's for the American people. So our imperative is to make sure we are an employer who people wanna, who see a future, a career, that they can actually contribute. We do see that people want to make a difference. They want to work for an organization that has purpose and meaning and giving their time and talent to. So I, of course, think the government has the highest level of purpose. And we can talk about, in my case at CISA, a national security imperative to make sure that everybody's technology is safe, their use of, everything is touched by technology and enabled by technology. So what higher purpose would there be than to make sure the American people have security and safety in their daily lives and in their work lives? So I like to say that purpose is very important to talk about so that we can make a connection with people around what is meaningful for them. People go and they get education and certifications and skills, and they wanna put those to good use. So I'd say first is making a very compelling you know, presence around what it is the organization is doing. And I do think that that does broaden the opportunities for diverse groups to see themselves making a difference in the organization. And the second one that we're really focused on, obviously as the first chief people officer, we have separated the HR from the people function, people and culture. People wanna feel that they're treated as people and that they are not just an important person to fill a job. But once the jobs fill, it's onto the next thing. So one of the things that we are striving to do through my new role at CISA is to make this workplace, the environment, the experience that people have really bring out and celebrate their authentic selves, their diversity of opinions and thoughts. We do a lot around psychological safety because it doesn't matter if you have diverse people if they can't speak up their innovative ideas or their different perspectives. So it's not good enough just to fill the jobs. We have to have people experience a wonderful place to work where they can thrive as the people they are and those amazing ideas and talents they bring to us. So we go beyond recruitment and retention to bringing a workplace experience to life where they can thrive and feel they're making a difference to something that's really important to them and that they feel like, you know what? I'm making a difference. I'm here driving something very important. And so, cause the work is hard. So it's really important that people make that connection with the purpose of the organization. So I'd like to say it's more of a full employment value proposition of why come and do this work? Why come and work for this organization? So that's one of the things that I think that we could do more of just as we look to attract the kind of talent we need to fill the huge gap. So I'd like to just kind of put that out there as a starting point. Thanks. Yeah, I love that. And my co-founder of the magazine, Marco Capelli and I have had this conversation many times around kind of the public service announcement for cybersecurity and the value of it to the private sector, the public sector, society and the world at large. And the more we can raise awareness of how important and how potentially fun the job can be, I think the better off we are. So that's part of it is getting more people interested but then there's the next roadblock of, I don't know if I'm qualified. I don't know if I have the mindset. I don't know if I have the experience yet based on some of the job requirements that I'm reading. So Devon, I don't know if you have any thoughts on some of those barriers real or just in people's minds of how to approach this space to see the roadblocks, move past them, jump them, work with others to power through them. And maybe again, an illustration from you of how perhaps you've done this in many of your roles over the years. Yeah, so I think most everybody listening in and certainly my fellow panelists are all painfully aware that cybersecurity as a practice still has an image problem, right? In that, you talk to the non-practitioner, right? In terms of who in their mind, who do they visualize when they hear cybersecurity, right? And by and large, right? It won't be somebody who looks like me or Kimberly or Katrina or Licole or Dr. Comstead, right? So there's still this image that cybersecurity is a practice that's conducted by middle age, teenage to early 20s or so, white male in a hoodie in a dark room someplace, right? So there's still that prevailing image of who a cybersecurity practitioner looks like. So we have to solve for that. And there are great programs underway across multiple organizations to try to tackle that, but we still have a ways to go, right? Certainly, looking like I do, I'm very, very aware and coming from where I come from, I'm very aware that kids in the inner cities, right? Across our country, it's representation matters to them. Right? So, the saying goes, children can't be what they can't see. So it's important for current diverse practitioners, black, brown females to be visible, right? To help to, as Elizabeth just said, make this practice fun and make it appear like we're having fun doing this so that kids in middle elementary and high school who haven't perhaps even considered cyber as a career, can see practitioners who look like them and aspire to be like them, right? So we have to solve for the image problem. I think if we're all just honest with it, I think that's a start. So I would say that is a part of the problem, Sean. It doesn't necessarily address all the other dimensions of some of the challenges that we currently face. I mean, we have to, at a macro level, acknowledge the fact that technology underpins so many different aspects of our professional, personal, and social lives, right? As companies and organizations are looking to leverage technologies to transform the way businesses, governments operate in the services they deliver, right? So the technology landscape has exploded as such, so has the associated cyber risks, right? Because bad actors are always looking for ways to exploit technologies. And as such, as more innovations occur to drive different transformations across the business sector, bad actors will always find ways to try to exploit those. So that is also underscored kind of the vacancies that we are always trying to solve for, right? So to your question of how can we then start chipping away at addressing, you know, kind of sort of the hiring shortages, in addition to creating programs where we're visible at career days and our kids' schools and all that in communities, right? You know, we have to look to tap into non-traditional recruiting streams, right? How do we get access to pipeline of solid talent, folks like LeCole, right? And so one of the practices I've always employed, right, as a practitioner, excuse me, irrespective of where I've worked, is that in addition to the traditional college hiring programs that most organizations have, I have established relationships with Empower when I was at the Federal Reserve, when I was at KPMG, and I've leveraged those arrangements with Empower to really help me grow, build diversity into my workforce, right? So that's something that I've done, you know, as a, from a personal motivation perspective, that I would certainly encourage fellow cyber practitioners to do. I also leveraged the scholarship for service program that's administered by, you know, OPM as well, but when I found I was getting great candidates there, but, you know, I wasn't getting the diversity mix that I wanted, hence the appeals of, you know, a program like Empower. So those are some of the things that I would certainly, as a call to action to diverse practitioners, A, be visible, and certainly existing practitioners, yes, leverage your typical college recruiting and other kind of onboarding, talent onboarding programs, but also look to programs like Empower. I've found tremendous success in the Empower graduates I've been able to onboard at my previous organizations. Thanks for that, Devon. And then I think it's a natural transition. I wanna hear more from Licole about, I mean, cause there's the skillset, right? So you have to know enough to get a job, which we can, I'm sure you'll talk about a little bit here as well, but I think they're both Elizabeth and Devon touched on the point that you have to see an opportunity, recognize that you have the ability to pursue that opportunity, and that on the other side, you'll be welcome to pursue that opportunity and to be successful in it. So can you share with us a bit about how the full picture, not just, you can touch on the training, certainly how you prepared to be a cyber professional, but how you approach the whole big picture of being ready mentally, physically, and approaching the space and working with organizations to ultimately land a position? Yes, as someone who was previously in the job market and now has a fresh start to the job market, some of the things that I'm able to identify and change up the way that I job search. First, let's just get into the job process in general. First, we have the recruitment standpoint, and a lot of people have a very diverse set of skillsets based off the job that they previously had. And when we're looking for jobs, we're not looking to either have that same role or we're looking to advance.
And I feel like they can play 50-50 on both ends, because it's like, do you want to remain in the same place? Or do you want to move further within your career? And from a recruitment standpoint, it could also be like, OK, they already have these set of skill sets. So what are they actually looking for? And it's more so harder for recruitment to understand why is it hard to track down these skills they have. And most recruiters that I've been able to come across don't have a technical skill set. So how can we improve the recruitment requirements for typical skill sets so they're able to identify not only people like me, but people who are curious to what technology is and a new career pivot or anyone who's already in and just looking for different options that are being created. Because as technology continues to advance, there are going to be more and more jobs that be created. Not from a cybersecurity standpoint, but from across the technology standpoint in general. So we had the recruitment. Then we're going to the recruitment phase, then transition to interviewing. And within interviewing, you're either, and it goes back to recruiting as well, it's like, OK, how efficient are you going to get back with me if I really want this job? And do you really want me for the job? How are you building the relationship between recruitment and the job? And how are you forwarding that interest or relationship to the people who actually want to hire people like me? And so this is a relationship throughout their entire job process to even figuring out if the job is really going to be for you or not, or for the organization to feel like, OK, they do have these great characteristics for this role, but how would they actually fit into this role? How can they be able to adapt to this role? And it's the same for the job seeker, too. And within having to experience a job, some things we just don't realize about what's going on in the background, too. I mean, there are so many barriers of being a security focused organization, which causes leadership and or the solutions that team members have that work under this leadership to go back and forth within the structure of the organization. So how do we rebuild the structure of the organization so that the team to progress and how to get our organization security focus, which comes to the effect of that we lack effective cybersecurity awareness and training, not for an employee that actually works in the cybersecurity department, but also employees who don't work in it because they all play a part to win attacks happen. Everybody is involved. So how do we continue to build our training and our awareness of within cybersecurity? And I do believe that organizations like Empower does have a very effective training model to implement into organizations who want to improve their cybersecurity. I love it. I'm going to put this back to the panel. I don't know if KQ or Katrina or Dr. Comstert or Devon have some thoughts on this, given what Licole just described, where we might be in to make some changes. Raise your hand and I'll pick you. Go for it. So we talked during our prep about empathy. I think it's really important and you can always teach empathy. We need to use empathy when we're thinking about the way the hiring is now. We need to think where the diversity is. If we're all saying that we value diversity, then we need to start doing things differently. So we need to think about the standard processes that have been the status quo for the past umpteenth years and bring empathy in to understand where are those candidates that we're looking for? We can't have the same Caucasian guy, hacker type, kind of creating the workflow that we're going to use to go bring in our diverse colleagues. So we need to obviously source from different populations to cast our net wider, but we also need to think about the processes. What are we looking for in resumes? Where are we getting them? How are we writing them? How are we writing the job descriptions? So really we need to break down what we've been doing and think about the end goal as opposed to just doing the same thing and thrashing about expecting a different result. As Licole was talking, I was thinking about a friend of mine and he worked for a tech company for many years and was surprisingly cut. And his background is similar to mine with electronic discovery, information governance, and forensics. And I helped him along to teach him about cyber and I thought that there were good forays into cyber for him. And I told him about organizations and certifications and things like that. But if it wasn't for me having a relationship with him, and that's where a lot of people get their information, then where are they going to get that leg up, that help? And so organizations like Empower really help bridge the gap. Yeah. Katrina, your thoughts on this? Yeah, I agree completely. And I think, you know, changing the process is really important. When in the past, I realized, you know, we weren't getting what we needed out of traditional recruiting and looking for experienced hires and we had to make changes. A lot of work we had to do was internal. We had to rewrite our job description. So they targeted employee people with different set of skill sets, right? We're no longer looking for people with 15 years experience. We're looking for people who are smart and have problem solving and are curious. And I think the hardest part of that was getting our recruiters and the other interview panelists on board and really changing the expectations of what we're trying to get out of that process and making it friendly so that the people coming through it, you know, have the opportunities and are successful. And aren't being compared to, you know, this level and, you know, these expectations that we realize we don't need them to meet. It's not what we're looking for now. Dr. Kolmstad, can I call on you? I know you've made some specific changes within OPM to actually address some of this, right? Well, yeah, actually, the Department of Homeland Security was given a special authority within the federal government to launch a talent program called the Cybersecurity Talent Management System. And this was a unique authority that we have now across our Homeland Security Department, and it has new hiring processes to move away from the academic qualifications to an assessment that assesses the necessary skills and proficiencies to some of the points that were made earlier. Also has new compensation structures. One of the things the federal government has is a pretty rigid pay scale, and it doesn't compete with the market. And so this unique authority allows us to compete and bring more labor-related pay incentives to those with cybersecurity skills experiences. There is an incentive to continuously get more skills and higher proficiencies, in some cases certifications, but that continuous learning, because we know the technology advances are actually exponentially, you know, increasing. And so we want to have an incentive to continue to grow your skills and then get compensated as well. And that is a pretty unique kind of talent system for the government. So CISA is using that, and we've been hiring some of our workforce under that, and I think that's a very exciting new approach that we are benefiting from. I'd also like to piggyback on, I think, but actually, Licole and Katrina and KQ said, yes, the technical skills are important, but when you're talking about the early career, we have to also look for, and I don't like the term soft skills, I'll get on my soapbox, we've got to stop calling them soft skills. They are power skills. They are actually the things that help people advance and actually really bring that innovation, problem solving. Licole said collaboration and curiosity. We need people who want to work with other people, especially at CISA. Our work is partnerships with private sector, with academia, with the grants, such as what NPower got. We are constantly looking at. So yes, there's technical skills, but especially for early career, we want to see a diversity of skills and the kinds of, you know, things that people want to continuously learn. They're flexible, they're interested, and that's what's really bringing us the kind of, you know, new employees to come in and be part of our organizations. And I think that's something we sometimes, again, I think what Devon was saying, they think cybersecurity, oh, you have to be good at math and you have to be good at statistics, you have to be good at computers or computer science. And there's so much more. And there's just so much more availability that I think changing some of that dialogue, too, is you don't have to be a computer geek to be great at cybersecurity. We actually want some of these other kinds of power skills in our employees. So Devon, we've touched a little bit on, I'll call it the hiring ecosystem, all the pieces, parts that we might get one part really fine tuned, but we only get 10% of the value of it because the rest of the parts don't really connect with it well. How do you suggest we kind of get a big picture view of what needs to change here so that each player, and maybe some players have to move aside for some situations and become more prevalent and present in others? But how do we work through the ecosystem to make wholesale significant change, not just piecemeal change? So it's a difficult question to respond to, Sean, because it is a very difficult problem, especially in the private sector, right? So unlike, you know, what Elizabeth just mentioned, the special authority that was granted to CISA for the cybersecurity talent management system, that does not exist in the private sector, right? So what does that translate to? That translates to individual cybersecurity executives at all levels of the hiring process, right? Making a personal commitment, right? To have conversations with their HR leaders, their recruiters, right? You know, restructuring JVs, being intentional about interviewing panels, taking a hard look at, you know, do these positions really require college degrees, right? Can we switch and evolve to competency-based hiring that CISA obviously is leading the way with right now, right? And you put that in the context of, you know, the day-to-day of what CISOs are charged with, right? You know, first and foremost, they've got to protect, detect, respond, right? They're managing budgets, they're leading teams, right? But this would have to be an important enough imperative, right? They have to care enough. And that's the thing, right? You know, as Mahatma Gandhi says, be the change, right, that you want to see, right? So CISOs would have to own this and put personal stake and personal skin in the game to help to drive the change in the industry that they want to see by starting with their organizations first. And there are a number of folks who are very committed to this across the industry who are doing great work to try to move the needle in their respective parts and getting involved in groups like Empower. I have some colleagues on the ATCC. John Miller at Citi hires like 20 plus Empower graduates each year. He's my hero. That's, you know, that's who I aspire to be someday in order to have a program like that to onboard as many graduates, right? And others, right? And certainly getting involved with groups like Cyversity that I was lucky enough to help co-found, Women in Cybersecurity, the Grace Hopper Fund, on and on and on. It takes a personal commitment by folks who are really passionate about making sure that they are bringing, you know, as diverse a skill set as they possibly can to the challenges that they face from a diverse cyber threat landscape, right? And put in skin in the game. So, Sean, it's something that's not easily tackled. That's why the problem has continued to linger because it requires a personal commitment from CISOs and folks in positions to influence hiring to have that conversations, make the time, have the conversations with their talent management team, have their conversations with their head of HR to drive the organizational change and then incrementally the industry change that's necessary to help them. That's necessary to help to address this. Yeah. And I think being a storyteller for me, having a view of the end goal, writing a story to reach that end goal and telling that story to everybody who's involved or has a role to play in that story so that we all kind of march toward the same thing would be super helpful. In my opinion, I think when we were prepping, we talked about the idea of the cybersecurity practitioner being a hero. And I referenced my time in building technology, building products. There's always this hero mentality that you have to work harder and stronger and be better than everybody else. And it's kind of rooted in the warfare mindset that cyber has in general. But I'm wondering, and I'm going to put this to you, Katrina, for your thoughts on this. Do we, do we have perhaps an issue with the
role or the people themselves having this hero complex or being, we're magicians, right? Cybersecurity professionals are magicians. We do things, we know things that others can't and don't. And because of that, we're special and we deserve a spot. But I'm wondering if that plays a role in allowing others to come in. And I'm thinking of the hiring team and I'm thinking of the hiring manager and how they communicate and how they present the team to the candidate and the candidate to the team to, I don't know, are we continuing to set barriers there that can be removed and perhaps things get better, Katrina? Yeah. You know, I see in my experience, I've definitely seen that dynamic. And I think it is traditionally when you think about security people and they're sitting in the dark in their hoodies and, you know, solving all the problems and super special skill sets. But, you know, I really think what I see a lot more in the organizations I'm in is collaboration and everyone knows, you know, security isn't anyone's job, one person's job. And, you know, in my field in product security, we work really closely with developers and architects and we can't do it alone, right? They're the one building the products, we have to work with them. And so I see more and more emphasis on that in it. How can we collaborate and partner with groups and provide people, you know, with the tools they need to be successful and really, you know, it gets away from that idea that, you know, nothing that I do or my team does is like rocket science. Anyone can do it if they want to, right? You can learn the skills and be curious. It's really about, you know, wanting to know how things work, questioning how they work and, you know, do they really work the way you say they do and are they doing what they're supposed to do and wanting to make things better and fix things. And so I've definitely I think even just since I've started out, seen a shift from that and that like what we're doing is some sort of like, you know, magic, black magic kind of thing to being something that's much more collaborative and something that, you know, we have to do in partnership with the rest of our organization. And KQ, I've been waiting to get to this point on employee resource groups and the value they bring in the organization, the learning we can we can glean from them to help with hiring and certainly with training. So tell us a bit about the work that you've done at Juniper in this regard. Yes, so Hillary Weingast, who, you know, was very instrumental in this partnership between Juniper and Power, heads up corporate responsibility and, you know, diversity and inclusion. And in the amount of time that I've been here at Juniper, which is five years, it's really changed from being an environment where sometimes some diverse people came in and felt like they were other. And, you know, everyone had good intentions, but no one wants to feel like the kind of token employee. But what Juniper has done is built these really strong employee affinity groups. And when we were talking during the prep, it seems like it's pretty groundbreaking that there's a neurodiversity community as well here. But it's just really making sure that the people feel welcome and that they are celebrated. And these events that are put on have been for all the affinity groups. The participation is just it's impressive and the amount of interest employees have learning about their colleagues. So I think that that efforts like that go very far to welcoming those West who may look different from our colleagues or come from different backgrounds. And there's a real effort here. It's walking the walk, not just talking the talk. Perfect. I want to in the few minutes we have remaining. Kind of look at this from the perspective of. We have a talent pool, we'll call it a lake that we're fishing from, and if we don't restock the lake, right, if we don't keep the lake healthy so the fish survive and thrive and and and produce whatever it is we're fishing from them from the lake, then we're kind of shooting ourselves in the foot here. So I want to talk about. Investing in the talent pool, in the lakes that we want to fish from, investing in the people that we want to hire as employees and to be part of our organizations. So let's talk about. Hiring internships and and reinvesting back into the community that we want to want to have successful, so that I'm going to start or kick you, go ahead. I was just going to say, you know, internships are really they're they're incredible because you know what I was saying before about bringing people in and training them and making them part of the family and you really want them to stay and you hopefully you know you you both want to retain that relationship. So we are bringing in interns from NPower. Even before this partnership, we we did some some interns. I have one from high school actually for a program that we're doing that's community based and there there are youngsters who are coming in as freshmen who are actually learning about cybersecurity and other areas in Jennifer as well. But we we actually have someone who's a junior now who is deciding that she's going to go into cybersecurity. And so I know we all have different things we want to say. So I'll end there. But I just feel so strongly about these internships. I think we all do, but Katrina, I think you you as well have programs, right? Yeah, I know at Akamai we have a couple NPower interns. I've worked with NPower interns in the past and it's been a really great experience. You know, and again, it's just going back to finding these people that are, you know, they're interested and they're curious and they want to learn and contribute. And that's really, you know, it's like 90 percent of, I think, what we need in insecurity now, right, to get started. So that's been really great. And, you know, Akamai too has other programs to training programs and whatnot to give people access to technical skills who didn't come from a traditional background. And it's really important in building up the diverse workforce. Homesteader at your end. Yeah, I just want to jump in. So, of course, across the government, we have internships all semesters and over the summer. CISA has been posted at CISA.gov slash careers. And I agree. We also have high school and college, but you don't have to be in college to get an internship. So even high school. And I also want to highlight we implemented a program where we're doing exit interviews with every intern as they leave to find out what they benefited from and what they are looking for in a future employer so that we can also help them, again, stay in this career field. Even if you don't want to come to CISA or you don't want to come to the government, we want them to be creating this capability for the nation. So what are you looking for? How can we help build your network, introduce you to some of the partners in industry and so forth? So I think it's really important that interns, while they could be a pipeline for employment, are also a pipeline for us building this capacity we're talking about. So another great opportunity to hear from them about their experience and what they're looking for next and help them stay in this career field, which is part of what we're talking about. How do we keep them, retain them, giving into this this important career field? So that was just something we implemented and it's gone very well. We've learned a lot and we're really excited when they say they'd love to come and work at CISA in the future. But we are not expecting them all to choose that path. There are many paths. I'm going to hold Nicole's final message to the end. So, Devon, I'm going to come to you with some of the stuff you've done within power and beyond. And maybe any any final thoughts as well from you on this topic? Yeah, I was just quickly, you know, plus one on all the great comments that my fellow panelists have just rattled off in terms of internships. I would add just a couple of additional points. Certainly converting interns to FTEs is critical. And I think Elizabeth just touched on this, irrespective of whether or not those conversions happen within your organization or elsewhere across industry, the industry benefits. So that certainly is a plus. And in addition to internships, apprenticeships, those are also critical as well, because those kind of provide direct pathways from intern to FTE. Right. So apprenticeship programs are critical and also military transitioning programs. Right. I've been lucky enough to actually sponsor one of the first real onboarding programs, transition programs for military veterans since I've been at Carnival and I'll continue to support that. But yeah, internships are certainly critical. Staying with apprenticeships and military transitioning programs, helping our warriors who essentially place their lives on the front lines for our country, make that transition to cyber warrior is something that I'm deeply passionate about as a veteran myself. And so I'll certainly continue to look for ways to invest in that as well. That's fantastic. And I'll add to this point, Devon, that as Dr. Comsteader mentioned that we're in Cybersecurity Awareness Month and you pointed to the veterans here, that this can't just be on Veterans Day and for Cybersecurity Awareness Month. We have to find a way to live and breathe this on a daily basis and spread the love, if you will, with everyone that we know and interact with within and without and outside of the organization or the industry, I should say. As we wrap here, I'm going to hand it back to Nelson in a moment, but I think I captured a few highlights. And so I think for me, and I kind of pointed to this earlier, if we can we can be innovative in our thinking to actually see what we want to achieve and then can tell a story and then find the path to achieve it, we're going to have a much better chance of success for actually reaching that end game. And it's not going to, as we've talked about today, it's not just going to be one individual or one group or one entity or one company or one program. It's going to be an ecosystem, including recruiters and down into the high school range where we're raising awareness and perhaps bringing skills and training at that level and focus on the candidates. We have to make them successful. And with that, I'm going to give Licole the final word as we close here. Your thoughts on success thus far for you and what success looks like moving forward, thanks to Empower, I would say, right? Definitely is a big part of my growth, for sure. I can say I'm looking forward to not only never any success, but looking forward to who I am, what I am and where I'm going and how can I use that to get others what I need to be. And I'm looking forward to changing the narrative for everyone so we can have a better workplace, so we can enjoy our jobs, so we can really enjoy doing what we do every single day. And that's a part of the process and trust in the process. So I thank you guys for not only delivering a message today, but for Empower for providing opportunities such as this to help people as well. And thank you to everyone who's chimed in today. I took the time today to chime in and learn more about how can we further more safe this cybersecurity gap. You're an inspiration, Nicole, to me, I'm sure to many others, so hopefully this gets everybody up and down the hiring stack, inspired to make changes. And with that, Nelson, I'll hand it back to you. And as I do that, I want to thank this panel for a fantastic conversation. Hopefully those listening took a few nuggets that they can take with them and most importantly, think differently about how they approach hiring so we can we can close this gap. Nelson. Thanks, Sean, and thank you to Devon and Dr. Kolmstetter, Katrina, Nicole, Kimberly, all for taking time out of your extremely busy schedules and sharing in this discussion today. So, again, thank you to the audience for attending today's event. I hope, as Sean just said, I hope you found some useful nuggets and action items that you can take back to your organizations to start making some of the changes that we discussed today and help address this cyber talent gap. As we come to a close, I would ask that you keep your windows open. There is a brief survey that we would love to get your feedback on on today's event and how we can continue to plan more events like this in the future and make them even better. So, again, thank you all for attending. And we look forward to seeing you again in the future. Thanks all right.