Cyber Workforce Optimization: Leveraging Skills Within the NICE Framework

Speakers: Jeff Welgan and Joseph Thompson

*Since the live date of this webinar, N2K has changed to N2K

Webinar Transcript

Jeff Welgan  0:06  

Hello, everyone. Thank you for joining us today for an in-depth discussion on cyber workforce optimization and leveraging skills from the NICE Framework. I’m Jeff Welgan, Chief Product Officer at N2K, leading our company’s strategic vision for cybersecurity training and workforce development solutions. I’m joined today by Joseph Thompson, Senior Associate of Booz Allen Hamilton. Joe is a senior leader who helps lead Booz Allen’s talent transformation practice, providing talent management solutions to support organizational effectiveness and employee engagement. Thank you for joining us today, Joe. 


Joseph Thompson 1:01  

Thank you. 


Jeff  0:42  

I actually want to start off with, a large part of why we’ve come together on this topic of cyber workforce optimization and the NICE Framework. It comes from staggering metrics in the current state of the industry as you can see on the slide here. So clearly, Joe, there are a lot of pretty jarring statistics on this slide. As you think about the current state of the cybersecurity workforce, what about the stats are most concerning to you as it relates to companies and employers?


Joseph  1:08  

I think the one that jumps out to me the most Jeff is the open positions number. That number only includes those that have been identified formally as cybersecurity. It doesn’t show all of the adjacent positions that would attract cybersecurity professionals or the myriad positions that actually perform cybersecurity [tasks] but may not be identified that way. Nor does that number show the growth in the positions because that’s a 2021 number. And in 2021, we had experienced 30% growth. So that number has grown today. We also know that the job postings in the information sector have gone up 40% since that number was collected, so that number is arguably well below the true size of the gap. Especially considering that US cyber professionals can be courted by companies around the globe. Even in the Western Hemisphere, the number of openings, for example, in Brazil, is higher than that in the US. So there’s a lot of gap. And it tells me we’re not going to be able to hire our way out of that gap. That’s what I see. But Jeff, when you look at that, three-quarters of all leaders struggle with sourcing experienced talent, I’m curious if you see that as more of an issue of finding talent with the right experience, or finding talent with the right skills.


Jeff  2:39  

Yeah, this is a tricky question, right? Because it’s not really clear from the statistic here where they’re saying, sourcing experienced talent, so what does that actually mean? Honestly, I think it’s a little bit of both. I think there are positions out there clearly that require a certain level of skill set or experience in those skills. So I do think it’s focused on skills, but that’s probably inherently related to experience for some things. I think where there may be opportunity to bring this down from a 73% struggle to maybe something still egregious, like 60%. Maybe by really looking at those jobs that they’re trying to fill and deciding, “Do I need someone who’s really seasoned or do I need someone who’s just really skilled?” Or “What in that job can be shed from a scaling perspective to someone else that may not actually need that level of experience?” and “What’s truly needed for that job where you really need the seasoned, experienced skill set?” That may be harder to find and focus on.


Joseph  3:51  

I think it’s an interesting point. I think sometimes we use the term “experience” to mean “skills”, because we haven’t talked in the language of skills all that often. I agree with you that in some cases, it may be seasoned, just a number of things you’ve seen a number of instances, but I think for a lot of hiring managers, it may be more skills. But you’re right. We can’t separate it from there. I think it’s interesting because, and we’ll talk about it here coming up, how do you tackle this problem? But that’s a big number.


Jeff  4:29  

And the talent pool is finite, right? So you really need to think creatively as an employer, when you’re looking at these stats about how you really address this skills gap that’s plaguing the industry at the moment. So it’s a good way to start us off, staggering stats. But the next thing I’d really love for us to talk a bit more about is how organizations should be thinking about baselining its cyber workforce skills and needs and I know you’re going to show a holistic approach that you use at Booz Allen. But before we dive in, I do think it’s important for us to step back for a moment here so that we can establish an important reference baseline for our audience, since we’re going to be mentioning NICE an awful lot. 


In 2017, NIST published its first version of Special Publication, or SP 800-181, the National Initiative for Cybersecurity Education, NICE Cybersecurity Workforce Framework, or NICE CWF, which is most commonly referred to as the NICE Framework. It’s still a very young framework, but one that seeks to give guidance to the cyber industry profession. There’s constant movement on this framework, as you’re seeing two different views of how it’s structured here on this slide. At the bottom where you see these 1084 KSAs, they’re moving more toward task statements, or TKS statements. That’s the common denominator across both of these. Right now, the NICE Framework really lives in this specialty area structure. So on the right-hand side of the slide, it’s categorizing the profession into 52 different job roles, and those job roles then break into 33 identified specialty areas, and then those specialty areas report up to seven categories that have been identified within the NICE Framework. But they’re moving towards this competency structure, which we’re seeing on the left-hand side, and it’s in draft mode or they’re very close to finalizing things, it still looks at the KSAs but those KSAs are grouped into what they call “competencies”. And there’s, in the current state, 60 in the draft. Those competencies are broken into competency groups like leadership or technical or organizational professional skills. So I think that’s important for us to understand how it’s broken down. The NICE Framework certainly has done a great service to the cybersecurity industry and its workforce. So I first want to acknowledge and commend the hard work that so many people have previously and are currently investing in the framework. That said, at the end of day, it is still a framework, it’s not meant to be all-encompassing, exacting, or prescriptive for those that leverage it. There are certainly some shortcomings to be aware of. So I’d love, Joe, for us to talk about the shortcomings and how companies and workforce professionals can work through or around some of the framework’s weaker spots. 


Joseph  7:36  

Thanks, Jeff. And, like you, I think it’s a great initial start. We’re trying to tame the wild west that if you think back, 10-15 years ago, anybody could hang out a shingle and say, “I do cyber”, and this is at least attempting to be able to do this. It’s sort of like the field of medicine, circa the 1870s, is where we were 10 years ago, anybody could call themselves a doctor. So it’s a good start. One of the weaknesses, though, to me, is that it’s really heavily focused, if not exclusively focused, on the technical skills. And one of the things that we’ve seen again and again, is that often what distinguishes a great cyber person from a great IT person is not the technical, it’s a soft skill. I think that the framework hasn’t gotten to that point yet. But that’s one of the big ones I see and one we have to work with clients quite a bit to help them understand.


Jeff  8:39  

Those softer skills are lumped in or linked to their professional group, and it gets associated with some of the managerial or risk oversight positions. But as you pointed out, as you progress, those skills become important to different technical fields as well. So it leads us to another potential weak spot in the NICE Framework in its current state does not really account for that leveling progression. It maps out certain knowledge and skills or tasks, statements that are associated to these different job roles. But it does not necessarily show the change from the entry-level position to your seasoned manager within the role. So I think that’s something we’ll talk a little bit more about later in this webinar, as well, and how you can think through that progression of leveling.


Joseph  9:32  

Yeah, because that’s a really important part. And as you said, we’ll get to that. But I’d be interested to know what your experience has been working with clients who were thinking through their talent strategy. Are you finding that most of your clients are aware of the framework and what are some of the challenges that you’ve heard them describing?


Jeff  9:52  

One of the biggest [challenges] is just trying to decide whether or not to fully align itself to the framework. They have titles within their cybersecurity workforce that don’t necessarily match the titles identified in the NICE Framework. And that’s another weak point. I don’t know if it’s a very solvable one other than just having a Rosetta Stone. And I think there are some resources that are out there that help with that. But that is a struggle. I always recommend to our clients that it’s not a one-for-one. Just because you have a SOC analyst, that would correlate to what NICE would say as a cyber defense analyst, doesn’t necessarily mean that that’s exactly the square box you need to put your SOC analyst into. It counts for a lot of the knowledge, skills, abilities, or tasks statements for that job role, but the industries are unique. A SOC analyst, maybe it’s a poor example because they’re a little bit more common from a roles and skills perspective across the board. But one job role at one industry, or let’s say, a cyber risk analyst at JPMorgan Chase, may be very different than a cyber risk analyst at a mid-tier bank or at GM, or a manufacturer. So those kind of nuances is where the art comes into really interpreting the skill of being a workforce analyst comes into play when you’re looking at the cyber workforce and how to use the NICE Framework. One question to you, Joe, is what are your thoughts about how security leaders should think about incorporating the NICE Framework in their workforce development strategies, this will help us segue into the next slide.


Joseph  11:35  

Yeah, and I think you touched on it. It’s a great starting point, but it’s not a destination. As you mentioned, it’s an attempt to professionalize the occupation. So it’s going to help us with a common taxonomy so that we can make some key distinctions. If we go back to this idea of the medical community professionalization, it helps us to give clear distinctions between what is a surgeon, what is a nurse, and what is a hospital administrator. But that framework, that taxonomy, doesn’t tell an individual team if they need a trauma surgeon, or orthopedic surgeon, or veterinary surgeon. So that’s really where it’s a starting point and you have to go deeper.


Jeff  12:24  

Great point. And I know Joe, at Booz Allen, you have a strategic and holistic approach, as we’re seeing here on the slide, to secure talent throughout the entire employee journey, which considers how to leverage the NICE Framework. Would you mind walking through this strategy for us, especially since we’ll be talking a bit more about some of the phases in more detail as we progress to the next couple of slides?


Joseph  12:47  

Sure. You know, it’s a whole process we could spend an entire webinar on but very quickly, we look at this as sort of talent defense in depth. Just like in cybersecurity, you have to have multiple layers that work together. That’s how we see this process. We try and pick up where the NICE Framework leaves off. Once you’ve identified that type of cybersecurity talent you need, that surgeon if we stay in the [medical] analogy, then we want to work to determine exactly what skills [are needed]. The critical skills needed by a pediatric neurosurgeon are not the same as those needed by a plastic surgeon. So then we want to flow the skills we’ve identified into sourcing and selection into the marketing of those individuals who have the critical skills needed, not just the generic skills, and we want to build assessments validated for those critical skills so that we find that pediatric neurosurgeon, not just someone who has medical school credentials, and then we flow those skills through the entire rest of the lifecycle. But the key is to understand that the skills you use as the basis for hiring aren’t skills that matter, they help you with sourcing. They should help you to hire a pediatric neurosurgeon, not a plastic surgeon. Once you’ve made that hire, then you’ve got to invest in them, you need to train them for the needs of your organization, and its roles, and not just for today, but as both the organization and the person grows. That means you’ve got to understand the skills the person has and the skills your organization needs. And I think, Jeff, that’s an area where N2K excels, isn’t it?


Jeff  14:31  

Yeah. And we’ll talk a little bit more about that. I think to foreshadow here what’s to come, really understanding the competency fingerprint for each of these roles is very important for employers. And that helps you differentiate or grow the skills where you need to grow them for the targeted role that you have in mind. But first, we need to secure the talent and source them in. It’s no good unless you’ve got an unlimited workforce that you can reapply to your problem set at your company. But those resources and those employees have to come from somewhere, usually, right? So I’d love for us to talk more about that planning or selecting phase. Joe, if we can turn around, what do organizations need to consider for sourcing that talent? So let’s talk a little bit more about sourcing. How should employers think about skills as it relates to identifying and sourcing talent?


Joseph  15:32  

Jeff, I think it’s a mistake people sometimes make thinking that they can solve the entire talent equation by hiring that exact, perfect individual who comes in the door that already has all the skills that they need. But that’s a real challenge. Our experience has shown us again and again, that in any given role for which you’re hiring, there’s only going to be maybe six to eight, at the most, competencies that are really vital and should drive your hiring decision. What’s interesting in our experience is that within that, every organization tends to have a range of tasks in a given role. So they run from the routine all the way up to the complex. Since you talked about this issue of if someone needs to be seasoned or is it about the skills? Because what we find is if you can say, alright, here’s an entry into this role, it’s only a very small subset of those six to eight competencies that are crucial that really make a difference when you’re hiring. So it becomes a real trade-off. If you need that, highly seasoned, they know everything expertly, they’re going to be few and far between. And they’re going to be very expensive. If you can afford to hire someone who knows enough to be effective, you’ve got a much bigger talent pool to choose from. Of course, the flip side is you have to invest in them once you’ve hired them. We can identify these critical competencies for a role, for different points within a role. That not only helps us on the hiring and sourcing, but it also feeds that other end because if you have unlimited training resources, like a lot of people do, this gives you a way to prioritize that investment. But I do want to emphasize at this point, we’re talking solely about competencies on which a hiring decision should be made at this point, we’re not talking about that wider array of competencies or skills that enable someone you’ve hired to excel in a role or in an organization. So I’m curious, Jeff, in your experience, have you seen that in a given cybersecurity role, of the key skill sets that matter, they change and they grow as the individual grows or as the position takes on more complexity?


Jeff  17:57  

Yeah, absolutely. You know, what you want from a SOC Tier I analyst to a SOC Tier III, changes a lot, right? As you grow in the field, any field, as you level up, your responsibilities do inherently often change unless you’re going into a real technical subject matter expert [role]. Maybe you keep those core skills and all you’re doing is refining those core skills. But generally speaking across most organizations, you start to see as you move from entry to mid-level, a greater proficiency in your core skills, and then starting to add more periphery skills or adjacent skills to it to make you a little more well rounded. Then as you move into this advanced phase, you really are fine-tuning those things, but then there’s a little bit of a natural evolution in the job. Whether you are now moving into leadership roles or not. As you move into those more business, spotlighted positions, you have to start developing some of the softer skills or professional skills that may become more important in how you present information, how you communicate, how you think about strategy, and how you develop your talent in your workforce. Warren Bennis, who is an American scholar, author, and a pioneer in the contemporary field of Leadership Studies once said that “Growing other leaders from the ranks isn’t just the duty of a leader, it’s an obligation.” That’s a really profound statement, right? Because as you move up in the leadership skill, your role changes to be less of a subject matter expert in the field of study, and starts to be more of an integrator for the business and then empowered to really grow the next cadre of leaders below you. That’s a really important skill set. You see that evolution as we plot that data across the leveling of any given job role as well.


Joseph  20:04  

Yeah, so I think the common theme that we both talked about here is if you understand the progression of skills when you’re looking at the sourcing and hiring, and then if you understand the progression of skills once you have them in a role, you’re in a much better place to be able to focus on what matters. And not just what matters but when it matters within that employee’s talent experience. And so if you’ve got more entry-level than seasoned, you’re going to invest in a different set of training or skills than if you have a whole lot of mid-level or very seasoned. And so again, the more you understand about those progressions in your organization, the more focused your efforts are going to be. 


So we’ve been talking about, you know, the skill set matter and how do you get there? Well, the important thing that we’ve learned is you need to do a job analysis so that you can identify the expectations for the role. So that you can identify what are those six to eight critical competencies that you need in the sourcing of talent. So it all starts for us with that job analysis to really get down to what matters in sourcing. As I mentioned before, we know that those skills that you use to make a hiring decision aren’t the only ones that are going to be relevant to the job. One of the things that I love about what you do at N2K, is you really plot out the skills and the competencies that you need. I’d love it if you could talk a little bit more about the fingerprinting approach that you use.


Jeff  21:50  

Yeah, it’s just not like the technical name for it, but it’s certainly what I always refer to it as because the shape, as you see here on the bottom left graphic, becomes very distinct, like a fingerprint. And so we’re looking at two things. I’ll talk about the left-hand side of this first one, when N2K goes in and does what we call workforce mapping and alignment. The goal of that is to really define what the expectations are, from a competency standpoint, for that job role, right? So we’re looking, again, leveraging the NICE Framework, and its draft mode of the competencies, 60 different competencies here broken up by the four groupings, those are color coded. And then we’re taking or leveraging an opportunity over one of the weak points with the NICE Framework because the NICE Framework doesn’t tell you at what proficiency level any competency should be for a job role, so we wanted to account for that as well. So we actually do a triangulation approach to getting to this data for our clients. We look at job descriptions that they have and we analyze that text, we use data analysis on that to extract the skills and convert those skills over to a competency. For example, a skill that might be listed in a job description might be something like SQL injection. You might have to have knowledge about that. Well, what does that mean from a competencies perspective? Because there’s no competency that’s defined as SQL injection. So we do that translation of figuring that out. We’ll look at the external market as well to find similar job roles and do the same kind of job description analysis there. So we have two data points. And then we actually go through a lot of consulting with our clients as well to put them through essentially what we call a competency exercise, or asking the job managers to tell us a little bit more about the competencies that are most important to the job role, and then grade them on a proficiency level. And then we’ll come in and do an interview and what we described as validate and calibrate in that interview. We can now then look at those different sources and say, you know, you mentioned that this particular competency was not important, but what we’re seeing from the job descriptions is that maybe it is important, so is it or is it not important? And that’s a fair question because they might actually say, No, it’s not important, I put it’s not important, the job descriptions are wrong, which we know is often a very common issue. Job descriptions are oftentimes outdated or poorly written. So we want to be able to validate that and then calibrate if it was important that needs to be bumped up from a proficiency level perspective, that’s the time to do that. And then we can pull this data together. So that’s really defining the expectations. The other thing that we do is we offer a diagnostic tool and you mentioned skills assessments earlier for different roles. We’ve created a broad spectrum diagnostic that hits a number of the areas in the NICE Framework that we can deploy to anyone in these job roles. Now, what that allows us to do is take that data on performance around knowledge areas, and then overlay, like an old transparency, if you’re old school and went to the school where they had projectors right. You could put one transparency layer paper down and that would be our job expectations. Now we can take their performance and overlay it and identify, is there a proficiency that they should have, but they’re not demonstrating? That’s a skills gap. Let’s identify how best to address that. So really arming our clients with the data to focus their investment or their time and efforts on the areas that are needed most for the workforce.


Joseph  25:38  

I think that focus is really a key piece, because, again, as we’ve talked about in the last slide, nobody has unlimited resources, and you get clarity on what to invest in, and what really matters when you do this type of analysis. And so I think it’s a terrific way to start understanding the cyber talent that you have, so that you can make those focused, meaningful investments and not just use the shotgun approach and hope you hit something.


Jeff  26:12  

Yeah, that’s right. And there’s a lot of training, I mean, we are a training provider, right? N2K. So there’s a lot of options out there for organizations. And going through a process like this will help you determine whether or not the vendor you’ve chosen is the right vendor for you or not. Because then you can say, hey, across the board, I need these types of trainings, at a broad level for my team or teams. Does my training provider really address my weak spots? Maybe it does, great. Continue investing in that training provider as long as they’re making effective changes, and improving those skills gaps for you. But we’ve also had clients say, you know what, our training provider isn’t addressing any of these areas. That’s a good opportunity to take that back to their budgetary decisions, and maybe even L&D, if L&D is involved and say, hey, we might need to look at some other options here because I need to invest in training that addresses the specific things.


Joseph  27:14  

Yeah. It’s interesting, Jeff, because I think companies make the mistake of thinking that they should control all the training, right, and we’ve talked about weaknesses, and focusers, that’s great. But one of the things about cyber talent is they’re gonna want to do training that’s of interest to them, too. You need a vendor who I think can provide not just those needs that the businesses identified. But you need to be able to get something that the cyber workforce itself is interested in doing. It may not show up as a weakness on your plots as a business. But it may be an aspirational learning that they want, and you need a vendor, I think that can hit both the business needs and the talent needs. And that often takes a vendor that’s got good, engaging training across a broad range of topics.


Jeff  28:09  

Yeah, absolutely. You know, one of the things that I really like about going through the work of actually analyzing competencies that are relevant for a job role is that you can really lean into the data, right, we highlight that a lot at N2K. That data assists with any career development plans and pathways to that point you’re making earlier about investing. And this is certainly the case when you have an employee who wants to progress, whether that’s up the ladder, right? They need to know what areas of focus are most necessary to get to that next level. But it’s also helpful for those who are looking for lateral moves as well. You see plenty of those, and especially if we’re looking strategically across the workforce, you might have a need over here that could be filled by another group of people or person. So it’s important to know that. So not only is it helpful for those individuals, as they’re looking at those career progressions, it’s helpful for organizations that want to be able to have really a thought-through plan for its cyber workforce, particularly in a time where talent is in high demand, right? So Joe as you kind of look at those, or these role comparisons here, especially in the light of sourcing and sustaining talent, what are some of your thoughts on building talent, versus sourcing or outsourcing talent? We’re sort of talking about the holistic approach at the full circle moment here.


Joseph  29:29  

So as we started off, when we’re looking at those statistics, the size of the gap is so large, I don’t think we can hire our way out of it. I think we’re going to have to use a blended approach where you invest in some of those highly seasoned experts, but a lot of it you’re going to have to develop internally. But regardless of who you’ve hired, one of the things we know about cybersecurity professionals is they don’t like to stay stagnant. They love to grow their skills, both their soft skills, and their technical skills, and then they want to use those to take on new challenges. So when we think of sustaining the talent, we really have to have those opportunities for them to grow and for them to put those new skills to use. So that means, as a leader, you either have to look for ways to create talent mobility options internally for your cybersecurity workforce, or your cyber talent is going to create their own talent mobility options by leaving for another organization. And so when we think about sustaining, there’s this really strong nexus between sustaining a cyber workforce and development. But you know, I had a question for you, you touched on it briefly, you touched on the role that, you know, understanding these skills can play in the job descriptions, but I’m curious how you see some of these detailed skills data also influencing that better applicant pool that is really tough for some organizations?


Jeff 31:06  

Well, it’s a great question. And I think, with every single client that we work with, there’s just admission across the board, that the job descriptions that they have, aren’t necessarily the best. And we admit it to at N2K, you know, when you’re sourcing talent, it’s like, you just want to get the talent in. So you want to get the job description out as fast as possible. So you either write it up quickly, right? Or in most cases, pull it, copying, you know, Ctrl C, Ctrl. V, from someplace else, you know, Frankenstein something together. And that is so common. But unfortunately, what happens is that there becomes five iterations or versions of a recycling job that happens, and then inherently, the job descriptions become a little stale. So what’s great about going through the process of fingerprinting the role, and doing it where you’re using the NICE Framework, which is very structured on how they look at TKS statements, or knowledge and skills or abilities, is that when we plot out the competencies. You can really focus in to your point earlier about when you’re sourcing, what are the most important competencies for the job role? So you could look at from our plots, anyways, anything that would be level, a proficiency level three, or above which we say proficient, advanced, or expert, particularly in those experts, advanced proficiency levels. And then you can go back to NICE because they lay this all out for you and say, Okay, well, encryption was listed as one of those competencies where we have an advanced [proficiency], it’s like a level or proficiency level 4 for this job role. Well, great, what about encryption, what knowledge, skills, abilities, or what tasks are really relevant for that job role as it relates to encryption? So you can actually go and look at the NICE Framework and whittle it down. Now, there’ll be a number of knowledge, skills, or abilities that are grouped under encryption, but not all of those are going to apply to your job description or your job role. Some of those are more applicable to one role versus another role. A good example being you might need to understand encryption concepts as a SOC analyst, or a forensics analyst if you’re going to be working on decrypting some things, right? Very, very different skill sets as applies to encryption as it does to a software developer who’s trying to do SecDevOps, right? They’re writing programs and scripts and making applications. So understanding which specific knowledge skills or TKS statements relate as it goes back to that you can actually just start pulling those from the NICE Framework itself, and reintegrating that into the job description so that you’re at least hitting on relevant skills that someone did that as a professional be like, Yeah, I know how to do this. I definitely know how to do that. I definitely didn’t do how to do that, that allows at least for a better JD that goes out on Indeed, when you’re looking for some of those candidates.


Joseph  34:21  

Yeah, I think that’s really important. I think a lot of people think that the war for talent is won or lost at the point of hiring, but increasingly, it’s really back at getting somebody to want to apply. And you need to understand that that job description, that’s, you know, the lure that you’re putting out there, and if the person, the pre-applicant, if you will, can’t make sense of your job description, if it’s so spread out that they’re like, I’m not sure if they’re looking for this or this, or if it’s not appealing to them, and they never apply. You’ve never even had the opportunity to compete for that talent. So that we view that job description, that’s the lure you’re using, right? When you fish in that talent pool and it the better that job description is for the talent you want, the more likely you are to be able to reel in the talent that you need.


Jeff  35:16  

Yeah, one point I’d like for you to maybe dive into a little off-script here, Joe. You know, I talked a little bit about skills assessments. And I know you all do skills assessments as well. But we also see on the screen here on the right-hand side talking about aptitude assessments. So I didn’t know if there was anything you wanted to share, and how to utilize or leverage both in this sourcing process.


Joseph  35:42  

One of the interesting things that we have found is when we talk about those six to eight critical competencies, is that in a lot of these different cyber roles, the majority of those critical competencies for hiring are often around the soft skills, are they problem solvers? Are they creative thinkers? And it’s typically not at the technical skill set. And so you know, the ability to sort of say, Oh, they’ve got this certification, or they’ve done that type of work is often not really the key foundational piece. And so being able to develop assessments that are looking for that ability to be creative, or that ability to solve problems, can really make a huge difference on your ability to get in the right type of talent, that once they’re in, you can develop in 100 different directions. But you’ve got to get that great, raw material to work with. It’s almost like if you get a wonderful piece of wood. A master carpenter can carve that into just about anything, right. But if you give them awful wood, they’re gonna be very limited in what they can do with it. And so we find that it’s often those soft skills are really not soft, but that is where you need a different type of assessment process to go after.


Jeff  37:10  

Yeah, makes perfect sense. We’re kind of at the final slide here and getting closer to time just for the audience. If you do have questions, we will try to answer a few questions at the end of this. So if you want to chat, chat that into the chat box. Feel free to and we’ll kind of keep an eye on that. But since we’re getting close to time here, I won’t go through this last slide, point by point, our final thoughts and considerations. But Joe, I didn’t know if there was anything on this that you wanted to cherry-pick out from it, and call out as an important piece of the puzzle here.


Joseph  37:47  

I’ll highlight the trends piece because there are so many labor force trends which are going on right now, which are making this a very complex area in which to hire. And I think that the more talent intelligence that an organization brings to bear to look at not only the skills that I need, but where my apt to find them, I think is crucial. And you know, so we talked about on that slide, where we’re showing the sourcing, if you try to hire for all eight competencies, you know, the number of individuals you’re likely to find are going to be in the 10s. And chances are, they’re already all employed at a major competitor. And it’s gonna be really tough to dislodge them. But if you can sort of move to the left on that and go for those smaller ones, it’s going to open up more talent in more places. And the more that you can look at those trends, the more you can study that the better you’re going to be able to identify which talent pools are already all fished out and where is there a fresh pool. And that I think is really key. If you are sort of reacting to what comes in, you’re not going to succeed. So I think that that trends piece is enormous for any kind of digital talent like cybersecurity.


Jeff  39:13  

Yeah, I personally really liked a couple on here, I liked the hire when found one absolutely right. And some of our best hires have come because we found a candidate, not necessarily looking for a specific role, but we found someone who we just really liked what they had to bring to the organization. And we said, You know what we don’t want to lose the opportunity of having this person with us, right? And we know that there are probably some great things that this person could do for the organization. So we’ve had some really great hires from around that kind of, they’ve just changed a lot of things at N2K in a positive way that has just been wonderful. So my advice would be don’t be afraid when you see somebody who’s just amazing or brings the right skill set to your organization, but you might not have a job description for it. If you have the budget, and you can try to bring them in, do it before they go to some other organization. And then the last point I would make is around that address training needs. Because we’ve been talking a lot about that. But when we do those competency fingerprint comparisons, right, you can really think through in a more nuanced way, what the learning path or learning journey should be for that individual or the team of individuals who are going along the journey, right? It doesn’t have to always be a robotic approach to certifications, although certifications are really great, they have some benefits. But sometimes you only might need a little bit from that certification, and a little bit from something else, and a little bit that’s kind of customized or tweaked or configured. So when we think through that, how to maximize your return on investment with your training providers, as well as that return on your employees’ time going through their user experience.


Joseph  41:13  

Return on assets as it were right. Because I mean, there’s the last time and I think it’s such a critical point, Jeff, because it’s a real mistake to just have this enormous learning catalog. I mean, this is a day and age where you can go to Tik ToK and learn how to do things or YouTube. There are so many options in training, it’s not helpful to give an employee, here’s your prodigious pile of training, find something. If you can address your training needs as an organization, it means everything. You know, like Booz Allen, we’ve identified where we want to have more training, we’ve incentivized people if you complete this training, then we’ll do this and that. And so you can create that focus, not just that meet your workforce needs, but that creates clarity so that you know, the average learner isn’t paralyzed by which of these 35,000 course offerings might I take, right? And that focus, I think, enables people to learn. It cuts through all the noise, and it says “this matters”. And so I’m gonna focus there. So I think that’s the way you frame that is a great way to think about it.


Jeff  42:33  

Awesome. Well, thank you, Joe, for making the time to speak with us. It’s always a pleasure getting to chat with you. And a big thank you to everyone who joined us today. As a reminder, you’ll receive an on-demand recording of today’s talk in an upcoming email. Also in the Attachments section, you can also find a PDF version of the slides, plus links to connect with Joe and I on LinkedIn. And you can also request more information from N2K or Booz Allen there as well. So thank you all. Thank you, Joe. Hope everyone has a wonderful day today. Take care.


Transcribed by