Data’s Role in Building a Successful Cybersecurity Workforce Strategy

Speakers: Simone Petrella and Will Markow

*Since the live date of this webinar, N2K has changed to N2K. Emsi Burning Glass is now Lightcast.

Webinar Transcript

Simone Petrella  0:00  

Good afternoon, everyone. Thank you for joining us today and welcome to another installment of N2K’s webinar series featuring conversations with security leaders and industry partners to discuss some of the biggest topics and trends impacting the cybersecurity workforce. My name is Simone Petrella, Founder and CEO of N2K, and I have the honor of being joined today by Will Markow. Thanks for joining Will.


Will Markow  0:34  

Hey, Simone. Thanks for having me. 


Simone  0:36  

So just by quick introduction, Will is the Vice President of Applied Research of Talent at Emsi Burning Glass and where he oversees the research and consulting team focused on strategic workforce planning, as well as the impact of emerging industries on the workforce. Also, notably, and something that Will and I have worked together and certainly overlap, in many ways, is the partnership that Will and his team have with both CompTIA and NICE to lead the development of CyberSeek. I’ll make a plug for you,, is an interactive online tool to provide data on the cybersecurity workforce across the United States.

Will, I think you know, one of the reasons I’m so excited to chat with you today is we have very similar viewpoints, but also struggle with some of the challenges around how we can actually move the needle when it comes to the cybersecurity talent gap. One of the things that I talk about very frequently with my team and our clients is this concept of people, process, and technology. And the truth of the matter from my perspective is that a lot of organizations are very willing to easily make investments into large technology spends, or focus on the processes and controls around those technology spends to help manage and mitigate their cyber risk. But it sometimes supersedes the importance of the type of talent and people you need in order to make all those things work. What’s your take on that? And is that something you see as well in your work? 


Will  2:15  

100%. I think there’s definitely this prevalence of thought that if you invest in innovative new technologies, or innovative new processes, that’s going to lead to innovative solutions to cybersecurity risk. But the reality is, you really have to have innovative skills on your team, in addition to the processes and the technologies. I mean, if you are really just investing in the technology or the processes, to me, it seems a little bit like buying a Tesla for a toddler, right? It’s just gonna sit in the garage until they learn how to drive. And so you really need to have people with the capabilities to leverage those new technologies to leverage those new processes and use them smartly, in order to actually leverage and bring as much value out of them. We also see that when you look at the organizations that have the most resources, like the Fortune 100 companies, they have every resource you can think of. They have tons and tons of money that they can spend on technology, but they’re often better consumers of new technologies and new processes and solutions than they are actually creators of them. And that really comes down to the skills that their team has. When you look at the companies that are better creators and innovators, like unicorns, or startups valued at $1 billion+, their tech and R&D teams are 33% more likely to have emerging high-value high growth skill sets than our legacy Fortune 100 companies. And so I think that really underscores the value of not just investing in those innovative technologies and processes, but really making sure you have people with innovative skills on your team so that you can actually build those innovative solutions yourself. 


Simone  3:58  

You know, one of the challenges with the security sector, and maybe not the unicorns developing technologies, but at least any company that’s invested in protecting their own networks and defense, is when you think about those right skills, they are ultimately still a cost center, even the people. So what are some of the things that are important to understand and inventory when you think about getting those right skill sets into those jobs to leverage and maximize the optimization of those technologies? 


Will  4:25  

Yeah, I think that you’re exactly right. There’s another prevalence of thought that those skills are always a cost center, and investing in those skills are just going to cost you money. But it actually gives you a very strong ROI if you invest in those skills in a couple of ways. One is obviously if you can mitigate your risk, then you can reduce the likelihood that you lose a lot more money as a result of cyber breaches. But there’s also just the cost associated with eventually trying to hire those skills in the market. Because one way or another companies are always going to have to go out and find new skill sets, they’re always going to have to find new people. And the more proactive they are in that process, then the earlier they can make those capabilities in-house and the cheaper it’s going to be long term for them to develop those skill sets. We see some skill sets, for example, cloud security skills, DevSecOps, and others that can come with a salary premium of $10,000, $15,000, or more. And if you had invested early on and tried to develop your workers with those capabilities, rather than now just having to rely on buying them on the spot market for talent, then you would have got a really strong ROI on your reskilling dollar. 


Simone  5:35  

Yeah. Well, and I think you bring up a very good point. And I want to segue to that. But I think one of the things I know that we’ve talked about in the past is then this concept of, is it better to invest in buying that talent and paying that premium? Or do you build it? And I want to get to that in a second, but one observation I do want to make when it comes to that particular point, is employers and this is something I’ve seen, and just for everyone listening, you know, one of the things that’s so powerful about Emsi Burning Glass and their data is that they’re really looking at all the job postings that are out there and looking at the skill sets that are actually being requested in those jobs. And what always strikes me is that when we talk about training and upskilling, or getting the right people in the job, we’re kind of reliant on the employers to sign and define those roles. And you talk about cloud security, like, employers are the ones that are moving into digital transformations and integrating that need into their roles. And they are doing so at a much faster pace than the rest of the industry, if you talk about catching up to say, let’s create them for you on the open market. So I didn’t know if that’s something that you see in the data, where they’re sort of like the job requisitions are changing, but then there’s this expectation of the talents being grown externally. 


Will  6:56  

100%. I think that certainly in cybersecurity, there’s an expectation that there will just be enough workers with these emerging skills and we do see that in the job posting skills change very rapidly, especially in cybersecurity. Many of the skills I was just listing like DevSecOps, cloud security, and even some risk management skills are projected to grow 100 to 150% or more in just five years, and many roles in cyber and outside of cyber, they don’t have a static mix of skills. They’re constantly evolving, especially as new technologies come down the pipeline. And cyber is perhaps most susceptible to this because every new technology requires you to secure that new technology. And so there’s always a new set of capabilities that cyber pros have to know. But I think many employers are just expecting those workers to grow on trees, they are just expecting the K through 12, or the post-secondary training system to adapt as rapidly as possible. And even if they try to, that’s not a time-sensitive solution, because you’re going to have to wait at best two years, if you hire community college grads, for them to get a degree and enter the workforce. Probably going to have to wait four years or more for the next crop of bachelor’s degree or master’s degree candidates to come through. And so employers, they really have to be more proactive in identifying what are those changing skill sets and those new technologies that they now need to secure so that they can be more proactive in developing those skills themselves and really take a leading role in building the next generation of skilled cybersecurity workers. 


Simone  8:36  

Yeah. So when you think about that concept of the, you know, impetus to it’s better to build than buy. And, frankly, it’s, you know, based on what you’re saying, and we see it as well, when you just look at the sheer supply and demand, you really have no other alternative. If you’re an employer, you’re going to have to build even if you do select some roles that you’re going to make the decision to buy and get those skill sets internally. What are some of the examples you’ve seen? And what are the traits or characteristics of organizations that maybe have more of a build mentality versus a buy mentality? And how do they approach that if you’re even thinking about transitioning to this type of strategy? 


Will  9:18  

Yeah, it’s a great question. And just to double-click on the first point you made about how it’s really a misnomer to think that it’s a build versus buy, there’s no way around building. If you hire talent, eventually, they’re going to have to learn new skills, it’s just not static. So you’re going to have to be invested in that process of constant change one way or another. If you fight it, it’s probably not gonna go so well for you. And so I think that that’s really the first thing that the companies we’ve seen that are trying to make that transition away from a buy-first mentality to a build-first mentality, have to realize it’s really a culture shift away from thinking we can find the talent we need if we just go out and hire it or even if we just go out and outsource it even, that’s probably not going to work for you long run. And so we’ve definitely seen some companies that have tried to make that shift. And the first step is pretty much always first understanding where are you today. Understanding what are the skill sets you have internally and what are you going to need moving forward. And then what are some of the things that you can do to try to move the needle in a build-first mentality? I’ll give you a concrete example. We were working with a large manufacturing firm, that was looking at a cybersecurity team. And it had historically taken more of a buy-first mentality and was trying to transition into a build-first mentality. And what they found is that a lot of their cybersecurity workers because they took such a buy-first mentality, there was this described as a barbell effect in the skills on their team, where some of their workers in the cybersecurity team were highly skilled, they actually had higher proficiency levels than they were expected to have, and many of their highest value skills. But then the other half of the team were not beaming at the requisite proficiency levels, and they didn’t have many people who are right in that sweet spot. And so by identifying that, they realized that there were a) some folks on their team, who definitely needed to be up-skilled, and then b) they also had some other folks on the team who were in a good position to facilitate that and support those workers because they were highly skilled. And so I think that you’ll often see that the organizations that are trying to make that shift are fairly inconsistent in the skills of their team. And so there’s kind of an equalizing that they need to do as they go through that transition from a buy-first mentality to a build-first mentality. 


Simone  11:42  

Do you think that have you seen anything? And I don’t know if this is something that actually is evident when you look at the job postings that are out there and kind of by industry, but do you see certain sectors doing a better job than others when it comes to thinking about cyber skills?


Will  12:03  

It’s a good question. And interestingly, one of the sectors that we’ve seen as being a little more forward-thinking when it comes to developing their talent is actually the federal government, which you usually don’t think of as a bastion of innovation. But really out of necessity, they found they can’t compete with private sector salaries. So they just can’t compete in a poach-first market. So they’ve had to invest in hiring workers with non-traditional backgrounds, which might mean not having a bachelor’s degree, might mean not having prior experience working in cybersecurity, and they build some training programs to try and help grow those workers on the job. And what we’ve seen is that it actually in many cases, led to higher retention rates in the federal government than some private sector employers who are taking more of a poach-first mentality. And I think what that really demonstrates is that when you take that poach-first mentality, you really just try to compete on pay, you’re always going to get the people who have the sexiest looking resumes, who went to the fanciest schools who have the fanciest credentials. But often the people who know how to look best on paper, their best skill is knowing how to look good on paper. And there may or may not be substance behind the work they’re actually doing. So I think that the experience in the federal government has been one place where we, we have seen one sector, taking a little bit of a more forward-thinking approach to developing their cybersecurity talent. One other area I’d point out as well is actually the AI and data analytics space. You know, in some ways, they’re similar to cyber, but I think one of the things that they’ve been doing far more effectively than cybersecurity is giving more entry-level opportunities for people who haven’t worked in the field before. And I think that part of the reason for that is, it’s much more intuitive for an employer to look out at the universe of people who have some kind of quantitative background, whether it be science, whether it be tech or something else, and say, we can see how your skills are transferable into data science, so learn Python will take a chance on you. In cyber, I think it’s less intuitive for many employers to see where those skill-adjacent pools of talent are and give them a chance. But when we actually look at the data, we find that there are about 600 different occupations employers could be pulling cybersecurity workers from with just a little bit of additional last-mile training, which is actually more than AI and data analytics. So I think there are those skill-adjacent opportunities. Employers just don’t have the muscle memory yet to identify where they are. 


Simone  14:50  

Yeah. Which just as an aside, and I mean, I’m going totally off script from what we’ve ever talked about, but I find that to be such an interesting phenomenon from both a personal level as someone who has been in the industry for the last 15 years, where the reality is people who got their start in cybersecurity because it wasn’t a dedicated field. And it was considered Information Assurance and maybe a subset of IT. Really, almost anyone that started in cybersecurity in the last like anywhere, if you started before 10 years ago, probably came from what you would define now as an adjacent field. And yet somehow a muscle memory got built, that all of a sudden, we do have this expectation that people are just kind of pure-play cybersecurity professionals. I don’t know if that’s something you see in the data. But it is just a fascinating phenomenon because it’s not how we started.


Will  15:40  

Oh, absolutely. I think there’s this belief that there are these linear career paths in cyber as well as other fields. And the reality is, when you look at the data, it’s much more like spaghetti, people going all over the place. And I think cyber is probably one of the places where you’re exactly right, people were coming from everywhere. There wasn’t a clearly defined cart path for people to follow to enter the field. There was usually somebody who accidentally stumbled into security through one means or another. And then I would agree, I think, you know, magically, in people’s minds, a switch was flipped, and they thought, oh, there there is this pathway, we must have a cybersecurity career path, and everybody must follow it. And so we’re never going to hire anybody who doesn’t have at least five years of prior work experience in the field. No, that’s not how it ever worked and you shouldn’t start thinking it is today. And so I think that there has to be that mind shift, or mindset shift back towards that belief that people can come from anywhere into cyber and you as an employer can be actively invested in helping them develop the skills they need to succeed in those roles. 


Simone  16:48  

Yeah, well, I think that’s a great segue, because for those employers or leaders who are thinking about how can they build a plan and how can they prioritize the things that they need to do for their organization? You know, how do you, a) How do you leverage data? And b) how do you build a plan that’s actionable? Because I think the other challenge in all of this is when it comes to people, it’s the hardest thing to measure improvement on, right? Because we are constantly changing in a way that it’s easier to calculate that ROI when you’re talking about a tech debt or something like that. But what are some of the things that you have found to be successful working with some of your clients? 


Will 17:25

Yeah, so one of the first things is taking another mindset shift away from the belief that you should define your workforce in terms of job titles and headcount and measure success based on how many butts in seats you’ve got. The reality is you have to measure your workforce in terms of the underlying skill sets that they possess. And some organizations are more ready for that mindset shift than others. But what I have found is that most organizations, at least have one or two teams, often the cybersecurity team is one of those teams, where there’s a leader who’s totally on board with that. So we often recommend that don’t try to bite the entire apple all at once, take smaller bites, and start with one team. Cyber, often is one of them, that can more readily take a skills-based inventory of their workforce, and figure out what’s their starting point. And then from there, use either combination of market data, or internal data taken from stakeholders and conversations with internal folks about what are the skills that are going to be needed two to five years down the line, because then that gives you a starting point and an endpoint that you can then work backwards from and start to fill in what are the most effective combinations of building versus buying or even borrowing some of those skill sets that you need in order to close those gaps. So I think that really the first step is just figuring out who in your organization is ready to take more of a skills-based view of your workforce. And then getting that baseline of where you are today. Since, you know, if you don’t know what foundation you’re building upon, it’s gonna be really hard to build a firm house on top of that.


Simone 19:12

Right. And I think that’s one of the areas that you know, I would imagine that given what, you know, industries and employers are posting, some of the data set that you’re collecting in aggregate is probably very helpful in defining if a company hasn’t maybe done all the introspection to really do what, you know, our world on the surface I would call like a job task analysis. Where you’re essentially trying to like, squeeze the brain of the people doing the work and saying, what are the skills? Some of it can be market data-driven too. Do you see that in some of the environment as well? 


Will 19:49

Absolutely, and we do see a lot of organizations now realizing that some of the traditional internal ways of defining the skills or identifying the skills of their teams don’t work as well sometimes as using more of a market-based approach. Since unless you have strong leader buy-in to do assessments or surveys or things like that you’re lucky if you get 30 or 40% of your people to respond. And so what a lot of organizations are doing now is they are using that market-based lens to essentially infer what are the skill sets that are associated with the roles in my organization, in my industry. And where are there gaps between what we have historically thought was important, and put it in our job descriptions, versus what the market is telling us really is important today, or is going to be important two to five years down the line. And so I think there definitely is a very strong shift towards using more external market data about how skills are evolving in different roles in different industries to help figure out what are the skills you need to be building internally.


Simone 20:52

Yeah, and I think that’s such an important point when I think about what that means for building a program, but also sustaining and evolving that program over time because you can use that market data and it’s incredibly important. And I agree, I think one of the biggest challenges, I mean, and I’ll say this in full disclosure, as a company where we advocate for doing a diagnostic assessment to collect data on the actual competency of the people in those cybersecurity roles. That can be a difficult hurdle to get over in the mindset. But once you have that, then you can start to actually put initiatives, training, upskilling, rotational programs, a whole host of things, that once you have those two data points, you can start to measure over time and actually show that there’s a needle moving within the organization, as opposed to just benchmarking against only what’s happening externally. But again, that takes a significant amount of kind of strategy and thought. And I’ll throw another curveball at you when I ask this because it’s something I know that we encounter a lot. And I think it’s just you know, if there’s any anecdotes or things that you can share on where this has worked, or maybe not. You know, there is definitely a tendency where it’s a question in an organization like who’s responsible then for this approach to building talent? Is it the functional team itself in this case? Is it the cybersecurity team who has to take this initiative and gain the buy-in? Or do they have to talk to an HR business partner? And is that HR business partner taking the lead? Or are they actually just a supporting player? And certainly, you know, I’m oversimplifying that dynamic, because there’s personalities that get involved every layer of the way.


Will  22:39  

But it’s a great question to ask. And I think a lot of organizations either think that it can’t be done easily, or they don’t know where to start. So they never begin that process. Or they just realize, hey, we don’t have a partner in HR, or if they’re in HR, they say, we don’t know someone who’s a business lead so who is asking for this? So we’re not even going to try to do it. But what I generally found is that, whether you’re in HR, or whether you’re a CISO, or another division lead, if you have the will, you’ll find a way. And if you work with other folks in your organization, you can ask around, you can usually shake the trees and find someone who’s willing to work with you. And I think the most successful implementations we’ve seen usually are when you have a mix of the functional leader and someone in HR. Because HR, they may have already done some internal surveys already may have collected some internal skills, they might have access to talent analytics, that you don’t even know that they have. And the business leader, they’re really the ones who have to get people motivated and invested in this process. When it’s coming from HR and only HR, we almost never see success. I hate to be that blunt about it. But you almost never see that a centrally driven HR only approach is successful. But when we see the combination of a business leader and HR, it can be wildly successful. We worked with this one organization that was a medical device manufacturer, and they had a very strong IT leader who was saying we need to focus on building. We need to focus on developing a build-first mentality and grow our own. And they found a strong partner in their HR team who got them all the information they needed all the data they needed. They paired our market data with some internal assessments of their people to get their proficiency levels on different skills. And they got about I think, a 90% plus response rate, which is unheard of from a lot of traditional surveys that you give your people. And it really gave them a very clear line of sight into where they were doing well and what skills they actually had a competitive advantage in relative to their peers, but also where they could gain the most benefit from building certain skills. And just as a concrete example, we found that they had a large need for more workers who had knowledge of the NIST Cybersecurity Framework because they were rolling that out. When we looked out into the market, we found that just that one skill, on average came with over a $10,000 salary premium. And so what we calculated for them was that if they invested in building a training program around just that one skill, they could save talent acquisition costs of up to $540,000. Which is pretty significant ROI on just teaching one skill, 


Simone  25:43  

Right. Yeah, and probably something that doesn’t require a large amount of external resource allocation, you know, just to permeate that skill across the workforce. But you know, it’s interesting, you mentioned market and what you see out in the market, I’m curious beyond then from like, knowledge of the NICE Framework, what are some of the other skills that you’re seeing that are in hot demand and needed in the market data that you see today? 


Will  26:11  

So actually, the fastest growing skill we tracked in the entire market, not just cybersecurity, was DevSecOps last year. So I think that it grew something like three or 400%, year over year. So that’s definitely one of them. We’re also seeing that there’s an explosion in demand for cloud security skills. Everybody’s moving to different types of cloud-based infrastructure, and they need people who can secure those. So those are two of the fastest growing. We still see a strong trend towards demand for risk management and threat intelligence, even incident response, but the general umbrella term that I often get for the types of cybersecurity skills that we see growing most rapidly, is proactive security, as opposed to reactive security. We’re seeing a lot of demand for people who know how to build secure infrastructure from the ground up, whether that’s secure application development, or cloud security, or DevSecOps related skills, and less growth in some of those traditional reactive skills where it’s okay, well, there’s been an incident now, how do we handle it? They’re both still important, but we’ve definitely seen the strongest growth in the skills that are more proactive in nature than reactive. 


Simone  27:29  

Yeah. Now, do you think that that’s actually a complicating factor, when you think about this kind of initiative around building the talent and building the skills you need? Because we actually made the comment, like, it’s sometimes easier to take one bite at a time, start with one team, often the cybersecurity team. And I see this all the time in our work as well, where skills like cloud security and DevSecOps in particular, even risk management, you’re actually starting to get into those adjacencies, where it’s not a pure play defense of the enterprise’s network type of role, but has a very important, you know, component to play in the security of the organization. But that’s not necessarily the same teams who control like, it’s not their own budget, they don’t have their own reporting structures. So almost by design, you have no choice, but to look beyond that. And I think there’s an organizational challenge to that. But then it’s also like, how do you prioritize which of those workers and those teams end up having that build versus buy mentality? 


Will 28:31

It’s a really fantastic question. And I think that is also one of the factors that leads a lot of business leaders, CISOs or otherwise, to say, well, this sounds too hard, I’m gonna have to work with all these people shake all the trees and things like that. But I think that what we’ve often found is that when there is one person who’s really taking the initiative, such as the CISO, and looks beyond their walls to break down silos and work with other teams, they usually get a strong response. And people say, hey, yeah, we think this sounds like a good idea. I think that we probably have people on our team who would appreciate learning some additional skills, and we recognize the need to work together. And, again, sometimes you can do it with very minimal effort on the other leader’s part. So give you a concrete example. There was an E-commerce company here in the Boston area that they were doing a few billion dollars worth of revenue a year, they were a digitally native company. And their CISO was never allowed to hire more than three people at a time. And so what he realized was, it was just impossible to work with only three people and secure the entire infrastructure across this behemoth of an organization. And so what he ended up doing was working with other teams and saying, let me build essentially an internal Center of Excellence on your team. I just need one of your people. I will train them up in a few skills, it’ll take no more than 10-15 % of their time. And then they can be that Center of Excellence for the rest of your team. And it was, I thought, an elegant way of helping to disseminate skills across other teams, giving someone on those teams an opportunity to build new skill sets, build internal relevance, and their internal brand within their teams in a very minimal low effort way for those other organizations, and you made it very easy for the other teams to say yes to that scenario.


Simone 30:35

Yeah. And I know we are so both of us are so focused on the cybersecurity area. Obviously, you all capture data on a number of different industries in a number of different fields. I’m curious if this is something that you’ve seen an equivalent in any other field. When it comes to when we’ve been at a point in time where we’ve really had to invest in like, we have to grow this because not going to come and how did that work out for us?


Will 31:05

It’s a great question. You know, the closest analog I can probably see is data science and analytics. Because I think that was another field that really came about outside of traditional training infrastructure norms, and we used to call them hybrid jobs. But now hybrid work has a totally different meaning so we got to come up with a new term. But the underlying idea is that both cybersecurity and data analytics are fields that fuse together disparate skills from different domains in ways that traditionally really weren’t the case. It was a very clear pipeline for accountants, or you can even argue software developers more so than cybersecurity. And so I think that, what we’ve seen in the data science analytics spaces is a little similar to what I was saying before, I think a lot of employers there found it more intuitive to identify pools of skill adjacent talent that had worked as engineers or had worked in IT, or have even worked as a business analyst and had some quantitative background. And I think it was just easier in their minds to say, you know, quant background equals, you can do data. But in cyber, it’s a lot harder for people to have that intuitive link between, you’ve done X, so you can do cyber. And so I think that one of the things we try to do with our data is, is to help educate employers and others on where those natural linkage points may be where there are those pools of skill adjacent talent that you can potentially tap into, to expand the pool of cybersecurity workers. And what we’ve found is that there really are a lot of people out there. I mentioned that there are about 600 different occupations that you can fairly readily rescale into cybersecurity. And the employers who do that, we find that on average, they can increase the talent pool that they’re recruiting from by about 270%. That really moves the needle when you’re trying to reduce the time to fill those positions,


Simone 33:13

And probably be stronger in a cybersecurity posture because of it. I mean, the one example that comes to my mind is we did a skills-based competency assessment on a fairly large cybersecurity service provider team. And they were predominantly specializing in incident response, highly technical going in post-breach. But what they had, you know, they had found and they inherently knew this, but the data proved out, that they were still chronically suffering from a dearth of just basic network topology and network management experience and knowledge. Which this might not seem important at first blush but if you are going to be going in and investigating an incident, understanding the underlying network by which you are searching is really, really critical. But like somehow that entire step has gotten bypassed. So there was a knowledge of like, here’s a gap that we know, we don’t necessarily look for in the skill. But then when you compare that with what the people have, it’s like, Oh, we’ve confirmed that confirmation bias is real, and we have to do something about it. 


Will 34:17

Yeah. And I think that’s a perfect illustration of why the current model of cybersecurity workforce development is broken. Because I see so many companies that say we want to hire somebody who has three to five years prior work experience at a minimum, we want them to have fancy credentials, and all of these things. But that means that there isn’t a strong entry-level pipeline for talent and people aren’t picking up those fundamentals. And the people who do have those fundamentals in other fields are being overlooked by a lot of employers because they don’t realize how important those skills are to their cybersecurity teams. And so that’s another reason why it’s so important to take that inventory of your team’s skills and figuring out what are the capabilities that really are important to these roles, not just, you know, the three skills that I can think of off the top of my head that sounds sexist at the moment.


Simone 35:11

I actually am also curious, because I know this was something that when we first met, and this is a number of years ago, a lot of the skills that would be seen in the market data were around specific tools, which I always found to be such an interesting anomaly. Because you’d have essentially a synonymous skill for like a tool and the ability to use a particular language or tool, as well as then something incredibly broad listed as a skill, like information security, right? And so there’s really a hard apples-to-apples comparison. Is it still that disparate when you look at the data? Or are you starting to see that there is actually a bit of a, narrowing of the definition of what we’re honing in on when we define these skills?


Will 35:53

So there is often not a narrowing in how employers define these skills in their job postings. And so we have to go through that standardization process. And that narrowing process on our end, that’s actually one of the things that we do with a lot of organizations who, in some cases, we found organizations, they’ve actually tried to build out a skills taxonomy or skills list that they use for the job descriptions. But there’s no standardization, it’s all over the place, they can sometimes have 10 different ways of saying the same thing. It oscillates between being way too broad, such as just saying, we want you to have information security expertise to something way too specific, such as you know, and sometimes even an individual feature within a tool, not just the tool itself. And so I think the first step is often figuring out okay, what’s that right level, that it’s actually going to be useful to give people a concrete list of skill sets. But I totally agree that a lot of employers are still struggling to figure out what that right level of granularity is, in terms of how they define the skills that are needed in their teams.


Simone 37:05

Right, and to just acknowledge the challenge, not to beat the dead horse, but something that’s also constantly changing. And so when you think about what do you need today, but then also future-proofing your program so that you can kind of constantly evolve, like, what are the things that you need to put in place that you can build off of so that you can iterate in the future? Because you know, I think and that’s one of the things I would love to get your take on. I know I have a stance on like, what do you do? You kind of do all this work on the front end to identify these skills, maybe have a common taxonomy? It’s not a one-and-done. So how do you ensure that that’s something that’s actually sustainable and repeatable in a less cumbersome way?


Will 37:47

Yeah, no, I completely agree. It’s, it’s not a one-and-done. Skill sets are constantly changing. There are constantly new technologies that you have to focus on. I mean, just take 5G, we’re talking about 5G. Now, not too long ago, we were talking about 4G, you know, every 10 years, there’s a new G. And the same is true for many other fields. And so I think that the first thing is employers, they have to embrace the mantra that change is constant. There are always going to be new skills, and you have to take a more dynamic view of the skills in your workforce. That means yes, building that skills taxonomy, but also viewing it as a living, breathing thing that can change over time, just as the skills that you assigned to different skills or to different workers within your team have to change over time as well. And I think that really taking that market-based view and taking your cues from what are other people doing as well. And not just looking within your four walls, but saying, okay, what are my competitors asking you for? What are people in other industries asking for in terms of skills? What are the new emerging skill sets that are growing the fastest market-wide that is highest value, that our hardest to fill? We often find that organizations can really differentiate their workforce. If they’re constantly asking, what are the skills that are growing the fastest? What are the skills that are the highest value? And what are the skills that are currently scarcest on the market? Because if they focus on those skills, when they try to go and build them in their workforce, that’s where you get the greatest ROI on your reskilling dollar. And that’s how you constantly get first mover advantage by developing those emerging high-value skills before your competitors. Ao I think that, really just making sure you keep that consistent pulse on what’s both needed internally for your strategic goals, but also what’s being needed externally by your competitors and other peers in other industries is really necessary in an era of constant change.


Simone 39:43

Yeah. And I think what’s tacit in what you just said, and I know I’m a big proponent of it, and I know it’s a very hard concept to sometimes wrap our head around, but that’s where just taking this data-driven approach. Whether it be capturing the market skills and then using that as an overlay against what you then have internally, being able to visually capture that and visualize it in a way that you can actually report on it is almost like the first step because that allows you to have something to remeasure and then actually show here’s where the starting point was and this is where I’ve gone year over year. And it’s hard when you do that in a qualitative setting because then it’s just this sniff test. And you go well, we’re doing okay versus our competitors. Well, how do you know that, right? So that’s something that I think is implied and easier said than done. I know that can be a very difficult thing for us to capture when we’re talking about people. But you know, the market and what you have internally are the two places we have to start.


Will 40:42

Yes. And I think one of the important things you mentioned there was, to have a plan for how you’re going to visualize it and leverage it. I tell you how many times an organization says, okay, we’re gonna go all in on collecting all this data, we’re gonna get 3500 skill profiles for all of the roles in our organization. Then you ask them, okay, where you’re gonna put it? And they say, ah we’ll figure that out. Okay well figure that out now! Like what! It’s gonna sit there collecting digital dust. How are you going to visualize it? How are you going to roll it out to managers to talk to their employees? And you really have to have that plan in place, and at least have one trial partner again, it can be a CISO, it can be someone in the organization who says, yeah, I want to try this for my team. But if you don’t have that plan in place, and you just go out and aimlessly collect data, then you’re not gonna get much value out of it.


Simone 41:35

No, a great lesson to learn and I’ll let us pause there because I think it’s probably one of the most important points that we’re landing on. Will, thank you so much for your time today. I always love this discussion. And it’s always so great to chat with you. I hope everyone else got something out of it. And it will be available for recording. If you have any follow on questions, is there anywhere that they can go to find you or Emsi Burning Glass?


Will 42:01

Absolutely. So they can go to They can also go to if they want to learn more about the cybersecurity workforce in their region. And I’m always just happy to connect with people on LinkedIn. You can find me and if there are additional questions that I can answer for you, please feel free to reach out.


Simone 42:20

That sounds great. Well, thank you so much for doing this, Will. It was a pleasure. Have a good afternoon, and we’ll talk soon.


Will 42:27

Thanks, Simone. Great chatting.


Transcribed by