Archive.fm

CyberWire Daily

Solution Spotlight: Progress on the National Cyber Workforce and Education Strategy. [Special Edition]

On this Solution Spotlight, guest Seeyew Mo, Assistant National Cyber Director, Office of the National Cyber Director at the White House, shares the nuances of the White House's skills-based approach (and how it's not only about hiring) with N2K President Simone Petrella.

Seeyew shares a progress report on the National Cyber Workforce and Education Strategy nearly one year out.

For more information, you can visit the press release: National Cyber Director Encourages Adoption of Skill-Based Hiring to Connect Americans to Good-Paying Cyber Jobs.

The progress report Seeyew and Simone discuss can be found here: National Cyber Workforce and Education Strategy: Initial Stages of Implementation.

Duration: 31m
Broadcast on: 28 Jun 2024
Audio Format: mp3


Seeyew Mo is Assistant National Cyber Director at the Office of the National Cyber Director at the White House. Our own N2K President Simone Petrella recently caught up with Seeyew Mo. Here's their conversation. All right, well, I am so thrilled to have Seeyew Mo from the White House here today and for context for everyone listening in July of 2023, so just about last year this time, ONCD, the Office of the National Cyber Director, put out the National Cyber Workforce and Education Strategy. So Seeyew, to kick things off, we're about a year in, how are we doing on progress on the strategy? Well, good to see you Simone. Really admire your work. I've been following your work for quite some time now, so really appreciate the compliment every time. (laughter) Well, I really appreciate the opportunity to kind of talk about what we're trying to do here at the White House on Cyber Workforce and Education. And you are right, time flies. I mean, the strategy has been out for almost a year, not quite. 
And we are really excited to kind of give like a progress report about what we're doing, how we're doing. But I can stress enough that I say this all the time, I want to be repeating again, is that the White House Office of National Cyber Director, ONCD, is not the first office that is trying to solve the cyber workforce and education issue. A lot of people have been doing a lot of good work throughout the years. So, you know, I just want to suggest that, you know, we're not the only ones, and we're not doing this alone. It's just always good to start on by acknowledging all the good acts being done, and then talk about how we can collectively move everything forward together. So, I think one of the things that I love to sort of kick off on is that there is, you know, a progress report that you are all looking to release here in the coming days. Can you tell us a little bit about what we can expect to see as that report becomes public? Yeah, for sure. The report essentially reaffirms that the foundation of solving the National Cyber Workforce and Education issue is sort of like, takes all of us. You know, we are talking about what we are doing as part of the National Cyber Workforce and Education Strategy, which I will call, it's a mouthful, which I will call the strategy from now on. So, what the strategy is prescribing is that, you know, there are three broad issues in what they think today, right? None of Americans are considering a career in cyber or cyber security. They either don't see someone like them in the field or they don't know anyone who are in the field or they always assume that it's a narrow and technical role, like, you know, the old cliche of, like, the guy in the hoodie, you know, hacking and defending in the dark room kind of thing, right? So, that's one issue. And the second issue is training and education opportunities have not been able to keep up with the demand, right? So, the second issue. 
And the third issue is the idea that we don't have enough locally driven collaboration to connect people to jobs, connect people to training or provide wrap-around services so that the workers can get the support that they need to actually pursue a cyber career. So, what you would see in this report is sort of like a narrative on some of the progress that we have made on all of these three areas, right? That's right. I can go into the more detail later on, but just to sort of, like, frame the conversation here is that, you know, from the federal government standpoint, ONCD is coordinating with 34 other federal agencies so that we are all doing this collectively. And then we are also working with non-federal government organizations, right? Like competitive employers, academia, state, local, and territorial governments to actually, you know, move the ball forward together and we have commitments from over 100 organizations. So, you know, I can go into a little bit more detail, but what books should I expect to see is some progress on those three broad areas and then a narrative on what are some of the priorities that we have in the future in regard to those three areas? Yeah, yeah. One of the things, and see, you know, this is very near and dear to my heart, but from the spring, there's been a lot of releases coming out of the White House and then subsequent reporting on the emphasis on a skills-based approach for employers, but also the federal government. And I was hoping, you know, you could sort of provide a bit of explanation and clarification on what does it mean to do a skills-based approach in cyber? And what does that mean from an ONCD perspective? Sure. Yeah, I think many of us always relate skill-based approach to only skills-based hiring, right? I think I want to kind of pull this up to this and say, hey, it's actually more than hiring, but often time, the work starts at hiring, right? 
Because when we think about skill-based approaches, we have to think about the skills that necessarily do a particular job, which lends itself to changes and updates in a job description, for example. It lends itself to changes in qualifications, right, and all these different things. So, but what I want to kind of take a step back is to sort of ask the question, okay, why are we doing skills-based, right? The reality is a lot of Americans have certain skills, and they have acquired either from a job or from a training, but it might not have an official certification or degree, right? So, when you focus on skills, what we're doing is that we are making sure that we are not -- we are removing and lowering the barriers without lowering the standards, right? So, that allows us to actually build the best team possible to achieve the mission that we want. Yeah, and that makes a lot of sense. And it makes a lot of sense because, you know, if you don't have that understanding of your requirements to begin with, how do you actually start the process, continue the process? Like, you can't implement it for anyone without doing that sort of foundational workload. That's right. So, when we think about skills-based approach, it has to stop on very top, right, from a strategic level about what are the skills that we need to accomplish the mission, and let's figure out who, you know, what level of employees and, you know, that has -- like, what kind of role should have what skills, right? So, that, we believe, gives you a more flexible way of thinking about talent and the pipeline, right? So, now, we're not going to get there right away, right? And I think, you know, and I totally understand it, as you're trying to promote skill-based approaches all across the country, we realize that the federal government has to lead by example. 
And if you know Simone, like, making changes in federal government is difficult, but there are areas when we kind of get a lot of people together, and that's why we, you know, worked with Office of Personnel Management, OPM, and Office of Management and Budget, OMB, and our 34 other federal agencies to sort of like, hey, but there's a way for us to sort of get going, right? Get as much of the processes converted to skill-based approach, let's do it. And that's what we announced in April of this year at the White House convening for good-paying, meaningful jobs in cyber, is let's take one occupation series in the federal government. So, this is like the broad categories of jobs that affects a lot of cyber workers, and we found that about 60% -- a little bit more than 60% of cyber workers in the federal government is covered under the 2210 Information Technology Management series. So, what we have decided collectively is the administration will modernize, right, the 2210 occupation series into skill-based approaches, right? So, that means, you know, you know, we're going to try to go as far as we can, right? Starting from minimum qualifications, right, looking at roles and all these different things, right? Now, I don't want to sort of prejudge the actual outcome, you know, but to know that, you know, it's more than just hiring as the whole approach itself, right? So, and the staffers are currently working really hard because we have a deadline of sort of getting this done by the summer of 2025, right? But I hope, you know, also see a lot of the -- you know, we've turned out that a lot of best practices, OPM is talking to the interagency. We are talking to interagency actually trying to set us up. You know, given the deadline that's coming up for summer of 2025, you know, just to maybe dispel any concerns that anyone listening would have, that obviously sounds like a big deadline. 
But, like, what's the volume of job descriptions that we're talking about here, just because I want to kind of be able to make clear to an audience that, you know, it might not necessarily take you a year, even though the federal government for, you know, 100,000 occupation series positions. Well, the -- what I will point out is a lot of all these work are ongoing, right? And this is just like the culmination of it. And it's what I would say about, you know, about that. And then, like, for those who are listening, when you're making policy changes like that, we have to remember this is, you know, people's likelihood, right? And, you know, like, you know, we want to do it right. We don't want to rush -- we don't want to rush it. And we want to make sure that we follow the processes that we have in place. And then also, we're talking a lot about, you know, like the 2210s exist in a lot of different departments and agencies. So, you know, we want to make sure that everyone's equity is represented here. But I think the signal that we're sending, right, like the takeaway here is, if an organization has large as the federal government is willing to do this, right, I think all of us, right, organizations pick a small -- all across the country. Now, just in Washington, D.C., or the tech capital around the country, my hope is everyone's going to come together to really look at how they can take advantage of the benefits of skill-based approaches can provide, right? Think about the business objectives that you have, your mission, the organization is trying to deliver. Think about the skills that you need as you come up with a workforce strategy, like a talent plan that you have. And then, so I think about how you can kind of create a pipeline set up so, like, the workforce mixture that you need, right? Like, not everyone has -- you know, not everyone has to have, you know, not everyone has to be the most senior or technical person. 
They might be, like, you know, a mix of combination of, like, some senior and, you know, and true level, right? So, I feel like when you start thinking about skills in that sense, then that opens up how you think about your workforce, and then, in turn, change how you'll go about recruiting and retention, reskilling, and up-skilling, right? So, that's, like, the key thing here that we're trying to push for is, yeah, it's more than just about removing a degree requirement, right? I happen to believe that degrees are extremely helpful, and, you know, I have a degree myself. This is more about how can we take a more agile approach in thinking about skills and talent and workforce, and if the benefit is, it opens up pathways for more folks who might not have the right technical degree, you know, like, boom, Simone, you and I, you know, we're seeing some of these famous or popular cyber people. They are, like, philosophy majors or, like, music, musicians. So, you know, if you think about, like, hey, we need, you know, CS degree only, then you kind of miss out on all these other talent, right? That's what we're pushing for. I mean, I just want to, like, emphasize what you said right at the beginning. I think the takeaway is, if the federal government can embark and sort of lead truly by example as the largest employer in the United States, then, you know, we should be able to do it in our own organizations, too, and take that step and invest in it. Yeah. And then if you look at the way the federal government is invested, so here's the second takeaway for everybody, right? As the federal government and the Biden-Harris administration is making tons of investments across the country, right, across, you know, chips and science bill, inflation reduction act, right, and the bipartisan infrastructure law, right? 
Just to know that, you know, we also have complementary efforts to make sure that the American workers, right, the workforce are equipped to actually, you know, deliver on those investments, right? And as part of that mixture, what we have done, you know, in the implementation of strategy is to align cyber workforce and education needs with all these investments, right? When you think about it, right, as the world's getting more digitized, if we're making investment into, like, clean energy, right, battery manufacturing, we're going to need cyber folks to help protect manufacturing plants. We're going to need, you know, we're thinking about charging stations. We're going to need cyber security in charging stations, right? Same thing with chips and science, same thing with, you know, building a new wing in an airport. It will be cyber consideration, right? So as part of that, ONCD is working in integrating and aligning this workforce strategy with all these other workforce efforts that we see from the federal government. And a couple of things that we'll point out, like, you know, just to, like, to build on the skill-based approaches that we talk about is, you know, the Biden-Harris administration has invested about $440 million in registered apprenticeships. Now, not all $440 million is for cyber security. It's also for, like, you know, all these are high demand and demand industries. But cyber security is one of the categories that we are pushing for, right? And that, that type of on-the-job learning, right, on the work, you know, on-the-job training in which workers can earn and learn at the same time. And that's just, like, a variation of how we can provide quality pathways, but also another way to think about skills. When you think about skills, then you realize, wait a minute, there are some skills that I really need when somebody starts working and there are some skills that I can help develop once they join the organization. We'll be right back. 
One of the disconnects and challenges that I see, and we see in some of our work, and I think apprenticeships are a great example of it, is we've started to make real progress on the entry-level side. We had some recent data that was released out of CyberSeek that shows that we've actually, for the first time, started to see a surplus in entry-level candidates. But is that because we've actually created more entry-level candidates, or are we actually not providing them enough opportunity to get into those jobs? We ought to ask that question. That's the missing middle issue here in the White House. I just want to point out, right? I want to thank CAS for releasing that report, because you will see in our implementation, initial implementation report that is coming out, is that White CAS made a commitment to the White House that they will be creating this EOS report as part of their support of the strategy, right? 
So that's just on the kind of mission they get to call out, because that's one example of, you know, the government cannot do it alone. It takes all of us, and in this case, we made a very deliberate approach when we released the strategy to know, like, hey, we do need more metrics. We do need to know more why there are folks who have certifications, and yet they haven't been able to get connected to a good pathway into a job yet. So, you know, food also, like CAS was, like, delivering on the talent report for all of us, right, from the benefit of the whole ecosystem, so appreciate that. Now, back to the original sort of, like, what you were saying, like, hey, we have to ask the question, are we creating so much more candidates for entry-level now, or are we artificially changing the workflows to sort of say, hey, we actually need, instead of one person with, I don't know, two to five to eight years of experience with this skill, and then everyone is going for that small pool of candidates. And this is what I tell companies all the time, or I know that all the employers, right, private and public, is that the entry-level employee today is the senior technical employees of the future. If we do not continue to grow and develop our entry-level employees, then the missing middle problem that we have, right, will continue to grow. So you kind of have to think about, you know, you have to kind of balance, like, what you need today, and also what you need two to five years from now, because you can already see what the trend line is, where is the things going to go. So what we want to push for is global hiring and approaches. It's like, hey, you consider changing maybe your entry-level roles, right? So you kind of move your roles, be more flexible on how you think about your roles, so that there's a way for you to get more retention-level folks, with a pathway for them to get new skills, then they become the next-level senior talent that you need. 
And then also perhaps you need to kind of reassess your current senior talent roles, right? Are they doing too much? You know, are they -- is it reasonable, right? Are you looking for the unicorn, right? Which, you know, based on data so far, things like, by and large, companies are looking for that unicorn, because we see this as, like, you know, the fact that people are getting paid a lot of compensation to move from, like, one sector to another, that's a proof point right there that, like, after someone hits that two to five-year experience mark, they get recruited through everywhere else. That's a sign for companies to be like, okay, we need to rethink this, and we think the base approach is the way to do it, but coupled with things like registered apprenticeships, cyber clinics, right, all these other stuff that we're doing to get more hands-on learning, but there's also a limitation on those programs, right, in terms of, like, little hands-on approaches we can do to get closer level that you need. On that skills-based approach, I wanted to, like, also emphasize the plumbing you just said, because Rick Howard and I have this theory about how cybersecurity is actually -- we're at, like, the beginning parts of the analogy to Moneyball when the, like, Oakland A's baseball team had to field a, you know, a team with a budget that was significantly less than the best teams in the world, like, the Greenpeace, and so you can't buy your unicorns at that point. 
In fact, they lost all their unicorns, their A players, and, you know, in cybersecurity, I think that kind of the challenge that companies often struggle with are, you know, they're not all fielding the same amount of players, and so the positions are all slightly differently defined if you, like, break down the skills, but we sometimes forget, like, that has to then get tied to their business objectives, and that's an opportunity that we have, because then you can say, what are the skills I need for my business objectives, how many people am I actually kind of creating to actually build out this capability? Now, let me think about how I can actually fill those with talent that either is in the pipeline, is existent in my workforce, that I have to upscale whatever else it may be. And that's the opportunity, right? Like, I know we talk about, like, the hundreds of thousands of open jobs right now. They're, like, I don't know, tens of thousands of managed action, tens of thousands of health care, tens of thousands in utilities, right? The opportunity here is, if you do those analysis of what you need for your sector, that's the competitive advantage right there, because then you can kind of put the mixture together, right? Like, perhaps you don't need the, sort of, like, super senior, you know, pen tester that some sectors might need. Yeah. You know, depending on your sector, but there are some skills from pen testing that perhaps you need. And that, but that, but then you're building up a profile of the people they are looking for, or Google people they are looking for, that are not necessarily the same people that you're competing against. I think that's why, you know, in our strategy, we sort of talk about 90% of the jobs will require a sample of digital skills. And I think, in fact, you can tip that analogy further by saying more and more jobs will require cyber skills. 
And even your job, you know, let's say you're like a water utility, you're like, you know, on a water engineer, whatever. There might not be a cyber in your title or your job description. But we think that you will have to do some of those work, right? You know, on the flip side, right, it's like software engineer. You're not a cyber engineer, a software engineer, but, you know, you get, you know, like what the national cybersecurity strategy was saying, like, we need to build more resiliency chore stuff. So in this way, like software engineer is, well, they're not cyber security focus people, they get stuck doing things are more resilient as well, right, calling things are more resilient. So you can see a lot of all this and analogy everywhere. I think that's, I think that's it, right? Like we think about the key point, like the key part of what we're trying to do here and you see this in this recording. The administration is taking a coordinated approach, a whole of mission approach, because these jobs exist in all different sectors, not on technical or not technical in a way that you envision that their technical to be in a water utility technical right or energy pipeline technical work there, but they're not the guy in the hoodie anymore. So that's the headline. So if that is what's happening, what are we doing to help well with elevating field based approaches were leading by example. In the federal government. So you should do it too. And we're cooperating and partnering with private sector, academia, seeing local government, you know, nonprofits, all these different organizations. But all collectively get their right skills, skill based approaches, hands on learning. Think about, you know, reading about your work roles, right? How are you creating a pipeline. So that we can remove barriers and broaden pathways for folks to join in. And then we talk about individual or individual or regional differences, right? 
Like a job in, you know, Tampa, Florida, very different from San Antonio, Texas, very different from Washington, DC, very different from like Boise, Idaho. So, you know, when you click a locally driven approach, you think about collectively, what do we need? What kind of skills are necessary in your region, right? And then that permits to, at an organization level, one of the skills that I need for my business objectives for my mission, then it permits them to. Oh, what are some of the on rants we can get. Oh, perhaps I need to partner with my local to your college, or maybe even K-12 school district to kind of figure out how can we get some of these foundational and basic training. So that you have a pipeline of entry level employees. And then you think about, oh, are we asking too much from our middle or senior level technical people? How do we read just that? And how do I be a part of the training and education solution, right? Like a company or as employer, you know, should I maybe partner with my employer for certification? Or should I partner with my trade association so that collectively on a smaller side, you don't have resources to have busy, right? So perhaps the trade association has a work stream, they can kind of support all the smaller players in a way that is beneficial for everybody. So you can kind of see the tool line of all the skill approaches, but they are emanating in different ways. And then, and all we do in the White House is we're convening, we're pushing on the same vision. But really what we have found is that many of the better solutions, good solutions come from businesses. They come from locally different partnerships, right? Like, you know, I didn't go tell, you know, anybody to kind of merge water and cyber because they're any one of my team, all the administration. But some universities saw the opportunity and they're kind of like forming it. But what we do is we are spreading the gospel. 
Now, more schools are seeing like, oh, water and cyber, interesting. Every county has like a water treatment plant, you know, so that's something that is, so that's like the exciting part of the work. And I hope that like, you know, the people who we are report will see the direction that was taking and kind of join up. On this in this work. Since when this is, this is published, the report should be available. Do you have a placeholder or a link where people can go access that report yet? Or is it a TBD? Go to whitehouse.gov/cyberworkforce. That's where you should track all work. That's where all the commitments live. That's where all the strategy lives. And the report will be on there as well. And then there's also a way for all of you to reach out to us, you know, if you scroll down to the web page, there is a form there. So if you have, you know, any ideas that you would like to pursue or any on your project that you think is very aligned and you want to talk to us about it. We always look for projects to highlight and elevate. Just because, you know, other people might be thinking about the same thing. They have to see an example working in a different region on different factors. They might try to replicate it in just sector in their region and then collectively, well, that much better. What we do so. Awesome. Well, Seeyew, thank you so much for sharing updates on where things are with ONCD and the progress of the strategy. Exciting things to come. Thank you so much. And for those who are talking to your friends, make sure that they consider a career in cyber. It's just being as meaningful and then you will be helping defend a nation. Thank you. Thank you. That's Seeyew Mo, Assistant National Cyber Director in the Office of the National Cyber Director at the White House, speaking with our N2K President, Simone Petrella.