WEBVTT 1 00:00:00.500 --> 00:00:18.000 [Music] 2 00:00:18.000 --> 00:00:23.000 Frank: Hello, everybody. Thank you for joining us today for our timely discussion on training 3 00:00:23.000 --> 00:00:26.500 a resilient workforce and supportive critical infrastructure. 4 00:00:26.500 --> 00:00:30.000 I'm Frank Cilluffo, I direct the McCrary Institute for Cyber and Critical 5 00:00:30.000 --> 00:00:34.000 Infrastructure Security at Auburn University. 6 00:00:34.000 --> 00:00:38.000 War Eagle. This talk today is about building bridges, bridges to the future and communicating 7 00:00:38.000 --> 00:00:43.400 what is needed from government, industry 8 00:00:43.400 --> 00:00:48.450 and academia to develop an agile and ready workforce for today and 9 00:00:48.450 --> 00:00:52.620 tomorrow to safeguard the nation's infrastructure, which includes both 10 00:00:52.620 --> 00:00:56.920 physical facilities and cyber technology. We want you to 11 00:00:56.920 --> 00:01:01.020 understand how DHS is thinking differently and more 12 00:01:01.020 --> 00:01:05.250 inclusively about social sciences, diversity, policy 13 00:01:05.250 --> 00:01:09.280 R&D and knowledge of our evolving security landscape. 14 00:01:09.280 --> 00:01:13.430 We all know this is a multidisciplinary set of issues and 15 00:01:13.430 --> 00:01:17.710 DHS is armed and ready to address it as such. As we 16 00:01:17.710 --> 00:01:21.800 also all know technology really matters, but the women 17 00:01:21.800 --> 00:01:26.000 and men behind it, our workforce, matters even more. 18 00:01:26.000 --> 00:01:30.330 I can't think of a more compelling national and economic 19 00:01:30.330 --> 00:01:34.480 security issue than this nor a better group of people to 20 00:01:34.480 --> 00:01:38.860 shed light on the topic. Let me briefly introduce our speakers. 21 00:01:38.860 --> 00:01:42.950 Dr.
Angelyn Flowers serves as professor of Homeland Security and coordinator 22 00:01:42.950 --> 00:01:47.150 of the crime, justice and security studies at the 23 00:01:47.150 --> 00:01:51.170 University of the District of Columbia (UDC). 24 00:01:51.170 --> 00:01:55.300 Sue Armstrong serves as associate director for strategy 25 00:01:55.300 --> 00:01:59.550 performance and resources in the infrastructure security division at the 26 00:01:59.550 --> 00:02:03.610 U.S. Department of Homeland Security's cyber security and critical infrastructure 27 00:02:03.610 --> 00:02:07.790 security agency, better known as CISA. 28 00:02:07.790 --> 00:02:12.070 Lori Antonucci serves as director of workforce innovation 29 00:02:12.070 --> 00:02:16.180 and solutions at Manpower and was the lead author for 30 00:02:16.180 --> 00:02:20.440 the cyber security hiring guide in partnership with MXD. 31 00:02:20.440 --> 00:02:24.480 Casey O'Brien serves as the assistant director 32 00:02:24.480 --> 00:02:28.640 for cyber defense education and training information 33 00:02:28.640 --> 00:02:32.910 trust initiatives and the co-principal investigator for the 34 00:02:32.910 --> 00:02:37.000 National CyberWatch Center at the University of Illinois, and 35 00:02:37.000 --> 00:02:41.220 last but certainly not least Randall Sandone serves as 36 00:02:41.220 --> 00:02:45.250 the executive director of the Critical Infrastructure Resilience 37 00:02:45.250 --> 00:02:49.290 Institute, better known as CIRI, at the University of Illinois 38 00:02:49.290 --> 00:02:53.540 Urbana-Champaign. For opening remarks I'm pleased to 39 00:02:53.540 --> 00:02:57.600 introduce Randy Sandone, who I just mentioned from CIRI 40 00:02:57.600 --> 00:03:01.780 which is a DHS Center of Excellence based at the 41 00:03:01.780 --> 00:03:05.790 University of Illinois Urbana-Champaign.
Randy and the 42 00:03:05.790 --> 00:03:09.880 CIRI team conduct research and education to enhance the 43 00:03:09.880 --> 00:03:14.080 resiliency of the nation's critical infrastructure and businesses and public entities that own 44 00:03:14.080 --> 00:03:18.090 and operate those assets and systems. One of CIRI's 45 00:03:18.090 --> 00:03:18.110 mission areas is to contribute to the development of a 46 00:03:18.110 --> 00:03:22.240 robust and well prepared 47 00:03:22.240 --> 00:03:26.240 pipeline of professionals equipped to tackle the rising 48 00:03:26.240 --> 00:03:30.240 challenges associated with securing and protecting our critical infrastructures. 49 00:03:30.240 --> 00:03:34.380 I've had the privilege to work with Randy and his team on 50 00:03:34.380 --> 00:03:38.410 a project and I can tell you that they are doing awesome 51 00:03:38.410 --> 00:03:42.460 work, important work and couldn't ask for a better person than Randy to kick it off. 52 00:03:42.460 --> 00:03:46.660 So Randy over to you Sir. Randy: Thank you Frank for 53 00:03:46.660 --> 00:03:51.010 graciously agreeing to support this event as moderator. I know you're extremely 54 00:03:51.010 --> 00:03:55.140 busy. I know that and I sincerely appreciate the time you've given us 55 00:03:55.140 --> 00:03:59.410 and let me also say that CIRI is pleased to be working 56 00:03:59.410 --> 00:04:03.460 with Auburn University. Your team is doing outstanding 57 00:04:03.460 --> 00:04:07.650 work in support of our National Cyber Security, Education 58 00:04:07.650 --> 00:04:11.650 and Training network project with CISA and we look forward to continuing 59 00:04:11.650 --> 00:04:15.730 that work and continuing to work with Auburn on other 60 00:04:15.730 --> 00:04:19.960 projects going forward. I also want to thank all of our panelists. I know you too are very busy.
61 00:04:19.960 --> 00:04:24.340 And we are very grateful for your support of our program 62 00:04:24.340 --> 00:04:28.500 and the time you've given us. Thank you very much, I look 63 00:04:28.500 --> 00:04:32.810 forward to the perspectives you'll share with us later in the 64 00:04:32.810 --> 00:04:36.920 panel discussion. This discussion about the challenges 65 00:04:36.920 --> 00:04:40.920 and opportunities in cyber security workforce development 66 00:04:40.920 --> 00:04:45.280 supports one of CIRI's three primary missions and that is 67 00:04:45.280 --> 00:04:49.340 educating and developing a workforce equipped with the 68 00:04:49.340 --> 00:04:53.370 knowledge and skills needed to enhance the security and resilience of our nation's critical infrastructure both 69 00:04:53.370 --> 00:04:57.420 physical and cyber. Our other two missions conducting 70 00:04:57.420 --> 00:04:57.480 innovative outputs oriented research and sustainably 71 00:04:57.480 --> 00:05:01.670 72 00:05:01.670 --> 00:05:06.020 outputs to the field are equally important, but I must 73 00:05:06.020 --> 00:05:10.030 emphasize that education and workforce development 74 00:05:10.030 --> 00:05:14.290 particularly on cyber security is critically important and I 75 00:05:14.290 --> 00:05:18.310 dare say urgent priority at the DHS CISA and at 76 00:05:18.310 --> 00:05:22.480 CIRI and I think for the nation. Our nation's increasingly 77 00:05:22.480 --> 00:05:26.810 cyber enabled infrastructure as we all know 78 00:05:26.810 --> 00:05:30.920 is the foundation of our economy and our very way of life. 79 00:05:30.920 --> 00:05:35.250 And I think we also all know that infrastructure is 80 00:05:35.250 --> 00:05:39.290 under attack 24 hours a day, 7 days a week 81 00:05:39.290 --> 00:05:43.460 356 days a year by highly competent criminal 82 00:05:43.460 --> 00:05:47.760 enterprises and nation state actors that seek to do us 83 00:05:47.760 --> 00:05:51.860 harm.
Protecting that critical infrastructure is an urgent 84 00:05:51.860 --> 00:05:56.100 national security imperative and CISA and CIRI are diligently addressing the issue 85 00:05:56.100 --> 00:06:00.120 as you will see here today. Let me stress one thing though 86 00:06:00.120 --> 00:06:04.250 cyber security is everyone's business. We are all soldiers in this battle. 87 00:06:04.250 --> 00:06:08.520 We all have a role to play. Cyber security 88 00:06:08.520 --> 00:06:12.590 education workforce development initiatives at CISA, 89 00:06:12.590 --> 00:06:16.800 at CIRI and in industry as those that will be highlighted by 90 00:06:16.800 --> 00:06:21.160 our panel are helping to enhance the knowledge and skills of students and working professionals alike. 91 00:06:21.160 --> 00:06:25.310 To better prepare them for the challenges we face today and the challenges we will face 92 00:06:25.310 --> 00:06:29.610 tomorrow. CIRI is proud to be playing an important role 93 00:06:29.610 --> 00:06:33.660 in this critical endeavor and we thank you all again for 94 00:06:33.660 --> 00:06:37.710 being here and back to you Frank to lead our discussion. Thank you very much. 95 00:06:37.710 --> 00:06:42.010 Frank: Well thank you Randy and very well said and with that why don't we 96 00:06:42.010 --> 00:06:46.130 jump right into the conversation. I think and start maybe 97 00:06:46.130 --> 00:06:50.370 by framing the issue, it's got so many facets and components to it. 98 00:06:50.370 --> 00:06:54.420 And it might be helpful to 99 00:06:54.420 --> 00:06:58.570 frame the challenge a little further and I'll start with sort of a general question and that 100 00:06:58.570 --> 00:07:02.830 does a workforce skills gap leave us at risk 101 00:07:02.830 --> 00:07:06.930 and how do we expect the need to grow in the future? And obviously we've 102 00:07:06.930 --> 00:07:11.130 got short, mid-term, mid and long term challenges but 103 00:07:11.130 --> 00:07:15.160 Sue why don't we start with you.
CISA is in the center of a 104 00:07:15.160 --> 00:07:19.200 whole lot these days. Lots of exciting activity and thought it 105 00:07:19.200 --> 00:07:23.430 would be great for you to shed some light on some of it. 106 00:07:23.430 --> 00:07:27.480 Sue: Well I really appreciate the opportunity to address the 107 00:07:27.480 --> 00:07:31.510 question Frank. You and I, you know we've crossed paths 108 00:07:31.510 --> 00:07:35.790 and worked a long time together in the critical 109 00:07:35.790 --> 00:07:39.880 infrastructure world which has changed 110 00:07:39.880 --> 00:07:44.080 and we need to realize that 111 00:07:44.080 --> 00:07:48.100 who we are attracting to the 112 00:07:48.100 --> 00:07:52.230 workplace, whether it's federal or contractors 113 00:07:52.230 --> 00:07:56.480 to the federal government really has changed. 114 00:07:56.480 --> 00:08:00.540 So what I think we need to do and I'll talk about 115 00:08:00.540 --> 00:08:04.720 this a little bit later, we have the 116 00:08:04.720 --> 00:08:09.010 CTMS, you know 117 00:08:09.010 --> 00:08:13.130 cyber talent management service pilot 118 00:08:13.130 --> 00:08:17.370 coming up but we also need to think about 119 00:08:17.370 --> 00:08:21.410 as a workforce, most federal and private 120 00:08:21.410 --> 00:08:25.570 how are we combining planning for security 121 00:08:25.570 --> 00:08:29.600 and protection and resilience and by that I mean 122 00:08:29.600 --> 00:08:33.660 your typical 123 00:08:33.660 --> 00:08:37.840 gates and guards and stuff 124 00:08:37.840 --> 00:08:42.150 perimeter, excuse me, planning but 125 00:08:42.150 --> 00:08:46.280 how do we get everybody who is a security 126 00:08:46.280 --> 00:08:50.520 planner whether it's cyber, physical 127 00:08:50.520 --> 00:08:54.570 insider threat, personnel security 128 00:08:54.570 --> 00:08:58.750 information security, workplace security 129 00:08:58.750 --> 00:09:03.050 if you have a secure place 130 00:09:03.050 --> 00:09:07.170 to work 
in and you need to protect that. How does 131 00:09:07.170 --> 00:09:11.400 everybody come together. So I'm just advocating 132 00:09:11.400 --> 00:09:15.460 that this is a physical cyber convergence 133 00:09:15.460 --> 00:09:19.630 place that we're in as a nation. 134 00:09:19.630 --> 00:09:23.920 And as a federal government and as private sector and sometimes a 135 00:09:23.920 --> 00:09:28.030 private sector does this better than us so we have 136 00:09:28.030 --> 00:09:32.250 something to learn from them so that's my answer to that 137 00:09:32.250 --> 00:09:36.280 and we'll talk more about cyber hiring later. 138 00:09:36.280 --> 00:09:40.440 Frank: Awesome, thank you Sue and it really is good to 139 00:09:40.440 --> 00:09:44.460 see CISA driving and moving from sharing 140 00:09:44.460 --> 00:09:48.510 and cooperation to genuine collaboration between the public and private sector. 141 00:09:48.510 --> 00:09:52.670 And you can feel it, you can feel it in the DNA and very 142 00:09:52.670 --> 00:09:56.960 exciting. Casey I 143 00:09:56.960 --> 00:10:01.070 rightfully we laid out the call to action. We weighed out a number of the call to action 144 00:10:01.070 --> 00:10:05.290 and did so I think in a very strong and 145 00:10:05.290 --> 00:10:09.340 powerful way. How do we question 146 00:10:09.340 --> 00:10:13.490 the status quo. How do we sort of look at new ways to 147 00:10:13.490 --> 00:10:17.510 address some of these challenges. This isn't new. I mean 148 00:10:17.510 --> 00:10:21.570 obviously the dire nature of it is growing and it seems 149 00:10:21.570 --> 00:10:25.740 to be growing exponentially but CIRI is doing some great work over to you. 150 00:10:25.740 --> 00:10:30.250 Casey: Thanks Frank. So speaking to the why does 151 00:10:30.250 --> 00:10:34.390 a workforce skills gap leave us at risk first and then come 152 00:10:34.390 --> 00:10:38.650 back to the perhaps challenging the status quo portion. 153 00:10:38.650 --> 00:10:42.740 Frank: Yep.
Casey: So cyber security if not the number one national security 154 00:10:42.740 --> 00:10:46.770 priority is certainly at the top of the list. The workforce skills gap leaves us 155 00:10:46.770 --> 00:10:51.050 at risk because the lack of talent and readiness leaves 156 00:10:51.050 --> 00:10:55.170 the systems we rely on for our functioning civil society 157 00:10:55.170 --> 00:10:59.400 vulnerable and that's a threat to all of us. And perhaps 158 00:10:59.400 --> 00:11:03.450 just pushing back a little on the status quo in terms of the workforce 159 00:11:03.450 --> 00:11:07.610 you know I would argue very generally speaking here 160 00:11:07.610 --> 00:11:12.190 that in addition to a lack of qualified professionals we also 161 00:11:12.190 --> 00:11:16.190 have a skills gap in recruiting and hiring in part and parcel with this is a lack of 162 00:11:16.190 --> 00:11:20.430 willingness to train ere candidates and 163 00:11:20.430 --> 00:11:24.480 a couple of the questions coming up. I'll speak to some of the ways 164 00:11:24.480 --> 00:11:28.520 in which we can look at different ways of building the needed 165 00:11:28.520 --> 00:11:32.790 talent pipeline. Frank: Awesome and Angelyn 166 00:11:32.790 --> 00:11:36.880 can you share some thoughts on what universities that I think 167 00:11:36.880 --> 00:11:41.080 not only have an opportunity, dare I say a responsibility to 168 00:11:41.080 --> 00:11:45.380 educate the workforce of tomorrow so, what 169 00:11:45.380 --> 00:11:49.530 do you think universities can do? And what are you doing at UDC?
170 00:11:49.530 --> 00:11:53.810 Angelyn: Well I think the first thing we need to, universities need to 171 00:11:53.810 --> 00:11:57.900 recognize and that they are grappling with is that as we 172 00:11:57.900 --> 00:12:02.120 know technological change grows exponentially 173 00:12:02.120 --> 00:12:06.140 but at a practical level what this means is that whatever 174 00:12:06.140 --> 00:12:10.260 the status quo was when your students enter 175 00:12:10.260 --> 00:12:14.510 is going to be history when they graduate. 176 00:12:14.510 --> 00:12:18.570 So universities are having to figure out how do you train students 177 00:12:18.570 --> 00:12:22.740 for jobs that don't exist yet 178 00:12:22.740 --> 00:12:27.040 with skills and knowledge that you're just kind of 179 00:12:27.040 --> 00:12:31.160 predicting and forecasting for the future. 180 00:12:31.160 --> 00:12:35.390 And that is a challenge and one way we can address that is by working with 181 00:12:35.390 --> 00:12:39.440 my industry, and government, and academia working together 182 00:12:39.440 --> 00:12:43.600 to kind of grapple with which direction do we 183 00:12:43.600 --> 00:12:47.880 see things moving in so we can design educational 184 00:12:47.880 --> 00:12:51.990 programs that really do produce a workforce 185 00:12:51.990 --> 00:12:56.210 that actually knows how to adapt 186 00:12:56.210 --> 00:13:00.240 to the world that they will be in which they will be 187 00:13:00.240 --> 00:13:04.370 functioning. We need workers who are not afraid to 188 00:13:04.370 --> 00:13:08.630 expand their horizons once they get on a job. 189 00:13:08.630 --> 00:13:12.700 And I think that is also something that universities have a 190 00:13:12.700 --> 00:13:16.900 responsibility to inculcate in their graduates.
191 00:13:16.900 --> 00:13:21.280 Frank: Well said and Lori 192 00:13:21.280 --> 00:13:25.450 in addition to making sure everyone reads your cyber 193 00:13:25.450 --> 00:13:29.790 security hiring guide, let me first see if you agree 194 00:13:29.790 --> 00:13:33.900 that the call to bring industry 195 00:13:33.900 --> 00:13:38.160 and government together on this is important as I personally 196 00:13:38.160 --> 00:13:42.170 believe it is, but I don't want to lead the witness too much. 197 00:13:42.170 --> 00:13:46.320 But I'd be curious sort of from your perspective where you see things today? 198 00:13:46.320 --> 00:13:50.360 And also there's sort of a 199 00:13:50.360 --> 00:13:54.410 there's a question about the gap itself so I'd be very curious if you would want to shed some 200 00:13:54.410 --> 00:13:58.570 thoughts on that? Lori: No, it's important to really 201 00:13:58.570 --> 00:14:02.860 continue to get great marriage counseling between 202 00:14:02.860 --> 00:14:06.960 industry, academia, and government on this. Relationships 203 00:14:06.960 --> 00:14:11.180 counseling I guess would be a good way to put it but it 204 00:14:11.180 --> 00:14:15.210 is all about the convergence that other folks have really set-up. 205 00:14:15.210 --> 00:14:19.210 As Angelyn mentioned there is also a bit of a scaling and a timing 206 00:14:19.210 --> 00:14:23.450 sort of issue in terms of investing in education 207 00:14:23.450 --> 00:14:27.510 and keeping up with the maturing of many of the employers as 208 00:14:27.510 --> 00:14:31.690 they continue to grapple with all of this. So I think that you know again 209 00:14:31.690 --> 00:14:35.990 there is a number of different ways as we talk about strategies 210 00:14:35.990 --> 00:14:40.100 that can shorten some of that what we call time to performance.
You know 211 00:14:40.100 --> 00:14:44.330 getting a lot better at the bridge experiences that we offer to 212 00:14:44.330 --> 00:14:48.380 various experience levels as they're coming 213 00:14:48.380 --> 00:14:52.530 into and out of roles across cyber security. And I also think 214 00:14:52.530 --> 00:14:56.810 really letting industry and academia noodle together 215 00:14:56.810 --> 00:15:00.910 about both the business and the technical skills. 216 00:15:00.910 --> 00:15:05.130 I'll be talking a lot here and there about this hybrid nature of a lot of the workforce that we 217 00:15:05.130 --> 00:15:09.150 really need to invest in. Frank: Awesome thank you Lori and I'm really glad 218 00:15:09.150 --> 00:15:13.280 you brought up retention and upskilling. It's not merely 219 00:15:13.280 --> 00:15:17.540 a recruiting and making sure that everyone has the skills 220 00:15:17.540 --> 00:15:21.550 that are needed right now. That's I think a very important 221 00:15:21.550 --> 00:15:25.710 point as well as we are not just training the cyber ninjas 222 00:15:25.710 --> 00:15:30.030 but everyone does play a role in cyber security. 223 00:15:30.030 --> 00:15:34.040 I mean everyone. And how we 224 00:15:34.040 --> 00:15:38.260 bake that into everything else we do 225 00:15:38.260 --> 00:15:42.290 i.e., layer cyber into that I think is critical as well. 226 00:15:42.290 --> 00:15:46.440 Let me sort of jump to another question that's sort of addressing the gap. 227 00:15:46.440 --> 00:15:50.730 We've identified the need. We've identified the target set. It's pretty darn big. 228 00:15:50.730 --> 00:15:54.750 But we also have a number of good initiatives 229 00:15:54.750 --> 00:15:58.760 in terms of addressing some of the gap and what we're doing 230 00:15:58.760 --> 00:16:03.080 to address the current workforce skills gap and 231 00:16:03.080 --> 00:16:07.200 Sue, I think again I'd love to start again with you if that's okay?
232 00:16:07.200 --> 00:16:11.450 And I know CISA is doing a lot so please. 233 00:16:11.450 --> 00:16:15.510 Sue: Absolutely. 234 00:16:15.510 --> 00:16:19.680 Just two things really here 235 00:16:19.680 --> 00:16:23.990 I mentioned the CTMS, which is the 236 00:16:23.990 --> 00:16:28.110 cyber talent management system that has 237 00:16:28.110 --> 00:16:32.340 gone through a rule making process and very excited 238 00:16:32.340 --> 00:16:36.390 to announce that it would be piloted 239 00:16:36.390 --> 00:16:40.540 for 25 positions at the very least on 240 00:16:40.540 --> 00:16:44.840 November 15th but this is 241 00:16:44.840 --> 00:16:48.940 a learning process out of several things that we have 242 00:16:48.940 --> 00:16:53.140 tried as legacy 243 00:16:53.140 --> 00:16:57.160 national protection and program 244 00:16:57.160 --> 00:17:01.300 directorate NPPD and now CISA to 245 00:17:01.300 --> 00:17:05.550 attract the best and the brightest cyber 246 00:17:05.550 --> 00:17:09.630 folks but your point 247 00:17:09.630 --> 00:17:13.820 I think Lori you made it, is right on. We need 248 00:17:13.820 --> 00:17:18.130 all kinds of people to do this work. 249 00:17:18.130 --> 00:17:22.140 And to protect national security and economic 250 00:17:22.140 --> 00:17:26.140 prosperity. So what 251 00:17:26.140 --> 00:17:30.160 this pilot for this new program 252 00:17:30.160 --> 00:17:34.300 kind of entails is 253 00:17:34.300 --> 00:17:38.560 looking and working a long time 254 00:17:38.560 --> 00:17:42.620 if you will with the Office of Personnel Management 255 00:17:42.620 --> 00:17:46.800 for new hiring processes 256 00:17:46.800 --> 00:17:50.810 meaning everybody gets to put in a customized application.
257 00:17:50.810 --> 00:17:54.910 You don't have to do the federal resume 258 00:17:54.910 --> 00:17:59.120 thing where you just enter your job experience and 259 00:17:59.120 --> 00:18:03.140 blah, blah, blah sorry and 260 00:18:03.140 --> 00:18:07.270 the applicants themselves get to participate in 261 00:18:07.270 --> 00:18:11.530 assessments including simulations, meaning 262 00:18:11.530 --> 00:18:15.600 show us how your experience would translate to 263 00:18:15.600 --> 00:18:19.780 being on a threat hunting team, be on a 264 00:18:19.780 --> 00:18:24.100 assessment team, etc. We are looking at new 265 00:18:24.100 --> 00:18:28.240 compensation structures as well. We've tried 266 00:18:28.240 --> 00:18:32.490 retention bonuses as cyber 267 00:18:32.490 --> 00:18:36.560 hiring incentives and that 268 00:18:36.560 --> 00:18:40.730 worked and didn't work. 269 00:18:40.730 --> 00:18:45.020 So and then a whole new career 270 00:18:45.020 --> 00:18:49.030 development approach which we are really looking for 271 00:18:49.030 --> 00:18:53.250 this pilot to flush out. 272 00:18:53.250 --> 00:18:57.290 So we recently published 273 00:18:57.290 --> 00:19:01.440 for everybody's edification a rule in the 274 00:19:01.440 --> 00:19:05.720 federal register which will become effective the 15th so 275 00:19:05.720 --> 00:19:09.810 you can look that up and we are looking forward to 276 00:19:09.810 --> 00:19:14.020 piloting our first 277 00:19:14.020 --> 00:19:18.030 iteration if you will of that. 
278 00:19:18.030 --> 00:19:22.150 And also I just want to and I know I'm going over my time, 279 00:19:22.150 --> 00:19:26.680 but I also want to just say you know 280 00:19:26.680 --> 00:19:31.100 there are all kinds of resources across the CISA 281 00:19:31.100 --> 00:19:35.380 spectrum and we are looking forward to working with 282 00:19:35.380 --> 00:19:39.430 our Science & Technology and our university programs 283 00:19:39.430 --> 00:19:43.600 colleagues to build the workforce of 284 00:19:43.600 --> 00:19:47.900 the future so we hope this pilot will show 285 00:19:47.900 --> 00:19:52.010 some kind of 286 00:19:52.010 --> 00:19:56.280 substantive results but then we can collectively 287 00:19:56.280 --> 00:20:00.380 learn from them both at the federal and SLT 288 00:20:00.380 --> 00:20:04.520 I'm looking at Angelyn and academia 289 00:20:04.520 --> 00:20:08.800 level to learn from. So thank you for the 290 00:20:08.800 --> 00:20:12.910 opportunity to respond to that. Frank: Awesome, thank you Sue. Good stuff. 291 00:20:12.910 --> 00:20:17.140 I do hope everyone 292 00:20:17.140 --> 00:20:21.170 recognizes it wasn't easy to put that 293 00:20:21.170 --> 00:20:25.310 together so good on you. So we've got to do things different 294 00:20:25.310 --> 00:20:29.570 and I think that's a great start. Lori sort of looking 295 00:20:29.570 --> 00:20:33.650 from the employer or corporate perspective I 296 00:20:33.650 --> 00:20:37.830 mean emerging technology is changing business culture. It's changing 297 00:20:37.830 --> 00:20:42.150 how we do business. It's changing so much so 298 00:20:42.150 --> 00:20:46.280 I'd be curious whether migrating to the cloud or 299 00:20:46.280 --> 00:20:50.530 whether it's automated devices and advances 300 00:20:50.530 --> 00:20:54.600 of the sort. Sort of shed some light from your perspective on some of this as well please. 301 00:20:54.600 --> 00:20:58.780 Lori: Thanks Frank.
302 00:20:58.780 --> 00:21:03.100 So again I think I will ask 303 00:21:03.100 --> 00:21:07.220 permission to keep connecting technology with the business 304 00:21:07.220 --> 00:21:11.470 and the operating side of the employer 305 00:21:11.470 --> 00:21:15.480 seeing on this and that's because of where all these impacts are coming from. 306 00:21:15.480 --> 00:21:19.650 You know there are threats from inside, there are threats from external. There are 307 00:21:19.650 --> 00:21:23.960 some that are intentional, there are some that are malicious and so 308 00:21:23.960 --> 00:21:28.080 you know with every advancement that employers let's just take 309 00:21:28.080 --> 00:21:32.310 manufacturing as a large employment base for the country for sure 310 00:21:32.310 --> 00:21:36.360 with every advancement they make in using technology or 311 00:21:36.360 --> 00:21:40.510 adding technology to products they are increasing the threat landscape. 312 00:21:40.510 --> 00:21:44.810 Right, so it's really been I think 313 00:21:44.810 --> 00:21:48.910 important in a couple of areas to sort of keep blending the business and the 314 00:21:48.910 --> 00:21:53.130 technologies. One of the first areas is this notion of making security 315 00:21:53.130 --> 00:21:57.150 a lifecycle effort. So really across the entire business 316 00:21:57.150 --> 00:22:01.290 lifecycle you know from product ideation and 317 00:22:01.290 --> 00:22:05.560 all the way through secure design from the start. All the way through 318 00:22:05.560 --> 00:22:09.620 to how do we manage security of personnel data 319 00:22:09.620 --> 00:22:13.630 in the 30 plus billion 320 00:22:13.630 --> 00:22:17.930 devices that we expect to see connected to the internet 321 00:22:17.930 --> 00:22:22.040 in the next several years. And so it's really important 322 00:22:22.040 --> 00:22:26.280 for us to keep looking at those edge technologies.
All of the 323 00:22:26.280 --> 00:22:30.320 personal device connections to corporate networks, 324 00:22:30.320 --> 00:22:34.480 a lot of organizations have bring your own device sort of policy which only increases it. 325 00:22:34.480 --> 00:22:38.770 So sometimes it's not about even the more advanced 326 00:22:38.770 --> 00:22:42.860 technologies. Any technology personal or otherwise where it 327 00:22:42.860 --> 00:22:45.960 can open up the different threats etc., that need to be managed. 328 00:22:45.960 --> 00:22:51.320 And if I can just mention one other thing. You brought up there Frank in the intro about culture 329 00:22:51.320 --> 00:22:56.590 and I think that's the other thing that's so important that we see a great deal of effort 330 00:22:56.590 --> 00:23:01.770 being placed in questions in terms of addressing the gap, which is to recognize that this is not just 331 00:23:01.770 --> 00:23:06.780 a technical issue. It is a cultural issue in organization and 332 00:23:06.780 --> 00:23:11.540 we need leaders to step up as many of them have been. To put expectations out there 333 00:23:11.540 --> 00:23:16.720 about progress and change and security practices and technologies etc., 334 00:23:16.720 --> 00:23:21.810 It's about their valuing of the different roles. You know we looked at two 335 00:23:21.810 --> 00:23:27.140 hundred and 47 roles on both the business, technical and then those hybrids 336 00:23:27.140 --> 00:23:32.380 that are necessary. So a culture that can appreciate and accommodate almost at any size 337 00:23:32.380 --> 00:23:37.550 bringing in these hybrid roles is really going to be important so 338 00:23:37.550 --> 00:23:42.620 again I just want to put a plug in for it's both the business side and it's the technical side. 339 00:23:42.620 --> 00:23:46.810 Frank: Well thank you for that Lori, and I'm glad you brought it up.
It really is the internet 340 00:23:46.810 --> 00:23:51.130 of everything in so many ways and 341 00:23:51.130 --> 00:23:55.300 for too long, our ability to network has far outpaced our ability to 342 00:23:55.300 --> 00:23:59.560 protect the network so I am glad that we're starting to 343 00:23:59.560 --> 00:24:03.620 try to flip that and go, I hate to use it, left of boom, but that is where 344 00:24:03.620 --> 00:24:07.800 we need to go. And let's turn to another 345 00:24:07.800 --> 00:24:12.130 question in terms of recruiting students. And I'm gonna have to ask everyone 346 00:24:12.130 --> 00:24:16.260 to try to be relatively brief on all of this but 347 00:24:16.260 --> 00:24:20.500 the work shortage is staggering. I know, we've all seen the statistics 348 00:24:20.500 --> 00:24:24.510 1.5 million potential 349 00:24:24.510 --> 00:24:28.670 unfilled positions as we speak and 350 00:24:28.670 --> 00:24:32.960 what are we doing to recruit students and Angelyn, I want to start with you on this? 351 00:24:32.960 --> 00:24:37.070 Because it is so multifaceted 352 00:24:37.070 --> 00:24:41.300 and I apologize for having to 353 00:24:41.300 --> 00:24:45.340 cram a lot of really good information into a short amount of time 354 00:24:45.340 --> 00:24:49.500 but over to you please. Angelyn: Thank you Frank. I will talk fast. 355 00:24:49.500 --> 00:24:53.770 A couple of key points. First 356 00:24:53.770 --> 00:24:57.870 to increase the workforce it's really important to expand our horizons. 357 00:24:57.870 --> 00:25:02.070 And we need to reach out and engage underrepresented 358 00:25:02.070 --> 00:25:06.080 minorities, racial, ethnic, gender 359 00:25:06.080 --> 00:25:10.220 in this field and the other thing we have to realize is that cyber security 360 00:25:10.220 --> 00:25:14.460 is broader than information assurance, IT, 361 00:25:14.460 --> 00:25:18.520 computer science.
And so there's 362 00:25:18.520 --> 00:25:22.680 this we have a large category of students for instance 363 00:25:22.680 --> 00:25:26.960 who are tech interested, they are interested in the field but 364 00:25:26.960 --> 00:25:31.070 are not as tech savvy as those other sciences. 365 00:25:31.070 --> 00:25:35.320 And so what we have focused on at our university is a 366 00:25:35.320 --> 00:25:39.360 cyber risk management focus for those tech 367 00:25:39.360 --> 00:25:43.520 interested but maybe less tech skilled people. And what we 368 00:25:43.520 --> 00:25:47.800 are finding with the right education and training they really 369 00:25:47.800 --> 00:25:51.900 serve as the nexus in the 370 00:25:51.900 --> 00:25:56.110 human to computer interface. They can serve as 371 00:25:56.110 --> 00:26:00.130 the link in agencies and organizations as the technical 372 00:26:00.130 --> 00:26:04.260 people and the non-technical people. And the non-technical people 373 00:26:04.260 --> 00:26:08.520 who are responsible for carrying out the work and also have to be 374 00:26:08.520 --> 00:26:12.580 aware of potential security issues. 375 00:26:12.580 --> 00:26:16.770 Frank: That's an excellent point and really glad you brought 376 00:26:16.770 --> 00:26:21.100 that up. At the end of the day a good hacker 377 00:26:21.100 --> 00:26:25.230 let's focus on ethical hackers, they have to not only be 378 00:26:25.230 --> 00:26:29.480 technically skilled but they have to be skilled in social engineering as well. 379 00:26:29.480 --> 00:26:33.540 So I think that combination really is where the magic 380 00:26:33.540 --> 00:26:37.710 occurs so good for you for driving that at UDC. 381 00:26:37.710 --> 00:26:42.010 Casey, I mean from Urbana-Champaign’s perspective 382 00:26:42.010 --> 00:26:46.140 anything you want to share with us today? I know you're 383 00:26:46.140 --> 00:26:50.390 doing some great work there.
Casey: Thanks Frank, yeah just 384 00:26:50.390 --> 00:26:54.400 in terms of what universities and colleges need to ramp up education in this 385 00:26:54.400 --> 00:26:58.550 area. First I think it's important to stress what academia has been doing. 386 00:26:58.550 --> 00:27:02.580 The past 15 plus years and take stock at what exists. 387 00:27:02.580 --> 00:27:06.650 And is often underutilized when it comes to things like recruiting so 388 00:27:06.650 --> 00:27:10.830 there have been cyber security programs or degrees 389 00:27:10.830 --> 00:27:15.150 and certificates and awareness programs and competitions 390 00:27:15.150 --> 00:27:19.290 in the higher-ed space going back to about 2006 391 00:27:19.290 --> 00:27:23.560 the National Security Agency in partnership with the Department of Homeland Security 392 00:27:23.560 --> 00:27:27.630 runs the National Centers of Academic Excellence 393 00:27:27.630 --> 00:27:31.660 in cyber security program. Which has roughly 350 plus 394 00:27:31.660 --> 00:27:35.680 2 and 4 year schools that have earned that designation and 395 00:27:35.680 --> 00:27:39.760 they're graduating close to 125,000 students per year.
396 00:27:39.760 --> 00:27:43.950 So while that number doesn't single-handedly 397 00:27:43.950 --> 00:27:48.280 meet the workforce demands, it does provide close to 10% of the 398 00:27:48.280 --> 00:27:52.440 workforce need and so that would sort of be one of my takeaways 399 00:27:52.440 --> 00:27:56.710 today is that in any talent management recruiting 400 00:27:56.710 --> 00:28:00.800 program companies need to think about 401 00:28:00.800 --> 00:28:05.000 higher ed is currently churning out and in terms 402 00:28:05.000 --> 00:28:09.010 of what academia can do to ramp up their 403 00:28:09.010 --> 00:28:13.140 offerings, I think they can continue to offer certificates, 404 00:28:13.140 --> 00:28:17.400 both credit and workforce development are non-credit 405 00:28:17.400 --> 00:28:21.450 programs so these are 3, 4 courses that 406 00:28:21.450 --> 00:28:25.470 a learner can complete in a year. They are often times tied 407 00:28:25.470 --> 00:28:29.480 to work roles, often times in-demand work roles and professional 408 00:28:29.480 --> 00:28:33.540 certifications that want the latter as 409 00:28:33.540 --> 00:28:37.730 a required credential. Schools can create these certificates 410 00:28:37.730 --> 00:28:41.750 based on the technology du jour so while 411 00:28:41.750 --> 00:28:45.840 it can be hard to update degree programs and often times degree programs 412 00:28:45.840 --> 00:28:50.060 to become stagnant, 2 and 4 years can be agile 413 00:28:50.060 --> 00:28:54.080 with the creation of these certificates and I think also 414 00:28:54.080 --> 00:28:58.210 an area in which academia can work is to create 415 00:28:58.210 --> 00:29:02.470 personalized, individualized performance based 416 00:29:02.470 --> 00:29:06.530 education and training programs that increase the number of the capable.
417 00:29:06.530 --> 00:29:10.720 We have a demographic cliff in that we 418 00:29:10.720 --> 00:29:15.010 have large population that's aging and retiring 419 00:29:15.010 --> 00:29:19.140 and the generations coming up behind them 420 00:29:19.140 --> 00:29:23.400 the numbers aren't large enough to replace them so we can no longer afford 421 00:29:23.400 --> 00:29:27.450 this selection model if you will 422 00:29:27.450 --> 00:29:31.600 in academia right. It works well to select 423 00:29:31.600 --> 00:29:35.900 students out when you have large numbers of students coming in 424 00:29:35.900 --> 00:29:40.000 at the top and through a funnel and select out the 425 00:29:40.000 --> 00:29:44.230 best and the brightest but we've got a reverse sort of hour-glass situation 426 00:29:44.230 --> 00:29:48.270 so we need to think of different ways in which we can raise the capability 427 00:29:48.270 --> 00:29:52.420 of everyone. Frank: Awesome thank you Casey. 428 00:29:52.420 --> 00:29:56.700 And I've never had an unspoken thought I gotta throw 429 00:29:56.700 --> 00:30:00.800 a line in here for K-12 as well. At the end of the day 430 00:30:00.800 --> 00:30:05.020 while higher-ed and universities play a critical role 431 00:30:05.020 --> 00:30:09.030 we've got to get both recruit 432 00:30:09.030 --> 00:30:13.150 and be able to teach differently but 433 00:30:13.150 --> 00:30:17.410 also how people learn is changing 434 00:30:17.410 --> 00:30:21.420 so dramatically that I just needed to put that plug in there. 435 00:30:21.420 --> 00:30:25.580 And I can wax on forever there but I'll stop. 436 00:30:25.580 --> 00:30:29.880 The tyranny of time requires I be a bit of a tyrant. 437 00:30:29.880 --> 00:30:34.010 We are going to go through a lightning round. So this is everyone's opportunity to sort 438 00:30:34.010 --> 00:30:38.280 of leave the audience with your call to action.
439 00:30:38.280 --> 00:30:42.320 What is that one key takeaway that the audience can do to 440 00:30:42.320 --> 00:30:46.460 help you build the workforce of the future and what is it you need? 441 00:30:46.460 --> 00:30:50.760 And Angelyn we will start with you on this one. 442 00:30:50.760 --> 00:30:54.850 Angelyn: So my takeaway is that it is important that people remember that cyber security 443 00:30:54.850 --> 00:30:59.070 is not simply the role and function of 444 00:30:59.070 --> 00:31:03.080 people who have computer or technical background 445 00:31:03.080 --> 00:31:07.220 it's everyone's responsibility and everyone has a role 446 00:31:07.220 --> 00:31:11.490 to play in this endeavor. 447 00:31:11.490 --> 00:31:15.550 Frank: Awesome, well said Casey. Casey: My takeaway 448 00:31:15.550 --> 00:31:19.730 call to action is that higher education should be part of your recruiting talent 449 00:31:19.730 --> 00:31:24.050 management equation and this includes exploring how graduates from community colleges 450 00:31:24.050 --> 00:31:28.170 can fill technical roles. Many of the cyber security programs at 2-year schools 451 00:31:28.170 --> 00:31:32.420 are mature, they are hands on focus and they have to meet local 452 00:31:32.420 --> 00:31:36.490 employer needs and demands is that's how those colleges live and breathe. 453 00:31:36.490 --> 00:31:40.660 Frank: Very well said, spot on. Lori? 454 00:31:40.660 --> 00:31:44.970 Lori: My takeaway to offer is for employers of all sizes 455 00:31:44.970 --> 00:31:49.080 to map the capabilities and roles that you really 456 00:31:49.080 --> 00:31:53.320 and then figure out the right employee mix. Not everyone has to be a full-time 457 00:31:53.320 --> 00:31:57.370 employee. A lot of people can do these efforts 458 00:31:57.370 --> 00:32:01.520 as bid employees.
There's vendor partnerships to be had out there 459 00:32:01.520 --> 00:32:05.810 so get that employee mix right and the hiring and recruiting 460 00:32:05.810 --> 00:32:09.910 will go a lot better. Frank: Awesome, well-said. Sue? 461 00:32:09.910 --> 00:32:14.130 Sue: I would echo some of the colleagues here, 462 00:32:14.130 --> 00:32:18.150 You know this has to start at 463 00:32:18.150 --> 00:32:22.290 kind of a non-higher education level 464 00:32:22.290 --> 00:32:26.550 you know Girls Who Code, the Girl Scouts of the 465 00:32:26.550 --> 00:32:30.620 United States, entering significant partnerships with 466 00:32:30.620 --> 00:32:34.810 states, with organizations that the Boys and Girls Club 467 00:32:34.810 --> 00:32:39.130 of America. Kids who are of America, you know 468 00:32:39.130 --> 00:32:43.270 I don't want to say captive audience but I'm saying 469 00:32:43.270 --> 00:32:47.540 captive audience for an afternoon and you can teach them 470 00:32:47.540 --> 00:32:51.690 about security, about the 471 00:32:51.690 --> 00:32:55.880 need for us to all work on this together as Ms. Flowers 472 00:32:55.880 --> 00:33:00.210 presented. Let's bring 473 00:33:00.210 --> 00:33:04.360 a new generation along in 474 00:33:04.360 --> 00:33:08.630 learning about security. 475 00:33:08.630 --> 00:33:12.700 I go back to the 90's and everybody was 476 00:33:12.700 --> 00:33:16.910 like this internet is a great thing but it's going to do 477 00:33:16.910 --> 00:33:21.250 awesome stuff for America, but who's building security 478 00:33:21.250 --> 00:33:25.410 into it and that's where this next generation needs 479 00:33:25.410 --> 00:33:29.680 to come in. Frank: Well said and I'm you brought up Girls Who Code. 480 00:33:29.680 --> 00:33:33.700 Because the numbers are also disappointing right now.
481 00:33:33.700 --> 00:33:37.900 20-25% workforce are women and 482 00:33:37.900 --> 00:33:42.220 we've got some awesome that is just sitting 483 00:33:42.220 --> 00:33:46.370 on the sidelines that we've got to pull into this fight. 484 00:33:46.370 --> 00:33:50.650 Double down on that one. Without further ado I gotta 485 00:33:50.650 --> 00:33:54.740 close this conversation. This was awesome. We are out of time. 486 00:33:54.740 --> 00:33:58.950 And this could have gone on so much longer but I wanted to thank our speakers, 487 00:33:58.950 --> 00:34:02.960 I wanted to thank DHS S&T and to everyone tuning in today. 488 00:34:02.960 --> 00:34:07.080 Going forward, DHS looks forward to continuing 489 00:34:07.080 --> 00:34:11.420 this important conversation and including more perspectives and partners. 490 00:34:11.420 --> 00:34:15.480 And I know they will be sharing a follow-up slide to learn more 491 00:34:15.480 --> 00:34:19.650 about S&T's universities research and workforce initiatives. 492 00:34:19.650 --> 00:34:23.660 On behalf of all of our speakers today and our host I just want to say 493 00:34:23.660 --> 00:34:27.740 thank you, onward and upward it's gonna be tough 494 00:34:27.740 --> 00:34:31.940 but I feel we are going to get there and unfortunately this is a wrap. 495 00:34:31.940 --> 00:34:36.310 So thank you all. 496 00:34:36.310 --> 00:34:50.760 [Music]