Aligning Businesses and Individuals to Tackle the Cyber Skills Shortage

Companies worldwide are struggling to find, attract, and retain cyber security staff who possess the right skills for their business. We at TAG Cyber hear consistently from enterprises that the organization receives piles of resumes for each advertised position, but rarely do they see individuals with the appropriate qualifications for their specific hiring needs. Though certain skills may be transferable between roles, one position’s skill set doesn’t necessarily translate to an adjacent position. And when the company needs an employee to hit the ground running, they’re left with the difficult decision between hiring someone to grow or train into the position (which could take months) or leaving the position unfilled (which accomplishes nothing).

Meanwhile, individuals who want to take cyber security courses have never had so many options! From the well-known certification and education providers to small, independently owned consultancies that augment their business through training, it’s not hard to find courses—online and in person—for almost any cyber security topic. Where, then, is the disconnect? Why do companies continue to grapple with a mismatch between job requirements and interested applicants?

One answer is easy: there simply isn't enough supply to fill demand. The other answer is more complex and involves examining how the industry carefully considers the processes of training people into current job requirements.

Simone Petrella, CEO and Co-Founder at CyberVista, decided to tackle the latter challenge. Not content to perpetuate the status quo, Petrella is on a mission to change cyber security skills training by aligning companies and individuals. Doing so requires more than merely offering courses on and certifications for pen testing, cloud security architecture, or how to become a cyber security analyst. Petrella and her team are taking a pragmatic approach to cross-skilling and upskilling individuals through personalized assessments, business needs alignment, and practical, hands-on training—all offered online.

How it began

Petrella was a student at Georgetown University when the 9/11 attacks shed light on the need for counterterrorism experts. With an undergrad degree in Government, she wasn’t certain what she wanted to do with her career, but when she was offered a job at the Department of Defense (DoD), it seemed like a natural fit. Petrella went to work for the Joint Warfare Analysis Center within the DoD, focusing on counterterrorism, and simultaneously decided to pursue a master's degree in International Law and Policy.

Petrella was experiencing first-hand the endeavor of training for the job she had while executing that job. After a few years, one degree later, and thousands of miles logged by commuting 60 miles each way every day, Petrella decided to simplify her life by taking a job closer to home, with Booz Allen Hamilton. She was grateful to continue her work with the DoD, providing intelligence support and information assurance, and officially became part of the cyber security community.

Nine and a half years later, still in the DoD-focused role but now with the acquisition of a law degree, Petrella felt like she was working on the same problems over and over, only with new issues in the threat landscape and new technologies to combat them. Petrella decided to transition into the private sector at Booz Allen, and immediately saw familiar patterns emerge related to education, training, and workforce needs. “I had a big problem building, hiring, and supporting an appropriately skilled team. The talent issue was something I was always struggling with,” she told me during a recent video chat.

Transitioning from practitioner to provider

Needless to say, Petrella’s work experience and education path to this point wasn’t straight or narrow. She’d explored many security-adjacent areas and worked directly in security as a consultant and leader. This combination had her thinking seriously about the talent shortage; though her day-to-day work wasn’t ever easy, it was significantly complicated by hiring issues—how could she optimize her team’s work when she couldn’t hire the right people to execute the work? Hiring was part of her job, but she felt the system was broken; too much time was spent searching for candidates. And she knew the problem wasn’t hers alone; friends and colleagues complained of the same issue, but no one had a solution. Established cyber security training providers were offering myriad courses for individuals, but applicants’ skills and abilities weren’t lining up with expectations.

As she pondered the talent problem, Petrella was speaking informally with a colleague who worked at Kaplan, an industry-leading education provider founded in 1938. Kaplan had mastered education and training but hadn’t approached cyber security as a discipline. Kaplan held the expertise in how to train people; Petrella had the expertise in cyber security. Together, they evaluated the market: Was cyber security training an in-demand opportunity? Were there new ways to approach training within the space?

They agreed the market opportunity existed but that it should be an independent offering, not something rolled into Kaplan’s standard set of courses or certifications. Thus, in 2014, Petrella made the leap from “I have a problem as a practitioner” to “I want to solve a problem, and the best way is to start a company to do it.”

Having cut her teeth in security, Petrella knew there would be challenges ahead. Not just because she wanted to solve an existing problem in a different way, but because she was one of a very few women company founders in cyber security (and still is). “Being a woman in cyber is something I’ve thought about since starting my career at the DoD,” she said. “At best, I was one of a small number of women in a room. Usually, I was the only woman in the room. I developed a thick skin from working in male-dominated environments. I also had to work harder to demonstrate my credibility than male colleagues. Today, it’s easier to be a woman in security—although we still have our challenges—yet, the work I had to put in early in my career forced me to command confidence and be in a room full of strong personalities.”

Transforming accepted practices

As a startup founder, tenacity and confidence would prove paramount over the coming years. “Our first challenge,” Petrella said, “was deciding where to start and getting our footing under us. We had to determine our own staffing needs. Who are those people? What are the right skills? Which projects to tackle first? And what will our goals be?”

Petrella admits to missteps: “We made every mistake in the book,” she joked. She said they didn’t look closely enough at market fit and gather enough data from would-be students. For instance, they decided to offer executive training but didn’t account for crazy-busy schedules of CISOs/CSOs; a full two-day seminar wasn’t tenable for the vast majority of these individuals.

Their experiences, though, taught them what it took to thoughtfully craft a quality curriculum, and led CyberVista to recruit a chief product officer with expertise in education. One thing that helped propel the company was their use of the Kaplan platform—a major benefit since Petrella didn’t have to hire developers or engineers to build a proprietary tool. She leaned on best practices from the education industry while incorporating her knowledge of security. Because there wasn't a need to reinvent the wheel from a platform point of view, her entire focus could be on what security needed from training and education programs.

Originally, CyberVista began as a B2C training provider, as many training companies are today. But Petrella and her team quickly realized that focusing on cross-training and upskilling in the consumer market meant that they weren’t solving the root of the problem: the disconnect between the skills people had and the skills companies needed to hire for. She became fixated on helping employers—retail companies, financial services companies, healthcare providers, etc.—take a proactive role in building their own workforce. Rather than simply bemoan the talent shortage, leaving it to recruiters and HR departments, Petrella understood that companies could help solve the problem by actively engaging in a solution.

Disrupting traditional cyber security training

“We started gathering data and insights from companies and their hiring managers,” she said. They then looked at the companies’ current training models and hiring practices and used the information to bridge the gap between what companies truly needed and what was available in the applicant pool. They developed an assessment for companies’ workforce needs and built curricula around the results.

Today, companies can offer a “choose your own adventure” type of modular, skills- and roles-based training, actively feeding their programs with the right talent. “Workforce development can’t be off-the-shelf,” Petrella explained. “We have to understand what a company is trying to accomplish, their specific company needs, and the skills gaps that exist.”

With this data in hand, CyberVista crafts online training and education programs for businesses hiring security talent. Consequently, organizations are helping solve their own problems of finding, attracting, and retaining talent, yet they don’t have to do the heavy lifting of deciding which courses to offer, appropriate curricula, or how and when to offer training. They can also ensure their staff and prospective staff are enrolling in courses that will benefit the business rather than courses that build an individual’s knowledge base but don’t necessarily align with the organization’s work requirements.

“The current cyber security training model is skewed toward individual interests,” Petrella said, “which makes it very hard for companies to hire for the roles they need to fill.” Through CyberVista’s platform, companies can take control of their hiring and staffing needs by having Petrella’s team help them design the correct path for employment. Some of CyberVista’s clients offer training to current employees while others use it as a pipeline for future employees. There's no “right” way.

And for individuals who want to enhance their skill set but don’t want to follow a company-designed program, CyberVista offers modules for that, too. There’s no need to throw the baby out with the bathwater; any person who wants to invest in their own skills building should be encouraged to do so. CyberVista’s online, modular approach makes it easy, whether the program is company-sponsored or individually initiated. But the best thing about CyberVista’s approach is that it’s focused on matchmaking: ensuring individuals have the appropriate skills for companies’ hiring requirements. With this approach, everyone wins: companies find and attract the talent they need, and employees find the right job for their current skills and are given the opportunity to grow and learn over time.