Ep.28 Will Markow | Burning Questions with Burning Glass
In this episode of the cybrary podcast we sit down with Will Markow, the Managing Director for Burning Glass Technologies. Speaking with Leif Jackson, the VP of Content and Community at Cybrary, they discuss "Cyberseek," a website looking to close the cybersecurity talent gap with interactive tools and data.
Share it with friends now!
Leif: Hi everybody, Leif Jackson here again, VP of content and community just here with Will Markow from Burning Glass. Super excited to have you here today Will.
Will: Super excited to be here Leif. Thank you for the invitation yeah.
Leif: So tell me what brings you in today?
Will: So you bring me in today you know, I came in today to talk a little bit about some of the work that we're doing at Burning Glass in the cybersecurity workforce space and how we help organizations to better understand what cyber security talent they need and talk with you about how Cybrary can help them do that.
Leif: Awesome. How's it? Tell me what you do at Burning Glass.
Will: So at Burning Glass I'm the Managing Director of our emerging technologies practice, which in reality means I do a lot of talking and a lot of talking about the workforce and some of the key trends that are impacting the future of the workforce. Burning Glass does a lot of work looking at what are some of the jobs and skills that are in demand today and are going to be in demand in the future and I help organizations better understand how do they plan and prepare for that future.
Leif: That's cool. So tell us about the future, right? Like what are the kinds of the major trends that you're seeing?
Will: So some of the trends that we're seeing are an increasing fear of disruption among companies. They're afraid of being disrupted by new technologies. They're afraid of being disrupted by you know, competitors who are adopting new skill sets and their workforce, new technologies and their enterprise faster than others and that definitely bleeds over to the cybersecurity workforce to a considerable degree because, as you well know organizations are facing new threats every day. New technologies are creating new cyber security threats and you need new cyber security people and new cybersecurity skills to prepare for that and so as a result, we're seeing an increasing emphasis on employers trying to think, how do they incorporate more workers with the right cyber security skill sets, not just into their core cyber security teams, but across their entire organization
Will: So that everybody has the skills necessary to help prevent against some of these new and emerging threats and best utilize some of the new emerging technologies.
Leif: Gotcha, so tell us about some, what some of those new technologies are, what some of those new threats are.
Will: Sure, absolutely so some of the new technologies that we're seeing that have the broadest and most disruptive impact on organizations relate to things such as AI and machine learning, IOT, you know, even things like blockchain and the cloud, which all have a strong technological component and are disrupting jobs across different roles, changing the skill mix required of those roles as new workers have to learn new digital skills, they have to learn, you know, how to interact with new technologies, whether they be cloud-based, whether they be you know, driven by machine learning and all of those dovetail with cybersecurity pretty closely and so you know, you need, if you have, you know, emerging IOT demand, then you have a multitude of new devices that you're going to have to, you know, secure.
Leif: And obviously you can't just do that from the cybersecurity level that it needs to be everybody.
Leif: Right? So talk about like a little bit how you describe those everybody roles, right? Like what, what are they and what kind of skills do those people need?
Will: Yeah. So we really break the cybersecurity universe into two buckets. There's the core cyber security jobs that everybody knows
Will: About pen testers, cybersecurity engineers, but you know, to your point, there's this whole universe of what we call cyber enabled jobs. These cyber enabled jobs, they could be other IT jobs such as network admins who need to know some network security related skills but they could also be an attorney who needs to be up to date with some of the latest privacy skills that could be in regulations. It could be a business analyst. It could be an admin who needs to know, not to click on that malicious link or go and buy you know a bunch of gift cards when somebody tells them your CEO wants you to go and do that in a phishing attack and so the, this universe of cyber enabled jobs you know, really runs a gamut from, you know, just needing some basic cyber literacy and knowing what links not to click on to essentially you know, almost core cybersecurity related individuals who are in IT, who need to know some, you know, information, security skills, some of them need to know, you know, some you know, basic literacy around firewalls and how to secure a network and so really we're seeing increasingly organizations are saying everybody in our company needs some cybersecurity literacy and some cybersecurity skill sets embedded within their role.
Leif: Yep. That makes sense and have you seen those skills that people are developing in those cybersecurity skills? Are those actionable by those users? So things like, you know, attorneys actually using cyber skills and those kinds of things.
Will: Absolutely. Yeah. You know, I think that you know, attorneys is a good example because they have to remain up to date with some of the latest regulations. They also have to just remain up to date with some of the key trends in the field because you know, the many of these cyber breaches, they touch upon many legal aspects and attorneys they naturally, they have to have the skills necessary to understand.
Will: What are the threats the organization's facing, and then tie that back to some of the legal precedent and legal knowledge that they have as well as keeping up with the changing regulatory landscape. We also see that even in the organizations where they're just adopting more cyber literacy there are better cybersecurity outcomes. There are fewer breaches in general and organizations are more secure in both in how they are deploying new technologies in which makes it easier to ring as much value as possible out of those technologies and it really starts with individuals who know how to use those, respond to the technologies responsibly.
Leif: Yeah. So how are people like learning these skills nowadays? Like what are you seeing in kind of the education space?
Will: So it's a good question. There's really a few different vectors through which people are requiring some of those skills.
Will: You know, traditionally somebody would, you know, only know about information security if they either got a degree from a traditional university. In information security, there weren't too many programs focusing on that so that was not the most common pathway into the field and we're seeing more universities now are developing those programs. Those are still not developing workers who are working, you know as an attorney or an admin who still needs to have cybersecurity skills and so increasingly we're seeing new kinds of training providers try to close some of those gaps by focusing on either training for particular skill sets in a very broad sense and helping to just build up organizations general cyber literacy by offering a general Cybersecurity related you know, courses aimed at the admins of the world or the people who don't need to you know, be a pen tester or a cybersecurity analyst but we, so I was seeing many training providers. They, they might not, excuse me, always focus training for a particular skill. They might focus on training for a particular certification and I think there's still some white space
Will: Yeah, for more training providers to focus less on either training for a degree or training for broad, general literacy or training for a certification and focus more on training for individual skills that are needed within roles that are either core cybersecurity jobs or cyber enabled jobs so that you don't have to, you know, essentially, you know, take a blunt instrument, you can use a scalpel use rather than a sledgehammer to help train workers in the specific skills they need, given whatever role they have across the organization and do that in a much more narrowly tailored manner than many training providers have in the past.
Leif: Right and so, I mean, you talk a little bit about like this, you know, maybe a little less on the certification side, a little bit more on the skills side. One of the benefits of having a certification is that it's at least a consistent implementation so like your opinion of what an advanced Python person is, versus my opinion might be, is probably different. Right and so like how would you say that people can keep it consistent or maybe not consistent if we're going to a skills based world as opposed to a cert based world?
Will: So I think the most important thing there is making sure you're leveraging some kind of standardized taxonomy and nomenclature for sure talking about these skills. So a great example I have one initiative that's currently underway is the National Initiative for Cybersecurity Education or NICE. They have built out a cybersecurity workforce framework that maps out 52 different work roles then says, here are all the tasks
Will: And knowledge, skills, and abilities associated with each of those work roles and if you, as an employer can tie your jobs back to that framework and describe your jobs using that language, that goes a long way towards helping to standardize that
Will: And same thing for training providers, if they can map their content onto that shared framework, that shared language for describing the cybersecurity workforce then it makes it much easier to compare apples to apples across candidates or across courses to see what are the skill sets that somebody who says X is likely to have.
Will: Versus somebody who describes it as y.
Leif: Right, right. I think like where the differences are on, you know, specific tools or like emerging skills, right. So I think NICE does an amazing job of updating their taxonomy but they have a cadence around that, so, but skills are every month they kind of change right? So like how do we keep up with that pace of innovation?
Will: Yeah so that, that is where I think it's helpful to try and keep a pulse on what's happening today. Not just, you know, what happened the last time that some government framework was updated.
Will: And so one of the things that we really do at Burning Glass is to try and figure out what are those emerging skills, how do we keep track of them and so you know, we're constantly trying to figure out what are those skills that employers are most constantly requesting by looking at the job postings and seeing in the language of employers, what are they asking for? What are the new technologies and you know, how are they asking for those and then, you know, being able to use that information to communicate to training providers or individuals here are the new skill sets and new technologies that employers are looking for in the cybersecurity space that you should be focusing on
Will: So that you don't fall behind the curve and I think in individuals, they also need to be diligent in figuring out, okay, what is it that I need to learn? How do I keep an eye on what are the new trends and technologies that are impacting my career area, especially if it's cyber security, which is one of the fastest moving career areas and so I think finding you know, opportunities and you know, sources for that kind of information.
Will: Is a challenge for individuals but it's an important one if you want to remain up to date in your skillset.
Leif: Well, and guidance and mentorship, right? I mean, we see that all the time, like the vast majority of cybersecurity professionals just have no group up.
Leif: Right and they just want our guidance. They also don't know what, what skills they should be developing.
Leif: They just know that they're supposed to develop a whole bunch of skills
Will: Yeah, absolutely.
Leif: So to help guide that pathway,you've done some quantification around skills so you want to talk about, Hey as a learner, like what skills should I you know, most be interested in why and then on the business side, right, like what skills should I be developing across my organization.
Will: Yeah, absolutely and so I think that I'm taking one step back, one of the challenges for both individuals and for organizations when trying to figure out what are the skills that they should be developing is they're inundated with a ton of information.
Will: About the latest and greatest technology. Here's the skill that you need to develop and here are the things that employers are asking for and that's important to know what are some of the skill sets that are valuable, but that doesn't really give them a way of prioritizing or triaging what skills should I learn first?
Will: And so one of the things that we really try to do is help people understand what are the skill sets that are going to give you the greatest boost in your careers on day one, that can, and that boost can be either in terms of increased salaries so we can tell you what are the skill sets that are going to bump up your salary the most.
Will: We can tell you what are the skill sets that are in demand in the most jobs right now, we can do tell you what are the skill sets that are going to help you advance your career by opening up new doors, new career opportunities for you and so when we do that, we see that many of those skill sets that are really in the greatest demand right now that people could be focusing on, align with some of these new and emerging technologies, things like AI and machine learning and the intersection with cyber security. So being able to understand
Will: Something like Python, for example, If you're a cybersecurity worker and you add Python to your skillset, you can see a significant bump in salary. It can be, you know, 5 to 10K minimum, sometimes it's even greater than that.
Will: And then you also are opening up yourself for a broad range of new roles that are requiring more automation related skills. Actually automation related skills are some of the fastest growing we see in cybersecurity.
Will: They're growing, or just the past few years we saw demand for skills related to automation and cybersecurity grow over 250%.
Will: Which is considerably faster than cybersecurity jobs overall, which are already some of the fastest growing jobs in IT and so workers who are able to incorporate some of those new skills whether it be Python, whether it be things like Splunk or orchestration technologies that help you to automate certain processes in your cybersecurity team, those are increasingly the workers who have the most appealing job opportunities and see the highest salary bumps. Similarly for employers we're seeing that they really should be thinking about investing in workers who have those automation related skill sets which can help them drive efficiencies on their team and save them money in the long run even if they have to pay more money for those individuals up front in the form of higher salaries, which is always a trade off, but in general, that we do see there's a strong ROI associated with that and then also being able to build cybersecurity workers who have knowledge of new and emerging technologies, such as cloud or IOT, and the ability to secure those new vectors with where we're seeing many new threats come in and so those are often the fastest growing skills that we see and are projected to grow the fastest in the coming years. They offer the highest salary bumps for individuals and so really being able to pinpoint it and zone in on those, the intersection of those new and emerging technologies and the cyber security space is a powerful place for both individuals and companies to be focusing on.
Leif: Right. Super interesting. Like, and so like, you know, if I'm a student right now, like what skill would you say would be best for me to learn?
Will: I would say it depends on your personal history and where you are today. So I don't think there's one, one size fits all answer for here's the skill you should be learning. I think what you really need to do is first take an inventory of the skills you have.
Will: Understand where am I marketable right now? Who will hire me based upon the skills I have and what are the skills that I can add that will increase my opportunities most.
Will: So, yeah and if you're, for example, a network engineer or a network admin, you already have probably some general information security knowledge, you might have some network security knowledge but if you add some more Cybersecurity specific skills, maybe it's cryptography maybe it's, you know, something like Python, so you can automate some processes or just learning more about some of the you know, key cybersecurity related technologies and tools that are out there such as, you know, the Splunks of the world or other security incident event management tools then you can increase your earning potential by tens of thousands of dollars and so, but that, that could be a different skill mix if you're already in the cybersecurity space, you might know the skills, then you realize, Hey, I could, you know, I'm a cyber security analyst, but pen testers are getting paid, you know, $10,000 more, there more opportunities, maybe I want to learn pen testing. So I think that, you know, there are there's really no one size fits all answer for here's this specific skill you should learn. There are just, your really best skills for an individual given their current circumstances and the skill sets that they already have.
Leif: That makes sense. How about soft skills? I mean, we've been talking a lot about hard skills, but what are kind of the soft skills that you're seeing in the cyber market? In specific that people are developing nowadays.
Will: So it's interesting you ask because I think many people when they think about cybersecurity jobs, or they think about other technology jobs they think of them as very technical roles.
Will: They think of them as roles that are really focused on the hard skills but the reality is we actually see employers are more likely to ask for soft skills, such as communication and critical thinking and collaboration or teamwork in those harder, supposedly harder jobs then in almost any other jobs in the market and one of the main reasons for that is that employers are realizing that digital technologies and things like cybersecurity are of paramount importance across the enterprise and they can't leave those fields siloed in you know, small teams. They really need everybody in their organization to have some baseline knowledge in some of these things and they need those people who are the experts in those fields to be able to effectively communicate and collaborate with others across the organization so that they can ring the most value out of those fields and so I think the soft skills that we see most demanded for cybersecurity workers and other technology workers in general are communication, critical thinking and collaboration. There certainly many others as well, but I think really it's any of those soft skills that allow them to connect and communicate. Their technical expertise with the broader goals in the broader teams across the enterprise.
Leif: Yeah, totally makes sense. Hey, if I want to find out some more information about this, like where do I go?
Will: So one place we can go is something called cyberseek.org. So we have developed this website to help people understand what does the cybersecurity landscape looks like if you're an individual, what are the job opportunities out there and where do they exist and how do you enter into the field? So we've built this tool, it's we built it with an organization called Comp Tia, which produces things like the Security plus certification as well as the National Initiative for Cybersecurity Education, and it's an online portal that allows you to go in and see in your specific state or in your specific region what are the cybersecurity jobs? How many jobs are there? What are the top demanded jobs? What are the certifications that are in demand? And what are some of the competency areas that you need to develop in order to qualify for those jobs? We also then have a career pathway.
Will: That is within that tool that allows you to go in and see what are the jobs across cybersecurity that are most commonly demanded? How do you enter into the field and how do you advance within these different pathways within cybersecurity based upon the skillsets or the credentials or education histories that you need to add in order to make those transitions, so you really get down to the level of what are the specific skills you need in order to qualify for these jobs and how much can you expect to make, if you become a cybersecurity analyst or a pen test or a cybersecurity engineer.
Leif: Yeah, totally. I mean, that's, a lot of our career paths is actually, use a lot of the information that are associated with cyber seek and obviously we use your research report as well for a lot of the analysis that we do. So thank you for that. Thank you for all the work that you do there. It's a big boon to our community so we appreciate it. Any final thoughts?
Will: Yeah. I think that we covered a lot of the most important things, but, you know, I think one thing that I'll add is that, you know, often when we talk about cybersecurity jobs, we talk about them as in terms of, you know, how much money you can make and how many job opportunities there are and how fast they're growing and all of that is hugely valuable, both for individuals who are looking for better career opportunities and for organizations and training providers, who are trying to get people excited about the space but I think we also sometimes lose sight of the fact that beyond just the money and beyond just the magnitude of opportunities there's a great mission behind what you do as a cyber security worker you know, you're actually protecting the most valuable assets that we have right now, which is digital assets. You're protecting people's credit card information, protecting people's money, you're protecting people's identities and so I think that it's, you're hard pressed to find a job that not only pays as well as a job in cybersecurity, not only has as much growth opportunity, but has as much mission and gives you as much opportunity to really feel good about the work that you're doing and so I think that's a compelling point.
Will: That we also need to be articulating to people to get them excited about careers in cybersecurity.
Leif: Yeah, totally. I mean, cyber is the new battlefield, right?
Leif: I mean, like our armed forces are protecting us largely over the internet at this point so, you know, and we appreciate all the work that they do to protect us and hopefully we help train it as well so we know that, so anyway, yeah, this has been fantastic Will, really appreciate you coming in today.
Will: It was my pleasure. Thank you for having me.