“In your testimony you mentioned public-private partnerships as potential incentives to push individuals, educators, employers and other stakeholders to help strengthen the cybersecurity talent pipeline. Many states have experimented with programs to improve these outcomes as well. Are there any potential programs that have proven to be significantly effective at recruiting and retaining cyber workforce, and what programs at the state level could serve as a bellwether for future programs?”

“This [example] is actually not a state program; it is actually something DHS has done as well, is to pilot some talent sharing programs with private employers, and I think that can be potentially an effective way to solve the chicken and egg problem of how do you build more experienced workers when employers primarily only want to hire somebody who already has experience. So if CISA can help to reduce some of the friction for training the entry-level workers and giving them on-the-job opportunities either in DHS or in the private sector, then that can both help to solve that chicken and egg problem of how do you bring fresh blood into the industry and how do you make employers more incentivized to hire entry level workers, but it also helps to facilitate sharing of skills and cross pollination between both the public and private sector.”

“In our first hearing of this Subcommittee, we heard from someone from the Bank Policy Institute that cyber professionals in their fields are spending 40 percent or more of their time on compliance. […] Right now, we’re seeing the National Cyber Strategy coming out of the White House has focused a lot on regulation. The Energy and Commerce Committee just recently passed a bill out of Committee adding a new regulation on reporting. How can Congress help reduce this additional burden on a workforce that is already stretched so thin?”

“I do think that there’s an opportunity for Congress to actually partner with the regulatory environment to really appreciate what is really important here. […] So what often happens is the regulatory environment kind of works in its own little world and then you’ve got policymakers working in a different world. In this case, there needs to be a lot more synergy so that if there are going to be more regulations coming, that those regulations actually can be fulfilled. Because if there’s no one to meet the regulation then what is that going to solve? The other challenge is that, because of the environment in cyber, we really need to make sure that we’re not building a checklist environment, where it’s just a checklist for compliance, because then you’re missing the point; you’re actually not protecting the world.”

 

“I represent Florida’s 15th Congressional district, and it is home to the University of South Florida (USF), which has been working hard to ensure that we have the cyber talent [and] that we’re developing young people to come in and work in these industries. The Florida Center for Cybersecurity at USF serves as a resource for us to enhance our cybersecurity education, facilitate research, [and] conduct outreach initiatives in the community. […]  They’re both designed to expand the talent pipeline so that we can meet the roughly 34,000 cybersecurity job vacancies that we have in Florida right now. So, i’ve been so interested to hear the innovative ways that each of you are describing developing that workforce above and beyond the four-year college degree. […] Would you talk about the value and utility of specialized certifications and training? 

“When it comes to certifications, I think that they are most effective when they are an effective proxy for proficiency in the skills that employers most value. So we see that the certifications that really communicate that to employers are the ones that are aligned with the both foundational skills that are most needed within the field, but also some of the high growth, high value skills that employers value the most as well, or they at least communicate to employers that this worker has built the foundational knowledge to rapidly learn those new skills. We also see that there are different roles that certifications can play at different levels of somebody’s career. So, there are some entry-level certifications, such as Security+ and a number of others, that are very effective at helping to open the door for many workers to enter into cybersecurity. But we also see that there are many more advanced-level certifications, such as CISSP, that are very good at communicating to employers that somebody is an expert in the field. Now, the challenge that we also see is we need to educate employers to be responsible recruiters of these certifications.”

“Is there anything more that you perceive that we as Congress could be doing to help either foster the development of this talent pool or help get qualified people into the right placements?”

“One of the most important things that Congress or the federal government generally could do is to really help to educate employers through clear standards around skills-based hiring and around the types of practices, the hiring best practices, that they should be taking. I know we’ve talked a lot about what the supply-side educators can do. I think that there are many fantastic initiatives already underway on that side that can be built upon. But I also think that less has been done to educate employers on how to be responsible recruiters and how to take a skills-based approach to growing your cyber talent pipeline and to give them the tools that they need and the standards that they need to know how to do that within the organizations.”

“We have a diverse workforce in Mississippi, we have some of the largest industry out there. […] We have to look across the nation—our workforce is retiring. In the state of Mississippi, you can work 25 years as a police officer, a teacher, or somebody that works for the state and who is still very capable of entering this workforce and would be an asset. […] So, I would really like to see that focus to target some of these people who are retiring from state jobs who are still in their 40s and can give you 20 years of work, who are educated in the world of getting up and going to work every day. […] I really think that we could come together on this, everybody could, to get this done.”

“We talked about our commitment to creating an early talent pipeline but we also, with our government security and secrecy team, it’s very clear that we need seasoned professionals, especially in the national security space. As my opening statement mentioned, we have folks who have been in that sector for 30 years that we attract at SAP and find value in, and I think part of this is making sure that they stay connected to the missions that they previously were in. But there is the challenge of making sure that when we onboard folks that we also make sure that they continue to develop and grow within our ecosystem and that’s something we’re committed to at SAP.”