NIST’s Collaborative Approach to Growing and Sustaining the Nation’s Cybersecurity Workforce

Thank you, Randy, for that introduction. Welcome to each of you to this 10th Conference of the National Initiative for Cybersecurity Education! This is an exciting time for educators, and for new models of cybersecurity education in our increasing connected society.

I’d like to thank Florida International University and New America for your hard work organizing this conference through a cooperative agreement with NIST. And I’d like to thank Arizona State University for serving as our conference host, here in beautiful Phoenix.

You know, they say that the economy of Phoenix has historically been defined by the five C’s: cotton, cattle, citrus, climate and copper. I think we can safely and rightly add another C to that list: cybersecurity! It is wonderful to be back in Phoenix! 

NIST highly values our many partnerships with academia and industry. We also appreciate the participation of the National Governors Association and the Arizona State Chief Information Security Officer in this year’s NICE Conference.

Although NIST and the National Initiative for Cybersecurity Education naturally have close working relationships with other federal agencies, we recognize the essential role that the states and local leaders play. State and local leadership, of course, influences education policy, economic and workforce development programs, and private sector investments, and addresses needs within local communities.

Maggie, thank you for being with us at the NICE Conference this year and for the way that the NGA has embraced the messages of NICE. Thank you for helping us promote the NICE Cybersecurity Workforce Framework, which we believe will be important to the ongoing success of our governors and state and local leaders.

NIST is very proud to be the home of the National Initiative for Cybersecurity Education, and I am pleased to help celebrate a decade of NICE Conferences.

I am sure that there are many interesting insights about this work among the many companies, institutions of higher education, schools, nonprofit organizations and communities represented here. I hope you will spend this week sharing your stories and best practices.

In recent years, there has been growing recognition that the work you are doing this week and throughout the year is vital to our national security and economic prosperity. 

As the topic of cybersecurity education, training and workforce development has become more and more important, it has become increasingly prominent at the highest levels of industry and government. Cybersecurity and risk management are topics regularly being addressed in boardrooms, and in government cabinet meetings.

As we have heard, over 500,000 jobs in cybersecurity fields are currently unfilled. This is a tremendous opportunity area for America’s workforce. Small business is a key job creator in America, and yet, if small business is hit by a cyberattack, probability of failure of that enterprise is high. These attacks directly affect the livelihoods of our workers and their families.  

As director of NIST, I have been privileged to visit with other countries and to see the impact the NIST cybersecurity framework is having in Japan and other parts of Asia, and in Israel, Europe and South America. Cybersecurity is a global challenge, and we need to stand together with partner nations to address these threats. In Israel, we see students who are learning at the front lines of Israel’s cyberdefenses, and who, through practical “learning by doing,” are developing into professionals and the leaders of tomorrow. 

I’d like to share several examples of what has been happening in the federal government to support and encourage the vital work that you do.

In May 2017, President Trump issued an executive order to “Strengthen the Cybersecurity of Federal Networks and Critical Infrastructure.” The order required that federal agencies use the NIST Cybersecurity Framework to manage their cybersecurity risks. 

It also made it the policy of the United States government to foster the growth and continuing support of a skilled cybersecurity workforce as the foundation for achieving national objectives in cyberspace.

The Department of Commerce, through NIST and the NICE program, along with the Department of Homeland Security, were directed to “assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future.” That assessment led to a November 2017 report to the president with findings and recommendations for both the public and private sectors. It included four imperatives. 

The first imperative is “to launch a national Call to Action to draw attention to and mobilize public- and private-sector resources to address cybersecurity workforce needs.”

Well, many have already heeded the call. We are pleased to have representatives here from the Aspen Cybersecurity Group, who followed up on our report to the president with one of their own. It’s titled “Principles to Grow and Sustain the Nation’s Cybersecurity Workforce.”

And just a few days ago, the group announced that major employers are committing to building a stronger cybersecurity workforce pipeline. Fifteen companies, including some in attendance at this conference such as Apple, IBM, Google, Northrop Grumman, Verizon, and more, have committed to the following concrete actions:  

• To widen candidate pipelines by expanding recruitment focus beyond applicants with four-year degrees, and by ensuring that job descriptions are equally effective in recruiting both men and women; 
• To rewrite job postings to be engaging and to focus on the core requirements; in other words, don’t “over-spec” them; and 
• To make career paths understandable and accessible to current employees and job seekers, referencing models like the NICE Cybersecurity Workforce Framework.

This is exactly the type of leadership and collaboration that we need between the public and private sectors to directly address the nation’s cybersecurity workforce needs, beginning with the cybersecurity workforce at each company.

The second imperative outlined in our 2017 report is “to transform, elevate, and sustain the cybersecurity learning environment to grow a dynamic and diverse cybersecurity workforce.”  

We are seeing evidence of this type of activity right here this week. Just yesterday, ASU led a sold-out seminar on “Implementing New Approaches to Online Learning and Innovative Instructional Design.”  

Tomorrow, the National Security Agency and the Department of Homeland Security will designate a record number 60 additional institutions of higher education as Centers of Academic Excellence in cybersecurity. This will bring the total number of CAEs to 312 in 48 states, Washington, D.C., and Puerto Rico.

NIST is also pleased to support the CAE Symposium that will follow this conference on Thursday and Friday to promote use of the NICE Framework by academia. 

And next month in California, NICE will celebrate the 5th anniversary of the NICE K12 Cybersecurity Education Conference. It will convene educators from across the nation to explore how to “Harness the Talent of Today to Build the Cybersecurity Workforce of the Future,” and highlight uses of the NICE Framework.

The NICE Strategic Plan goal to “nurture a diverse learning community” continues to be advanced through the relationships and collaborations we are building at K-through-12 schools, colleges and universities, training providers, and certification bodies. Through meetings such as these, and the efforts of both the public and private sector, we can increase the participation of women, people of color, and other underrepresented groups. 

A skilled cybersecurity workforce requires diversity of thought and experiences, so we need to embrace inclusion as a strategy that will help us to improve our cybersecurity defenses. We all know that in the dynamic field of cybersecurity, students are not just being prepared for a single career, but for a journey of multiple careers.

The third imperative is “to align education and training with employers’ cybersecurity workforce needs, improve coordination, and prepare individuals for lifelong careers.”

The U.S. Departments of Commerce and Labor are two of the principal federal agencies committed to supporting the needs of private sector employers. This is why the NICE Cybersecurity Workforce Framework has identified tasks actually performed in the workplace so that training providers can help learners acquire the knowledge, skills and abilities they’ll need. 

But if you are an academic institution, you are not just preparing students for that first job. Rather, you are preparing them for a productive lifelong career. In a field like cybersecurity — that requires the ability to continuously discover, innovate and learn.

The final imperative is “to establish and use measures that demonstrate the effectiveness and impact of cybersecurity workforce investments.”  

This imperative shouldn’t surprise members of the NICE community, as your strategic plan embraces data collection and metrics of success. In leadership, for results, “you get what you measure.”

Many of you are familiar with the CyberSeek website that NIST funds. This website provides excellent data regarding the status of cybersecurity workforce demand. We are pleased to have been able to extend funding for CyberSeek, and I understand they will be providing new data here this week. 

Next, we need to better understand the supply of skilled cybersecurity workers being produced. And as stewards of citizens’ tax dollars, federal agencies need data that can demonstrate that our investments are making an impact.

We look forward to learning more about both the quantity and quality of the graduates being produced by the institutions of higher education that are designated Centers of Academic Excellence in cybersecurity. And we believe that the CyberSeek resource can help to further illuminate our understanding of the future supply of cybersecurity workers.

In May 2019, the president issued an executive order on Strengthening America’s Cybersecurity Workforce that draws from fact-finding and research conducted by NICE and its partners in response to the 2017 executive order. I was pleased to participate, along with Chris Krebs from DHS, in the White House announcement that recognized the country’s cybersecurity workforce as a strategic asset.

The recent executive order recognized the mobility of the American cybersecurity workforce and the need to make it easier for cybersecurity practitioners to move both within sectors as well as between the public and private sectors. 

Our belief that a mobile workforce is the new normal is why we are pleased to promote efforts like the Cybersecurity Talent Initiative led by Mastercard, Microsoft and Workday. The program provides student loan repayment for those who agree to work for the federal government for two years and then transition to one of the private sector employers supporting the initiative. 

While many of the details behind the actions contained within the 2019 cybersecurity workforce executive order are still being worked out, I wanted to highlight several of the ways it will help us “Reimagine the Future of the Cybersecurity Workforce.”

In October, the U.S. Department of Education began accepting nominations for the Presidential Cybersecurity Education Award. Each year, the award will go to two educators — one elementary and one secondary — who instill skills, knowledge and passion for cybersecurity and related subjects in their students. 

The U.S. Department of Homeland Security is establishing a cybersecurity rotational assignment program that will serve as a mechanism for knowledge transfer and a development program for cybersecurity practitioners. This program will encourage mobility within the public sector and make it easier for employees to obtain diverse workplace experiences. Employers will also benefit from an ongoing cadre of new workers who will bring in new experiences and ideas.

The General Services Administration is working with NICE to incorporate the NICE Framework lexicon and taxonomy into workforce knowledge and skill requirements used in contracts for information technology and cybersecurity services.

Requiring that federal contractors use the NICE Framework to ensure alignment between the task order requirements of federal agencies with the personnel that contractors supply will ensure that we are standardizing our approaches to workforce development with the purchase of services.

Finally, agencies, including Commerce, are encouraging the voluntary integration of the NICE Framework into existing education, training and workforce development efforts undertaken by state, territorial, local, tribal, academic, nonprofit and private-sector entities. Commerce provides annual updates to the president regarding effective uses of the framework by these nonfederal entities and makes recommendations for improving its use.

The topic of workforce development and job creation more generally has been a priority for this administration. That’s why the president established the National Council for the American Worker, a federal interagency body designed to increase job training opportunities for students and workers. 

The council, which is co-chaired by the secretary of commerce, is working toward the development of a National Workforce Strategy to be announced next year. That strategy will include recommendations on how the federal government can work with public and private employers, educational institutions, nonprofit organizations and others to create and promote workforce development strategies. 

The goal is to provide evidence-based, affordable education and skills-based training for youth and adults to prepare them for the jobs of today and tomorrow. 

Of course, it’s not just IT or cybersecurity workers who need to understand cybersecurity and information technology. What we really need is a workforce skilled in cybersecurity, and that includes our lawyers, acquisition specialists, law enforcement and policy experts. 

The jobs of tomorrow look very different from those of the past. But this means there are many opportunities for people with different experiences and interests to participate.

The president also established the American Workforce Policy Advisory Board, which recommends a campaign to raise awareness for and promote multiple pathways to well-paying jobs for all Americans.

Too often, educators, parents, policymakers and workers themselves have assumed that a traditional university degree is the best or only path to a fulfilling career. We need to offer more options for skill development and for reaching those high-wage, high-skill jobs such as those in cybersecurity.

There have been many other presidential actions over the past three years, including the 2017 Presidential Executive Order “Expanding Apprenticeships in America” and the corresponding recommendations of the Task Force on Apprenticeship Expansion developed in 2018.

If you are interested in exploring or understanding how apprenticeships are being used for cybersecurity work roles, I encourage you to join the NICE Working Group — Subgroup on Cybersecurity Apprenticeships.

As you can see, there is a great deal of activity in the cybersecurity workforce and education arenas these days. You have a lot to be proud of as you celebrate 20 years of the Centers of Academic Excellence program and 10 years of NICE Conferences, which have contributed significantly to moving the field forward. We have been pleased to see the interests of Congress demonstrated through sponsorship of the HACKED Act of 2019, toward securing the future cyber workforce of this country.

And as this conference theme suggests, the landscape is changing. 

Nowhere is that more obvious than a place like NIST, where we are actively studying and discovering challenges and solutions to emerging technologies, such as advanced communications and the internet of things, artificial intelligence and machine learning, quantum computing, structural biology, space commerce and more. 

So, let’s look back with pride but also look forward with excitement and enthusiasm. Let’s reimagine how the cybersecurity students of today become the defenders of our nation’s economic growth and opportunity in the future. 

Let’s recommit ourselves to ensuring that our best and brightest, regardless of their background, gender, or any other demographic category, see cybersecurity as an exciting and impactful career.

Let’s work together to create the next decade of NICE’s history and enable the cybersecurity workforce that America needs. 

Our nation is counting on us. Let’s get to work!