BSidesCharm 2024 - CI/CD Talent Development Pipeline

BSides Charm · 21:18 · 37 views · Published 2024-06
About this talk
Using the CI/CD pipeline as an analog, let us apply it to the concept of talent development and pipelining new candidates to integrate into the workforce as we continuously develop others. This concept can be used at both the micro stages of particular companies or the macro stages of workforce development at the state or national level.

Presenter: Chris Foulon

Christophe Foulon, founder and cybersecurity coach at CPF Coaching LLC, brings over 15 years of experience as a vCISO, information security manager, adjunct professor, author, and cybersecurity strategist, and a passion for customer service, process improvement, and information security. He has also spent over ten years leading, coaching, and mentoring people. As a security practitioner, Christophe is focused on helping businesses tackle their cybersecurity risks while minimizing friction, resulting in increased resiliency, and helping to secure people and processes with a solid understanding of the technology involved.

He gives back by producing a podcast, “Breaking into Cybersecurity,” focused on helping people transition into the cybersecurity industry by sharing the stories of those who have done it in the past five years to inspire those looking to do it now. He also co-authored “Develop Your Cybersecurity Career Path: How to Break into Cybersecurity at Any Level” and “Hack the Cybersecurity Interview: A Complete Interview Preparation Guide for Jumpstarting Your Cybersecurity Career”.

Christophe holds a Master of Science in Information Technology, Information Assurance, and Cybersecurity, a graduate certificate in Information Systems, and a bachelor’s degree in Business Administration/Information Systems from Walden University. He also holds several industry certifications, including the CISSP and GSLC.

Transcript [en]

[Music] So my name is Christophe Foulon. Um, I am a founder, I'm a fractional CISO. Also, I like to support not-for-profits like the Whole Cyber Human Initiative that helps transition vets into the cybersecurity industry. So, uh, a little bit more about me is, um, I've been in the cybersecurity industry for over 15 years, and the main thing about it is that I just love giving back. And the idea behind this talk is that we'll create a workforce development pipeline using a CI/CD model. So that's the idea, um, around my talk.

So yeah, we're going to take a couple different approaches. We're going to look at the value of a CI/CD pipeline, especially within the workforce development approach. We're going to talk about assessing the different threat, um, talent landscapes, building a tailored program, and how we can continuously develop our workforce.

So those of you within the software development in the stream might know what a CI/CD pipeline is, but if there's anyone not familiar with it, it's a way of continuously integrating and continuously developing the code within the software pipeline. In this case, I want to treat the workforce as that pipeline and look at ways that we can continuously integrate and continuously develop new talent, different talent from various sectors, and the value that that brings to the workforce development effort.

So from a strategic perspective, the diversity that you can pull in from bringing segments of the workforce like the military, private sector, public sector allows us to tackle very diverse problem sets. So for example, if you're looking at AI, having someone with a data science background really helps bring that value to your team, but you wouldn't have gotten that if you didn't expand your horizons to someone outside of the cybersecurity niche.

So the idea around this is that as we look at the pipeline, we have on one end the consumers of the talent, that's at the top; we have our cyber workforce in the middle; and then we have our value addition down at the bottom with the different types of universities. So the idea here is that we would identify different gaps within our current workforce, work with the universities to better tailor the training and development that we're getting from them, as well as private education, um, development corporations, so that we can continuously develop our workforce.

One of the problems that we're facing today is that, for example, students coming out of university are lacking experience or lacking practical knowledge within the cybersecurity industry when they come out with their degrees. So if we could work with the consuming industries to better tailor the program, we can craft better outcomes for everyone involved.

So to do that, we need to start with better understanding the spectrum of the backgrounds of our workforce development teams, the skills that they bring to the industry, and how we can take advantage of creating customized pathways that we can help develop the workforce with. So one of those ways is to cultivate better knowledge sharing within the industries. So one way to do that is, it's not going to be a one-size-fits-all approach. It's going to be working with each sector, government, private sector, public sector, kind of crafting the programs that they need, working with them to create, um, transitional work opportunities for students rather than the current internship programs that we have right now that really are either marginalizing the students or underpaying them during that internship so that they can fight for the number of jobs that are out there, but treat them as a continuous module that comes into the workforce and potentially goes out of their workforce while building up that experience.

So part of that is working with the organization to provide that platform for continuous training, creating levels within their employments. So rather than just having a junior and, say, a senior developer, we can work to create junior, mid, seniors, but have specific educational targets for them, specific experiential targets for them, so that as they grow they have levels that they can go in and out of different roles within an organization. Within the government, the government does a really good job at this right now, but unfortunately, due to things like economic constraints with regards to income and, um, location, they struggle behind the private sector at retaining the talent. So if we could work with private industry to create this inflow and outflow of different levels of candidates with different, um, skill sets, we can create this CI/CD effect within the overall cyber, uh, workforce pool.

So some of the ways that this can be built is by promoting this continuous learning mindset within each of the companies, each of the departments, and not keeping all of that information within them but providing that both publicly so that it could be consumed and so that we can learn from the evolutions of different companies. So for example, learning at scale at a larger enterprise like a Meta or an AWS or a Capital One will provide candidates with a different level of experience, whether it be help desk, infrastructure, security, and they could take the learnings that they're providing and provide that to smaller companies so that they could take advantage of that, grow their workforce at the smaller company size, and provide better opportunities overall. So your SMBs now can take advantage of this knowledge set and upskill their workforce at a lower cost rate. And on the flip end, once they've grown out of the smaller company rate, they can go to government or military, provide that experience from that level, and continuously build up the workforce in that level.

So the idea here is to provide emerging talent with the technology and with the opportunities to learn. So with the emergence of cloud and artificial intelligence, machine learning, different types of technologies, you can now provide the workforce with simulated environments where they can learn, grow, and mature at a fraction of the cost than it did before. Before, you had to invest in an entire tech stack for a developer to be able to code in a certain language. Now you can provide them with a simulated work environment within a cloud infrastructure at a smaller cost, provide them with tailored environments for, say, learning how to tackle a certain vulnerability that was learned at a larger enterprise or at a government research facility, provide that to the larger private sector or the larger, um, state or local government so that they can upskill their employees at the fraction of the cost, providing knowledge sharing without necessarily providing that intellectual property to, say, threat actors. Because you have potentially more control over your environment, you can allow them to have that simulated growth that was gained at the enterprise or at those research facilities, and now your small, medium-sized companies can take advantage of that.

Additionally, using the CI/CD approach, you embrace diversity, you embrace innovation that comes from people from different parts of the country that look at problem sets differently, that have different cultures, that might approach attacking a problem in a different way, and you can integrate them within your team. That, paired with your simulated learning, now they can go, "Oh well, have you ever thought about doing it this way or that way?" You can enhance your team dynamics by really looking at where your gaps are, saying, "Okay, from a team perspective we need these different skill sets, and we can integrate these different skill sets from different parts of our organization or from different parts of our economy," pull them together, and have a dynamic team that can better tackle a certain problem.

If you look at this graph, you can see the intersection of these different approaches really leads to resilience, because from a certain perspective, if everyone has the same approach, the same mindset, you become blind to the evolving problem because it's not looked at from a different perspective. So in order to adjust to the changing threat landscape, by integrating new ways of thoughts from, say, kids that never grew up knowing what a potline is or a rotary telephone is and grew up learning how Alexa works and how to prompt engineer at age seven, integrating them into your workforce, they come in with a different mindset and a different skill set that your older, evolving teams won't have. So by taking advantage of all the different dynamics from your workforce and integrating them into your team, you now have a more overall resilient team.

That, paired with your continuous learning, now you can look at your problem and say, "Okay, based on working with this set in the government, we need to adjust our educational model to integrate this type of learning at the grade level so that by the time they get to college this is not something that's new to them and they have to learn and grow out of their old habits into their new habits." Additionally, you look at your future workforce, and even before school you start to say, "Okay, these kids are growing up with tablets and know how to navigate a GUI. They're not as likely to become engineers on code unless you provide them with that opportunity to do so." So providing them with that opportunity at a younger level, they start to see the problem in a different way.

So overall, I'm proposing that we create requirements for different roles, truly identifying the skills gap through analysis, defining how we can internally promote our stakeholders from one level to another, even if it's within the same job family, so that you can retain them. Because without that growth your workforce is going to leave, and if you don't have that continuous learning and development model for them, you're going to lose out from that. That goes for the government and any enterprise.

Additionally, by providing those educational requirements and sharing them within our economy, within our different levels of government, within our small, medium-sized companies, we can create pathways that you can grow people from small mom-and-pop shops up to enterprises with that model, and you can take groups of talent sets and be able to deploy them where you need to. You can also forecast your needs by truly understanding what sorts of skills you're going to need when. Like, who knew two years ago that prompt engineering was going to be a job family that we needed? Today it is. We need to be able to think now with a question mindset to really ensure that this AI chatbot that we're going to put on our web page, or that we're going to have our marketing department use, isn't going to bleed our intellectual property all across the web.

So don't just chase the newest vendors, the newest shiny object out there. Instead, look at what you have, how you can align their skills and potentially redeploy them within your organization. Look at this CI/CD pipeline model within your organization, within your local economy, even within your national economy.

Last, this is just a mention of a not-for-profit that I support. It's fully funded on open source education that we find. We help veterans and others that are looking to transition into the cyber family and provide them with that educational workforce road map that they can use at their own pace to join our cyber family. And with that, I want to thank you for sitting here at 5:00 p.m. and listening to me, and if you have any questions, I'm happy to answer any questions. Okay, yes? Yes.

So the idea behind that is that with a gap assessment of your skills here, you can look at how you need that workforce within your organization and truly identify the skills and competencies needed at each level, and then you can take that and scale that across organizations of different sizes. So a Meta might be able to do that assessment and create an entry-level job path, whereas a smaller SMB might not be able to have that. And then if you could do that knowledge sharing within our local workforce or our national workforce, then we can scale that at size.

The NIST NICE Workforce Development framework does that for the government, but it's not as modular when it comes to the private sector, because many of the private sector job roles require a mixture of those different job categories in order to function. Once you get to the private sector, they never really do this analysis on how to develop their workforce. So part of the CI/CD model is that you create that skills assessment on the private side as well, to create your continuous development and educational path from, say, entry level to senior, but within each job category, so that you understand the skills and competencies, not just a job description that you're going to copy and paste from someone else.

Any other questions? Well, thank you for joining me, and I appreciate your attention.