In a world of SAST, DAST, secrets scanning, SBOM, and an ever-growing list of tooling and technologies, the most impactful tool in any organization’s arsenal is the workforce. The workforce is what wields the technologies used as part of digital transformation. The workforce is what ultimately determines the impact of any modernization and innovation efforts. Cyber Workforce Development is a topic getting attention at the highest levels of government. Just this month, the White House and National Cyber Director hosted their National Cyber Workforce and Education Summit. The event focused on building our Nation’s cyber workforce, improving skills-based pathways to cyber jobs, educating Americans so that they have the skills they need to thrive in our increasingly digital society, and improving Diversity, Equity, Inclusion, and Accessibility (DEIA) in the cyber field.
In this article, we will discuss some examples of keeping workforce development front and center in an organization’s attempt to adopt DevSecOps and drive effective security and digital modernization.
Training and Professional Development
Organizations are full steam ahead on adopting technologies such as cloud, Kubernetes, Containers, and more. However, as part of that adoption, the workforce must be equipped with the requisite knowledge, skills, and abilities to make these technologies effective. While traditional degree programs have long been a mainstay in the workforce development arena, with many organizations offering tuition assistance or reimbursement programs (often in exchange for agreements to stay with the organization for some time), organizations are now increasingly turning to alternative forms of learning and development.
One area that has really taken off is the use of digital learning platforms. Companies such as PluralSight, ACloudGuru, LinuxAcademy, and Udemy have become wildly successful and popular within the digital workforce. Organizations are purchasing subscriptions for teams, or even entire companies, to get access to these providers’ vast catalogs of courses and training. As an example of their success and rapid market adoption, ACloudGuru earned over $100M in their first five years of business, which led to their acquisition by PluralSight.
Communities of Practice and Ask Me Anything (AMA)
Organizations are also rallying around the concept of “Communities of Practice” (CoP). A CoP is typically defined as “a group of people who share a concern or a passion for something they do and learn how to do it better as they interact regularly.” This is taking place within organizations but also across entire industries.
One of the most notable examples is the Department of Defense (DoD)’s DevSecOps Community of Practice (DSoP). This group has been meeting for nearly two years at this point and includes stakeholders from across the entire DoD. Its meeting topics have included API security, system authorizations, and Software Bill of Materials (SBOM), to name a few. All of its meetings are recorded and available on its website. These recorded meetings are an awesome learning resource and an example of a community rallying together to foster widespread learning and development.
Another excellent example of not just learning and collaboration, but also transparency, is the Centers for Medicare &amp; Medicaid Services (CMS)’s “CISO Forum Ask Me Anything.” During these sessions, the CMS CISO, Robert Wood, often along with his deputy, makes himself available to the CMS community to answer questions, hear concerns, and raise awareness around critical cybersecurity initiatives and activities within the agency. The talks also touch on career growth, industry trends, and relevant technologies.
In an organization of several thousand federal employees and tens of thousands of contractor support staff, with over 10 regional offices and a robust distributed workforce, this level of transparency and openness is incredibly refreshing. It isn’t common for a C-suite cybersecurity leader to be available for uncanned questions, critiques, and inquiries in an open forum at an organization of this size on a regular basis. For this reason, Robert Wood is a security leader I really respect, and I know many others in the ecosystem feel the same.
Security is often seen as an obscure or secretive activity, and transparency at this level breaks that misperception, which aligns with the broader push in DevSecOps to break down silos.