• United States



Building our cyber workforce (part 2 of 2)

Nov 20, 20146 mins
CareersIT Jobs

In part 2 of this look at growing our cyber workforce, we'll address the IT Security staff, executive leadership, suppliers, customers and also consider how we might engage the wider community.

In part 1, we talked about some practical things we can do to grow our cyber workforce by expanding the competencies of general employee community, high risk staff, supervisors, and system administrators. In part 2, let’s look at our IT Security staff, executive leadership, suppliers, customers and how we might engage the wider community.

IT Security

Clearly, your IT Security staff require the highest level of competency in your enterprise. You will want to set aside at least two weeks of training for your staff to grow and maintain their cybersecurity skills. A couple of the formal training resources are SANS and the InfoSec Institute. In addition, there are great seminars and training events associated with conferences like RSA and Blackhat.

However, there are other important ways to grow your staff.

  • Establish a rotation program within your teams for both the supervisors and the employees. It is very easy in this business to become pigeon holed into being “a network guy” or “a malware guy”. It is important to have exposure across the many aspects of IT Security, from policy to identity management to threat intelligence to incident response. Each skill builds on and enhances the others.
  • Consider holding friendly competitions amongst your staff, or encourage them to become engaged in external competitions.
  • Have your key vendors provide training on their tools; many will be willing to do this for free.
  • Connect with your local colleges and universities; cybersecurity programs are becoming more and more common. You may be able to establish discounts for your employees. In addition, your staff may wish to become instructors themselves, and this is a great way to connect with the wider community and to enhance your own skills.
  • Encourage your staff to join InfraGard, a partnership between the FBI and the private sector.

Executive Leadership

Your company executive leadership are in the best position to influence the culture of your company. Without their clear support and understanding, it will be very difficult to grow the cybersecurity competency of the company. They should be provided with at least quarterly briefings on cybersecurity activity within the company, in your specific industry or sector, and in the broad public. When there are high profile events in the press, be sure to summarize the event and its impact and communicate with your leadership in a timely manner. They should also be included in the High Risk Persons group and provided with those briefings. On an annual basis, your executive leadership should be briefed on the major cybersecurity risk areas that threaten the company operations and strategy. This should drive a dialog around targeted investments and policy adjustments to pull those risks back into tolerance.

Most importantly, recruit the leadership to become advocates for good cybersecurity practices and encourage them to speak to their organizations on the topic.


In any modern enterprise, your supply chain is a critical element in the information flow that drives your operations. At a minimum, your suppliers should be aware of their obligations with regard to your information and the services they operate for you. They should be providing you with an annual attestation of their compliance with your applicable policies and guidelines (they will obviously need this in a checklist format), and should be providing you with timely reports on events and the disposition of those events. The language driving this should be part of the contract enlisting their services. If a supplier tells you that you are the only one asking for this, or that they cannot provide you with this information, then do not do business with them. The Internet Security Alliance published a couple of excellent documents on “Contracting for Information Security in Commercial Transactions” in 2005 and 2007. They are still excellent and relevant today.

Invite your key suppliers to some of your cybersecurity awareness events. Share some of your relevant training material with them and solicit feedback. Ask them what they are doing to drive cybersecurity awareness and how they are elevating the competency of their employees. Invite them to speak to your employees on their best practices and experiences.


Depending on your business, you may want to connect with your customers on matters of cybersecurity. This is particularly true if they are providing you with sensitive information or if they are logging into on-line resources you are providing them. At a minimum, be prepared ahead of time to communicate with them on any cyber events that your organization may suffer that affects your customers’ information. Don’t wait until the event occurs to start putting a communication package together. In addition to crisis communications, however, consider offering guidance on how they might protect any user accounts and the information moving between your companies.

[Note: At some time, your customers or your suppliers may suffer a cyber compromise that affects your operations; for example, you may start receiving spam from them, or you may receive trojanized documents from their email accounts. Be prepared to help them with understanding what you are seeing. A company is often judged with how they respond to sensitive problems like these more than they are when things are running smoothly.]

Community Engagement, including Universities and High Schools

Building a cyber workforce necessarily means engaging with your community. But, this should not be limited to job fairs. We must foster cybersecurity as a profession if we are to fill all the positions that we will need. Become engaged with your local colleges, universities and schools. Let them know what kinds of jobs you are seeking to fill, and what this type of profession entails. Get involved with the National Cyber Security Alliance. They have resources to help you with your own business, and you can encourage your staff to support them through teaching in their communities. Look into the National Initiative for Cybersecurity Education, check out their conferences and workshops, and make sure that your local communities are engaged.

Take Away

Building a cyber workforce and filling the talent pipeline involves more than just our IT department. We need to connect with our entire enterprise and wider community to develop interest and competency in cybersecurity as a profession. By involving the many other disciplines in our companies and communities, we will foster new talent and find innovative ways to combat cyber threats and make our businesses more resilient.

Michael K. Daly is CTO, Cybersecurity and Special Missions of Raytheon Intelligence, Information and Services. Raytheon Intelligence, Information and Services provides cyber security products and services and offers a full range of training, space, logistics, and engineering solutions for government and civilian customers.

Daly is a Principle Engineering Fellow and provides leadership in Raytheon’s cyber technologies, develops cyber solutions for domestic and international government and commercial customers, delivers quick-reaction mission solutions, and provides support to high consequence special missions. He supports the National Security Telecommunications Advisory Committee to the President of the United States. For 13 years prior to his current role, Daly served as the corporate director of Information Technology Enterprise Security Services. With more than 27 years in security and information systems, Daly has worked with both the private sector and the federal government with responsibilities including software engineering for law enforcement, and manager of enterprise applications and distributed computing.

Daly has also served as vice president of advanced networking for a consulting company and launched a not-for-profit organization that was commended by the Massachusetts House of Representatives.

Daly has served on the Governance Board of the Transglobal Secure Collaboration Program, and the Board of Advisors for Exostar. He was the 2006 recipient of the People’s Choice Award for the ISE New England Information Security Executive of the Year and the 2007 recipient of the Security 7 Award for the Manufacturing sector.

Daly holds a world record for highest altitude luge run and is credited with a first ascent of a mountain in the Wrangell-St. Elias Range.

He earned his bachelor’s degree in mechanical engineering from Boston University, is a certified information systems security professional and a Raytheon Six Sigma Specialist.

The opinions expressed in this blog are those of Michael K. Daly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies. Neither are his opinions necessarily those of Raytheon Company.