Filling the gaps in DC’s cyber community

Day by day, the D.C. region is becoming more and more driven by knowledge workers. However, there’s one problem: actually finding talent to fill holes in the cyber industry, from cybersecurity to big data analytics. Thankfully, a handful of people are working hard to find these holes in the industry and devise solutions to draw in more talent. To discuss these issues, we’re joined by Dr. Erran Carmel, professor at the Kogod School of Business at American University; Jennifer Thornton, director of workforce initiatives at the Greater Washington Partnership; and Rob Terry, senior writer at the Washington Business Journal.

ABERMAN: Jennifer, I’ll turn to you first. The Greater Washington Partnership has been in existence now a year and a half or so. It’s really focusing on making this region sing economically. Why is talent the first big initiative that the Greater Washington Partnership approached? Why is it so important to us?

THORNTON: So, the Greater Washington Partnership chose to focus on a very narrow set of issues, where they thought we could make a difference by taking more of a regional perspective. So, with that, transportation and skills and talent rose to the top of the employers entrepreneurs that form the Greater Washington Partnership. I would say, right now, we’re seeing some areas, such as cyber, where they’re critically important to the economy, yet skills and talent are really a limiting factor as to why we can’t grow, and do all the work that we’d like to be doing this region.

Subscribe to the What’s Working in Washington podcast on iTunes.

ABERMAN: I recall talking, it may have been with some of your colleagues at the Greater Washington Partnership, that the potentiality gap, the lack of talent in this region, is holding our economic growth down significantly.

THORNTON: Right. For example, we released a report back in December, talking about the importance of digital technology fields and cybersecurity to the region. The economic impact of cyber is more than 14 billion dollars a year, which is nearly two percent of our GDP. The report also talks about the unique role that cyber also plays to develop adjacent high-tech growth fields, such as AI and data analytics. When you look at cyber jobs in this region, and the number of openings that go unfilled, we really have a disconnect.

So, for example, taking a very, very narrow definition of cyber, in 2017, we had 18,000 openings, or 17 percent of the national openings, located here, just in this region, spanning from Baltimore to Richmond. And if you take a broader definition, we had 52,000 openings in this region, which is also at 18 percent. So, it’s a significant number of openings, and a significant share of jobs, and we have a significant mismatch in terms of being able to fill those jobs.

ABERMAN: We’ll come back to that, because I think the mismatch is a big theme. Rob Terry, I’m going to turn to you. You’ve been looking at this region both as a writer and with your experience in a large integrator here in town. What’s your perspective on the town situation here?

TERRY: A couple thoughts there. To Jennifer’s point, companies are crying out for talent, there’s no question about that. At the same time, I spoke to a Silicon Valley venture capitalist a couple of weeks ago, who had invested in a Herndon firm, a 21 million dollar series B round. He spoke very highly of the talent pool here. One of the things he pointed out was that it’s not as competitive, say, as it is in Silicon Valley, which is why he likes to invest in companies here. But then, you get to the issue of this old “is the talent pool too risk-averse to cast its lot with a cybersecurity firm, or they do they prefer to stay in a comfortable government job?” That’s something that these companies have to deal with.

ABERMAN: So, your understanding, when you talk with people who are investing in companies, is that there may not just be a talent gap with respect people who want to do the work, but their perception is that there aren’t enough people who want to take the risk of starting a business?

TERRY: That’s correct.

ABERMAN: That’s interesting! Erran, I want to bring you into the conversation. I know that you’ve been working on this with the team over at Kogod. What’s your view of the entrepreneurial community, and the talent involved in cybersecurity and high-tech here?

CARMEL: Jonathan, let me frame this a little bit for our discussion. So, like Jennifer at the Greater Washington Partnership, when we looked at the the industries that are particularly strong in greater Washington, cybersecurity is probably the number one industry that has emerged here in the last decade, that is relatively strong in Washington. Another framing of this is that, when you look at the big cybersecurity clusters or ecosystems around the world, there are three big ones. There’s Silicon Valley, they’re up way at the top, and nobody can compete with Silicon Valley, nobody. There’s two other major ones. One is here in Washington, and the other is in far away Israel. And of course, there’s several others as well. But those are the big three.

So, those are the ones that I think are interesting to look at, and Washington is unique, because, and this this connects to our study, we examined the founders. Why did we examine the founders? Because, anecdotally, we think that we knew that the roots of these founders are in the ecosystem of Washington. The NSA, the military, the Pentagon, government, and the ventures that support them. But we never really had data until we conducted the study in the last year. We found 177 pure play startups, in products and services and solutions. And of those companies, 72 percent of them had founders, and in quite a number of companies there’s more than one founder, had at least one founder who came out of our national security ecosystem here. And so, this is much higher than it would be in any other cluster. So, that’s one of the things that makes Washington quite unique.

TERRY: It’s an invaluable resource, and it’s very much like what we saw, I think, with biotechnology and the emergence back in the 90s and 2000s. The wellspring there was NIH, you had all these companies formed to sequence the genome, or to develop new treatments. You’re going to see the same thing now. To your point about Silicon Valley, it’s a great one. I don’t think anybody is suggesting we need to eclipse Silicon Valley. But we do need to, I think, market the region in a stronger way, as a cybersecurity hub. I think that’s what it comes down to.

ABERMAN: When we come back after the break, it sounds to me that the conditions to create a really dynamic industry exist, but yet, I continually hear from employers that they can’t find talent. So, there has to be a disconnect some place, and after the break, I think we’ll talk about that.

ABERMAN: I want to turn the conversation now to the pyramid of talent, the whole conveyor belt from business founders to the people, ultimately, who join these companies at entry level positions, and break it down a little bit. Erran, let’s start with with the founders. My impression of this community, as an investor, and somebody who works with a lot of cybersecurity startups, is that we don’t have a problem when somebody comes out of the government, and has really strong skills. We just have a problem finding enough of those people, or those people being able to successfully start businesses. What do you think?

CARMEL: As I said before, 72 percent of these companies have at least one founder who came out of the national security ecosystem, of the 264 founders in our data. So, that’s most of the companies, close to most of the companies, of our region. Seventy-eight percent of them had cybersecurity experience when they founded the company. So, there is a basis, at the top at least, in terms of the founders. They are are coming from a good ecosystem, and they are coming with experience in cybersecurity.

ABERMAN: I’ll come back to you in a moment, because there’s something interesting about your data that I want to touch on. But before that, Rob, a lot of the dealmaking that goes on here, the financing, people say that there is a shortage of capital for cybersecurity startups. Do you think that’s so?

TERRY: Certainly not what I’m seeing currently, in terms of anecdotes. Not a day goes by without, seemingly, a big funding announcement involving a cyber startup. I mean, just this week, we learned about a company called Looking Glass out of Reston that acquired a cyber platform from Goldman Sachs, and they’re going to commercial that. This is significant for a couple of reasons. The big one, to my eye, being that it’s a product play, as much as a services play.

A lot of the cyber firms around here focus on services. You can get a really big home run, though, with a product. So, that’s interesting. And then we learned about a company out of Fulton, Maryland called IronNet Cybersecurity that closed a 78 million dollar second round of funding, led by a gentleman by the name of Keith Alexander. Who’s Keith Alexander? Former director of the National Security Agency. That’s really significant. He’s a really high-profile founder for this region to have.

ABERMAN: And that, I think, is where I was going to. Erran and Jennifer, I’ll turn to both of you. It strikes me that, unlike other places in the country, a lot of our founders aren’t coming out of universities.

CARMEL: That’s right. So, data that we have about founders is pretty clear about that. Only eight percent of the founders really emerged in this field out of the University, either an R&D lab or as a professor in something that’s related to this, or something vaguely like that. And that’s low. If you think about it, universities are really in many industries and many disciplines. They’re the incubator for startups, but that’s not happening in cybersecurity.

THORNTON: Yeah, one other piece that I’ll add to that is that cybersecurity jobs here are different than in the rest of the country, which would make sense why we’re hearing that so many founders are coming out of security-related jobs. So, 31 percent of jobs here are national security related, versus 13 percent in the rest of the country. So, it makes sense that that would be such a feeding pool into those founders. So, there’s a real significant difference there.

ABERMAN: So, our Stanford, or our MIT as it were, basically is the national security establishment.

CARMEL: That’s right.

ABERMAN: So, that explains where we get the people who have, say, the technology insight to be the driver of new business. Jennifer, I’ll turn to you now, because I know that this is an area that you, and others at the Partnership have really been focusing on. It seems like, when you move down the funnel, away from founders to the people who are actually getting hired to do the work, we got a real problem.

THORNTON:We do. It’s a significant problem. For example, I mentioned that, last year, there were 18,000 openings using a very narrow definition of cyber, 52,000 with a broad definition. We had about 6,000 graduates in our region in cybersecurity. And, the plus is, that’s the highest in the country. So, we are producing the most, but you can see the disparity between those coming out of school with relevant degrees, and the need that employers have. There’s also a disconnect, in that most employers, it’s out 85 percent, require three or more years of experience for entry level jobs. So, even though you’re having students graduate with this degree, you can’t immediately come out with three years of experience. So, we really need to take a look at aligning how employers look at their needs, and what students can meet.

ABERMAN: So, we’re in this situation where we’ve got the universities and technical colleges creating a lot of skilled people, but they don’t have practical experience. Rob, I’m going to turn to you, and I want you to think about this, because when we come back, we’re going to turn the conversation to what we do about it. Isn’t this really a problem of government procurement, and how they look at hiring people? I want to stop there. When we come back, we’ll start with that conversation, and what, here in the region, we can about closing this talent gap.

ABERMAN: Rob, before the break, I teed this up. We’ve heard from Erran and Jennifer that founders coming out of the federal government are clearly having an effect. How about from the standpoint of employment? How has federal government’s employment practices affect the region, and how we’re looking at growing out talent base?

TERRY: Well, if we agree that the engine of this ecosystem here is the federal government, then it stands to reason that it has a big role to play there. I mean, annual unclassified cyber spending reached almost 20 billion dollars in the most recent fiscal year, according to Govini out of Arlington. That’s more than double contract obligations from 9 billion just five years ago. So, the impact there is significant, I think what needs to happen, to a point Jennifer made earlier, is that we need to have a more creative conversation about filling this gap, talk more about skills versus just regulatory box-checking.

I mean, I’m covering a company out of Maryland called Tenable Network Security that’s very likely going to go public. It’s a very closely-watched company. I mean, we could be talking about a unicorn here, evaluation north of one billion dollars, and talking to their co-founder a little while ago, one of the things he said to me was that they still have a talent gap, and finding people like project managers, and really skilled software developers, there’s still that siren call from Silicon Valley that those companies attract this talent. So, how do we get creative about about keeping them here? And we haven’t even touched on security clearances, which remains a huge issue.

ABERMAN: Why is that a big issue?

TERRY: We’re not getting people cleared fast enough. I don’t have the numbers in front of me, but I don’t know if you’d want me to share them, because it’d blow all our hair back. It’s a real issue. Not a day goes by, seemingly, that I don’t talk to a contractor or a cyber company that mentions, in terms of filling talent, and Tenable’s a great example. They’re going to have to hire thousands of people, especially if they go public. It’s one of their goals. Where do they find cleared personnel?

THORNTON: Well, and just to add onto that, with these undergraduate students being in such high demand, and that lengthy process, why would some of them want to go through it when they can get a job right out of school in a non-defense related company? So, so they could take an immediate offer right here, versus going through what’s a very lengthy, cumbersome process. So, there’s some drawbacks to so many jobs here requiring a security clearance, even though we understand why it is that way.

ABERMAN: So, as long as a large part of our industry is related to national security, are we saying that we’re always going have an available talent gap, because of the constraints of national security clearances? Is that just a fact of life here?

THORNTON: Well, I do think it goes back to what Rob was saying, to, how do we get more creative? Can we potentially start getting people in the pipeline sooner, for that security clearance, so that they’re ready to go at an earlier point in time? I also think, as we look at the gap, how are we preparing young people, or folks coming of the military, transitioning careers, any other ways, through work-based learning experiences, internships, or others. What are we doing to get more people excited, and beginning to get that work experience, in cyber security? So, I think there are things we can do there. I also think one could look at what are transferable skills, and start adding onto to those once they’re within a company. So, I think there are creative ways that industries could start looking at hiring talented people, that may not look like what they think they need, but could well do the job.

TERRY: Even going back before college, to high school. Start teaching high school kids who are in STEM classes things like cyber hygiene, so they don’t post something stupid on social media that dings their national security clearance four, five years later. I mean, these are things that all need to be coordinated, and really thought about creatively.

THORNTON: Within high school, that’s when kids really are thinking about their path, and what’s available. So, making sure that they know the huge role cyber plays in this region, and the great economic opportunities that would exist if chose that as a career path.

CARMEL: One of the largest companies in the region has a new program where they vacuum up young college kids, freshmen and sophomores, give them paid internships to do summer cybersecurity at their company. So, I would suggest that other companies in the region start doing that as well.

ABERMAN: You know, it seems to me that we, in fact, have have two different cybersecurity industries here. We have the government cybersecurity industry that provides a lot of our talent, and we have a smaller, but hopefully growing, commercial sector. I think about Cap One for example, companies that are heavily involved in growing the region, and employ a lot of people. They have profound cybersecurity needs. Jennifer, I’ve sat in some meetings with you, and some of those employers, and others, and it sounds to me like, in the private sector, they all want experienced people, the experienced people aren’t there. So, what are they doing to solve that problem?

THORNTON: You brought up Capital One, for example, and many other companies. They do internships, just not enough. I think the scale just isn’t there to meet the need, which is understandable. You know, they are in business, and interns are not necessarily the most productive, but they can really help them grow their talent pipeline. A number of companies are working closely with us, and twelve universities, to look at how we can work together in this region to really both help us be seen as a leading global hub, and produce that talent that we need within the digital technology area. So, we’re really looking forward to some fascinating partnerships that are really productive, to both increase the number of students coming out of undergraduate programs, but also the alignment with what they’re producing and what employers need. So, we’re expecting some exciting things to come.

ABERMAN: I mean, something has to break. Either employers have to be willing to take people on who don’t have any experience at all, or they need to help train them. We have to break this log jam. Erran, you educate many people at your university. You’ve been involved in this ecosystem over in Israel and so forth. Can you teach these kind of practical skills in a University setting?

CARMEL: Oh yeah. This is a young discipline, so it’s only really been around for a maximum of fifteen years, for all intents and purposes. So, we need more degree programs, and we need more attractive degree programs, and in a lot of ways, in terms of milieu, to attract demographics. And let me bring up beginning to segment our talent. So, one of the things that we looked at in our founders data, is that when we looked at at women, only 8 percent of the firms has at least one woman amongst the founders. There’s 22 pure cyber companies in the region that had one or more women as founders. And that’s low. If you look at crunch based data, 17 percent of entrepreneurs are women. So, in cybersecurity, women are definitely underrepresented.

ABERMAN: Every now and then, I get a chance to talk to policymakers, and you do as well. I think this is one of those podcasts I’ll send to a few of them. What’s our best advice, what do the people need to do?

THORNTON: One of the things I think policymakers can really look at, is programs being offered at both four-year universities and 2-year colleges, and looking at the degrees, and how aligned degrees are with employer demand. Everybody wants students to come out and be able to get a job. This is an area that there’s a clear need. So, how well aligned is that? And technical faculty, such as those in cybersecurity, they’re expensive, because they can make so much money on the private market. Are there other ways to fund, to be able to have universities be able to get that faculty in that they need? Also, I’d like to go back just a moment and share how some of the other things that business are doing to help universities are about supplying adjunct faculty, and also by advising on capstone projects, to help give that real world information and perspective to students.

ABERMAN: Rob and Erran, we’ve got about a minute left. If you were in charge, and you were king, what would you advise somebody do?

THORNTON: One other thing on the policy front that I would add is, how do we look at ensuring that girls, and students of color, are also in the pipeline to fill these jobs? We’re very diverse, yet, the cybersecurity field is predominantly white and male. So, if we want to increase that pipeline, we really need to expand the communities from which talent is coming. And so, how do we encourage that, incentivise that, I think that could really be a big benefit to our community, and also a differentiating factor.

ABERMAN: Rob Terry, final thoughts?

TERRY: That’s a great point. You know, I have a fourteen year old daughter, and I’d be fine with her pursuing a career in cybersecurity. I know she’d have a comfortable life. Somewhat related to that is, I just wanted to touch on this whole drive for federal IT modernization. I think, for this region, that’s critical. That has to continue to be highlighted, it has to continue to be funded, because that obviously ripples through lots of cybersecurity work, be it resiliency or offensive cyber, defensive or analytics. And then what happens then, getting back to Erran’s point about the ecosystem, is that you have government employees who work in cyber who have an idea, and they leave, and they start a company. And if there’s access to capital here, and if there’s talent here, it all feeds on itself.

ABERMAN: It all does feed on itself. Greatness is within our grasp, I think, is the big message from our panel today. That was professor Erran Carmel, American University, business in the Capitol; Jennifer Thornton, director of workforce initiatives at the Greater Washington Partnership; and Rob Terry, senior writer at the Washington Business Journal. We’ve been talking about the cybersecurity industry, and how we can make it grow faster and better in the D.C. region. Thanks for joining us.

TERRY: Thank you.

THORNTON: Thank you.