Podcast Season 5 Episode 3: Season 5: Cyber Workforce Development – Building Community with Mary Beth Borgwing and Adam Sheffield
When building a career in cybersecurity and the IT industry, it’s important to seek community and build your network. Mary Beth Borgwing, co-founder of the Cyber Guild, and Adam Sheffield, co-founder of The Undercroft, are here to talk about why they started their respective guilds, as well as how it benefits those new to the industry and the veteran talent that helps mentor and connect through the communities.
Welcome to NeoCast. Join us each week as we discuss challenges in government contracting, strategies and solutions for your businesses. We’ll dive into managed IT, cybersecurity, workforce advancement and much, much more. Sharing is caring. And we’ve got top shelf advice to help you navigate today’s biggest challenges. Let’s get to it.
Welcome everybody back to NeoCast brought to you by NeoSystems. We are doing an exciting series on workforce development, specifically in the cybersecurity and managed IT area. And we’ve talked about a couple of different challenges, how challenge is opportunity, how people shouldn’t be fearing change.
Also been speaking with a few experts on how to train up for the career in cybersecurity or IT. We are in a particular time that’s interesting for people. We either have folks that are underemployed, maybe unemployed, and it’s also May. So we can’t miss the point that it’s graduation season, even if it’s done virtually where people are coming out and potentially thinking about a career in cyber security or IT. And one thing that’s been really consistent amongst all my conversations is that networking, who you know, building community, interviewing people who already have jobs in this field, those things are all really critical and important for people to learn more about the industry and how they might be successful.
So we’re super excited to bring two powerhouses to the conversation today, both of which who have careers that are booming and busting at the seams while also trying to do well by their community and by their industry by creating what is termed as guilds.
A lot of people have been referring to the talents and skills they’re developing in cybersecurity and IT as crafts. And obviously the word guild is from way back in the day and normally was focused on other types of crafts, metalworking and so forth. And so you all have created and founded organizations for individuals within this career.
And so I’d love to talk to you about your individual organizations. Mary Beth Borgwing, very nice to have you back on our show. Thank you so much for being here as a founding member of the Cyber Guild based in McLean, Virginia.
And we also have Adam Sheffield here who is with the Undercroft, which has a portion of that business outfitted as a guild. So he can speak a little bit more to how that fits into the equation coming to us from Tampa, Florida. So thank you both so much for being here. And if you would just take a moment actually to introduce yourselves. Again, you have big careers outside of just the work you do with your guilds. It would be great to hear from you on what you do outside of the guild. And then we’ll focus on some questions, Mary Beth, if you want to take it from here.
Mary Beth Borgwing:
Thanks, Erin. Thanks for having me today. So yes, I’m Mary Beth Borgwing, and actually my day job is to be the chief strategy officer for Cyber Plan, which is a growing company headquartered in Vancouver, Canada, but also in the US here in Washington and in California and in the UK and going into the AMEAS. So we are a 25 person company. We do incident response and we manage security services. So it’s a very exciting time to be working virtually because our company is a 100% virtual. And my passion is in actually helping people to create opportunity in cybersecurity to bring talent and to actually collaborate and communicate around what the needs are within cybersecurity. So I started something called the Cyber Social Club a couple years ago, and we quickly learned that there was a lot of companies coming around the Cyber Social Club that wanted to understand how to get betterment in their workforce and hire people with a cybersecurity background.
So a few of us got together here in McLean, and we started something called the Cyber Guild where science meets trade craft. Because we believe that there is a science to this, but you have to have a mentor, and you have to have an education that’s hands-on because a textbook cannot really, really get you to an incident response. Trust me… Because we do ransomware all day long at Cyber Plan, and it is a real trade craft. So we started last year, and we’re growing this year. And we tried to do a conference in 2020 for Uniting Women in Cyber, but the current new normal kind of put a stop to that. So we’re doing a lot more virtually.
So we’re really trying to get together with people virtually. And we see that as an opportunity to actually grow the guild and collaborate with others who have this same mission.
Awesome. How about you, Adam? Can you tell us a little bit about the Undercroft and the guild associated with it?
Thank you. Yes. So in terms of what we do down here in Tampa… So the Undercroft itself is a cybersecurity guild and development center. So we kind of take a lot like what Mary Beth was talking about, which is that kind of that community of practice aspect that, that group of folks that have a similar passion for growing the community… Not only for economic security, but also for security for our small businesses, a lot of our underserved segments of the community.
So we look at how do we build that aligned with very much what an apprenticeship model would look like and guild times when you’re becoming a blacksmith, how do we create that community of practice built on what we call situated learning theory? Which is really a concept where you take individuals with a common interest, put them together, provide a physical space and resources for them to collaborate.
Good things will come. So really kind of two lines of effort we focus on within that is workforce development in concert with partners. So how do we augment traditional university programs? How do we augment certification programs to take individuals and get them involved in a true community of practice that focuses on professional development from when you’re initially hired to when you retire from the industry?
And then on the flip side, and this is where the development center comes into play is, well… I always to say, out of every 10 security practitioners that go into this career field, at least half of them usually have a side business, a side hustle, or have aspirations of starting their own business.
So how do we take those folks and use them as a mechanism or leverage that passion to start new businesses? So from a Tampa, my hometown standpoint, we can train as many people as we want. But how do we continue to ensure we have meaningful, fulfilling careers for them on the backend that are going to really anchor a true, what I would say, whole of community effort to solve some of the problems that exist in this field? Whether it’s once again, that individual small to medium sized business side, all the way to your enterprise company.
Very cool. So I’m curious, we’ve been trying to talk about people who might be pivoting in their career or might just be starting out in their career and not necessarily have a full grasp on what types of roles or challenges are in the cybersecurity and IT industry.
Again, Mary Beth, I know that your company has a lot of work in incident response and remediation and so forth.
How would someone coming out of college or maybe coming out of a completely different career, be able to utilize the guild or your respective organizations to get a better handle on what the industry is and what types of roles there are, and potentially how to look for the training they might need?
Mary Beth Borgwing:
Yeah. So we’ve already put that into action. We are not as mature as Undercroft is, but we are getting there. So I’ll tell you a couple of stories. We had a woman who came out of a investment banking firm who wanted to learn more about cybersecurity. So we took her in as an intern, and she actually wrote a white paper with me on the cybersecurity ecosystem here in DC, Maryland, and Virginia. And she’s a very good writer, but she didn’t really have a background in cybersecurity. So taking her through that three month process was a big learning process. So she got a lot of the lingo. She said she got to learn about where she herself could get resources.
Then we’ve had other colleges like George Mason in the area here where they have come in to the conferences, and they have ideas about what’s needed in the space.
They’re very deep into the academia side of being an engineer. And so they came to the conference, and they met other people that are doing really good work in the space, but maybe don’t have as deep a technical background. So what we’ve done is we’ve tried to put together people with leadership skills and then people with an education background that wants to actually utilize their engineering background within cyber.
So we’ve done that from a meetup perspective and from the conferences that we’ve had over the last few years with Uniting Women in Cyber and the Cyber Social Club. What we want to do at the guild is we want to actually build programs where these meetups become segmented by topic. So if you’re interested in the cybersecurity maturity model, you will go to a meetup for that. If you’re interested in learning more about threat intelligence, if you’re wanting to learn more about 5G… So they’ll be people with that same interests around those different areas.
So we’ve already built several of those around the guild. And we’ve had some meetups last year in 2019 around 5G, which was incredibly successful because it affects everything. So we figure that we can bring people from telecommunications, students with backgrounds in different types of project management that want to be in cybersecurity because it takes a village to really build out the skillset on these teams. So it’s not just about engineers.
It’s about people with project management skills. It’s about people with writing skills and communication skills because if 5-G is going to be successful, it needs all of those things. That’s just an example.
So I think that really where Mary’s coming from is exactly kind of what we saw the opportunity to help kind of cultivate and choreograph down here at Tampa. I would say one thing based on my experience kind of spanning former military to defense contracting sector to academia back to the private sector was we wanted to create a pull versus a push system and a model that was built around being community driven and community validated at that local level.
So kind of like what Mary Beth’s talking about up in DC, they have a totally different need in the community up there than Tampa. Tampa has a totally different need than Colorado than California than what have you.
Long term, I would love to talk about how we want to connect all of these local communities of practice together, but really kind of going back to it… Pull versus push system, community-driven, community-validated in my experience specifically in academia, it really kind of boiled down to why.
So when I talk to employers, when I talk to instructors, professors, it’s “How do you identify individuals that have a passion for making an impact in this field?” It’s tough. It’s tough, especially in an environment where, and I hate to say it, cybersecurity field or industry right now is growing exponentially. The investors have fear of missing out. Everybody wants to get in. Everybody wants to make their impact in the field, but marketing in certain ways is killing cybersecurity. So in my experience with students in particular… I’m still an adjunct at the University of South Florida. I’m grading 50 student final policy papers this week. And I asked them at the beginning of the course, “Why are you here? Why do you want to get into this field?”
And it’s funny because that kind of triggers a response. One, “I grew up coding in my basement. I grew up playing games.” That’s somebody that I can start to see where that passion is.
The other side is, “I saw a Facebook ad that said if I want to make $100,000 a year to join this program.” So I spend a lot of my time, a lot of our folks within the guild… And that’s where the guild comes into play is helping individuals. If you want to come into the security field, before you make any decisions based on that Facebook ad, that paid marketing, that promo what have you… Understand where you want to go and why you want to be here.
And that’s why I think that guild is very important, even from our standpoint, before you get that development centerpiece. Before you get to that training piece, that master’s degree bachelor’s degree, what certifications should I get? You have to start with the why… That’s kind of my two cents.
Yeah, that’s great. And Mary Beth, you mentioned the Uniting Women in Cyber. I think that’s a really unique program as well.
The idea that you’re also having this focused group and like you said, moving into maybe CMMC’s focused groups, 5G focused groups and things like that. But it’s one more industry where perhaps a lot of people don’t immediately think of women being a big part of.
And so being able to have part of the guild focus on that is really important. And I know that there was an intended event that I was excited to be a part of that really spanned across the area. And you mentioned communications writing, project management, there are so many different ways to get engaged in the industry. How are you thinking about developing programming for both companies as well as individuals looking for employment in the industry to really be able to blow out all of those different areas in which this industry touches and how you can bring your skillset based on what your skillset is, but still get interested in this particular industry?
Mary Beth Borgwing:
Yeah, I think it comes down to a lot of partnering because it takes a village. So I was on the board of CompTIA for a couple years, and they do a lot of great certification work. So I think, but a lot of people don’t know what the value of that certification will be. I happen to have a friend in New York, whose part of the Cloud Security Alliance. He runs Cloud Security Alliance in New York, and he’s pretty much got every certification there is. And he teaches and mentors people about certifications.
So I think if you’re a certification geek, you can go like my friend, Jim. Or you can actually just take and learn that maybe you want to cherry pick and figure out what certifications you want… That builds confidence. And it doesn’t matter if you’re a student coming out of school, or if you’re re-entering from a different industry.
There are a lot of older experienced executives that come into cyber because it’s exciting, and it’s meaningful, and it helps people. And they’re bringing their toolkit, but they maybe need a certification. So Uniting Women in Cyber actually kind of started with that… At the Me Too movement in 2017 and 2018.
And we invite… 40% of the people who are a part of that are men because they see a different perspective in how we view our workforce. So that communication and getting people to stay in the workforce is really, really key.
We’ve had some of the major government contractors in the DC area say to us, “I want to keep my women engineers. They add so much diversity to the team because they think differently.” So we kind of help build that confidence. And we’ve had Capital One, and we’ve had Verisign, and we’ve had even NeoSystems who has done a great job of getting the United Women in Cyber word out there, especially to the smaller contractors, the Eight As who are minorities and women.
So we really want to highlight that because we feel that collaboration will actually add a tremendous amount of value to the ecosystem.
Adam, given that your career path has served as an instructor… You said that you’re still an adjunct professor at the University of Florida I believe you said. How are you thinking about maybe as Mary Beth’s guild is getting even further developed like yours, how have you been thinking about creating mentorship programs? Are you turning to seasoned professionals and asking them to take official roles within your guild to mentor individuals? How is that working for you?
So that’s an excellent question, Erin, and just point of clarification, the University of South Florida, not Florida. If my wife hears you, actually will kill me. She’s an FSU grad.
No Go Gators, okay.
There we go. But once again that’s a great question and incentive. That’s the word I would use… Incentive. So I struggle with this, specifically being in a hiring role in defense contracting community early on in my career when I had to find that proverbial unicorn that spoke Arabic or Farsi, understood security, was a digital native… These unicorns that we have to find.
So I was like, how do we do that? And that’s when I kind of went into academia, I was looking at the same problem set. Well, we’ve got this problem here in industry. We’ve got this problem in academia, whether it’s more researcher or curriculum development standpoint… How do we create an incentive for faculty members to want to innovate, not to recycle content, things like that?
And then even kind of backing off from that down to that really more training or bootcamp area where I worked when I left academia, try to look at how we could accelerate talent into the career field. What’s the incentive for the existing security community to want to help facilitate that?
So what we did with our guild is we really looked at how do we develop a rank structure that incentivizes individuals that are aspiring security practitioners as we call them. Those are our premises. How do we incentivize them to want to put as much effort forward as they can?
One thing I learned running grant programs for workforce development, you make anything free… You have no skin in the game. And you get a lot of wash out. You get a lack of real passionate folks coming on the back end. So we create an incentive structure where we have a dues, just like you would pay at a fraternity or sorority or a country club.
You come in as an apprentice. Our goals is as quickly as possible to get you into that first entry level role. And the first step of that is building a network. Getting you introduced with folks are on the front lines of this fight, which are our journeymen, our members that are existing security practitioners. That from a self-interested standpoint, their incentive for being involved with the guild is they might have to hire folks from the companies they work for. They might have to hire folks for side projects they want to do. And they want to have that ability both physically and digitally to spot assess good quality talent and help develop that talent over the course of a career. And then we tie that into what we call our masters and residents, which are aligned with the top level domains of the nice framework.
And we create a mechanism where our guild actually annually votes for those seven masters and residents based on how engaged they are within the guild. How much they’ve supported or kind of metrics assigned with how the community is growing. And as part of that are our masters and residents, they have no dues.
A lot of times we are able to through the development center, pass work down to the Guild where they then employ journeymen or apprentices on projects that help those individuals build experience. So it’s really what we’re trying to build is that base… You think about a medieval times and guild. You’ve got a village. I think Mary Beth said, “It takes a village,” and it’s true. It takes that blacksmith. It takes that farmer. It takes that seamstress, what have you. That’s kind of what we’re trying to build within that guild model.
And that ties back into that pull versus that push system and that community-driven community-validated because by virtue of being involved with the guild for the right reasons, because you want to make an impact and better yourself in this field, everybody’s going to win. If that makes sense.
It certainly does. To that point, Mary Beth, I know that you are heavily connected and have had quite the career in this industry.
How have you seen this really benefit being able to not only pull together your networks, which I’m sure is how you had to start with the Cyber Social Club and then turning it into the Cyber Guild. How have you seen this benefit seasoned career professionals? We’re focused on people who are pivoting or just graduating, but certainly you need those other individuals to be involved with the guild in order to have that safe landing for those who might be seeking a career in the field. So can you talk a little bit about what you’ve seen in your network and how they have truly benefited from being a part of an organization like this?
Mary Beth Borgwing:
Yeah, so we all go to Black Hat and we go to RSA and we go to the big conferences. And when someone says to me, “Well, what do you do at RSA?” I’m like, well, okay, I’m going to be honest with you that 90% of us who have been in the security space for a long time, we don’t mostly go to the events that RSA is putting on. We actually go there to see people we can’t see because they’re not local or whatever. So most of my meetings at RSA are with a network that either people want to meet or we have common groups that we’re part of. And so we want to get together and sort of solve problems and just figure out how we can sort of help each other across the different work that we all do within security.
But I think that is great, but those shows are getting very diluted. And so getting into smaller forums and now thinking about the new normal and what we are going to do to stay connected and keep the education process going is going to be the next challenge that we all face. So we all… I have a very big network in Boston and New York and DC, and even in Florida and San Francisco and Europe.
So you just keep building so that you have to keep current with that network. So building… Being part of an organization where you can bring your network to an organization and creates a meaning for it. And I’ll give you an example of that.
A friend, Lauren who works at Neustar, she was at another threat intelligence company before Neustar, and she’s bringing her network into the Cyber Guild, and she’s building a leadership and a meetup because she knows in order to grow her business and actually to grow her community, she needs to be part of a bigger community.
So I think it’s about sharing and creating an opportunity for people to build their networks within these networks. That’s what the real science meets trade craft, I think means. That everybody brings a different value to it. And then those of us who have been doing this for a long time, we bring a foundation. And everybody kind of grows on top of that.
Well, I think that the organizations you all have set up are really fascinating, and it’s great to see in different stages of development, in different areas of the country. It must depend on what your need is.
Mary Beth, I can imagine being so close to the government community that again, having a committee to CMMC would be super relevant here in the DC area may not be as immediately relevant in an area like Tampa, Florida. I also know that we’ve been talking a lot about security clearance with a couple of other folks who’ve been on this series of podcasts that may or may not have an impact in different areas of the country.
So I think it’s really important that you all are starting these local knowledge bases of contacts and networks for individuals who are coming into the career and also looking to stay in the career and stay connected.
But I do hope that maybe even by chance of this podcast, that you’re getting an opportunity to connect as well. And to really, really show how you can branch out those networks and connect employees and employers across the country and globally even, as Mary Beth suggested.
Any final parting thoughts from either of you on how people can look at guilds as a resource?
I’d jump in, Erin. And first of all, your last point, Mary Beth. Can we get a call set up sometime this week? I’d really like to learn more about what you guys are doing and see how we might be able to engage in some mutually beneficial projects?
Second point I make is with everything that’s going on, we’re small organization. We kind of really grew organically down here, and I’ll be honest, going into January, we were really excited. Things were growing. Then the COVID-19 crisis hit. And I was like, “Oh, that’s it. We’re done. This ain’t going to work.” And it’s amazing how we’ve seen, not only from an individual member’s standpoint where we had a single father with three pre-teens at home still working full time… It was like, if it wasn’t for this guild and how quickly they were able to leverage digital delivery of content, I might’ve gone insane.
And that was amazing personally for me. But I also think really as a community as a whole, we have a great opportunity in this crisis to look at how we build a true bottom-up community, which focuses on those what I call cogs of the industry… Those folks in Tampa, those folks in DC, up in Mary Beth’s organization that are out there every day fighting the fight for security. Making sure my mother, for example, doesn’t get taken advantage of a scam trying to steal her stimulus check.
So I think there’s a lot of opportunity amidst this chaos. And I think this is a great opportunity for groups like us down here at the Undercroft and Mary Beth’s organization up there in DC to start looking at how we can work together to make things prosperous in the future.
Mary Beth Borgwing:
Yeah, I think it’s all about cross-pollination, and we certainly have a need up here for talent. I’m looking for incident response guys and gals. And I’m looking for people that understand how the education piece of security is so important. And we’re weaving all of that into the guild, but also Neo and myself and Cyber Clan and a lot of other companies up here call me every day, looking for people. So we need to cross-pollinate. That is so key to how we’re going to grow this space and get really good people.
I’d agree more, Mary Beth.
It’s awesome. Well and I would say that I’ve just come into this whole industry Mary Beth, to your point, through communications. I would not have necessarily seen cyber intelligence, cybersecurity, IT… I would have thought an incident response meant attending to my children who just had an incident and just fought or something. I wouldn’t have known what that term even meant.
So it’s been a really exciting educational adventure for me. And to also be able to see that my skills could be utilized in the industry. So to everyone that’s listening-
Erin, that’s a good point. I’m sorry to interrupt you, but I’m also going to introduce you to my co-founder, Chris Machowski, who’s our chief influence officer-
Oh, right. Yes.
Slash propagandist. You guys would probably be very interested [crosstalk 00:26:05].
Yes, I remember you mentioning him. Yes. So it is really important that people… For all of our listeners who are listening to this whole series, I have heard it time and again from everyone who comes on… Network. Ask questions. Look to see what the industry provides. Look to see how you can bring your skillsets and talents to the industry.
There are a lot of people out there looking for the talent, and we hope that this was one way that people could connect to what the opportunities are. So thank you, both Mary Beth and Adam.
Best of luck to both of your guilds. And we hope to have you guys back on talking a little bit more about workforce development or perhaps even introducing new members of your teams that you have found through this very podcast. So thanks so much for joining us.
Mary Beth Borgwing:
Thank you. Thank you, Erin. Thank you, Adam.
Thank you, Erin.
The NeoSystems difference. We specialize in serving organizations of all sizes. In today’s fiercely competitive market, is your organization constantly searching for ways to gain the advantage of competitors?
Smart organizations are paying more attention to their strategic back office operations. NeoSystems offers scalable back office services and solutions to improve your organization with a team of industry experts, industry leading information technology tools, and an advanced technical infrastructure.
From software hosting and security solutions to managed accounting services, NeoSystems’ custom builds solutions and services that are tailored to fit your organization’s needs.
Check us out on the internet at NeoSystemsCORP.com. That’s NeoSystems Corp-dot-com.