NIST's Cyber Chief Exposes Shocking Secrets About AI Hiring—Are You Missing Out?

As he prepares to retire at the end of the year, Rodney Petersen reflects on a decade of service at the National Institute of Standards and Technology (NIST) and the profound evolution of the cybersecurity workforce. Serving as the director of education and workforce at NIST’s Applied Cybersecurity Division, Petersen has been at the forefront of standardizing job descriptions across government, industry, and academia, a critical step in addressing the growing skills gap in the cybersecurity sector.

Petersen’s leadership in the National Initiative for Cybersecurity Education (NICE) has been pivotal, particularly in developing the NICE Framework. This framework has gained international acceptance as a taxonomy for defining professional roles in cybersecurity and the requisite skills and knowledge. The demand for a robust cyber workforce has reached unprecedented levels, prompting urgent discussions at the highest levels of government.

“One of the biggest changes in my 11 years here has been the proliferation and the growth of education and workforce efforts,” Petersen noted in a recent interview with Federal News Network. “This is mostly positive because it signifies that we are prioritizing and making investments to increase the supply and understand the demand. However, this also underscores the importance of NICE’s mission to ensure a coordinated approach across the U.S.”

Petersen's career path has been anything but traditional. Initially trained in law, he pivoted into higher education and policy, eventually finding his niche in cybersecurity as it emerged in the 1990s. His diverse background culminated in his role at NIST, where he not only focuses on operational aspects of cybersecurity but also addresses educational and workforce development needs.

Reflecting on significant challenges and successes over the past decade, Petersen emphasizes the critical role NIST plays in establishing common standards. The NICE framework was borne out of collaboration with entities like the Department of Defense and the Department of Homeland Security, culminating in the publication of a foundational document in 2017. This effort has facilitated a mutual understanding among various stakeholders, including private sector employers and educational institutions.

When asked about widespread adoption of the NICE framework, Petersen acknowledges mixed results. “For organizations starting from scratch, the NICE framework provides a solid foundation. However, for those needing to adjust existing practices to align with it, the process can be more complex,” he explained. This challenge is particularly evident in collaborations with organizations like the NSA and CISA, which have their own educational guidelines.

One of Petersen’s significant contributions has been the launch of the CyberSeek database in 2016. This analytics tool, developed in partnership with CompTIA and Lightcast, provides insights into cybersecurity job openings across sectors, helping organizations better understand workforce demands. “CyberSeek emerged as a response to the need for concrete data on workforce requirements, allowing stakeholders to analyze job postings within the context of the NICE framework,” Petersen stated.

As the national cybersecurity strategy continues to evolve, Petersen is keenly aware of the impact of the 2023 National Cyber Workforce and Education Strategy. This strategy seeks to unify efforts across federal, state, and private sectors, emphasizing the importance of building on existing successful programs. “It’s vital to evaluate what works and reinforces progress while identifying areas that need change or new initiatives,” he noted.

Modernization efforts within the federal workforce have also gained traction, particularly with the passage of the Federal Cybersecurity Workforce Assessment Act in 2015. This legislation aims to quantify the number of cybersecurity professionals needed within government roles, relying on the NICE framework for standardized measurements. Petersen highlighted that despite positive efforts, there remains a pressing need for modernization in how federal jobs are classified and filled.

Petersen also touched on the shift toward skills-based hiring, noting increased awareness among employers about the value of skills over traditional credentials. However, he cautioned that hiring practices still lag behind this understanding. “We need to limit job descriptions that exclude qualified candidates based on lack of formal credentials and focus on the competencies essential for the roles,” he advocated.

Cybersecurity awareness has been another focal point throughout Petersen's tenure. While he graded awareness initiatives with an “A” for their reach, he assigned a “C-minus” for actual behavioral change. “We need more interactive training and simulations that effectively change behavior, rather than just one-way information dissemination,” he remarked.

Artificial intelligence (AI) is also reshaping the cybersecurity landscape. Petersen emphasized that AI’s influence is not just a future concern; it is already impacting the present. “We need to consider three main aspects: ensuring AI technology is secure, leveraging AI for cybersecurity, and defending against AI-generated attacks,” he explained.

As Petersen prepares to step away from his role, the foundations he helped establish will continue to shape the future of the cybersecurity workforce. His insights and leadership have been integral in addressing the pressing needs of this vital sector, ensuring that as technology evolves, the workforce is equipped to meet emerging challenges.