By: Stacy Collett
It’s no secret that the world is facing a shortage of cybersecurity talent. The (ISC)² Center for Cyber Safety and Education’s 2017 Global Information Security Workforce study projects a deficit of over 1.8 million qualified cybersecurity professionals between now and 2022.
Many industry analysts agree that the underlying problem is the lack of education in cyber skills – in high schools, colleges, post grad and on the job. While cybersecurity education is maturing and improving at all levels, there is still work to do, including attracting young students to cybersecurity careers, says David Shearer, CEO of (ISC)² Inc., a global not-for-profit that educates and certifies information security professionals throughout their careers.
“A lot of organizations are doing a lot of great work” toward educating cyber talent, Shearer says. Here are five innovative ways that the public and private sectors are educating tomorrow’s cyber professionals – and what’s still missing.
High school pathways capture students’ interest early on
As with any field that goes from grassroots to being taught in schools, cybersecurity is in an apprenticeship phase right now rather than a purely educational phase, says Diana Kelley, global executive security adviser at IBM Security.
IBM has been part of an effort to get high school students’ hands on the keyboard and spark interest in technology since 2011 with one of the first Pathways in Technology Early College High Schools, or P-TECH programs. The six-year programs partner tech companies or government agencies with local school districts and community colleges to offer one-on-one mentoring, paid internships, a free associate degree and the potential for a job at a technology company for students who complete the program.
In 2014, IBM helped launch the first P-TECH program focused specifically on cybersecurity training. Some 150 high school students at Excelsior Academy in New York are in their third year of the program. “They’re learning hands-on activities, like network administration skills, how to manage a Unix box and set up users, forensic analysis, being able to look back through log files to understand what happened on a system, even developing and understanding legal issues associated with cybersecurity,” Kelley says.
Through the partnership with the Newburgh Enlarged City School District, IBM and SUNY Orange County Community College, students will graduate with an Associate of Applied Science degree from SUNY Orange.
Today, three P-TECH programs focus specifically on cybersecurity. The P-TECH program at Carver Vocational and Technical High School in Maryland, in partnership with IBM and Baltimore City Community College, launched last fall with 50 students. “We have 87 IBM mentors for those 50 students,” Kelley says. “Some of them, we hope, will work with IBM when they graduate” and work in cybersecurity, she adds.
The program expects to enroll another 50 students this fall. The third program, in Newport, R.I., is a collaboration between Newport Public Schools, Community College of Rhode Island and the Southeastern New England Defense Industry Alliance.
What’s still missing?
“Sometimes content or courses are available but increasingly I’m convinced that we’re just not messaging this correctly,” Shearer says, noting that interest in STEM doesn’t necessarily mean interest in cybersecurity. The message to young candidates should be “that cybersecurity is an exciting, stable career, and we need bright young kids coming in on the right side of the law and the right side of this fight we have globally.”
Boot camps offer crash courses in cybersecurity
Cybersecurity requires “new collar” workers, those who have valuable skills over degrees, says Kelley. “Explorers, problem-solvers, someone with a really strong ethical sense and wants to do guardian-type activities” can do well in cybersecurity, she adds.
The cybersecurity boot-camp model can provide those missing technical skills for professionals from other fields, veterans returning from duty or Millennials who don’t want to attend a four-year college.
Three-to-six-month training programs focus on practical hands-on experience. “Teaching by solving practical cyber challenges with actual cybersecurity tools provides an opportunity for students to obtain up-to-date knowledge and skills in a condensed timeframe,” says Algirde Pipikaite, vice president of information risk at Cybersponse, and an advocate for public-private partnerships and apprenticeships for cybersecurity talent.
Boot camps could also help retrain workers in high unemployment states, she says. “Places like Ohio and Michigan have very strong, talented people that were blue collar workers with skills in the auto industry or in manufacturing operations. Take three to six months to retrain them – they’re smart, and they’re going to get it. They’ll have a well-paid, upper-middle class job.”
Boot-camp-style cybersecurity training is already being applied in both the Department of Defense and Department of Homeland Security. In less than six months, a person is trained to detect digital anomalies and defend a network using the most up-to-date cybersecurity skills and tools.
In January, the DoD announced it will take that model on the road with a six-month cybersecurity boot camp at Chicago’s Wright Junior College in 2018. The program will be based on training prototyped with military students at Fort McNair in Washington, D.C.
The program, funded by the DoD and the city of Chicago, will enroll 20 to 30 service members and civilians who will learn skills in public and private-sector cybersecurity, culminating with the “Offensive Security Certified Professional Certification” test.
Companies including Accenture, Allstate, Aon, ComEd, Keeper Security and Microsoft will offer students internships, mentoring and job placement.
What’s still missing?
Pipikaite would like to see more government-sponsored boot camps like these developed through a cybersecurity presidential fellowship program where workers who complete the funded program would be required to work for the federal government for at least a year. The plan would benefit private sector businesses, too. “Having stronger government cybersecurity would automatically provide better private sector cybersecurity,” she says.
On the job – Certifications may be more valuable than degrees
Industry certifications are considered by some companies to have more value than some degrees, according to Holly Zanville, senior adviser for credentialing and workforce development at the Lumina Foundation, a private foundation focused on increasing success in U.S. higher education.
“As we’re seeing more [certifications] get embedded in [higher ed] programs, we’re hearing some students elect not to complete degrees once they pass some of these certifications. They go and find a good job,” Zanville says.
(ISC)² awarded 10,130 certifications between 2015-2016, up from 9,017 certifications in 2014-2015. The number of years’ experience required for some certifications used to confound some would-be candidates, but more people are turning to (ISC)²’s associate program, where candidates can pass a certification exam to become an associate of (ISC)², and then get an extra year to achieve the required experience.
“We provide an extra year knowing that people could have a break in employment [while finding or changing jobs] or other life events while they’re working to acquire the requisite experience,” Shearer says. “It’s an entry-level solution and a career-path change solution – so that experience does not become a barrier to entry.”
When the candidate passes the certification test, they get an associate digital badge to add to their signature block. (ISC)² is accredited, so it can only award full certifications to people who have passed the exam, received endorsements and completed a background check of experience. More than 15,000 people have held the associate designation since the program began in 2003, and 85 percent have gone on to hold a full (ISC)² certification.
What’s still missing?
The industry needs a way to vet and validate the many cybersecurity certifications offered by non-profits, institutions and private companies, says Evelyn Ganzglass, co-director of Connecting Credentials, a collaboration of 100 national organizations trying to make credentials and badges easier to understand. “All credentials are based on learning outcomes, but some are not transparent about what those outcomes are,” she says. In 2015, the group launched a national dialog on ways to create equitable and fair credentialing models.
Four-year cybersecurity degrees and graduate programs flourish
Analysts have seen an uptick in the number of colleges and universities developing cybersecurity curriculum, many with the help of federal agency grants and collaboration.
Universities in the U.K., E.U. and U.S. are taking frameworks created by NIST and from cyber centers in the U.K. intelligence world and offering master’s level programs, says Mark Coleman, a research director at Gartner in London. “But the reality is, it’s almost impossible for CISOs to get people out of their current, badly needed job and send them out to university for a year to come back with some qualification. It does build skills, but it’s really slow.”
The threat landscape changes quickly, and skills become obsolete. What’s more, many companies are eager to poach skilled cybersecurity workers, “so as soon as you’ve gotten them trained, they go somewhere else, and you’re back to square one,” he says.
What’s still missing?
“As colleges and universities continue to provide more curriculum that’s cyber-related, we still need to see students in those seats, in those classes, receiving that education,” Shearer says.