Cybersecurity Apprentice Program: A CyberStart JumpStart

My student employment/apprentice/intern program (or whatever you want to call it) needed a jumpstart and frankly, so does the cybersecurity workforce at large. I’m not entirely sure how to begin this post because there is just so much to say. So, let’s just start with some problem statements. If you just want to read more about what we are doing at Stony Brook to establish a cybersecurity apprentice program, skip this section altogether and head straight to the next subheading.


The Problem(s):

  1. We’ve all read the headlines. CYBERSECURITY WORKFORCE SHORTAGE BY THE MILLIONS. While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study, that shortage is close to 3 million globally, but over 2 million of those job vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The same study tells us that ~500,000 of those vacancies are in the U.S. Ok, so we definitely have a problem as an industry. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
  2. Women are one of the groups significantly underrepresented within the cybersecurity profession. That is an understatement. You have no doubt heard the statistic that only 10-11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date…24%. Even if that number is accurate, it’s too low. Way too low. If our field represented the relative percentage of humanity it should be closer to 50/50 male/female. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
  3. Hiring students to work within an information security department is not a new concept. Not by a long shot. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs already. For most higher ed CISOs and industry partners however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I’ve spoken to do not have the right expectation when they interview for a job with us. They imagine days filled with malware analysis, Wireshark and Metasploit. It’s not that we don’t do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students that have realistic expectations and the right qualities to be successful within an ‘all hands on deck’ cybersecurity department?
  4. There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this also makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it introduces a unique barrier as well. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department, and to do so with our existing staff level would cause very serious responsibilities to suffer, and the resultant increase in risk to our organization is not a tradeoff we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
  5. An alarmingly increasing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a so-called “relevant” degree or computer science background. I can’t tell you how many students I talk to that are shocked when I tell them my programming experience is limited to “VCR” and “ALARM CLOCK.” (Yes, I do know what a for loop is, but I have never used one to accomplish anything useful aside from printing “Hello World” an infinite number of times.) How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
  6. When we have hired students, their knowledge of even the most basic information technology concepts was lacking. With little or no real-world IT experience, many did not truly understand how things like DNS and DHCP worked. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled in all of those gaps for our student hires, it would be graduation time and we hadn’t even gotten to the security part. How could we onboard a student in an expedient manner, without sacrificing too much of our staff’s limited time?

The Solution(s)…maybe:

What if there was a fun, online game that we could offer to all current college students that increases security awareness for all who play? What if this same game required no prior technical knowledge, and it could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core information technology fundamentals, and then layered on associated security concepts?

Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals, and fill in knowledge gaps for thousands of existing professionals. I just didn’t know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. That was almost a year ago today, as he was on his way to RSA 2018 to do his annual keynote; I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends in the stream of time, some other higher education CISOs helped us brainstorm a coherent approach in a one-day in-person workshop, and their collective wisdom and insight was priceless. Early on in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. While we are only about halfway through our proof of concept at SBU, here is what we are doing:

  1. As part of Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party, complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
    1. No prior technical experience required.
    2. Play to find out if you are an extraordinary problem solver.
    3. If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.

      CyberStart Pizza Party

  2. Players first tried an abbreviated version of the game that was free and could be anonymously accessed on the Internet. In fact, it was this version they played during our October pizza party. If they didn’t like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received over 250 requests and issued those students registration codes for the full version of the game.
  3. The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others – more than 50 of our 250 players – kept playing and earned an invite to the next phase of the program.
  4. The high scorers were invited to a celebratory lunch and an exclusive online collaboration space (the start of a cybersecurity club perhaps?), and officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.

    CyberStart Celebratory Lunch

  5. We will be reviewing the scores and the CyberStart Essentials completion percentages, and then invite a subset of the top 50 or so students to interview for up to three student apprentice positions within our Information Security team this coming May. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.

So, will this program address some or all of the challenges I listed at the outset of this article? I can’t be sure yet, but I can tell you this: it has already increased security awareness within our student body, and it has created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this Spring/Summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is copied at other campuses. It’s truly win-win for everyone involved.

So far, I have no doubt that CyberStart is going to be just the JumpStart we were looking for.

Thanks for reading and don’t forget to subscribe.

RSA 2019: RS-YAY or RS-MEH?

It’s that time of year to read countless reviews of the RSA conference. To read the view of someone who has attended many years in a row and is greatly respected for his contributions to the cybersecurity industry, you can read spaf’s post. If you want to know what an RSA first-timer thought of it, you can keep reading (or browse my twitter feed).

Let me start by saying the opening keynote on Tuesday was a spectacle of trolling proportions. A surprise opening speech by the great Helen Mirren (no connection to cybersecurity to speak of) was followed by a cybersecurity-themed choir song (I wish I was joking). And when one later keynote panelist suggested that developers putting in backdoors should be put into prison (15:30 minutes in on this panel), it was somewhat cringeworthy for, um, well, reasons, but still resulted in a round of applause.

But things got better as I attended other sessions and had the opportunity to hear from legendary cybersecurity contributors and experts. It was an absolute treat to hear Bruce Schneier, cybersecurity royalty and Harvard Kennedy School Lecturer, talk about the role of security technologists in public policy. His keynote was thought-provoking and engaging.

I had the opportunity to attend a two-hour incident response (IR) tabletop workshop and I quickly volunteered to facilitate the experience for our table of eight, under the guidance and leadership of the session organizers. Our team of “experts” did some great things along our virtual incident, but in the end we did not apologize enough upfront and paid the hard price of our ‘choose your own adventure’ cyber incident: our CEO was forced to resign after a hard-hitting television interview (well, he was kind of happy to do so, actually). It was challenging as a facilitator not to jump in with my own advice and opinions, but perhaps the most important lesson I learned was the difference between facilitating and participating in an IR tabletop exercise.

There were many others I got to rub shoulders with, meet and learn from throughout the week. RSA was attended by many industry thought leaders, including the likes of Ed Skoudis, Larry Ponemon, Johannes Ullrich, Ron Rivest, John Strand, Alan Paller, Stephen Sims, James Lyne and Paul Asadoorian. I have to plug Strand’s awesome, free threat hunting tool here, RITA, named after his awesome, late mother who ensured it will be free forever. Did I mention that it was awesome and free?

The smaller sessions were truly the gems in my opinion, aside from the always noteworthy 5 Most Dangerous New Attack Techniques keynote. My advice is to spend a couple of hours before you attend and create a schedule, pre-register for the sessions you don’t want to miss, but stay flexible throughout the week. One of my favorite sessions was a “fireside” chat between a CISO and a published author focused on communicating with the board, which I had no intention of attending. I followed a fellow CISO colleague along (Hi Okey!) and I’m glad I did, because some of the unfiltered conversation that ensued during that session resulted in nuggets of wisdom possessed only by extremely experienced professionals (and those who were eavesdropping on the conversation)! This resulted in my most controversial tweet of the week…

There were also plenty of sessions that discussed the importance of a diverse and growing workforce within cybersecurity. I had the chance to reflect on how I can personally make an impact in this area, and was able to hear from and meet many others trying to do the same thing on a much larger scale, like 16-year-old Kyla Guru.

In summary, San Francisco was a good experience. RSA was a good experience, but I’m sure the excitement of rubbing shoulders with the who’s who of cybersecurity will be gone the second time I go. And the vendors? Notice I haven’t mentioned them? They weren’t there. SIKE. They were everywhere and working HARD to be noticed. Surprisingly, though, you could spend as much or as little time as you wanted with them, because they had over 40,000 targets and droves of folks lining up to talk to them. So, I spent some time talking to the vendors I cared about at this moment in time, spent an hour or two learning about new vendors, and now I’m all set to ignore their phone calls for at least another 6 months.

RS-YAY or RS-MEH? I would say…RS-OKAY. I will be back. But not next year. Once every 2-3 years would be perfect in my book.