My student employment/apprentice/intern program (or whatever you want to call it) needed a jumpstart and frankly, so does the cybersecurity workforce at large. I’m not entirely sure how to begin this post because there is just so much to say. So, let’s just start with some problem statements. If you just want to read more about what we are doing at Stony Brook to establish a cybersecurity apprentice program, just skip this section altogether and head straight to the next subheading.
The Problem(s):
- We’ve all read the headlines. CYBERSECURITY WORKFORCE SHORTAGE BY THE MILLIONS. While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study, that shortage is close to 3 million globally, but over 2 million of those job vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The same study tells us that ~500,000 of those vacancies are in the U.S. Ok, so we definitely have a problem as an industry. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
- Women are one of the groups significantly underrepresented within the cybersecurity profession. That is an understatement. You have no doubt heard the statistic that only 10-11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date…24%. Even if that number is accurate, it’s too low. Way too low. If our field represented the relative percentage of humanity it should be closer to 50/50 male/female. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
- Hiring students to work within an information security department is not a new concept. Not by a long shot. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs already. For most higher ed CISOs and industry partners however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I’ve spoken to do not have the right expectation when they interview for a job with us. They imagine days filled with malware analysis, Wireshark and Metasploit. It’s not that we don’t do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students that have realistic expectations and the right qualities to be successful within an ‘all hands on deck’ cybersecurity department?
- There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this also makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it introduces a unique barrier as well. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department, and to do so with our existing staff level would cause very serious responsibilities to suffer, and the resultant increase in risk to our organization is not a tradeoff we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
- An alarmingly increasing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a so-called “relevant” degree or computer science background. I can’t tell you how many students I talk to that are shocked when I tell them my programming experience is limited to “VCR” and “ALARM CLOCK.” (Yes, I do know what a for loop is, but never used one to accomplish anything useful aside from printing “Hello World” an infinite amount of times). How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
- When we have hired students, their knowledge of even the most basic information technology concepts has been lacking. With little or no real-world IT experience, many did not truly understand how things like DNS and DHCP worked. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled in all of those gaps for our student hires, it would be graduation time and we didn’t even get to the security part. How could we onboard a student in an expedient manner, without sacrificing too much of our staff’s limited time?
The Solution(s)…maybe:
What if there was a fun, online game that we could offer to all current college students that increases security awareness for all who play? What if this same game required no prior technical knowledge, and it could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core information technology fundamentals, and then layered on associated security concepts?
Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals, and fill in knowledge gaps for thousands of existing professionals. I just didn’t know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. It was almost a year ago today, as he was on his way to RSA 2018 to do his annual keynote, and I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends in the stream of time, some other higher education CISOs helped us brainstorm on a coherent approach in a one-day in-person workshop, and their collective wisdom and insight were priceless. Early on in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. While we are only about halfway through our proof of concept at SBU, here is what we are doing:
- As part of Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party, complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
  - No prior technical experience required.
  - Play to find out if you are an extraordinary problem solver.
  - If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.
- Players first tried an abbreviated version of the game that was free and could be anonymously accessed on the Internet. In fact, it was this version they played during our October pizza party. If they didn’t like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received over 250 requests and issued those students registration codes for the full version of the game.
- The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others – more than 50 of our 250 players – kept playing and earned an invite to the next phase of the program.
- The high scorers were invited to a celebratory lunch and an exclusive online collaboration space (the start of a cybersecurity club perhaps?), and officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.
- We will be reviewing the scores and the CyberStart Essentials completion percentages, and then inviting a subset of the top 50 or so students to interview for up to three student apprentice positions within our Information Security team this coming May. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.
So, will this program address some or all of the challenges I listed at the outset of this article? I can’t be sure yet, but I can tell you this: it has already increased security awareness within our student body, and it has created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this Spring/Summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is copied at other campuses. It’s truly win-win for everyone involved.
So far, I have no doubt that CyberStart is going to be just the JumpStart we were looking for.
Thanks for reading and don’t forget to subscribe.