Students with limited professional work experience may lack appropriate knowledge and expectations to work effectively in cybersecurity departments. A carefully implemented program can find the best students for those positions.
My student employment/apprentice/intern program needs a jumpstart, and so does the cybersecurity workforce at large. Let's start with some problem statements.
- We've all read the headlines: "Cybersecurity Workforce Shortage by the Millions." While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study [https://www.isc2.org/-/media/ISC2/Research/2018-ISC2-Cybersecurity-Workforce-Study.ashx], that shortage is close to three million globally, but more than two million of those vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The study tells us that approximately 500,000 of those vacancies are in the United States. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
- Women are significantly underrepresented in the cybersecurity profession. You have no doubt heard the statistic that only 10–11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date (24%). Even if that number is accurate, it's too low. Way too low. If our field reflected the makeup of humanity, the split should be closer to 50/50 men/women. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
- Hiring students to work in an information security department is not a new concept. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs. For most higher education CISOs and industry partners, however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I've spoken to do not have the right expectations when they interview for a job with us. They imagine days filled with malware analysis, Wireshark, and Metasploit. It's not that we don't do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students who have realistic expectations and the right qualities to be successful in an "all hands on deck" information security department?
- There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it also introduces a unique barrier. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department. Doing so with existing staff would cause serious responsibilities to suffer, and the resultant increase in risk to our organization is not a trade-off we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
- An alarming and growing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a "relevant" degree or computer science background. I can't tell you how many students I talk to who are shocked when I tell them my programming experience is limited to "VCR" and "alarm clock." (Yes, I do know what a "for loop" is, but I've never used one to accomplish anything useful aside from infinitely printing "Hello World.") How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
- When we have hired students, their knowledge of even basic IT concepts is lacking. With little or no real-world IT experience, many do not understand how things like DNS and DHCP work. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled all of those gaps for our student hires, it would be graduation time and we wouldn't even get to the security part. How could we onboard a student in an expedient manner, without sacrificing too much of our staff's limited time?
What if there were a fun, online game that we could offer to all current students that increases security awareness for all who play? What if this game required no prior technical knowledge and could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core IT fundamentals and then layered on associated security concepts?
Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals and fill in knowledge gaps for thousands of existing professionals. I didn't know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. This happened almost a year ago, as he was on his way to RSA 2018 to do his annual keynote, and I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends of time, some other higher education CISOs helped us brainstorm a coherent approach in a one-day in-person workshop, and their collective wisdom and insight was priceless. Early in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. Although we are only about halfway through our proof of concept at Stony Brook, here is what we are doing:
- As part of National Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party (see figure 1), complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
  - No prior technical experience required.
  - Play to find out if you are an extraordinary problem solver.
  - If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.
- Players first tried an abbreviated version of the game that was free and could be anonymously accessed online. If they didn't like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received more than 250 requests and issued those students registration codes for the full version of the game.
- The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others—more than 50 of our 250 players—kept playing and earned an invite to the next phase of the program.
- The high scorers were invited to a celebratory lunch (see figure 2) and an exclusive online collaboration space; they officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.
- We will review the scores and the CyberStart Essentials completion percentages and then invite a subset of the top fifty or so students to interview for up to three student apprentice positions within our Information Security team. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.
Will this program address some or all of the challenges I listed at the outset of this article? I can't be sure, but it has already increased security awareness within our student body and created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this spring/summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is used at other campuses. It's truly a win-win for everyone involved.
Matt Nappi is Chief Information Security Officer and Assistant Vice President at Stony Brook University, including Stony Brook Medicine.
© 2019 Matthew Nappi. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.