The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.
The statistics are dismal. An estimated 3.5 million cyber positions will go unfilled by 2021, and today we have over 300,000 openings in the U.S. alone. A New York Times article notes that “filling those jobs would mean increasing the country’s current cybersecurity workforce of 715,000 people by more than 40 percent,” according to data presented at the National Initiative for Cybersecurity Education Conference. If you’re a student in cyber or are just undeclared, there hasn’t been a better time to consider cybersecurity as a professional career. The field has come a long way from the stereotypical hoodie-wearing, Mountain Dew-sipping worker in a dark room performing tedious coding tasks.
Cybersecurity is so much more than that, and it’s exciting! Don’t believe us? At Divergence Academy, we are preparing the next generation of cyber professionals to enter the workforce and alleviate the skills gap through gamified learning. If more institutions adopted such an approach, we as educators would be more successful not just at engaging our students in teaching relevant concepts and theory, but at helping them build the skills needed in today’s workforce.
Cyber Teaching and Learning Challenges
But before we get into the “hopeful” part of this article, we need to understand the challenges in teaching cyber in the first place. The way that cybersecurity has been taught throughout the years often includes lectures, PowerPoint presentations or online models that students complete on their own. Inherently, there is nothing wrong with teaching new information in this way. However, the opportunity exists to help students learn how to apply this knowledge to a real-world setting. The act of doing and creating the needed experience is the single most important quality job candidates can bring to an employer, and this is the gap Divergence Academy is hoping to close.
When students sit in a classroom, information can be presented in a systematic way, whereas in real life this may not always be the case, especially in the world of cybersecurity.
When you think of teaching someone how to think like a hacker, you are fundamentally teaching them how to be creative in how they approach a situation.
The concept of teaching someone to think like a hacker is easier said than done, which is why diversifying the way students can process information is crucial. Not every student learns in the same way.
There’s Hope for Cybersecurity: Continuous Skills Acquisition and Application
As cyber educators and instructors, we know there is no “one-way” to teach and that’s the good news! While certifications and technical degrees are a starting place for cybersecurity readiness and workforce development, instructors must think of new methods that provide persistent access to cyber education.
This statement can best be described with an analogous story. If an aspiring baseball player was training for the major leagues and went to practice to hone his/her skills, they would certainly learn something. However, if that aspiring baseball player then applied for the major leagues a year or so later, without attending training leading up to that point, he/she would be a little rusty, wouldn’t you say? The same situation can be applied to cybersecurity. You wouldn’t attend a class or even complete a full degree in cybersecurity and then apply for a job and say you were a “seasoned cybersecurity professional,” would you? Of course not. There is no “final inning” in cybersecurity signaling a professional’s peak of learning and skills acquisition.
Threats evolve day by day, and if a student graduates thinking about phishing or malware detection one way and ends up in a work environment where that knowledge isn’t applicable anymore, we won’t be able to help the next generation of cyber pros be successful in their jobs. To keep current students and alumni actively engaged in critical learning, persistent access to cybersecurity training must be employed. In this industry, the only constant is change, and for that reason (in addition to the multitude of attacks businesses face every day), educational institutions can be vigilant in putting learning to work for the businesses and workplaces we rely on to support our daily functions.
As technology and interconnectivity evolve with each passing day, steps must be taken immediately to adopt a pedagogy that values and emphasizes continuous learning to best prepare our students for the career they want. With gamified learning at the helm of a new teaching approach for cybersecurity, we can be on our way to minimizing the cyber skills gap and empowering today’s students in a more effective way.
For more information about our gamified learning cyber courses, visit https://divergenceacademy.com/.
Here at Circadence, we are dedicated to taking cybersecurity learning to the next level. We do this through gamification that is accessible to all ages and ranges of knowledge on the subject. Our own Cassie Brubaker, co-creative director on our security awareness mobile app inCyt™, helped us understand the differences between learning and training, and how games can bring value to skill building in the technical world.
Why does cybersecurity really matter in today’s interconnected world?
C: When we don’t understand something, we don’t feel empowered. So, when I think about the importance of cybersecurity and cyber awareness, it’s more a story of empowering people to take back control of their lives. It’s a story about not being scared to live your day-to-day life because you understand [cyber] and you’re in control of it and I think that’s a wonderful thing.
I get that everybody needs to make their companies more secure, but I think it comes at a personal level too. If you feel in control over your personal life, you’re going to be a better contributor to your entire business, you’re going to be a better contributor to your family, you’re going to be a better contributor to yourself.
When we learn more about cybersecurity, we are empowered. Given your expertise with game development, what are the differences between learning versus training?
C: Games provide an inherently clever method to promote learning. There is a place for training, but in my mind, it’s a lot more formal. Learning has a broader application for me. It can happen in all kinds of different moments. You never know when you’re going to learn something new and that’s the magic of it. Training is more like, “let’s get this piece of information across in this specific way.” With our game inCyt, I’ve had so much fun trying to find all the different ways you can learn. You can play it again and again and it’s a little different every time. I can’t guarantee what lesson you’re going to learn when you play today and I don’t know what lesson you’re going to learn when you play tomorrow, BUT you’re going to learn something because you’re engaging with a well-designed product that has been crafted in such a way to give you all kinds of realistic experiences as it pertains to cybersecurity.
Let’s talk briefly about inCyt and how it uses gamified learning.
C: inCyt is a mobile app that builds cybersecurity awareness. It is designed to educate everyone on fundamental cyber concepts and attack methods. It does this through two learning paths: a concept learning component and gameplay component for individuals or teams.
The solution is taking the common perception of cybersecurity and flipping it on its head. Cybersecurity, as it exists today, does not conjure up feelings of peace and comfort the way you might expect from a field focused on security and safety. inCyt brings a radically different approach to the existing landscape – one that invites anyone and everyone to step out of the darkness and take their first step towards cyber enlightenment. One of the cool things about this product is that you’re learning organically about cybersecurity as you play, but you’re just having fun battling with your friends. The more and more you play, the more the cyber concepts start to sink in because you’re seeing them applied in real-world scenarios.
Who should play inCyt?
C: inCyt has been designed to reach all ages and experience levels. It’s ultimately designed for people who know very little about cybersecurity, but because we’ve built it to be playful and with a bit of strategy, even people who are cybersecurity professionals could play it and enjoy it. One of the things we found in testing within the company is that people who do this for a living will play it and say, “I think I could actually use this with my family, they don’t understand what I do.”
What is the ultimate value in a game like this?
C: The ultimate value of inCyt as a product for any company is that it is first and foremost fun for your employees to play. They are going to jump in and not going to feel like they’re being put through some mundane training exercise. There are two different ways that we’re teaching employees about cyber awareness. One of them is what I call “organic lessons” and that’s what happens primarily in the gameplay itself. We give players a bunch of cyber tools and allow them to experiment through gameplay and find what strategies work. In doing this, we’re creating employees that think one level bigger, more strategically about the “whys” and the “whats” as opposed to a memorized list of rules that need to be followed. Nobody likes that. After learning the basic cyber concepts, players can compete in the gameplay portion of the app.
When working on inCyt, how did you address different learning styles?
C: In terms of different learning styles, that’s really where we’ve gone into playtesting as our method to lean against. Everybody wants something a little bit different when they play – some people want all of the answers up front, they want to know exactly how to use it and they want to know why they’re doing it, while some people want to experiment. Through those playtests, we’re able to make variations of the gameplay that hit the largest range of learning styles. It’s really from a human engagement level, less of a theoretical learning style level. That’s why the playtests have been so helpful for us.
For more information on the benefits of gamified learning, check out the below-recommended reading.
Last week I was lucky enough to be able to attend Circadence’s Cyber Learning Tour at the Microsoft Technology Center in Chicago. This event was hosted by Laura Lee, VP of Rapid Prototyping, and one of the lead creators of the Project Ares training platform.
The opportunity to attend this event and hear from the brains behind Project Ares was an eye-opening experience for me. The passion that Laura spoke with was something that I could relate to. As someone who personally advocates for introducing more people to information technology and more specifically cybersecurity, it was amazing to hear Laura Lee talk about how she utilizes Project Ares in schools as early as middle school to educate students on not only the importance of cybersecurity but also real-world scenarios. Hearing Laura talk about kids using Metasploit, Nmap, Wireshark and learning how to defend simulated cyber-attacks or infiltrating networks with Project Ares is taking learning to a whole new level.
One of the more interesting topics Laura brought up about the platform is the scoring capability and how it works within the learning environment. She often finds students begin competing against each other on the platform by going through missions and assessments over and over again to see who can get the better score. This brings another avenue of excitement and energy to cybersecurity that could lead to more exposure with things such as e-sports using Project Ares.
The fact that Circadence has created a learning environment that brings gamification, cybersecurity, and training to the same platform is ground-breaking to me. Here is a platform that will simulate real-world scenarios like bank networks, power grids, and other enterprise networks and you either must attack (red team) or defend (blue team) using real-world skills and tools. If you’re a rookie at cybersecurity, Project Ares offers a variety of battle rooms and assessments that will help get you up to speed.
To hear more about why gamification and AI-powered cyber learning is the future of cybersecurity skill building, check out one of their other Cyber Learning Tour stops here: https://marketing.circadence.com/acton/media/36273/cyber-learning-tour-with-microsoft.
Follow Zach’s YouTube Channel I.T. Career Questions for all things cybersecurity learning and development here: https://www.youtube.com/channel/UCt-Pwe2fODjH4Wuwf5VqE7A.
We’ve all heard by now that the cyber workforce gap has reached a level of desperation that puts all of us, and our country, at risk. It’s time we start moving the conversation away from the problem and towards innovative solutions.
To truly narrow this cyber workforce gap, it’s crucial to solicit the collaboration and support of the “golden trifecta” – academia, commercial industries, and government. And while educating and training high school and university students is important, this should not be our only focus; re-skilling and upskilling populations such as Veterans, minorities, career changers, women, persons with disabilities and learning differences, and others, have tremendous potential to both shrink the gap and contribute much needed diversity to the cyber workforce.
Recognizing National Cybersecurity Career Awareness Week (Nov. 12-17), we thought it prudent to share three tools that can help prepare the next generation of cybersecurity professionals to address ever-evolving threats and the aforementioned challenges.
Compared to other professions, cybersecurity apprenticeship programs are scarce. Yet, there is hardly a better way for an organization to fill its pipeline with well-qualified cybersecurity talent than by building an apprenticeship model into existing recruiting strategies. By integrating an “earn while they learn” model, employers can leverage a unique opportunity to grow their own talented pool of cyber professionals who have the highly desired combination of hands-on skills and foundational, academic knowledge.
“This is absolutely fundamental, and a key plan in meeting the workforce needs. Our solution to the gap will be about skills and technical ability,” says Eric Iversen, VP of Learning & Communications, Start Engineering. “And the most successful of apprenticeship programs offer student benefits (e.g., real-world job skills, active income, mentorship, industry-recognized credentials, an inside track to full-time employment, etc.) and employer benefits (i.e., developed talent that matches specific needs and skill sets, reduced hiring costs and a high return on investment, low turnover rates and employee retention, etc.)”
These types of opportunities are especially beneficial for recruiting individuals who may be switching careers, may not have advanced degrees, or are looking to re-enter the field. The U.S. Department of Labor provides guidance on starting apprenticeship programs.
The hardest part of being a young professional is finding that first career opportunity. However, that is a particular challenge for aspiring cyber professionals when just about every job posting they find asks for some level of relevant industry experience. The problem is, not many organizations are willing to give it! For organizations looking to bring fresh ideas, perspectives and talent through the door, internship partnerships with local academic institutions can be a great workforce development tool. Many community colleges, technical colleges, and universities have well-oiled practices of connecting their students with local companies. In fact, it’s not uncommon for most students, both undergraduate and graduate, to be required to complete an internship in their field of study before graduation. Much like a successful apprenticeship program, a strategic internship program enables a situation where everyone involved wins.
While there are many models to be considered here, the following two are typically the most accessible and well-received for both students and employers.
- “Stackable” Courses, Credits & Certificates: Simply put, “stackable” learning opportunities allow students to quickly build their knowledge base and achieve industry-relevant experience that leads directly to employment. The idea here is two-fold.
  a) High school students can enroll in college-level coursework and/or earn cybersecurity-focused certificates while completing their high school career.
  b) College-level students can leave higher education for a job, and later return with credits that count toward the next certificate or degree.
This approach continues to gain traction as high school counselors and college administrators respond to the rapidly evolving nature of our economy.
- Cyber Competitions & Hackathons: There is hardly a better vehicle for the practical application of one’s skillset than participating in a cyber competition or hackathon. These types of opportunities are becoming more and more common, and many times, cyber enthusiasts of all proficiency levels view cyber competitions and hackathons as the “latest and greatest” in extra-curricular activities. While numerous studies can be cited to support the significant traction cyber competitions and hackathons have gained, the fact is they’re changing the landscape in important ways. For example, cyber competitions and hackathons are often cited as positively impacting one’s exposure to the industry. Cyber competitions:
- Support exposure to new and emerging technologies
- Enable networking opportunities with like-minded folks
- Offer environments for learners to demonstrate their abilities
- Provide opportunity for new talent recruitment
Circadence is proud to lend its platform Project Ares® for many local and national cyber competitions including the cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge so students can engage in healthy competition and skill-building among peers. For more information on cyber competitions and hackathons, check out the Air Force Association’s CyberPatriot, Carnegie Mellon’s picoCTF, Major League Hacking, and the National Cyber League.
Closing the cyber workforce gap will take diversification in every sense of the word.
- Diversity from supporting organizations, institutions, and companies.
- Diversity in learning approaches and experiences.
- Diversity in learners themselves.
Enterprise, government and academic institutions must pursue innovative and engaging new ways to attract underrepresented professionals to apprenticeships, internships and alternative pathways to add diversity to the cybersecurity workforce. And based on the current state of our cyber workforce, this suggestion is not just important, it is essential.
Many desired outcomes become a reality when we emphasize these efforts. It’s the unique perspectives, the inspired teamwork, the widened pool of well-qualified talent, the creativity and the “all-hands-on-desk” (see what we did there?) mentality that will help strengthen the cybersecurity industry not just for students, but for all agencies and businesses. Let’s embrace all of it!