The top cyber security myths CISOs and security professionals fall victim to. Empower yourself with persistent training and skill building instead.
What is immersive, gamified cybersecurity learning? The term was originally coined in 2002 by a British computer programmer named Nick Pelling. The term hit the mainstream when a location-sharing service called Foursquare emerged in 2009, employing gamification elements like points, badges, and “mayorships” to motivate people to use their mobile app to “check in” to places they visited. The term hit buzzword fame in 2011 when Gartner officially added it to its “Hype Cycle” list. But gamification is more than a buzz word. Companies have seen gamification work for them in cyber team training—so we thought it wise to take what is working and apply it at the earlier stages of career development—in the classroom.
At Divergence Academy, we are proud to offer a curriculum that embraces blended cyber learning to cultivate students and transitioning professionals who are ready to enter the workforce and stop today’s cyber threats.
We offer data science, cybersecurity, and cloud computing immersive learning programs that enable students to gain the knowledge and skills needed to work in any of those fields. Many of our courses offer a mix of concept-driven learning and application-driven learning so that students understand new knowledge and, in turn, apply that knowledge in skill building, project-based activities. Through working with messy, real-world data and scenarios, students gain experience across the entire technology spectrum.
Studies find when learners engage in active learning, hands-on activities, their information retention rates increase from 5% (with traditional, lecture-based methods) to 75%. The millennial generation presents radically different learning preferences than previous generations. Thus, educational institutions across the country should consider gamification as a pedagogical technique in the classroom. A study from the University of Limerick notes:
Gamified learning activities could become an integral part of flipped teaching environments. Their social, asynchronous nature can be used to prompt students to engage with pre-prepared content, while gamified learning activities can be used in the classroom to prompt student interaction and participation.
In watching our students engage with gamified activities, we see team-building blossom before our eyes. We see instant collaboration and problem-solving and critical thinking emerge. Those kinds of soft skills can’t always be taught in a traditional lecture-based setting and because of that, it is critical that we continue to offer a healthy mix of concept-driven learning with gamified learning opportunities to our students so that they can enter the workforce with a more holistic understanding of the industry.
Cybersecurity has become a captivating and engaging subject matter for students, which is fantastic as those words aren’t typically associated with the technical field.
“Wow, today we were introduced to Project Ares. Captivating is the best description I can think of. It is like ‘Call of Duty’ for cybersecurity.”
~ Divergence Academy Student, 24 years old
Fellow professors and instructors are looking for ways to make cybersecurity more interesting and attractive to students and we believe at Divergence, the gamified learning approach can help. It is an approachable way for students to engage with a field they may be completely unfamiliar with and it supports instructors by offering a course that students WANT to take.
“We notice an increase in student engagement in the classroom with the introduction of Project Ares. Gamification brings an element of intrigue and satisfaction to the learning experience.”
~ Beth Lahaie, Program Director
We hope our adoption and proven success of a blended learning approach is the nudge other institutions around the globe need to consider its power in building the next generation of cybersecurity professionals.
You’ve read about it, know it well, and can probably instantaneously identify one of today’s top cyber crises: the cybersecurity skills gap. It’s putting enterprises, governments and academic institutions at greater risk than ever because we don’t have enough professionals to mitigate, defend, and analyze incoming attacks and vulnerabilities. According to recent estimates, we are looking at the possibility of having as many as 3.5 million unfilled cybersecurity positions by 2021. The widening career gap is due in part to the lack of diversity in the industry.
- Women only make up 14% of the U.S. cybersecurity workforce.
- A Frost & Sullivan report found that 26% of the cybersecurity workforce are minorities.
- According to Data USA, almost three-fourths of information security analysts are white.
And we’re not just talking about racial and ethnic diversity, we’re also talking about diversity of perspective, experience and skill sets. A recent CSIS survey of IT decisionmakers across eight countries found that 82% of employees reported a shortage of cybersecurity skills and 71% of IT decisionmakers believe this talent gap causes direct damage to their organizations. It’s not just the technical skills like computer coding and threat detection that are needed, employers often find today’s cyber graduates are lacking essential soft skills too, like communication, problem-solving, and teamwork capabilities.
An ISC2 study notes, organizations are unable to equip their existing cyber staff with the education and authority needed to develop and enhance their skill sets—leaving us even more deprived of the diversity we desperately need in the cybersecurity sector. The more unique thinking, problem-solving and community representation we have in the cybersecurity space, the better we can tackle the malicious hacker mindset from multiple angles in efforts to get ahead of threats. Forbes assents, “Combining diverse skills, perspectives and situations is necessary to meet effectively the multi-faceted, dynamic challenges of security.”
In an interview with Security Boulevard, Circadence’s Vice President of Global Partnerships Keenan Skelly notes that as cybersecurity tools and technology evolve, specifically AI and machine learning, a problem begins to reveal itself as it relates to lack of diversity:
“The problem is that if you don’t have a diverse group of people training the Artificial Intelligence, then you’re transferring unconscious biases into the AI,” Keenan said. “What we really have to do…is make sure the group of people you have building your AI is diverse enough to be able to recognize these biases and get them out of the AI engineering process,” she added.
The good news is that is it never too late to build a more diverse workforce. Even if your organization cannot hire more people from different career backgrounds or varying skill sets, existing cyber teams can be further developed as professionals too. With the right learning environments that are both relevant and challenging to their thinking, tactics and techniques, current employees can develop a more diverse set of cyber competencies; all while co-learning with diverse teams around the world.
Companies can also build relationships with local educational institutions to communicate critical workforce needs to better align talent pipeline with industry needs, recommends a new study from the Center for Strategic and International Studies. Likewise, cyber professionals can be guest speakers or lecturers in local cyber courses and classrooms to communicate the same diversification needs in the industry.
While some experts say it’s too late to try and diversify the workforce in thinking, skill, and background, we beg to differ. If we give up now in diversifying our workforce, our technology and tools will outpace our ability to use it effectively, efficiently, and innovatively. It’s not too late. It starts with an open mind and “take action” sense of conviction.
 CSIS, Hacking the Skills Shortage (Santa Clara, CA: McAfee, July 2016), https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hacking-skills-shortage.pdf.
 Crumpler and Lewis, The Cybersecurity Workforce Gap, Center for Strategic and International Studies, January 2019.
Photo Credit: https://unsplash.com/@rawpixel
We’ve all heard by now that the cyber workforce gap has reached a level of desperation that puts all of us, and our country, at risk. It’s time we start moving the conversation away from the problem and towards innovative solutions.
To truly narrow this cyber workforce gap, it’s crucial to solicit the collaboration and support of the “golden trifecta” – academia, commercial industries, and government. And while educating and training high school and university students is important, this should not be our only focus; re-skilling and upskilling populations such as Veterans, minorities, career changers, women, persons with disabilities and learning differences, and others, have tremendous potential to both shrink the gap and contribute much needed diversity to the cyber workforce.
Recognizing National Cybersecurity Career Awareness Week (Nov. 12-17), we thought it prudent to share three tools that can help prepare the next generation of cybersecurity professionals to address ever-evolving threats and the aforementioned challenges.
Compared to other professions, cybersecurity apprenticeship programs are scarce. Yet, there is hardly a better way for an organization to fill its pipeline with well-qualified cybersecurity talent than by building an apprenticeship model into existing recruiting strategies. By integrating an “earn while they learn” model, employers can leverage a unique opportunity to grow their own talented pool of cyber professionals who have the highly desired combination of hands-on skills and foundational, academic knowledge.
“This is absolutely fundamental, and a key plan in meeting the workforce needs. Our solution to the gap will be about skills and technical ability,” says Eric Iversen, VP of Learning & Communications, Start Engineering. “And the most successful of apprenticeship programs offer student benefits (e.g., real-world job skills, active income, mentorship, industry-recognized credentials, an inside track to full-time employment, etc.) and employer benefits (i.e., developed talent that matches specific needs and skill sets, reduced hiring costs and a high return on investment, low turnover rates and employee retention, etc.)”
These types of opportunities are especially beneficial for recruiting individuals who may be switching careers, may not have advanced degrees, or are looking to re-enter the field. The U.S. Department of Labor, provides guidance on starting apprenticeship programs.
The hardest part of being a young professional is finding that first career opportunity. However, that is a particular challenge for aspiring cyber professionals when just about every job posting they find asks for some level of relevant, industry experience. The problem is, not many organizations are willing to give it! For organizations looking to bring fresh ideas, perspectives and talent through the door, internship partnerships with local academic institutions can be a great workforce development tool. Many community colleges, technical colleges, and universities have well-oiled practices of connecting their students with local companies. In fact, it’s not uncommon for most students, both undergraduate and graduate, to be required to complete an internship in their field of study before graduation. Much like a successful apprenticeship program, a strategic internship program enables a situation where everyone involved, wins.
While there are many models to be considered here, the following two are typically the most accessible and well-received for both students and employers.
- “Stackable” Courses, Credits & Certificates: Simply put, “stackable” learning opportunities allow students to quickly build their knowledgebase and achieve industry-relevant experience that leads directly to employment. The idea here is two-fold.
a). High school students can enroll in college-level coursework and/or earn cybersecurity-focused certificates while completing their high school career.
b). College-level students can leave higher education for a job, and later return with credits that count toward the next certificate or degree.
This approach continues to gain traction as high school counselors and college administrators respond to the rapidly evolving nature of our economy.
- Cyber Competitions & Hackathons: There is hardly a better vehicle for the practical application of one’s skillset than participating in a cyber competition or hackathon. These types of opportunities are becoming more and more common, and many times, cyber enthusiasts of all proficiency levels view cyber competitions and hackathons as the “latest and greatest” in extra-curricular activities. While numerous studies can be cited to support the significant traction cyber competitions and hackathons have gained, the fact is they’re changing the landscape in important ways. For example, cyber competitions and hackathons are often cited as positively impacting one’s exposure to the industry. Cyber competitions:
- Support exposure to new and emerging technologies
- Enable networking opportunities with like-minded folks
- Offer environments for learners to demonstrate their abilities
- Provide opportunity for new talent recruitment
Circadence is proud to lend its platform Project Ares® for many local and national cyber competitions including the cyberBUFFS, SoCal Cyber Cup, and Paranoia Challenge so students can engage in healthy competition and skill-building among peers. For more information on cyber competitions and hackathons, check out the Air Force Association’s CyberPatriot, Carnegie Mellon’s picoCTF, Major League Hacking, and the National Cyber League.
Closing the cyber workforce gap will take diversification in all sense of the word.
- Diversity from supporting organizations, institutions, and companies.
- Diversity in learning approaches and experiences.
- Diversity in learners themselves.
Enterprise, government and academic institutions must pursue innovative and engaging ways new to attract underrepresented professionals to apprenticeships, internships and alternative pathways to add diversity to the cybersecurity workforce. And based on the current state of our cyber workforce, this suggestion is not just important, it is essential.
Many desired outcomes become a reality when we emphasize these efforts. It’s the unique perspectives, the inspired teamwork, the widened pool of well-qualified talent, the creativity and the “all-hands-on-desk” (see what we did there?) mentality that will help strengthen the cybersecurity industry not just for students, but for all agencies and businesses. Let’s embrace all of it!
Cyber ranges were initially developed for government entities looking to better train their workforce with new skills and techniques. Cyber ranges provide representations of actual networks, systems, and tools for novice and seasoned cyber professionals to safely train in virtual environments without compromising the safety and security of their own networks.
Today, cyber ranges are known to effectively train the cyber workforce across industries. As technology advances, ranges gain in their training scope and potential. The National Initiative for Cybersecurity Education reports cyber ranges provide:
- Performance-based learning and assessment
- A simulated environment where teams can work together to improve teamwork and team capabilities
- Real-time feedback
- Simulate on-the-job experience
- An environment where new ideas can be tested and teams and work to solve complex cyber problems
In order to upskill cybersecurity professionals, commercial, academic, and government institutions have to gracefully fuse the technicalities of the field with the strategic thinking and problem-solving “soft skills” required to defeat sophisticated attacks. Cyber ranges can help do that.
Currently, cyber ranges come in two forms: Bare environments without pre-programmed content; or prescriptive content that may or may not be relevant to a user’s industry. Either form limits the learner’s ability to develop many skill sets, not just what their work role requires.
Six Components of Modern Cyber Ranges
Modern cyber ranges need realistic, industry-relevant content to help trainees practice offense and defense and governance activities in emulated networks. Further cyber ranges need to allow learners to use their own tools and emulated network traffic in order to expand the realism of the training exercise. By using tools in safe replicated networks, learners will have a better understanding of how to address a threat when the real-life scenario hits.
We also know that cybersecurity attacks require teams to combat them, not just one or two individuals. So, in addition to individual training, cyber ranges should also allow for team training and engagement for professionals to learn from one another and gain a bigger picture understanding of what it REALLY takes to stop evolving threats.
With advances in Artificial Intelligence (AI), we know cyber ranges can now support such technology. In the case of our own Project AresÒ, we are able to leverage AI and machine learning to gather user data and activity happening in the platform. As more users play Project Ares, patterns in the data reveal commonalities and anomalies of how missions are completed with minimal human intervention. Those patterns are used to inform the recommendations of an in-game advisor with “chat bot-esque” features available for users to contact if help is needed on a certain activity or level. Further, layering AI and machine learning gives cyber professionals better predictive capabilities and, according to Microsoft, even “improve the efficacy of cybersecurity, the detection of hackers, and even prevent attacks before they occur.”
With many studies touting the benefits of gamification in learning, it only makes sense that modern ranges come equipped with a gamified element. Project Ares has a series of mini-games, battle rooms, and missions that help engage users in task completion—all while learning new techniques and strategies for defeating modern-day attacks. The mini-games help explain cyber technical and/or operational fundamentals with the goal of providing fun and instructional ways to learn a new concept or stay current on perishable skills. The battle rooms are environments used for training and assessing an individual on a set of specific tasks based on current offensive and defensive tactics, techniques and procedures. The missions are used for training and assessing an individual or team on their practical application of knowledge, skills and abilities in order to solve a given cybersecurity problem set, each with its own unique set of mission orders, rules of engagement and objectives.
There is a lot of sensitive data that can be housed in a cyber range so security is the final piece to comprising a modern cyber range. The cloud is quickly recognized as one of the most secure spaces to house network components (and physical infrastructure). To ensure the cyber ranges are operating quickly with the latest updates and to increase visibility of how users are engaging in the cyber ranges across the company, security in the cloud is the latest and greatest approach for users training in test environments.
There you have it. The next generation cyber range should have:
- Industry-relevant content
- Emulated network capabilities
- Single and multi-player engagement
- AI and machine learning
We are proud to have pioneered such a next generation cyber range manifest in many of our platforms including (as mentioned above), Project Ares®, and CyRaaSTM. We hope this post helped you understand the true potential of cyber ranges and how they are evolving today to automate and augment the cyber workforce.