Higher Ed Brings Hands-On Cybersecurity Experiences to Students
The results of the 2018 (ISC)2 Cybersecurity Workforce Study showed a widening of the global cybersecurity workforce gap to nearly 3 million across North America, Latin America, Asia-Pacific (APAC) and Europe, the Middle East and Africa (EMEA). While those numbers feel daunting, exposing students to hands-on cybersecurity training is one way to narrow that workforce gap.
In an effort to help feed the cybersecurity talent pipeline, higher education institutions are doing their part by offering hands-on learning opportunities to their students. Capture-the-flag competitions are a fun way to get recognized in the security world by honing their skills and networking with people in the industry, and defensive skills are equally as critical in cybersecurity. Students also need to learn how to defend the organization.
Building the bridge between students and industry requires that universities take a collaborative approach so they can bring both offensive and defensive learning experiences to a wider range of students. The good news is, those bridges are under construction. Here’s a look at what some institutions are doing to foster relationships between students and industry.
Calling All Hackers
In the upcoming Collegiate Penetration Testing Competition, Nov. 2-4 in Rochester, New York, Uber, Amazon and the National Security Agency will be both judging and scouting for talent, as the top 10 college teams—Cal Poly Pomona, Cal State Fullerton, Drexel, Stanford, Tennessee Tech, Baldwin Wallace University, Dakota State, Rochester Institute of Technology, University of Central Florida and University of New Haven—compete for the win.
Students at Cal Poly also have the difficult decision of whether to head to New York or stay put and partake in a hackathon hosted by Bugcrowd in the cool new “cyber range” lab it is building with Cal Poly University.
Following the opening of the lab, university students will go head to head with elite security researchers to hack into smart city technology and IoT devices donated by Netgear/Arlo. The event, also taking place Nov. 2-3 is especially timely, given the new California IoT security bill.
“Cybersecurity is not simply about the growing threat of breaches, or even the outside pressure from external researchers, although these are very real drivers. It is about being a responsible citizen in our digital economy,” said Bugcrowd CEO Ashish Gupta.
To that end, Bugcrowd has invested in educating and training the next generation of cybersecurity researchers and white hat hackers. “Both through our work with Cal Poly and the California Cybersecurity Institute to build a world-class training and testing ground for security research as well as Bugcrowd University, we are introducing the power of the crowdsourced model to would-be security researchers around the world to increase the number of skilled researchers looking for vulnerabilities, and then providing continued education and training to empower our Crowd of white hat hackers to find high-priority vulnerabilities,” Gupta said.
Honing the Defender Skills
The cybersecurity industry is about more than hacking, though, which is why RIT is excited that it will be the first campus to receive a visit from the new IBM X-Force Command Tactical Operation Center (C-TOC). In addition to the pen testing competition happening at RIT Computing Weekend, invited students will be immersing themselves in real-world attack simulations with IBM experts aboard the C-TOC so that they can experience how to respond to an attack under realistic, high-pressure scenarios.
“With cyberattacks playing an increasing role in the business landscape, knowing—and actually rehearsing—how to respond to a cybersecurity event before you’re facing one in real life is an absolutely critical skillset in today’s professional environment,” said Caleb Barlow, vice president of threat intelligence at IBM Security, in a press release.
“It’s not just cybersecurity professionals involved in the response process—everyone from legal to finance and human resources has a role to play,” he continued. “Rehearsing how these teams can work together quickly and effectively can make all the difference in minimizing damages in the wake of an attack.”
These learning opportunities on the defender side are rare but increasing. Many universities have been actively trying to get organizations to offer co-ops or internship opportunities to students, but they find themselves running into a scalability issue. In a game of who knows who, building relationships one by one is an uphill battle. That’s why Michael Figueroa, executive director of the Advanced Cyber Security Center (ACSC), is an advocate of building partnerships.
Because students also need the opportunity to develop defender skills, the ACSC is actively testing ways to put college students into more practical operating conditions through its partnership with STEMatch. “The pilot is focused on building industry partnerships on both the product and user side. We are training students in real environments and providing internships within the organizations that are using those tools so that participants gain both the theoretical knowledge in the classroom and practical applications through hands-on experience in the environments,” Figueroa said.
Collaborative Efforts Happening Now
Leveraging the wealth of talented students enrolled in the more than three dozen cybersecurity programs offered at universities throughout Massachusetts, the ACSC and the University of Massachusetts created the Cybersecurity Education and Training Consortium (CETC), a joint initiative to increase connectivity between academia and the private sector in support of the Commonwealth’s cybersecurity efforts.
The CETC aims to help build greater engagement at scalable levels so universities can better create and deliver practical curriculum. Ultimately, the goal is to provide students with the opportunity to practice and hone their skills, which is why outreach is an important part of the equation, said Figueroa.
But how are consortiums designed in such a way that they are able to channel the most students and reach the broadest areas to fill those gaps? “What has worked well in Massachusetts is building a coalition model through the consortium. It’s not a competitive advantage to have one university working with one organization. Doing it in collaboration with a coalition and working toward a common objective will put everyone on a path toward success,” Figueroa said.
Building a Consortium, Step One
Success will come through experimenting with new models that haven’t existed before, but the cybersecurity industry has had a tendency to keep silent about its challenges and failures. What’s important to keep in mind when trying to build a consortium is that there will be some successes and some outright failures.
“To address the broader problem, we need to work together. Massachusetts has a lot of strengths in this area, but it can’t be a regional solution. We need to continue to build collaborations and see what other regions are doing in order to fill the gap overall,” Figueroa said.
These engagements can’t be done on an institution-by-institution basis, which is why universities should instead be reaching out to their peers and building discussion around how to harness the collective talent and get students into positions across the industry, he added. By taking a collaborative approach, “Industry will respond with more attention because they will gain more efficient access to students.”
