The United Kingdom, like every nation these days it seems, really needs to increase the number of cybersecurity professionals they hire in both the private and public sectors. Information systems are at grave risk due to not enough skilled professionals working in security positions.
According to analysts from Frost & Sullivan, there may be 1.5 million job vacancies in UK IT security roles by 2020.
Yet, the very notion of an epidemic cybersecurity “skills gap” is to some nothing but a buzzword. Robert Walker described my feelings effectively in a recent blog post:
“…Stop complaining to your boss that you can’t find anyone who is qualified. Instead, look in the mirror, talk with your HR department, and set your expectations in line with where the best talent actually is… and show up at DEFCON to recruit,” Walker writes.
“The best candidates are there, and if you’re not there making the best offers, today’s overlooked talent (which isn’t exclusively junior) will become tomorrow’s data breach.”
Organizations should definitely be a lot more open minded about who they consider for security positions. They should also be willing to spend time and money on training instead of insisting on finding “unicorn” candidates according to rigid and unforgiving criteria.
Either way, some of the 21st century’s brightest cybersecurity talent currently requires parental permission to play Overwatch on their PS4s. That’s right, they’re still kids!
The UK government’s Department for Digital, Culture, Media and Sport is ready to invest in their potential as future information security professionals, and I think that’s a great idea. Their Cyber Discovery program, aimed at 10 to 13-year-olds, will be delivered with the help of SANS Institute, BT, Cyber Security Challenge UK, and FutureLearn.
The Department’s Karen Bradley said:
“Cyber Discovery will help inspire the digital talent of tomorrow and give thousands of young people the opportunity to develop cutting-edge cyber security skills and fast-track future careers. This important programme is part of our £1.9 billion investment to protect from online threats and make Britain the safest place to be online.”
Head of Education at Cyber Security Challenge UK Debbie Tunstall added:
“Cybersecurity is an industry that’s still in its infancy, meaning very few young people know and understand that there are lucrative careers awaiting them in the field. With a critical skills gap looming and the cybercrime threat growing, we need to educate about cyber security while individuals are still young, piquing their interest in future cyber careers and as a result, filling the pipeline of talent.”
Cyber Discovery’s curriculum covers areas such as Linux, cryptography, web attacks, programming, and ethics, and the program manifests as four different phases.
- CyberStart Assess is available for children and their parents to sign up for now. It’s open to all British 10 to 13-year-olds, and it contains fun challenges that test what kids already know about computers and cybersecurity while obviously figuring out if kids are good candidates for the other phases of the program.
- CyberStart Game is for kids who succeed in CyberStart Assess. In this phase, children go through hundreds of hours of cybersecurity challenges that reflect real-world information security tasks.
- CyberStart Essentials is for kids who pass CyberStart Game. In this phase, children are presented with over 100 hours worth of quizzes, video tutorials, and learning guides.
- CyberStart Elite is the final phase, and it’s only open to kids who succeeded in CyberStart Essentials. Children get to enjoy challenges like Capture The Flag (CTF) competitions, and they also receive face-to-face mentoring.
The UK government has spent about £20 million on Cyber Discovery and it’s currently being piloted in England. The program is expected to expand to other parts of the UK in the second, third, and fourth years.
Are There Similar Programs in the U.S.?
American entities have engaged in efforts which are similar to the UK’s Cyber Discovery program.
The University of Texas at San Antonio established the Center for Infrastructure Assurance and Safety (CIAS) back in June 2001. By 2002, CIAS was a factor in the NSA’s recognition of the university as a leader in the field of infrastructure security.
CIAS develops three different cybersecurity competition and training programs. Their National Collegiate Cyber Defense Competition (CCDC) is open to American college students, where they represent their particular school.
Here’s how CIAS describes the competition:
“CCDC competitions ask student teams to assume administrative and protective duties for an existing ‘commercial’ network—typically a small company with 50+ users, 10 to 12 servers, and common Internet services such as a web server, mail server, and an e-commerce site. Each team begins the competition with an identical set of hardware and software. Scoring is based on the ability to detect and respond to outside threats… A Red Team acts as an adversary who provides the real-world, ‘external threat’ all Internet-based services face, and allows the teams to match their defensive skills against live opponents.”
Most CCDC events involve recruiters, so it’s an excellent way for young adults to start their cybersecurity careers.
CIAS’s CyberPatriot program is similar to the UK’s Cyber Discovery program as it’s open to children. CyberPatriot’s National Youth Cyber Defense Competition is open to kids who are in middle school or high school. In the competition, kids roleplay as IT professionals who must manage the security of a small company’s network. During the competition’s rounds, they’re given disk images of operating systems with certain applications and configurations. They need to find vulnerabilities while security hardening and maintaining network functionality.
CyberPatriot also has an Elementary School Cyber Education Initiative. CyberPatriot visits elementary school classrooms to teach younger children about cybersecurity and other STEM careers. They also teach kids how to be safer on the internet.
CIAS’s third cybersecurity education initiative is Panoply, which takes place at industry conventions such as (ISC)2 Security Congress and Black Hat. The competition is geared toward teens and adults who attend those security events. Panoply has awarded prizes such as convention passes and HDDs.
CIAS isn’t the only entity in the United States that has been educating children about cybersecurity careers. The US Army and Synack hosts r00tz Asylum events. The most recent r00tz Asylum was at this year’s DEF CON in Las Vegas. Their aim is to teach kids about “white hat” hacking.
Wickr cofounder Nico Sell started the first r00tz Asylum in 2010. One of the focuses of the events is to teach kids about the law and ethics so they can hack in a useful and helpful way.
I’m interested to see how this public and private sector investment in children’s cybersecurity knowledge will affect our industry in the next few decades. I’m unaware of anything like Cyber Discovery or r00tz Asylum existing during my life as a Canadian schoolkid in the 90s. I kind of envy these kids today, and I’m optimistic about what they’ll be able to do in the near future.