Creating Cyber Warriors
Educators and businesses team up to address the state’s shortage of cybersecurity workers.
Cybersecurity is top of mind these days as breaches of credit card information and malicious software attacks occur with alarming frequency. Also looming are questions about the security of the upcoming presidential primaries and general election. And the coronavirus pandemic is having a significant impact on cybersecurity due to the increased vulnerability of workers’ home computers and security teams that are short-staffed due to quarantines. The world has changed to the point that cybersecurity is no longer just an IT issue; it affects everyone.
“Not a single person is out of the scope of cybersecurity,” says Ash Mady, head of the University of North Georgia (UNG) Computer Science and Information Systems Department. He cites digital health records, students’ enrollment information and direct deposit banking as a few of the ways cybersecurity touches everyone. “People are looking at vulnerabilities [in these records],” he says. “They don’t know who you are, and they don’t care. They’re roaming around trying to find a way in.”
Dealing with the fallout from a cyberattack is costly. The Atlanta-based credit monitoring giant Equifax has spent nearly $1.4 billion transforming technology and operations following its 2017 data breach that affected 143 million consumers. IBM estimates the average cost of such an attack is $3.86 million. To deter hackers from accessing private information, an army of cybersecurity workers is needed. However, today the demand for this workforce greatly exceeds the supply.
According to CyberSeek, a U.S. Department of Commerce-supported online tool that provides a snapshot of the cybersecurity job market, Georgia has a total cybersecurity workforce of 35,500, but there are more than 18,000 job openings. The site ranks the state very low in the supply of a certified cybersecurity workforce compared to the demand, and workers are needed in all industries.
Patrick Gaul, executive director of the Atlanta-based National Technology Security Coalition (NTSC), a nonprofit that advocates at the federal level for technology security, says the need for cybersecurity workers is not equally distributed right now.
“We don’t have a shortage of entry-level people,” he says. “The shortage is in the mid-career, seasoned, experienced talent.” These workers would typically fill jobs like certified information systems auditor and certified information security manager, and currently there are about twice as many of those jobs in the state as there are people to fill them. The challenge is how companies, the government and the military find and hire these experienced workers.
One option is to repurpose mid-level career executives in other fields who can easily transition into a cyber role – “those who have the ability to discern patterns out of complexity, which is a requirement of anyone in cybersecurity,” he says.
Another avenue is to create corporate internships that are co-funded by the government through the Cybersecurity Talent Initiative, a public-private program in which participants work for two years – for pay – in a government agency like the FBI or the Department of Homeland Security. At the end of that engagement, they transition into cybersecurity positions offered by the initiative’s corporate sponsors.
“The idea is to put people through different training experiences and give them multiple skills over a brief period of time,” Gaul says. Undergraduate and graduate students in cyber-related fields are eligible. When they complete the program, it will pay for their student loans.
In addition, CyberCorps® Scholarship for Service pays for undergraduate and graduate education in cybersecurity in exchange for service in a government agency. The National Science Foundation (NSF) provides the funds. But Gaul says the only NSF-certified university in the state where students can take advantage of the program is Georgia Tech.
“We need more universities certified for this,” he says. “By the time you come out, you’re more likely to get a [higher level] job than if you come out with just a college degree.”
Filling the Pipeline
While experienced cybersecurity workers are needed now, Gaul says it’s also important to develop a pipeline. “When you look at the percentage of the workforce that will be retiring, it makes absolute sense to build a pipeline for the future,” he says. “And it makes absolute sense to get them young.”
He’s talking about students who are in middle school and entering high school.
“If we wait and get students when they enter higher ed, we’ve missed so much of where we can attract the future workforce,” says Michael Shaffer, executive vice president for strategic partnerships and economic development at Augusta University and the university’s liaison with the Georgia Cyber Center in Augusta. The $100-million facility is the product of a unique public-private collaboration among academia; state, federal and local governments; law enforcement; the U.S. Army; and private businesses. Currently, the Cyber Center is helping to train local K-12 teachers in how to present some of the cyber concepts students will need in preparation for a technical college or four-year university education.
In addition, a consortium of military, community and education partners, including Augusta University and Augusta Technical College, which offer classes at the Cyber Center, has created the Alliance for Cybersecurity Education (ACE). The goal of ACE is to develop a defined cybersecurity curriculum for grades 6 to 12 that will build a pipeline through post-secondary education and into employment.
Shaffer says the Cyber Center provides the full spectrum of education and training, including individualized cybersecurity training for business and corporate clients. He believes it is the only site in Georgia that houses technical college and university classes in the same building. And beyond the post-secondary course offerings in which more than 500 are enrolled this semester, the center hosts day-long information sessions aimed at local K-12 students to help them understand that cybersecurity is more than technology and processes.
The Georgia Bureau of Investigation (GBI) is among the organizations that make presentations at the center to increase students’ awareness about the scope of cybersecurity. “GBI tells them, ‘we solve crimes,’” Shaffer says. “Suddenly they understand there’s so many more career possibilities. We’re trying to make an impact at an early age.”
Augusta University is one of eight four-year universities in the state that are designated Centers of Academic Excellence in Cyber Defense by the National Security Agency (NSA) and the U.S. Department of Homeland Security. Along with research institutions Georgia Tech and University of Georgia, the schools are: Columbus State University (CSU), Georgia Southern University, Kennesaw State University, Middle Georgia State University and UNG. Augusta Tech is the state’s first two-year college to earn the designation.
Along with cybersecurity workforce needs in the government and private sectors, the military also has shortages of trained workers. UNG, which is one of six senior military colleges in the nation authorized by the U.S. Department of the Army, prepares students for civilian and military careers in cyber defense, cybersecurity and cyber operations. Mady says the combination of military and civilian students in classes provides a balanced environment and “the best of both sides.”
The university began offering cybersecurity bachelor’s degrees in fall 2018 when 20 students were enrolled. Today more than 200 are working on the degree, about a fourth of whom are in the Army Corps of Cadets, and 13 will graduate this month.
UNG complements cybersecurity coursework with hands-on training. “We bridge the gap between theory and application,” Mady says. “We’re training pros.” He says UNG trains students in real-life cybersecurity scenarios so they can “find their way and learn how to get reliable answers and solutions.”
Outside the classroom, UNG students are encouraged to participate in cyber-related activities like the annual NSA Codebreaker Challenge. During the competition, participants must demonstrate skills in database and network analysis, reverse engineering, cryptography and forensics to prevent a terrorist cyberattack. The tasks required over a 110-day period are those expected of a junior- to mid-level field analyst in the NSA. Last year, UNG’s team of 184 participants won the competition, beating out 530 other colleges and universities and more than tripling Georgia Tech’s second-place score.
Understanding industry needs is an important facet of providing a trained cybersecurity workforce, and close collaboration with industry partners is something CSU specializes in.
“TSYS came to us and said, ‘we’re desperate for cybersecurity people.’ They gave us a generous donation, and from that the TSYS Cyber Center was formed,” says Michael Barker, director of the center at CSU that launched in 2017. He says feedback from Columbus-based companies like TSYS, AFLAC and Pratt & Whitney was instrumental in the university creating a bachelor of science degree in cybersecurity and a bachelor of business administration degree in cybersecurity management. But the companies kept saying they needed cybersecurity professionals now.
In 2018, when the University System of Georgia announced the new nexus degree, a short-term credential that augments other post-secondary degrees and emphasizes hands-on experience, CSU saw it as an opportunity to further serve businesses.
“We’ve taken that and created a nexus degree in cybersecurity in FinTech [financial technology] since most of our partners are in the FinTech arena,” Barker says. “But it can be applied to any industry.”
He says a survey of companies revealed that they wanted to hire individuals who have multiple cybersecurity certifications, soft skills like good communication and professionalism and IT/network fundamentals. Students pursuing the nexus degree will fulfill these requirements and gain valuable experience through two apprenticeships. They will also spend time on CSU’s recently opened cyber range – the state’s first academic range that’s also open to industry, Barker says – where they’ll learn how to handle, mitigate and prevent cyberattacks.
According to Barker, the cyber range will give students the equivalent of three to five years of experience. “They’ll have more experience handling threats and attacks than people who work in the industry,” he says. “There are 50,000 different malware attacks we can train them on.”
CSU’s nexus degree was set to kick off this month and accept new cohorts of 20 people every eight weeks. Its boot-camp approach requires participants to be on campus for classes half a day, five days a week for a year, leaving time open for employment and apprenticeships.
“The goal here is that whatever the entry-level barrier has been, we’re hoping our students can jump over it,” he says. “We’re providing battle-hardened students who are ready to walk in [to a company] and understand their role and how to fulfill it.”
In addition to hiring new workers trained in cybersecurity, businesses also need ways for current employees to update their skills in emerging technologies and cyberthreats. It’s all part of developing the workforce on the job. That’s where institutions like Georgia Tech make valuable contributions, including offering an online master’s degree in cybersecurity. “It’s an opportunity to have quality education come to working professionals at an affordable cost to help them pursue their career aspirations,” says Nelson Baker, dean of professional education at Georgia Tech.
Along with the online master’s, Georgia Tech provides professional development programs that consist of short courses – one to three days in duration – on a variety of topics. The university also offers a boot-camp approach to cybersecurity for individuals who want to transition in their careers. The 24-week boot camp consists of evening and weekend classes and work outside the classroom.
“We listen to companies and what their workforce needs are and to individuals to come up with a format and delivery that meets lifestyle and work schedules,” he says.
Another way the university works with companies is by providing on-site training. “We take the course to them,” Baker adds. “These are self-funded; revenue from enrollments keeps them going. It’s a part of Georgia Tech’s statewide outreach.”
Companies in FinTech, retail, technology, aerospace and defense have taken advantage of the chance to have workers trained at their location.
“When it’s a company engagement, it’s more cost effective for our faculty to go to them,” says Baker. “We go for three or four days and offer programs in one of the conference rooms or in a [computer] lab setting. Then we might go back two months later and do a different course for the same group. It’s focused knowledge on a timeline that fits the companies’ needs.”
In the future, technology automation may help reduce the need for cybersecurity workers. “The entire workforce issue may be moot within five years with artificial intelligence and machine learning,” says NTSC’s Gaul. He believes these tools will automate eyes-on-the-screen jobs, allowing those workers to be repurposed into higher-level positions that focus on things like threat intelligence and analytics. “It’s going to change the dynamics significantly within the next decade,” he predicts.
UNG’s Mady agrees that the need for cybersecurity workers will become more standard, rather than ever increasing. “We’re gaining ground in terms of automation. [The workforce gap] is not going to continue like this forever,” he says. “This is a dynamic field, and we’re evolving and growing.”