
Tobin Shields - Giving Back: How to Support The Next Generation of InfoSec Professionals

BSides PDX · 2019 · 30:00 · 104 views · Published 2019-11 · Style: Talk
About this talk
Mt. Hood Community College launched a two-year Cybersecurity degree in 2011. Since that time the program has evolved dramatically: courses have been continually revised to teach only industry-relevant skills, the college has hired new faculty to lead even more advanced and updated topics, and also worked with partners to begin offering meaningful internships for students. But the college still faces a problem: academia lives in a silo. As an institution, we realize that if we want to elevate our students' learning to the next level, we need to develop stronger relationships with InfoSec professionals and their organizations. This talk will directly outline how professionals can give back by acting as student mentors, sitting on our advisory committees, developing internships, teaching courses, as well as being willing to review courses to ensure the correct content is being taught.

Tobin Shields is a full-time instructor at Mt. Hood Community College. There, he primarily teaches topics in IT and InfoSec as a part of their intensive, two-year CTE program. Tobin has two master's degrees, one in Education and the other in Cybersecurity and Information Assurance. He also holds his Security+, CEH, CHFI, and RHCSA certifications. Tobin has been working as an educator for the past five years, and has a passion for teaching STEM topics.
Transcript

yes

yeah yeah it's it's the graphic

cool it's a good well thank you I mean I'm good so I didn't go myself

okay all right we're gonna wow that's louder than I remembered it we're gonna get started in a minute is that what I sound like oh wow no wonder my coworkers are so annoyed anyway if you'll take your seats if you're gonna if you do me a favor if you're gonna stay in the room we normally get people coming in late to these things so if you're on the edge of the row if you wouldn't mind like scooting into the middle a little bit so when people come in you don't get that a whole like personal midsection of a stranger coming across your face it's a possibly not what you paid for when you got the ticket it'd just be appreciated

and yeah so people are gonna file in in the middle of us anyway you don't have to fill them in what they missed it's their fault please make sure your phones are on silent mode would you probably bought a fancy watch to talk to your phone anyway so you don't need it to buzz your wrist is gonna do that for you now because you spent the extra money the scale of that I still don't understand anyway let's talk about education so uh who your who here has gone to a four-year university who extended their childhood by going another two years all right who skipped all that nonsense and went to a community college cool there's some of

you so you're gonna love this because that's what we're talking about today is actually using a community college to kind of promote a larger number of security professionals our speaker today is Tobin Shields he's a full-time instructor at Mount Hood Community College with Security+, CEH, CHFI, and RHCSA certifications I know but some of those are he primarily teaches topics in IT and InfoSec as part of its intensive two-year CTE program is a master's degree always got to in education and cyber security and information assurance with five years working as an educator is a passion for teaching STEM topics what is today everybody Shields [Applause] thank you thank you I definitely am NOT

a big fan of the alphabet soup after my name but I worked hard enough where I guess things like this I do have two masters degrees and it is because I hate myself apparently and I don't like free time no I actually started as a high school English teacher if you can believe it my mom was a high school English teacher she was great role model to me and I actually I knew I just wanted to be a teacher and my favorite subject in school was in English I loved reading I loved literature but when I went to the Oregon educator fair which is actually held right here at the Oregon Convention Center it's where they get a giant

amount of sort of fresh teachers to go and apply for jobs and when I applied for the Beaverton School District there was an English language arts position I was one of 300 applicants so it was a little discouraging trying to find that work I ended up having something like five or six interviews and I just kept getting callback that said look you were really great but there's someone who had five ten years of experience who just needed picked over you so then I ended up applying to a CTE school in Gresham a CTE stands for career tech and they primarily focus on vocational studies and I had a little bit of background in web development it was just kind of a

hobby I had in college so they had a computer science teacher position and I'm like oh my god I've got my fifth you know rejection letter I'm gonna go ahead and apply for this and I was one of two applicants the other guy didn't show up to the interviews so I got the job by default now a colleague of mine he said he turned to me and he's like a teaching web development great I knew how to do that teaching Python programming like cool I kind of know how to do that and he's like you're also teaching this class called cybersecurity and I said what is that so over the summer I ended up dating myself in technology I was

already kind of a tech nerd I build my own computers was a big gamer so it was not hard for me to jump into this but I'll tell you about that first year was probably the hardest professional year I've ever had in my life if you know any teachers please make sure you pay due respects because I'll say oh man teaching is ridiculously hard that first year I did not know it was gonna be that hard and learning a brand new subject but I survived and I developed a brand new passion for technology topics I know idea I could go to school for that I know yeah I could teach that and so again because I don't like free time I

decided to go back and get a master's degree in cyber security because I knew that that's where my passion was that opened up the opportunity the opportunity for me to add a little bit talk about today where I actually have now the wonderful privilege to be teaching there full time it was heartbreaking to leave the high school but I am thrilled that I get to be supporting the next generation of InfoSec professionals and I've done a lot to make up for lost time I'm going to talk about it's kind of what some of the things I did and some things that the program is doing to also make it so that students don't have to go through

two master's degrees in order to get into InfoSec which is really going to be the the main goal of hopefully the call to action that I have for you all again I kind of talked about this one of the things that I've done to make up for lost time is I am going through industry certification prep I got all the theory the disaster recovery the stuff and my master's program but I still didn't know how to configure a router I still didn't know how to make group policy and a Linux you know didn't you know distribution and so that's really what I'm using these certifications to do it's not because I want to be the

smartest person in the room but it's giving me a roadmap to actually learn the things that I want to learn so this is definitely gonna get the alphabet soup after my name and I've taught a range of topics as well and again I did teach English I did happen who's one random section of English and I had I loved it a lot so before they talk too much about our program and the things that you can do to support these students is I want to talk about the need for industry talent now obviously if you're in this room and you're in information security you know that it's hard to find good people you know it's

hard because how do you have been on a hiring committee to try and find someone it's probably kind of challenging to find that sort of unicorn person who has all the suits you want on the background you want nine times out of ten if you can find a decent person you're still training them up on half of the things that you need them to know and that's that's from what industry keeps telling me over and we're again this is pulled from cyberseek.org it's a collation with NICE the National Initiative for Cybersecurity Education which is under NIST which as you guys know there's a lot of none of the government policies along with CompTIA so take this with a grain of

salt because there are some vendors influenced in this but according to this data there are over 300,000 open cybersecurity jobs nationwide about seven or thousand folks working in information security that read middle number here I think is one of the most interesting which is for saying for every 2.3 open positions which is an odd way of saying that but for every 2.3 open positions there's only one qualified candidate nationwide so we have a negative unemployment and information security and as the professionals the room know you're probably doing the work of about 2.3 people right but you know whenever I show students these numbers and I talk to people about this you know everyone says well it's in Silicon Valley or it's

all in DC with the defense contractors the number is a lot smaller when you drill down to the Portland metro area but the Portland metro area still has plenty of opportunity according to the same data this is by county so this is the Multnomah of kind of an Coover County and there are 2600 open positions and information security but 5300 of those folks are currently employed which is crazy exciting is about one-fifth of the entire InfoSec communities kind of here at BSides registered and while we do have quite a cool security community and is not only 2.0 ratio supply and demand we still have a lot of open jobs that are going unfilled and so one of

the things that we've been tasked as educational institutions is we are being tasked with solving this crisis of we're trying to graduate as many people as possible to fill these roles for a plethora of reasons the government obviously wants highly qualified people so that they can work for the government right industry needs qualified people so that you can defend your stuff but my students really value this because this is a highly livable wage it is an exciting career opportunity that requires a skill set yes it requires training but does it require a master's degree and in a lot of cases it doesn't even a bachelor's degree if you're focusing primarily on technical topics and so

community colleges are really really specially placed to be able to offer what we call CTE programs has anyone ever heard that acronym before CTE stands for career technical education and you know education swings back and forth all the time right back in like the early 20s it was all about vocational unit really learned a lot of literature you didn't really think about the humanities and then we realize that well it's pretty enriching to learn that stuff and so then the modern day school that we know it today is very liberal arts focused which again I'm speaking as an English major so it's it benefited me personally benefited my soul but it sure didn't benefit my career right I mean I

the joke is you know you are you're a well-rounded human being after an English degree but then you can either go to tech writing or you can be a novelist or you can do something else and the other two are kind of hard to break into and so there's a swing back toward that vocational based study where community colleges are offering two-year degrees we call them applied associates of science where the entire focus is on getting you skilled up in a subject and we started with things that we did really well already like welding technologies and automotive technologies Mount Hood has the craziest coolest automotive technology where you go through a whole apprenticeship program you're working with Subaru and Chrysler

and all these name brands and you're working in these shops and these students have guaranteed jobs at another program pulling in between 50 and 80 thousand dollars a year at the end of two years and so what we wanted to do is we wanted to see well look there's this giant need for cyber security we know that if we scale them up rapidly as possible in IT system administration InfoSec topics that we can still give students that ability to have a livable wage and a high knee high wage job and so that's exactly what we did and in 2011 Mount Hood Community College revitalized our traditional IT sysadmin sort of networking degree and talking with our Advisory Committee of

our Z councils we realized that hey we're gonna offer a degree path that focuses exclusively on cybersecurity so two-year program that our students can walk into industry with the competence to do the job of effectively a security operations analyst but they can go into network and with the kind of a focus of security and things like that but this is not a pitch for the program it's not why I'm here some good is we have graduated hundreds of students out of our program the more the majority do go on to find meaningful employment it's always hard to track alumni but we've had a lot of success stories and our students tell us that our training works we always ask them

hey what's one thing that you wish you were taught what's one thing that was a total waste of your time because we want to ask those hard questions because we want to responsibly train our students I don't want to bore you we have primarily three cores that our students go through networking where they get a CCNA Cisco they have an IT or system administration we do Windows we do Linux we do Python scripting database management they kind of do a little bit of everything and then of course we have an information security core where students are going through effectively the Security+ or fundamentals tracks they're doing capture the flags we have ethical hacking courses cyber operations

courses forensics and really it's a combination of all three of these that make you not just a good security person but a great IT person as well right so a lot of our folks and a lot of our students don't actually want to should say a lot so our students don't go this is security they go into network engineering they go into system administration I was student right now who's an Azure cloud engineer we don't even teach that stuff in our program and she's able to still land that job because he had the confidence to be able to grapple with this stuff fun fact we are gonna be offering cloud and virtualization starting next year but

I'm gonna talk about the bad well let's talk about what we're still not doing enough and this is where I have a call to action to you all academia lives in a bubble and I'm gonna ruffle feathers from some of my other full year and and six you know master's degree in Advanced Studies but I'm sorry if you're teaching cybersecurity and you actually have a done cybersecurity in a couple of years you don't know what cybersecurity is you know ideas if you haven't done in a couple of years and so the problem is that a lot of academia approaches this in a very theoretical standpoint they approach it as oh we're gonna harp on the TCP/IP stack we're

gonna think about everything as the OSI model which is important for implementing and doing research and reverse engineering then you're not gonna effectively do the work that's required of the daily job and I guess you can pick that up you know while you're working but what's the purpose of getting an entire degree we have to learn everything on the job when you're done so one of the things that I have tried to do on our department is trying to do is break out of our bubble and we really really want to seek the help of industry professionals to be able to make our program a lot better so I have a mighty need from you all I want

to talk about some ways that you can give back not just our program but I'd love to connect you if you're a PCC alumni oh I see alumni if you alumni if you're PSU alumni there are so many schools now that are embedding InfoSec technologies that I want to connect you with the faculty in those organizations to be able to do the following things now these are the things that I personally want but I do know that other faculty will find at least one of these valuable for their students I'm gonna challenge you to teach courses seriously we teach online and night courses mentor faculty offer internships and sitting on our Advisory Council so I'm actually

serious when I say I want you to come teach a class at Mount Hood Community College even if you have no teaching experience even if you have never thought of yourself as a teacher we need help right now with four classes cloud and virtualization primarily we're gonna be teaching AWS but convince me why we should do Azure or Google we need help with digital forensics because none no one on our team or digital forensics pros we're going out of a textbook we have some online labs that we've bought students will have an okay time but we want someone who actually knows forensics to be leading this class we want to implement log analysis I spent

some time at OHSU doing SOC work over the summer and I got to learn Splunk for the first time and it made me realize how have I not been teaching this in my program so we wanted to log analysis and log analytics and I would love someone who works with Splunk on their daily basis to come and help me teach that class and finally we've been just parked with a Red Hat and now we're delivering official Red Hat curriculum that I'm only a one-man army and I can only teach so many classes and so if you work with Linux or some Red Hat variants you're qualified to teach this class and I do want to emphasize that industry

experience here is going to trump degree requirements so while it's cool if you have a master's degree or through bachelors degree we would really really like you to come in if you're a pro in your topic we would love for you to come in and help teach some of our classes now I know different schools are different but at Mount Hood Community College if you're teaching at a CTE program like ours you do not need the master's degree if you have the industry experience to back about plus you get a geek out about a subject I mean how cool is that you know a lot of times in your day job you don't get to just geek out

about a subject you're certain you're serving the needs of your organization but here's what you're actually get to go in and deep dive into a subject and share it that passion with a room of students who also share that same passion in addition we would love you to help mentor faculty and even help with lessons so maybe you don't want to eat a whole class but let's just say that I want to do a Wireshark lab where I want to have my students take a look at a brute-forcing attack or some latest vulnerability that's out in the wild it takes me hours and sometimes days to build these simulated environments because I have to create all these VMs I

have to research the vulnerability I have to go through this process where you've literally captured this data and your day job if you're able to sanitize it or you can share with me interesting logs Wireshark captures new tools that are supporting your work or news news updates in the industry that's the kind of stuff that's really valuable to our faculty and it might come off as patronizing like oh well you don't know this and I know this I'm going to share with you and I could just not respond your email like that's the worst thing that's gonna happen right but nine times out of ten if you're sharing something really cool with me if you want to

comment and say hey there's this really cool new tool and I have the ability to do maybe like an hour lab I have the stuff that could set it up you're literally saving me hours of time and giving me a better product than I ever could because my job is to leave classes my job is to advise students and I do not have the time that I want to sit and build these amazing experiences so why we default to having online environments for students but I think it was a much more meaningful experience if I can actually take what's actually being seen in industry and present it but again what you do in your day job takes me

hour to simulate the other thing as well is to build and offer internships this is a thing that's really hard on IT and I totally get it you don't want to have some random kid come into your entire critical InfoSec infrastructure teach him how to do the stuff and then bail after three months like I understand the hesitancy around that but internship experiences apprenticeship programs projects that students can work on are so incredibly valuable because we're experiencing the weirdest thing remember I talked about how there was like a two to one ratio people are like we're not finding jobs I still have students who tell me that they can't find work I ask them all the

time I ask employers why aren't you hiring my students and they say well they don't have a year or two Cheers experience and I'm like do you don't have that luxury when this job has been open for four or five six months and no one is filling it but we still have battles with HR who won't even look at particular applications it's not everybody we're working on it but the reality is that we're still fighting traditional HR so one of the most important things that you can provide my students is an internship that six months that three months of job experience so that it gets through the horrifying AI HR filters that were really experiencing today and it's

everything from basic IT or helpdesk which I know is an InfoSec but at least they're inundated in the technology they're gonna be securing at a couple of months vulnerability analysis is great because I doesn't take a lot to run a Nessus scan does it it doesn't take a lot to monitor for alerts I figured out how to do SOC analytic work really relatively low stakes in about two weeks get set up basically and I sent emails to people when they had infected USB drives right like it was the daily work that sustains an organization but it doesn't require a lot of privilege right it doesn't require a deep look into your network especially if you're paired with a

mentor who has that those those permissions controls testing we had a really great experience where we had a handful of students coming to an organization and just do basic controls testing wasn't a penetration test but as an example they were really worried about a particular type of vulnerability so he had the students leverage a couple of tools just built in a Kali Linux to see if the vulnerability would work they tuned a little bit and it turned out it worked pretty well and it turned out here a typo in one of his Splunk alerts which caused the alert to not actually run so he found that just these really basic control testings were incredibly valuable to basically allow proof of

concepts for the blue team defending work that he was doing and the finalist project aid if you just have like a hellacious project coming up and you could really help an extra pair of hands for a couple of months I have an army of students willing to help you and they would find it so incredibly valuable I don't want them getting coffee for you I don't want them running prints for you but if there is some grunt work that needs to be done there I find that work valuable because they've never done it before if they need to run for eight hours a day for six months yeah right it's still brand new and fresh to them

and now these are the kinds of things that again not only provide meaningful experience to students will be literally changing these students lives but it also gives them the ability to break into the industry because again that HR filter is really really starting to screw some of our students and the most successful my students are ones who have previous work experience an IT or want to know someone who knows someone which is kind of how half of getting hired works if you want to shout out to organizations who have allowed for internships with our students silence has done some really good work due to the controls testing we create an internship model where students come in

for two summers now it was really successful the second time around if you want to give a shout-out to OHSU and their blue team Department because they allowed me to come in and I'm setting up talks with them to have a student come in and do a rotating basically SOC analytic role with them what I found is that if I can get in front of you and I can brainstorm some ideas about how to get a student in your organization we tend to be able to make it work the problem though is I just don't know who many you are and I don't know the organizations that you represent and that's my call to action to you is say

hey I'm interested I don't know where to start let's talk and again if it's not me PCC if it's not me it's OIT it's not me it's any organization that you maybe are close to you or again know that you're possibly an alumni and then finally I need you to give us advice one of the things about being a CTE program of study which basically means that we're focusing on career tech ed is we have to demonstrate that we are working with industry and one of the ways that we do that is we have something called an advisory council this is a requirement that the state has and effectively what it is it's a group of

really smart people who work in industry who take a look at some of our classes our program as a whole and they tell us the direction that we need to go they tell us whether or not we should be teaching AWS versus Azure PowerShell versus Bash they get into the nitty-gritty about really what she we should be teaching because the worst thing isn't that we're not teaching the right thing it's the Mis qualification that kills me I would hate to invest 10 weeks of time with the student and have them waste their time learning a tool that's being faded out rather than the the tool that's emerging and that's what the Advisory Council can have us do now

I love the colleagues who came before me he filled that Advisory Council with CISOs and managers and and vendor reps which looks good on paper but it doesn't help me answer the question should I be teaching AWS or Azure right so my goal is I'm gonna get more engineers I'm gonna get more blue team defenders I wanna get more SOC analysts on that advisory committee to help guide some of those really particular questions to help inform our practice and it's not just me I know that PCC has a similar Advisory Council I'm not sure about the four-year institutions but I know any Community College has those Advisory Council if there are CTE programs study so I don't want to take too much of your

more of your time I know this is a shorter talk but I am gonna have a table in the CTF room and really what I want to find most valuable is if you come and have a conversation with me because if you're serious about wanting to give back to an organization if you're serious about wanting to connect with students and actually make a meaningful difference and I don't mean that to pay lip-service I mean you will actually make a meaningful difference for 15 20 30 people and you can do so by partnering with your local school if it's not Mount Hood I know my logos all over this and this is my name but I would love to put you

in contact with the department heads at PCC lyt and I can't speak for my colleagues in other schools they can tell you to just blow off and live in their bubble that's fine they have the right to do that but at least put you in contact with them and if they say no I'll say yes I promise you so that's the biggest thing that I want to do again if I graduate a hundred students a year we're still not hitting that 2,600 open job positions we need to work with our fellow schools we need to work with industry to ensure that we are training the next generation of professionals and it's so easy for you to get tunnel vision and it's so

easy for you to just want to focus on your own day job to forget that maybe the people around you are aging out maybe if you don't have a lot of new talent and maybe you're just listening to the same four or five people talk about the same four or five things and you just need another colleague in there I can tell you that my time at OSU their security and privacy department ballooned from a team of ten to a team of 30 or 40 so they're looking for good talent and I imagine that's also the same for you guys so I want to be respectful of time right now so I actually have about five ish minutes for

questions I would love it if anyone wants to ask me questions about the program about how you could help or anything else that might be on your mind I saw hand over here

yep yes actually what I want to focus on that so we have a you know Mount Hood is a big enterprise network right we have our own IT staff and again every other security department and so it took a little bit of massaging but I actually worked with our IT department and we've created an apprenticeship for our students so they had a seasoned veteran Pro tire they use the FTE to hire four students which has been probably one of the most enriching and meaningful experience for my students so I do want to speak to the fact that the apprenticeship model is ideal but hitting the ground running if you've never welcomed a student in before we

could start with a 2 or a 3 month experience and if you have a need for a longer term student then I think an apprenticeship model is it's better for everyone because then you waste less money on retraining the students right and you're also getting the the most that you can out of that student as well we just gonna make sure respecting their time if they're still in school that they are able to balance the work in school because we are right exactly right just kind of like a part tiny thing yeah absolutely yeah anybody who has additional questions if you could come to the microphone so everyone could hear but we've got more than 5 minutes

for this ok we got you know we get at least 10 minutes for questions so please and again if you don't have a question right in the second and you want to have a one-on-one with me I literally I'm gonna be at that booth I do want to like attend talks cuz I'm a nerd about this stuff too but I'm gonna try and be at my table as much as I can today I am gonna be reppin the school so so feel free to grab fliers about the program but my goal here is not to sell you on something my goal here is to ask for your help but if you pick up flyers to

take classes that would be cool possible high school programs high school program was do you know catching on at this point yes so Community College is really great at offering what's called dual credit so you could take an English class while you're in high school and we've had a pretty well-established program for the humanities I am been working with a number of the local high schools to offer our fundamentals of cybersecurity class at the high school level we've offered what I call PLC's which are pretty non professional learning communities where I've trained high school teachers to offer that class in the East Multnomah County area we have schools in the Gresham Barlow School District we have schools in the

Centennial school district and as well as the Sandy School District that are offering cybersecurity classes at the high school level thank you yeah but it's something we need more on absolutely cuz they don't even know what cybersecurity is until I talk to them about it any other questions

well you guys oh yeah I was just going to encourage the audience do you thank you with applause thank you thank you [Applause] again me please a week from now contact me I am totally open I'm totally approachable and I would love love to hear from you thank you guys

[Music]
