
Where Are the Reinforcements? Building a Cybersecurity Workforce Pipeline

BSides Las Vegas · 2018 · Published 2018-09
About this talk
Brady Nielsen examines the critical shortage of cybersecurity professionals and proposes community colleges and technical schools as the primary mechanism for workforce development. Drawing on his experience transitioning from industry to academic teaching, he argues that existing programs—government initiatives, vendor training, and four-year universities—fail to address the scale of demand and that the security community must build its own recruitment and training pipeline.
Where are the reinforcements? - Brady Nielsen Common Ground BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript

All right, welcome everybody. Hopefully my mic is gonna work here. This is new; I feel like Britney. Okay, so I am Brady Nielsen, and part of my description and who I am is really, really important to this discussion. I am a semi-retired, or rage-quit, information security professional. I had 20 years of IT and information security experience. I started in a secure computing environment in the Army. I worked for Gonzaga University. Anybody in here a Zags fan? Anybody know who Gonzaga is? Oh, that's very sad. One? Yay. All right, I worked there for quite a while. My last job as an IT security professional was at a publicly traded company; we were a retailer and manufacturer.

We had over a billion dollars in annual revenue, and three months after I left they went bankrupt. Not my fault. I had the opportunity to go teach, and one of the reasons that I selected to do that was I felt like I was losing. I decided that I wanted to train a hundred replacements to go out there and make a difference. When we were trying to hire additional staff, it was very difficult to find anybody with any experience or any training at all in the security world, and this isn't probably a new story for any of you. But I've been a tenured faculty for four years now at a community college, and community colleges are a little bit different: we do hands-on.

It's vocational training. It's been interesting; I've dove headfirst into teaching. I love the academic world. As I said, I worked at a four-year school and it was an opportunity for me to really embrace academia. So when I started teaching as a full-time tenured faculty member I joined the curriculum committee, I went to workshops on how to discuss pedagogy and how to deliver classes, and all those things that I had never really done before. Even though I already had two master's degrees, it was things that I had never really ever taken into consideration; it was stuff that was new. So as part of my journey I kept in contact and stayed active in my local

information security community, and I started hearing the same stories over and over again: that we have difficulties finding people with the skills that are needed. So, as I mentioned, I'm from Spokane, and Spokane is not Seattle. Don't talk to me about the weather; it's completely different. There's a mountain range that separates Spokane and Seattle. Seattle gets rain, we get snow. As a matter of fact, the mountain range in between us is closed usually about ten days out of the year, so we can't even drive to Seattle. It's about 300 miles between my house and the Space Needle, to give you a little bit of an idea, and that's actually very material to my experience because we have to compete with Seattle.

Seattle's pay scale is about two to one when we talk about Spokane. The Spokane greater area is about a million people; Seattle proper is about three-quarters of a million people, and that doesn't include any of the outlying areas. Seattle has Amazon, Microsoft, Boeing. We don't. So as I'm talking with local employers: our local utilities company posted a security analyst position for almost 300 days before they got a qualified applicant, and that person said, sorry, I already took a job in Seattle. So it became very apparent after I'd been teaching for a couple of years that we have a serious problem, and I already knew that, but as I started to pay attention regionally and nationally it's

obvious, and this is the problem. If you haven't already heard, there's a huge shortage in staff with cybersecurity skills, and I'm not just talking about a senior security analyst with 10 years' experience. I'm talking about a network administrator, I'm talking about even help desk. Anybody that has cybersecurity skills and awareness is helping the cause. So ISACA says, hey, there's already a million shortage; we're looking at a two million shortage in the next two or three years. About every month there's a new study, survey, or paper that says this. If you don't know that there's a shortage, talk to me later; I'll get you a list of about a billion links that reinforce this. So one

of the things that I hear as the description of what they are is information security, infosec, cybersecurity, information assurance, digital warfare. I've heard that quite a bit where I'm going at, and I've heard several keynote speakers in the last couple months say that we're really under attack. This is really World War Three; there just aren't human casualties. The casualties are data, connectivity, identities. We're at war. So that's kind of the mindset that I took when I decided that I wanted to give this presentation. As we look at this, before I really start talking about what I'm proposing: there are a lot of brilliant people and

organizations out there today that are working on this problem. I am by no means a pioneer; I am not unique in the fact that there's work that needs to be done here. My intent is not to say anything bad about all the people out there that are already working on this and their organizations, because they've started, and that's what we really need. But really, they're starting, and the focus is going to be that their ideas and their needs are what they're focusing on. There's not really anyone out there today who's looking at the bigger picture of where are those extra bodies we need coming from, and that's really the problem that we're taking a look at.

Now, I would love, at the end of this conversation, for somebody to stand up and say, hey dummy, can't you Google? Somebody's already got this picture, somebody's already got the idea, somebody's already got this fixed, shut up and go home. Please, somebody do that for me. Okay, so the logical fix: four-year schools. Anybody here with a four-year degree from a four-year school? Nice. Okay, so it's the logical fix, right? Of course, who else would we need to fix this problem but to teach more people at the four-year schools? There's definitely a great opportunity there, but when we talk about four-year schools, they really are all abuzz about STEM: science,

technology, education and math. And to them technology is computer science. I spent a few minutes Googling what kind of resources and what kind of graduation rates, and I discovered that there are roughly 50,000 computer science graduates in the U.S. a year. If I go back to the previous slide, there's a million shortage in information security already, and I also stumbled onto the fact that those computer science graduates mostly end up in app development, and they also already have a shortage, so we can't rob Peter to pay Paul. So I, as a faculty member at community colleges, I love what we are doing. The reality is, if I go talk to a mom or a dad, or if I go talk to somebody

who's looking for career advice or wants to change their job: community college is where you go to get the first two years of a four-year degree. That might be where you go to learn to be a firefighter or a beautician. Nobody says, if you want to be in IT or cybersecurity, you go to community college. And community colleges have done this to themselves: that's how they market it, that's how they make their money, that's how they get their funding, is in those two-year transfers. They're really big on things like dual enrollment, where they get high school kids that will take a college class and get credit. That's an awesome advantage, it's a great opportunity, but it doesn't really help

us put cybersecurity professionals in the chair. Okay, so if it's not schools, it's the government. I just came from a community college cybersecurity symposium last week in Portland, and I'm amazed at the programs that the government has funded: National Science Foundation, the NSA partnered with NIST, and Department of Labor is working on apprenticeships. There's a lot of stuff going on, but my example of how effective their programs are is the cyber Scholarship for Service program, which is awesome. They give a hundred percent cost to the students; they pay for all their schooling, all their academic needs, their books, tuition, fees, and they pay them an annual stipend of between 20 2014 dollars a year depending

on what type of school it is. The only requirement is, when they're done, for every year that they get tuition paid they go into public service; they work for a federal, state, local, tribal government. I think they've spent 50 million dollars in the last five years. I think they have less than 200 graduates. That's not very cost-effective, and frankly 200 is a fail for what we need when we're talking about millions. So they have great intentions, they have great programs; really, what we're talking about though is small numbers. I've been reading about industry trying to fix their own problem, and I saw some great programs last week. IBM has an apprenticeship program, Google has an

introductory training that's available for free, Cisco has outreach programs that try to reach all kinds of people, but when it all boils down to it, they're addressing their needs. So we've got our traditional trainers: we've got, you know, (ISC)², ISACA, and SANS. I don't have a SANS logo on there; they do great, but they only train the existing people. Nobody walks down the street one day and has an aha moment and says, I need to spend four grand on a SANS training so I become a cybersecurity professional. It just doesn't happen. You don't Google "how do I become awesome" and SANS shows up and you can write a

check for four grand. It doesn't happen. I'm not saying they're bad; I'm saying their focus and their purpose doesn't meet the workforce needs. Also in there, that I don't have logos for, is an honorable mention: ACM and IEEE are awesome. They've done a lot of work, but when it comes down to it, they're creating resources for everybody else to use, and nobody's using them. That's part of our problem. Okay, so how do we fix it? That's the whole meat and potatoes of my presentation. I still consider myself an information security professional; I still really lean that direction. I just happen to be working in an academic world, and as weird as it is, that's

where I go. So the real issue is how do we fix it. We have to fix it ourselves. There's nobody else out there that's going to do it anytime soon, and it's going to get really bad before it gets any better. There are going to have to be some horrible events occur before any other entity steps forward. So obviously my proposal is going to be: we're going to use technical schools and community colleges as the fix, and the reason that I lean towards them is they're not the ivory tower. They don't have the tenure structure, they don't have the advisory committees. The community college is all about meeting community needs, and while I talk about

information security as a greater issue, it's each local region that needs more bodies, and that's what community colleges are there for. The focus at a community college is hands-on skills; it's vocational, it's not theoretical. It's a great opportunity. So one of the other advantages is you don't need a PhD to teach there and to develop the program. With a four-year degree, or even no formal education whatsoever, with industry experience, you might be able to step in and get the ball rolling in your environment. So what I propose we really look at is tools for the trade. If we're going to start to develop a program or a methodology to train people

off the street, and to market it to people who don't know what cybersecurity is, we have to build it. When I started to really contemplate how to do this, I had flashbacks to building my first incident response plan, and the first time I tested my incident response plan I wasn't in the room. I said, okay, I'm on vacation, we have an emergency, we have a critical issue, here's the binder. They all kind of looked at me like I was stupid, because it's my job to respond to the incident, right? And my response was, I'm not available. You know, you can't really schedule me being here when there's a hack or an issue or a denial of service,

and I realized that I had to dumb it down. I had to make a playbook that anybody at the help desk could open up and go to page one, and that's what we need to do: we need to build a playbook that anybody out there can pick up and run with. Part of the issues we run into is that each region has its own needs. As we build and work towards this common goal there's lots of opportunity, there's lots of need, there's not lots of demand, but the key is that we have to get people in each region to step up and do it, and if we have a group that works together to build that template, it's a

whole lot easier. And I can tell you, having come in from the information security world to become an instructor and diving in headfirst, I built curriculum. I built a four-year degree, as a matter of fact. My school this year, we just completed our first year of a bachelor's degree in cybersecurity, which most people are like, at a community college? How do you do a four-year degree? There are 24 states that offer a bachelor's degree at a community college level, and part of that has to do with meeting demand.

So as part of my proposal I'm looking at a working group. I was here four years ago; it was really the second year of I Am The Cavalry, and I was really inspired by what they were doing. I think it was awesome, but I wasn't able to participate and contribute much. I took mental notes, and as I started to reflect on the problem that we have with the shortage of technical skills, their model came to mind. While I kind of feel a little bit like I'm mimicking what they're doing, our problem is very similar to the problems that they have. We have a huge problem. I just saw today stories; there

was an MIT technical journal that says, hey, Black Hat has a whole new track about burnout and mental health in cybersecurity. The problem is real, and I had seen that when I Am The Cavalry started, and I was kind of hoping that they had made advances and that problem's not there. One of the key stressors is that there's not enough bodies to do all the work, and I am definitely one of those examples, where I got tired of patching on Saturday night and being there Monday morning to make sure it worked, and pulling a 60-hour workweek and getting phone calls at 3:00 a.m. No way. They literally couldn't pay me enough. They offered me more money

to stay, and I'm like, no way, I'm gonna have a heart attack, I'm gonna die, you're gonna kill me at this job. And that's a reality that we need to work with. So part of the problem is nobody out there is really looking big-picture. There's individual spokes in the wheel, but if we don't do it for ourselves as an information security community, nobody's going to do it for us. We're going to be stuck dealing with whatever crap they throw at us, and I can tell you, having spent a lot of time around academics in the last four years, you don't want what we put out. My replacement, the person that I replaced, would have been teaching Windows 98 if

they would have let him. If we allow them to determine what we're doing, they're gonna be teaching out of a five-year-old textbook. They're not going to understand any of the labs, and it's all going to be theory, and it's going to be theory that's no longer relevant, and you're going to get replacements who show up and they're duds. And what good is a dud? I might as well go down to wherever and just pick somebody off the street and say, hey, here's 80 grand a year, come sit at a desk, because that's what we're looking at. One of the keys of success that I think is going to be here is that we have to identify a

generic set of skills that covers an introductory level, and then meeting individual demands of industries and regions. It's very difficult for any one person or one group to tackle that, because depending on how small we break down the group, we're talking about thousands of potential skills, and there isn't anybody out there that's particularly good at that. I go back to my local power company, and when I talked with their information security director, he says there's probably a hundred people in the U.S. that truly have the skills that I need; everybody else we hire, we have to train. And I'm like, well, could we do that for you? This is why I

hire two a year. Like, well, that's not really cost-effective, but if I take a look at all the power companies across the U.S., if we built the materials for somebody to learn how to do that, it meets a demand that's not huge, but it's very nice, very necessary. So what I'm looking at: commit. We need you. And I gotta tell ya, I may be up here talking and I may be presenting, but I don't know if I'd be the right leader. I'll take the reins and do what we need to do, because it needs to be done, and I've kind of already started that on the academic side, but I'm really looking at the

industry participation, because that's truly where my heart lies. So, lots of opportunities, lots of struggles. I don't know if any of you have ever worked in an academic environment; two years is quick to them. Two more years without reinforcements is bad enough as it is. And one thing that I've definitely learned by taking a look at all of the money that the governments threw out there: just because we build it, no one will use it. We have to be very vocal, we have to be aggressive, we have to be localized. I don't know if we necessarily need to be coordinated, but the tools need to be there. What we need to do is look locally but have a

repository for everybody to be able to go, hey, you know what, my region needs help, let's go to whatever working group this is going to be named. I have a couple of ideas, but I don't know, they might be stupid. From here, what I'm looking for is people to say, I'll contribute, whether it's a couple hours a month, a couple hours a week. I don't know anybody that's ready and willing to quit their full-time security gig to become a teacher; frankly, the pay's not worth it, it's really not. And you can volunteer your friends. This probably won't be the only place that I'll present this idea, but at some point in time, if I don't get enough support

from industry, I'll just be like, hey, I tried, I did my best. But what I'm really looking for is: contact me after this. I've got a lot of academics that are willing to contribute, but without industry support it's going to be another failure. So with that, I'm still not sure. Thank you. So if anybody has any questions, I'll be willing to field them. I'll hang out here afterwards; I've got a stack of business cards. Fortunately, there's only a 30-minute presentation, so we've got lots of time; there isn't anybody in here for a while. So other than that, thank you. [Music] [Applause]