
Today's talk really isn't... I have a teacher voice. Oh, I might walk in and out of the mic. So today's talk really focuses on two things. One, if you have been out of the education industry for a while, and by a while you mean like five or ten years, or you never touched cyber education, it's really good for you, as veteran security professionals, to know how our future educators are actually getting educated, what are the kinds of skills that they're actually learning from. And more importantly, I'm gonna be a little critical of the security education industry, so I want to start first of all by saying all my thoughts are my own and not Mount Hood's,
even though the giant logo is right there, because I am going to be critical of some of the ways that I think that cyber education is failing not just our students but also the industry as well. But I'm also really excited to honor and be really pumped about what we're doing well, and I think that that's one of the really great things about this B track, is that it is really focusing on how do we encourage the professionals within our industry to skill up, and how do we bring people into this industry so that not only are they qualified but they're not misqualified, right? So that we're not teaching too-old technology, or
that we're teaching the right technology for our given community. So, the obligatory "Who am I?" By the way, this is my favorite cybersecurity joke ever of all time. So I am a cybersecurity and information security instructor at Mount Hood Community College. My degree nonsense: I have a master's in cybersecurity, which is a pretty new thing, by the way, so you have to get it online; there's not a ton. I think OSU and... does PSU offer an MS in cybersecurity, do you know? So it tends to be overwhelmingly a computer science track, right, which, as many of you know, if you are really into development in computer science, that doesn't necessarily mean that you're going
really heavy into IT and cyber, right? So it's kind of a cool, new thing. But I actually came originally... I was a K-12 educator, so I also have a master's degree in education, and weirdly enough I have a bachelor's in English, so talking a lot about the humanities, the crossing of technology, I feel like that does aid me personally. But again, we are on track, getting where we are today. And for those of you who care about certifications: I am a CEH, I... I really didn't want this one, this is my master's program, I'm not really big in forensics but I have it, and I am CompTIA Security+. So I want to talk
first of all about the talent gap. How many of you have heard a headline or know about the cybersecurity talent gap that exists? Okay. So I literally typed into Google, like, last night, "talent gap," and I was able to grab these headlines, all published in 2018. Now I will say I think there's a lot of fear-mongering. I think that there's a lot of vendors trying to sell certifications, right, so you're trying to get as many people into the workforce as possible. But there is a consensus that there is a skill gap that exists within cybersecurity. And has anyone ever tried to hire someone in cyber? Like, maybe, or let me rephrase that: how many would say that generally
it's either neutral or hard to find a good cyber person when you're recruiting? Okay, that's true, right, neutral to hard. Whereas when I went to apply as an English teacher, a high school English teacher, there were 300 other applicants that were more qualified than me, right? So definitely it's not an industry where we have a glutton of talent. Does anyone know CyberSeek.org? So this is a, we'll call it a research project, published by Burning Glass, Bureau of Labor Statistics and certification providers, so CompTIA, CEH, things like that. And what they decided to do is pull a ton of open source data, places like Burning Glass and Dice.com, Monster, to basically say how many open
jobs are there in cybersecurity. Now we're looking at this at the national level, and what we're seeing is that there are seven hundred and sixty-eight thousand or so currently employed in cybersecurity, and that there are over 300 thousand open positions in cybersecurity. That's a lot, right, especially at a national level. But what's cool about this map is that you can also break it down not just by state but also even large metro areas, where a lot of this information comes from. And according to CyberSeek.org, so you always take all this stuff with a grain of salt, there's supposedly 2,400 open cybersecurity positions in the Portland metro area. And I would say
Portland metro, not just talking downtown but also, you know, the city of Gresham that needs an IT person, Mount Hood Community College, who literally just hired their very first security analyst in their own IT department. So we're not talking about the big players but also just your general IT staff, and general IT departments that are realizing they need a security professional for the first time. So as an educator my job always is to try and train my students for high-wage, high-need jobs, right? Because, and again, I came from a liberal arts background, when I got a bachelor's in English I knew that the job market for the English
major is limited, to say the least. Now there's journalists and there's writing, and I don't bash my experience; it was such a rewarding experience to engage in the humanities like that. But we're talking about a career pipeline; it's kind of a scary thing to train someone up in, right? So for me as an educator, one of my personal passions is to make sure that I'm doubling down on skills that not only are useful and needed in the industry but will give my students livable and even high-wage jobs. That's my personal commitment. And in the community that I serve, which is Gresham, which is, you know, a suburb of Portland, but Gresham nonetheless, we have
a lot of people who really need that opportunity, who need to be able to bring themselves out of a situation, and cybersecurity right now is one of the, I think, easiest and most important ways to fill that. So we see this giant skills gap that exists, and so educational institutions are trying really hard to jump on this and fulfill this need. Again, the obligatory... so again, this is the fear-mongering, right? Supposedly Symantec published in 2015 that there will be six million jobs in cybersecurity globally, with a shortfall of 1.5 million. Another study shows it as a two million shortfall, right? So we're rising in how many people are gonna be missing. And this is probably the most
insane number, but 3.5 million cybersecurity openings by 2021. Okay, let's just say, for instance, it's even a fraction of that number; that is still an amazing opportunity. We're talking about zero percent unemployment in an industry, where you have, like, my dad, who worked for Hollywood Video, god rest the soul of Blockbuster and Hollywood Video, right? You know, you have industries fading, right, Millennials not buying this or that, killing industries, and yet you have a 0% unemployment rate that's only going up right now. So again, I don't buy into this, but at the same time, as an educator I try and look at generally what's being said, and I try and build programs that can honor and, like I said,
push students into filling these jobs. And kind of an interesting snapshot: we graduate... we have about 60 to 80 students in our program at any given time, which means that we graduate, what, 30 or 40 students a year in our program, which is pretty good for a small program. So even if there truly are 2,400 open jobs in the area, we're only hitting a small dent, right? And let's just say all of the Portland metro area graduated 300 cyber-focused, right, and we're not just talking about developers, right, because students who have bachelor's degrees in computer science, they're filling all the programming jobs, all the dev jobs, right? So even if we optimistically say we're
graduating 300 students a year, right, do the math, right, 3, 6, 9, 12, it's like 5, 6, 7 years before we can even fill the open jobs that exist right now. There are plenty of other tracks, not through education, to get into InfoSec. How many of you don't have a formal education in InfoSec? Right. So that's the reason: it's because we're reaching out to non-traditional ways to fill these roles, because education isn't filling it fast enough. So if you were to walk away from anything in this whole talk, this is the core thing: if educators are not staying current, teaching the right skills and setting the right standards, then you are stuck with terrible
co-workers and everyone just has a bad time. All right, so I need, and when I say I, I'm representing the education community, but I'm not actually putting words in anyone else's mouth, we need your help. As an educational institution we need to lean on industry partners for a lot of different reasons, to ensure that you have awesome and high-talent peers to be filling those critical positions within your organization. So who's actually teaching information security? This is a brand new field when it comes to education. Now I have worked in the public sector long enough to know how slow and sluggish government is, and as Justin talked in his earlier talk, he was, you know, I, say, projected a date for
getting some interns into Cylance, like, in a year from now, right, because that's how slow it works. He's like, "No, let's do it this summer," and that was, like, mind-blowing to me, right? And so the fact that a lot of four-year institutions are adopting cybersecurity is actually really impressive, especially at the rate that they're doing it. So I'm sure I'm missing things here; however, the way that I split them up, and this might be an inappropriate split, I'm sure that people with the CS-focused degrees will get mad at me, but generally speaking there are two major tracks that schools train cybersecurity. One I call IT-focused, which tends to live in their
business IT colleges, really focuses on networking, hardware, infrastructure, versus, you take someone who has a computer science degree, which is typically, you know, development, programming, data science, that then they layer something on top of it. So they'll maybe say, okay, you know, you've taken your core fundamental development courses, and now you can either get a minor or a focus area in a given particular field of cyber, and that tends to be things like AI, deep learning, cryptography, things that really lean on that development background, right? More often than not you don't have the CS-focused degrees saying, all right, here's how you plug in a Cisco router and here's how your network interface card
works, right? And that's because they're just two different beasts, right? Like, I have no business teaching data structures; I have zero concept of what that even means, right? But I have business talking about networks and network interface cards, right? So again, these are the two. CAL, as was mentioned earlier, is actually a vocational tech high school that has been teaching cybersecurity, a two-year focused program, for almost five years now, which is really cool. Mount Hood Community College was the first community college in the state of Oregon to be offering cyber education, and very recently Chemeketa Community College is now pioneering a cybersecurity program as well. PCC offers, I think they call it a certificate, it's
like three classes you can take. So there's definitely a lot of push right now in trying to get cyber education in traditional colleges. PSU, I know, offers a four-year degree, of course, in computer science, but I think, is it a minor in cybersecurity, or what exactly is it? Certificate, okay. So definitely, you know, students who are going through that BS program have a great option to go through and sort of get exposed to a lot of really cool facets of cyber. George Fox actually did just release a focus area as well, but again, it's computer science focused. U of O is a four-year institution; they do have a master's degree in computer science and information assurance, and same with OSU,
but one of the things, and this is where I'm gonna talk initially about the things that we do well or the things that we don't do well: if I want to look at a student right now, and I want to tell them, okay, they want a degree in cyber, right, like I'm looking at a 16-year-old when I was teaching in K-12, well, I'll tell them, okay, well, if you want a degree in cyber that's not a two-year, because some people just don't like the two-years, then they have to go through a full four years, maybe at PSU, where they're able to get a really great certificate, and then they have to go to
a master's degree, where they're primarily focusing on threat research, malware, right, the stuff that requires just ultra in-depth knowledge of cybersecurity systems. But if they're like, "I'm just really pumped about defending a network," well, you don't need a master's for that, right? In fact, and I love that term, it's more like the blue-collar work of cybersecurity, which is, to be honest, where a lot of those open jobs are. And of course there's plenty of open jobs for those master's degrees, right, and plenty of open jobs for even those bachelor's degrees, but we need to be filling all ranges of the industry, and we need to have our educational institutions successfully doing that. And again, so that's
information technology, and there's not any one right answer. We have jobs, of course, in both IT and computer science or data learning. I am of the camp of information technology; that's where my program primarily lives. But I still encourage students to go into computer science if they're really pumped about development and programming and secure coding. So like I said, CAL is in Gresham; I won't spend too much on that. They do a lot of great CIS courses, so CAL's a really great school. And of course Mount Hood: we are incredibly certification focused. Now some of you are like, "Oh cool, I have some of those," and some of you are like, "Oh god, I hate certifications,"
right? I put this here not because we're slaves to certifications so much as I'd like to let you guys know that our students go through the equivalent of, like, how many of you have a CCNA, or at least know what that training is like? If you are CCNA, even if you don't value the cert, at least value the rigor it takes and the knowledge that the students at least have as a result of those certifications. So students who have no knowledge of networking go through our curriculum; sure, they might get the certification or not, at least they know what a network heart is and they know how to configure those networks. So they go through the Cisco
series. A+ is sort of our primer; if you guys are familiar with the A+, it's like help desk, right, help desk stuff, how to build a computer, you know, basics of networking. But again, we have so many students who are like, "I have no idea what a computer is," right, so it's a really important primer. We do Linux+, again more for Linux foundations; Security+ for security overview; and I'm fighting really hard to get CEH, again not because I value that cert as it is, I really think that they need to have some offensive security as well. We also view a Python program, and disaster recovery, business continuity, SQL, forensics, blah blah blah. This isn't
a pitch for my program. What I want to talk about, though, is I get so many people, especially when I'm talking to CISOs or, you know, HR people, and basically, I mean, I can read between the lines: "You, community college," right? I will say, and again, this is where I do not want to down any of the four-year institutions, but I know the process it takes to build a new class, I know the process it takes to build a whole new degree program, and it is horrifying. Like, it takes years for me sometimes to be able to suggest a class to offer it. So let's say, for instance, at the awesome internship, and I'll talk
about this in just a moment, experience, I learned about PowerShell Empire, right, which is like, oh dude, but that's old news for many of you, right? But I just learned about it; it's really cool. And so if I wanted to be able to say, okay, based on my understanding, there's so much of living off the land, PowerShell Empire is so powerful, well, we need to offer a class that really focuses on how to use PowerShell for automated tasks and how to defend against it, like, that's something I feel like was really important. A community college is much more flexible than a four-year university, so I was able to approach my dean and I was able to offer
it this year. So that's one of the things about community colleges, especially when you're teaching technology courses, not just big abstract concepts but, like, the nitty-gritties of what buttons to flip: community colleges are a little better suited for that. So I build my program much more as a vo-tech program, where the students maybe aren't going to be CISOs, that's fine, they're not going to be the admins, they're not even gonna be the threat researchers, but these are the guys who are gonna be sitting in that SOC, these are the people who are gonna be sitting in these actual rooms defending your networks, and hopefully they skill up as they move on, right, so
they're not just stuck in whatever tech they learned in my program. Okay, so one of the things, too, is I learned very quickly that "cybersecurity" is kind of a laughable term in the industry, whereas we much prefer "information security," "InfoSec." Unfortunately the public just digs "cyber," "cybersecurity," so I have to code-switch all the time between when I'm talking to students and when I'm talking to, you know, even, like, sometimes we'll have our state reps come in, I'm all about "cyber," but then you guys laugh at me when I call it "cyber," so I'm gonna try and call it InfoSec from now. Okay, and one of the things, too, about
it's important for you to know that I have a hard time doubling down on any particular set of technology. Like, yeah, we do Cisco, but networking, right, that's pretty general. So we train our students an inch deep and a mile wide, and this is the approach of a lot of cyber education, where you take a survey class: you take a survey of web application pen testing, you take a survey of cryptography, you take a survey of X, Y and Z, which means that your students, or new emerging people coming out of these colleges, are gonna have an approximate knowledge of many things, right? But when they enroll into your actual organization, when you hire them, you
might need to do a little bit of that extra work to then train them and say, okay, you know what DNS queries are, or you know what the generals of pentesting are, but now you're gonna be a dedicated red team, right, and we're really gonna talk to you about what that means. Because as a result I can't double down, for the sake of my students, on any one particular piece of technology, because then I'm not exposing them to the range of the industry, right? So my job, remember, always is to serve my students and to make sure they have the greatest opportunities as possible. So as an industry, that's one thing you need
to be keeping in mind: that we are training generalists more often than not, than we are ultra-specific, you know, compliance managers. So why should you care about cyber education? Well, first of all, this is where I have a lot of opinions about this: certification bodies like CompTIA, EC-Council and Cisco, they dominate the IT and InfoSec curriculum 100%. So when I basically put that I was teaching to A+, I take all of the exam objectives and I build lectures around hitting every single one of those objectives. So if you don't agree, like, let's say you're like, "Wow, half of this isn't really relevant," then we need to know that, right? Because we're getting
sold, we're getting pitched, we're getting lobbied, we get free curriculum, fully built lessons, so as an instructor it's really hard for me to say, well, I'm not gonna accept this resource, right? Especially because I do see a lot of these certifications on job descriptions, right, they do appear. But one of the things you have to know is that this almost exclusively dominates the IT sector, not so much the computer science, right, what's going on in, like, the development shops, but specifically the IT-focused schools; we want to just slam as many of these certs on as possible. So one of the things that I need to be able to reach out to
industry is I need to say, okay, does nobody actually value Security+? Like, is that something that is laughable to most people? And if that's the case we need to stop teaching that. But until we reach out to industry, before we hear the laughs in our face, we continue to teach it, because that's the direction that we're getting pushed. And I'm not saying... when I say we, I'm literally saying at a national level: that's who's going to these teacher conferences, that's who's sponsoring them, and that's where the majority of educators are turning. So as an industry you need to be aware of that; whether or not you agree with it, that's the state of education right now. The other thing,
too, is you do need good people, right? You really need high-quality, oops, sorry, you really need high-quality talent. So if cyber, if education institutions are not teaching the right skills, or if they're not prepping students for the realities of the field, then you end up with under-qualified, and I use that term, misqualified. It's funny because PowerPoint yells, I mean, it says that's a misspelled word, but I like that word. The reason why I say misqualified is because let's say that we double down on the Cisco certification and you're like, "Okay, wow, all of Portland doesn't use Cisco technology," which I don't think is true, I think most people do, but let's
just say that was the case, right? We have miscertified them, we have misqualified them. So I want to be able to look at not only our area but even at a national level and really see what skills do we need to be teaching. Because let's be real, guys: most cybersecurity instructors at a four-year university, they came from the science, the math or the computer science background and trained themselves up in cyber, right? That's the evolution that's occurring. So most of the people who are teaching cybersecurity are either approaching it from an academic standpoint or, like in my case, I just got the master's degree and started teaching. Like, I have zero professional experience and supposedly
I'm training other professionals, right? Like, that's kind of messed up a little bit, especially at an IT level. Now I'm not gonna discredit myself, I think I'm a pretty good teacher, but my point being is that I need to supplement my understanding, I absolutely need to, and when I look at the majority of my peers, they're all in the same boat as me, at least, again, at the IT technical level. So you need high-quality talent, so we need to reach out to industry to help guide us on what we need to teach. And then lastly, one of the things as well is that we saw that giant skills gap; we can't close the skills gap by just
hiring the right people. Microsoft released a study about a year and a half ago that most girls become interested in STEM at the age of eleven and a half, but they start to lose interest at fifteen. Fifteen is when you can pinpoint and say, "Wow, I don't see myself in STEM anymore," right? So if you're trying to fix the problem with a new workforce of people just graduating college, you're missing where we need to be focusing and doubling down our efforts in cybersecurity education. Yes, right, I mean, I can tell you, when I was teaching at CAL I was working with juniors and seniors, and I had, I mean, I
saw all the same stereotypes existed, and I tried really hard to recruit, but, I mean, there's only so much you can do at the end of the road, right? Like, you have to be touching more and more of those middle spots. Okay, so again, state of cyber education pivots. So there's national and state cyber education pushes that are really influencing us. One is NICE, which is a, god, I hate the acronyms. NIST, we all know NIST, right, National Institute of Standards and Technology; they created NICE, they really like their acronyms, which is the National Initiative for Cybersecurity Education. They offer tons of frameworks and they are the big push on grants that are
available to us right now. They dominated; they broke down all cyber jobs into these core, what do they call them, like, domains, and then we get money as schools if we teach to those domains. So again, we're letting government dictate what we should be taught, right? It's not coming from industry, but I do know that many of the people who sit on the NICE board are hopefully from industry. The NSA: they will certify schools as Centers for Academic Excellence, which is actually pretty cool for us because it qualifies us for grants, but we have to do a pretty rigorous review of our curriculum, so that's cool. And if you know about Cyber Oregon, it was an
awesome initiative. Kate Brown signed Senate Bill 90 into law, which basically restructured cybersecurity at the state level, but one of the big things that it did is it opened up money for workforce development, so schools are trying to pull from state funding to be able to successfully do more cyber initiatives. Now this is where, and with respect to my time, this is the thing that, based on our keynote, how many of you were kind of pumped after today's keynote? I know I was, right? And you're probably wondering, like, well, okay, what does that mean, how do I even find someone to mentor, like, what do I even do, what are my next actionable steps as a result of this? I'm
literally going to give you a checklist of things you can do, right? Like, literally there's a paper I'm gonna give you that you can pick from, any of these ten things, and you will make measurable, actionable differences in your community. The first are internships. Now we've heard a lot about what internships mean, but I cannot tell you the amazing benefit that internships have on budding security professionals, because not only do they see what an actual development shop looks like, but they also know, like, do I really need to wear a tie to work, what does it mean to interact with a boss, how do I write this report? Like, those are things that even returning
adults don't know how to do if they're shifting from one industry to another, right? So internships are incredibly important. As was discussed earlier, I had the amazing opportunity to send two of my students, along with myself and a colleague, to Cylance to go through a full five-week internship experience where we did controls testing, and as an educator I learned an immense amount from this intensive experience with an actual enterprise-level company. So not only can you offer internship experiences within your organizations, but you can even invite other instructors to come in and learn. Like, especially during the summer, I will spend portions of my summer hanging out, learning cyber with you and helping you do your job instantaneously,
again, like I said, we did that. I just wanna be really respect... so: let students surprise you. A lot of them are actually really good and they pick up skills really quick. I'm gonna pick on Justin for just a moment; one of the things that he, I think, really, I was so glad to hear, was he basically just said, "Hey, go learn PowerShell Empire," and three hours later my students knew PowerShell Empire, right? So even though they didn't know it, they were able to follow guides, go to tutorials, and they were able to pick it up and immediately start working with it within our environment. So let our students surprise you: even young people who are really pumped
about cyber, they will do good work within your organization. And believe me, I will not recommend my terrible students to you; just know that there are some students who I would not, in, like, a bat's chance in hell, send your way. I will only send you the students who I think are ready for it, have the skill set for it, and who I think would be really successful. Be a guest speaker. Seriously, like, a good example: I'm teaching a unit on forensics, and even though I have that damn cert, I still don't know what forensics means, right? So one of the things that I want to be able to do is pull up a hex editor and dig into,
like, I don't know, some students like stenography, right? So I can follow these old tutorials, or I could literally say, "Hey, you want to swing by the Mount Hood campus for an hour or two and show my students how a hex editor works? Sweet, dude, I'll buy you lunch," right? Seriously, that's the kind of thing where, when we say guest speaker, we don't need a formalized talk; you can literally just come in and sub me out for a topic I don't know super well. Because my day is Access databasing, cyber fundamentals, A+, and then I'm teaching an ethical hacking class; like, my day is so fragmented on the skills I need to know that I sometimes just need a pro to come
in and help me out. We have, just as well, GenCyber; there's an amazing opportunity for serving our K-12 students. The Northwest Cyber Camp is an awesome camp that is also run during the summer; it features CyberPatriot curriculum, but it also has guest speakers every day, so you can come in and give, like, an hour talk. Like I said, I make guesses about what should be taught. Like, I'm a pro at pen testing, okay, cool, I have a web development background, but I have no idea what should be taught when it comes to databasing. Like, should I still be teaching SQL? Should I be doing a survey of NoSQL? Things like that. So sometimes I just want to pick
your brain, and if, let's say, you're in database security, it's really helpful for me to say, "Hey, what are you working with, the things that you're seeing, an industry trend?" And even that informal conversation can really dramatically help shape my curriculum and then as a result positively impact my students. And again, another opportunity: let's say that I'm teaching forensics and you have a really great anomaly, again, that's of course depending on NDAs and everything, let's say you have a really great snippet of network traffic that is totally fine, there's no sensitive data in it, that you think would be really interesting for me to show my students. I'll take that pcap, load it in Wireshark and show off this
really cool anomaly that shows up. That's the kind of thing that might take me literally hours to build that lab; that's something that you spun up in, like, two seconds, right? So if you think about something really cool that's going on, something that is really exciting, some new idea, some problem that you just solved, share that with local InfoSec teachers, and that can get turned into an entire lesson that would be really beneficial. And again, it's something that would save me hours of time for a really positive and meaningful impact for our students. In addition, one of the things: in order for me to get funding from the state I have to have something
called an advisory committee, where I have a group of people who are supposedly industry experts who help guide our program. A lot of these people, again, they're programming folks, they're not actually cyber folks. So if you want to actually come in and help serve one of your local community colleges or help serve one of your local universities, a lot of them all need an advisory council. And let's say I have ten; maybe five actually show up to the meetings, right, because of scheduling conflicts. So we like big rosters of advisory committees, so that when we actually have a meeting and ten or fifteen people show up, we have really great conversations about what we should be
teaching from a multidisciplinary field. And right now my advisory committee is all CISOs, to the security folks we have, which isn't bad, but when I'm saying, "Hey, should we learn PowerShell?" they're like, "Well, let's talk about the soft skills." I'm like, okay, but do they actually need to know PowerShell? Because they don't know the answer to that. Another thing, too: there's tons of awesome cyber competitions that we would love to have anyone come in and coach some of our students. We can help to spin up a club; we have, like, ASB money for that. So if you want to come in and help really dig into blue teaming, red teaming, you can help coach a team. And again, just
share stuff that's really cool. I am seriously... this isn't a plug, but I know that there's adjunct faculty positions open right now at PSU. I'm serious, you guys, teach a class; it's great side money, and most of the time you can just focus on an area that you need. Like Mount Hood, for instance: we're offering two database classes, like advanced database courses; none of us know anything about databases, so we're looking for adjunct faculty who are just really pros at databasing, right? You could probably make about $1,500 at Mount Hood per month just by doing adjunct in one or two classes. So if you are maybe a contractor or you're looking to have a
more flexible kind of schedule, this is a really amazing opportunity for you. Many of the students... I'm gonna wrap up my speech, I know I'm running out of time. Many of my students walk into a degree program to skill up and build a better future for themselves. We need your help to fulfill that promise. You personally can enrich the lives of others with your professional experience and support; you can make a positive change and investment into your professional community, and that's our call to you. Believe me, I mean, I get it: if you never talk to me ever again I'm sure I would be fine, but I know that my experience and my students' experience
is that all the students in our local community could be so enriched by positively partnering. Every time I've worked with industry it has been an amazing, amazing experience. Okay, last thing: it's the checklist I promised you, so please come and grab it. And again, this link is on the back. This is a good example: we're rebuilding our cyber program right now and I just need a bunch of, like, insight around specifics, like, should you Splunk or the ELK stack? I have no idea, right? But my point, right, it's like, that's what this is asking; this is asking really specific questions that I just need industry pros around. So if you have an
opportunity, take, like, maybe 15 minutes, go ahead and please take the survey, and then you can make a meaningful change right now for our program at Mount Hood Community College. That being said, guys, thank you so much. [Applause]