Training program helps find future cybersecurity talent [Q&A]
The shortage of cybersecurity talent is well known and among attempts to address it in the UK is the Cyber Discovery program, backed by the Department for Digital, Culture, Media and Sport (DCMS) and delivered by the SANS institute.
Over 46,000 teenagers have taken part in the last two years, so as the program returns for its third year we spoke to James Lyne, CTO of the SANS institute to find out more about its aims and achievements to date.
BN: Who is eligible for the program?
JL: This year the age limit has dropped by a year, based on teacher and student feedback, and anyone aged 13-18 in the UK is eligible to take part in Cyber Discovery. It's a completely free program funded by DCMS which sits within the CyberFirst portfolio of skills development initiatives. The program was developed and is being delivered by SANS Institute.
BN: What does the scheme aim to do?
JL: Cyber Discovery aims to introduce young people between the ages of 13 and 18 to the field of cyber security, and to educate and inspire them to learn more about potentially working in the profession as they start to make choices about their future careers.
The program teaches students a broad range of disciplines including digital forensics, penetration testing, defending against web attacks, cryptography and ethics. It is comprised of four phases: an initial assessment stage, CyberStart Assess; CyberStart Game and CyberStart Essentials, designed to enhance the skills of those who have made it through the initial assessment stage; and finally the top performers then attend CyberStart Elite camps, designed to further prepare them for a career in the cyber profession by providing industry-leading training, career advice, soft skills development and a Capture the Flag contest.
The Cyber Discovery curriculum is in depth, with hundreds of hours of gamified challenges and teaching. It prepares teenagers for the world of professional cyber security work by exposing them to problems that are faced by security professionals on a daily basis, and giving them the skills and knowledge to either enter the industry early, or to go on to learn more about cyber security in higher education.
Some students have participated individually and others through a Cyber Discovery club, often set up by a teacher at school, but also by parents, industry members and other enthusiasts. It's really important to mention that it's not necessary to be an expert in cyber security, even to facilitate a club, as everything the students need is included in the program.
BN: What has industry response to the scheme been like?
JL: Everyone has been positive as there has been recognition for some time that we need to get to young people at a younger age. The role of industry in closing the cyber skills gap is critical. Today every organisation is reliant in some way on technology. This means that every organisation is also at risk of something going wrong somewhere -- such as a data breach or hack – as the result of either an internal or external bad agent. Without enough skilled staff to mitigate and manage these situations, organisations are in a difficult place. Industry is just beginning to recognise that it needs to change its recruitment practices when it comes to cyber security roles -- there just aren't enough cyber security professionals with 5+ years of experience to go around. However, instead of a trickle of companies trying innovative new ways of finding and training new staff, taking in graduates or even school leavers and offering schemes such as apprenticeships or placements, there needs to be a flood. We welcome members of the industry setting up Cyber Discovery clubs and mentoring students through the programme.
BN: Have many of the scheme's participants gone on to cybersecurity careers?
JL: It's early days for most of the students but many of the older students are going on to either study cyber security or a related subject at university. There may well be more as we don't track the progress of all ex-students, but we are aware of one student from year two who at the age of 18 has just started a job in cyber security. Daniel Milnes says:
Cyber Discovery has really been revolutionary for me and my future plans. As I came to the end of my GCSEs, I was expecting two more uneventful years of education before beginning a career in systems administration, but then I attended a presentation about Cyber Discovery. I decided to sign up as just something to pass the time, but quickly found myself in a whirlwind of education on topics I'd never even considered before. When I started, I couldn't have told you the first thing about web application security, cryptology, digital forensics, and the countless other topics covered, so to be able to learn about and practise them for free was amazing. I've made friends through the programme, pushed my existing skills to their limits, and learnt so many more, so much so that I'm now working as a Cyber Security Consultant, which is something I would never have dreamed of before Cyber Discovery.
Another student is already finding vulnerabilities and reporting them via bug bounty systems, and these are just the ones we know about. There will be more as there are so many super bright students that have taken part. The SANS instructors who taught at this year's summer camps were blown away by their talent.
Jon Gorenflo who taught the 16-18 year olds at Birmingham says:
The Cyber Discovery Elite students were absolutely amazing. With SANS, I’m used to teaching classes to professionals who are working in the industry. The majority of my usual students are over the age of 30, so I wasn’t sure was to expect from this class, but they blew me away. They were engaged every minute of class and were so curious. Usually I share many stories and anecdotes to help the material come alive, but during Cyber Discovery camp I had to shorten many stories and skip others because the students asked so many pertinent, in-depth questions! Overall, it was an encouraging week for me. I walked away excited because these young men and women exercised curiosity, tenacity, and courage all week long and demonstrated that despite being young compared to the average professional, they have what it takes to learn the critical skills that are in such short supply in the cyber security industry.
This year our 16-18-year-olds had the chance to take an industry-level GIAC qualification after their training camp. They are the youngest ever to do so. Some have still to take the exam in the next few weeks, but we've seen the results of those who already have, and they've done amazingly. Having that industry qualification on their CV will give them a huge head start when it comes to getting onto a university course, if that's what they want to do, and ultimately finding a job.
Finally, anecdotally we know that there are many students who are now thinking of cyber security as a career who might not have done before taking part in Cyber Discovery. It's great to know it's having such an impact.
BN: Is there scope for security professionals to help out and how do people get involved?
JL: Industry and security professionals in particular have a key role to play in helping to educate young people from a young age about the advantages of a career in cyber security. One of the problems with cyber security is that most young people know very little about what a cyber security career could look like. And neither do their parents or teachers.
The great thing about the F2F elements of Cyber Discovery is that we've been able to involve members of industry in panel sessions and other presentations at the Elite camps, so that students can get a really good idea of what it might be like to work in the profession. Several companies have also hosted visits for groups of students, again to help them get an idea of what it would be like to work in the industry. We welcome more companies in this capacity in year three.
Image Credit: SANS institute