Cybersecurity pros continue to lament the lack of skilled professionals to fill the cybersecurity skills gap. To see how a Georgia university is addressing this, JB and I recently took a road trip two hours south of Atlanta to visit Columbus State University (CSU) in Columbus, GA and check out its Cybersecurity Nexus Program. The Cybersecurity Nexus Program is a one-year certificate program designed to give students of all ages and backgrounds intensive, hands-on learning to prepare them for early-career SOC or offensive security roles with a focus on FinTech (GA-based Global Payments and Synovus are big backers of the program).
Students are taught by former practitioners, earn several foundational IT and security certifications, engage in weekly live fire exercises in a cyber range, and complete an internship at a local company or in CSU’s own SOC. They can also earn a Cybersecurity Nexus Degree with additional general education hours and participate in national cybersecurity competitions as a National Security Agency (NSA) Center of Academic Excellence.
Refreshing, right?
Yes, it is. And this got me thinking about higher education and its role in developing security talent. Until recently, colleges and universities treated cybersecurity as a niche field and area of study. In fact, in my report Rethink Your Reliance On Cybersecurity Certifications, our research found that the top 50 undergrad computer science programs as ranked by US News and World Report offer, on average, just 2.68 security-focused courses for undergraduates.
Thanks to the widely publicized cybersecurity talent shortage, degree requirements are fading from job postings – even for US Federal contractors – and being replaced by demonstrable skills challenges, making expensive four-year programs less appealing to high school grads and those in the workforce looking for a career change.
To keep up, colleges and universities are doing some rethinking of their own as many attempt to carve out a slice of the cybersecurity skills and training pie. In the process, these institutions are renaming the traditional “three Rs” of education to:
- Relevance: The term academic, while fine for degrees in Classical and Ancient Studies, takes on a different connotation with cybersecurity. For a career in a field other than, well… academia, theory must give way to practice. To stay relevant in a sea of skills and training options offered by certification bodies, boot camp and conference organizers, and learning management content providers, many higher ed programs offer hands-on experience with the technology and processes found in most enterprises.
To produce hirable grads, these programs must also provide foundational knowledge of those enterprises by offering labs and exercises to better understand networking, infrastructure, and applications. Too many aspiring security pros with visions of six-figure salaries dancing in their heads skip those fundamentals in pursuit of pure security certifications and find themselves in entry-level IT roles to gain that experience.
- Readiness: In my conversations with Forrester clients about security talent management, many expressed frustration when looking for candidates with the right skills and levels of experience to quickly become a productive member of the team. They know degrees and certifications on their own are no measure of a candidate’s ability to perform in complex environments and under pressure.
Students need time in real or realistic environments, using the tools and, more importantly, techniques found within them. The SOC, often the gateway to other, more specialized security roles, is evolving. In fact, my colleague Allie Mellen is calling for the dismantling of the tiered SOC system in favor of a more holistic, mentor-centered detection engineering practice. Early-career practitioners coming from many cybersecurity degree or certificate programs are now equipped with knowledge of both security products and principles as well as experience working in diverse teams to solve problems.
- Revenue: Facing decreased enrollment in four-year degree programs and increased interest in job training or retraining, continuing education and certificate programs fill revenue gaps. These programs are also often funded (or sponsored) by local companies in need of specialized talent, allowing schools to devote resources to traditional undergrad and graduate programs (you’re welcome, Classical & Ancient Studies).
Virtual courses and online access to hands-on labs and cyber ranges allow programs to expand their reach beyond the local community and attract students – and fees – from other regions and countries. Additionally, many schools, like Miami Dade College, open up their cyber ranges to another source of revenue — corporate training engagements.
How is higher ed doing it? There’s a secret sauce.
That cyber range featured in CSU’s Cybersecurity Nexus Program and Miami Dade’s corporate training offering? It’s from Cyberbit, which offers a higher-ed-specific version of its full cybersecurity skills and training platform. Several colleges and universities in EMEA use RangeForce, and many others globally include Hack The Box and TryHackMe labs and exercises as part of their cybersecurity curriculum.
Whether through specific academic licensing for some platforms or exploiting the loopholes in licensing models of others, higher ed cybersecurity programs run on the backs of cybersecurity skills and training (CS&T) platforms.
Given higher ed’s strong need to deliver those three Rs and the platforms’ strong need for greater market exposure, I’d expect the relationship between platform providers and higher ed institutions to change into one that ensures CS&T platforms are 1) fairly compensated for the critical content they provide and 2) given the opportunity to form a more direct relationship with students who will then advocate for continued use in their professional lives.
But Let’s Get Back To The Students
According to Patrick Aiken, Director of CSU’s TSYS Center for Cybersecurity, 27 graduates of the Cybersecurity Nexus certificate program were hired by local companies since its inception a little over three years ago, and I can understand why.
Our time with the CSU Cybersecurity Nexus Program students and staff was incredibly inspiring. These students are excited to be in the program, eager for a challenge, and preparing themselves for a future role built on a foundation of practical experience. Be it through a degree or certification program at a local college, online university, or through direct access to labs and ranges – practical and continual upskilling is the future of cybersecurity skills and training.
Connect With Me
Want to discuss the changing cybersecurity skills and training landscape and requirements? Reach out! Forrester clients can schedule a guidance session or inquiry with me here.