A pathway for cybersecurity students to become cybersecurity professionals
We’ve all heard of the Catch-22 phrase, “In order to get experience I need a job, and in order to get a job, I need experience.” Liz Ryan, noted author of Reinvention Roadmap, and a contributor to Forbes Magazine described this as a “membrane that seems to be thick and impenetrable, but once you get a foot inside you will see that it’s not(.)” Ryan identifies the importance of getting involved in “networking events whenever you get a chance … Start to form relationships with business people in your area.”
For cybersecurity students with professional ambitions, the term “business people” can be substituted with IT and cybersecurity professionals. As both an educator and cybersecurity professional, I’ve been in a position of teaching and mentoring a large number of students over the years, with the express goal of creating great taxpayers. In order to achieve this goal, educators need to focus on key competencies that students need to succeed in these job roles. Those competencies are:
● Having the ability to be an effective communicator (both oral and written).
● Having the ability to work with other individuals in a group setting.
● Having the passion for your work, as evidenced by demonstrating you are a life-long learner.
In designing curriculum, my goal is to translate these competencies from course objectives to something that we in education call “student learning outcomes.” The best way I’ve found to do that is to explain in relatively simple terms how my students can achieve these outcomes. My method in achieving the “effective communicator” outcomes is to provide students with in-class and outside the classroom opportunities to communicate.
Yes, that does include homework, but it must be relevant to the profession. The same is true with the participation of group activities. Both of these lend themselves by providing specific assignments that involve students participating in the activities of professional organizations that exist in the IT and cybersecurity industries.
Introducing cybersecurity students to the organizations that exist in this field is a critical step. In my classes we explore organizations that are receptive to student involvement, and commonly have local chapters that provide students with the opportunity to attend and participate in chapter meetings. Some well known examples include:
The Association of IT Professionals was developed by CompTIA, providing students with the ability to obtain membership at no cost. Its vision is “to be the go-to resource for individuals seeking to start, grow, and advance careers in technology, seeking to fill the pipeline with the next generation of talent, attracting and supporting the largest, most diverse, innovative and skilled workforce.”
For Cybersecurity professionals obtaining a security clearance is an important requirement. Infragard, created by the Federal Bureau of Investigation (FBI), is a partnership between the FBI and members of the private sector:
“The Infragard program provides a vehicle for seamless public-private collaboration with government that expedites the timely exchange of information and promotes mutual learning opportunities relevant to the protection of Critical Infrastructure.”
An important factor relative to becoming accepted as a member is students must agree to a “security risk assessment,” that may be sufficiently detailed to identify a number of activities that could serve as a basis for denial of membership. This assessment is identified as not constituting a security clearance, but it does serve as a basis for potentially identifying an issue that might serve as a problem down the road for someone seeking a security clearance.
ISSA and ISACA are international professional organizations that have some overlap relative to their primary focus. ISSA, from an organizational perspective concentrates on managing technology risk and protecting critical information and infrastructure. The ISACA focus is “to help business technology professionals and their enterprises around the world realize the positive potential of technology.”
The action of both joining and participating in the activities of these groups is something that should be discussed with students. They are representative of an individual striving to show that they are involved in professional activities, willing to participate, and demonstrate a commitment to the profession. There is probably no better place, from a social media standpoint, than utilizing LinkedIn as a resource to let the potential employer and industry professionals know what you are doing.
With LinkedIn, its members can advertise their professional affiliations that include “volunteer” activities like participating as a member of the Information Technology Disaster Resource Center (ITDRC). Joining involves a commitment that, if you are in a position to be active in response to a man-made or natural disaster and have skill sets that would be useful, you can volunteer to participate.
Another volunteer activity that I strongly promote is asking my students to participate in the Air Force Association’s CyberPatriot program as a “technical mentor.” This program provides middle school and high school students with the opportunity to participate in cybersecurity defensive competitions and has achieved great success over the past dozen years.
Another key component for a student’s LinkedIn profile is identifying industry recognized certifications from organizations like CompTIA, that they have earned through their educational coursework and passing certification exams. There is a specific section of a LinkedIn member’s profile for listing certifications.
The layout provides the ability to direct interested potential employers to the certification issuer’s website where certification attainment can be verified. While it can certainly be argued that certifications are not a substitute for experience, they can help to identify a person who is committed to the profession and serve as some evidence of the potential characteristic of a life-long learner, willing to participate as a certification holder with a willingness to meet a certification’s continuing education requirement in order to retain the certification.
I encourage cybersecurity students to follow a recommended pattern of certification attainment; CompTIA, for example, publishes the flow chart shown below. In education jargon, this is what we refer to as stacking credentials, and is aligned to cover many of the knowledge, skills, and abilities identified by entities like the National Institute of Standards and Technology (NIST) through its National Initiative on Cyber Education (NICE) program.
In today’s world where we see strong evidence of an acute shortage of cybersecurity professionals. Meanwhile employers continue to demand that such professionals come equipped with a four-year college degree, a laundry list of industry recognized certifications, and 10 years of cybersecurity experience. In essence, their only option is to hire such individuals through an over-bidding process.
The good news for students lacking the degree and lacking the experience is that there is an unwilling pain point that employers face as they attempt to justify paying higher than expected wages to candidates meeting their announced qualification requirements.
Use the student membership opportunities in organizations identified above to effectively network with members of the profession’s workforce. Ask questions, request an opportunity to job shadow, ask about the possibility to serve as an unpaid intern. You will find that many members of the cybersecurity community are more than willing to respond to your curiosity.
Through the processes identified above, students can work towards providing evidence of their commitment to the profession, a desire and ability to work in a group setting, and their characteristic as a life-long learner. This combination may well serve to cause a potential employer to relax their stringent demands, giving that entry level student the opportunity to prove once hired, they can do the job.
 See https://www.forbes.com/sites/lizryan/2017/03/09/how-will-i-gain-experience-if-no-one-will-give-me-a-chance/#5b36574e34d5