Cy Says Blog & Podcast

Why Free Cybersecurity Resources Don’t Work

In 2020, we launched a cybersecurity competition for middle and high school students called PowerUp Cyber Games. Capture the Flag competitions (or CTFs) are a great way for students to learn about cybersecurity in a fun, low-stakes environment, earn awards and recognition among their peers, and determine if cyber is a career they want to pursue. After 3 years of running our CTF, we had hundreds of students across the country involved. It would seem that our program was, by most metrics, extremely successful. However, we were plagued with a nagging question: Are we helping the students who need help, or giving more resources to students who already have all of the resources they need to succeed?

The issue with the CTFs, we found, is that they rely entirely on a teacher or other adult to make it successful for their students. For example, with PowerUp Cyber Games, we created lesson plans, practice packets, and a virtual practice gym, we hosted live streams to cover the topics, and we made an online portal for students to ask questions and play relevant games. But still, the success of the teams came back to their coach–usually a teacher–and whether or not they pushed this content out to their students or encouraged them to use it. And with all that has been happening in education over the past few years and the mass exodus of teachers who are overworked and burnt out, how could we expect them to take more onto their overflowing plates? 

Typically, the students who are the most successful in the CTFs come from districts that had the funding and resources to dedicate to cybersecurity education. This is not the majority of districts. In fact, according to a study by Cyber.org in 2020, only 18% of school districts even offer cybersecurity classes. Missouri has only recently started implementing general computer science graduation requirements for high school. The fact is that most public school districts in America are still way behind when it comes to computer science education. There is a huge pile of free, “easy to use” cybersecurity resources out there for teachers to incorporate into their lessons, but again, this requires that teachers commit time and energy outside of their already packed schedules to learn and prepare these lessons. So, how do we teach students about this important topic while also lightening the load on teachers? 

This is the question that led us to develop our new PowerUp program.

A New Approach to Cybersecurity Education

Starting in Fall 2023, we will be entering several St. Louis Public School District elementary and middle schools to teach students as young as Kindergarten about cybersecurity. Rather than simply giving teachers a lesson for them to prepare and teach, we will be using industry volunteers to deliver the lessons. Teachers will only be expected to stay in the room while our volunteers explore cybersecurity with the class through hands-on activities and relevant, age-appropriate lessons. Volunteers will have the chance to share their experiences and use their expertise to answer questions as they arise. 

CyberUp has developed activities for every age. The program aims to teach students how to recognize and avoid potential online threats. It encourages students to think critically and make informed decisions while using the internet. 2nd graders will learn about talking to strangers online and how to hide their personal information from these people. 3rd graders will get an introduction to how the Internet works with an activity that gets them out of their seats and working together. 7th graders can expect to learn all about cyber crimes and a peek into a career in cybersecurity. These are just some of the many topics that will be covered during our volunteers’ time in the classroom.

Creating Accessible Pathways for All Students

The intended impact of our new PowerUp program is twofold: to educate the youth about their personal online safety, and to inspire students to pursue cybersecurity as a career.

We know that almost all data breaches are caused by human error. The general public uses the Internet every day for work, school, and entertainment. Between phones and computers, we are connected to the Internet at all times. But do most people know what to do if they receive a phishing email? Does the average Facebook user have a secure password? Would your employees download something to their work computer without a second thought? The need for more informed digital citizens has never been more important. We teach our kids not to cross a busy street or to take candy from strangers in vans, but kids aren’t playing in the streets without supervision anymore. They are, however, playing online games and watching YouTube, and chatting with people they met on apps. By teaching them about online threats and how to stay safe while they use the Internet early, we can protect our children and educate the future workforce on avoiding data breaches.

Going back to one of the major questions we had to ask ourselves while we were hosting PowerUp Cyber Games, who are we helping with our services? If our goal as a non-profit is to fill the over 750,000 open cybersecurity jobs with diverse candidates, we should be putting our efforts into help those communities who wouldn’t receive these types of services otherwise. The school districts with plenty of funding for computer science and parents who can afford to pay for their students to participate in CTFs and clubs don’t need our help. The districts that can’t afford enough Chromebooks for all of their students, that struggle to find enough substitute teachers to fill the vacancies every day, and have students who are struggling at home as well as in school–those are the districts we want to help.

If you ask kindergarteners what they want to be when they grow up, they probably won’t say security analyst or information system security officer. In fact, most high school seniors aren’t aware that these jobs even exist. And by that age, they’ve mostly made up their minds about what kind of career they want. They don’t know that they could be making an entry-level salary of $80,000 or that they can get that job without having to go to college. They don’t know that they could start accumulating generational wealth in a career field that’s constantly growing and changing and offers endless opportunities regardless of their background or where they live. It’s not their fault that they don’t know all of this–nobody has told them! That’s why, at the same critical time in a child’s life that they are learning about jobs like firefighter and doctor and teacher, they should be learning about tech jobs, too. And that’s why we include our industry professionals in our program, to help guide and inspire these young people as they form their ideas of what their future could look like.

This is also why we are offering our program for free to public schools in the St. Louis area, as well as supplying all of the materials and volunteers for the lessons. Our activities don’t require technology, so even if a classroom has an outdated SmartBoard, those students can still learn about cybersecurity in a meaningful way. We also gift books and other resources to the classrooms we serve. Our goal with this new program is to make cybersecurity education accessible to all students and, in doing so, encourage a more diverse cyber workforce. 

If we want to fill cybersecurity jobs with capable, hard-working people, we have to start introducing these topics as young as possible. If we want to live in a more cyber-secure world, we have to step in early. Children are the future–so we need to invest in them if we want to change the world.

Traditional Hire vs Apprenticeship

Have you noticed how challenging it is to find new employees in the cybersecurity industry lately? It seems like we're constantly playing catch-up with the number of people needed. As of this morning, May 11, 2023, there are over 750,000 cybersecurity job openings listed on cyberseek.org, and that number continues to grow. It's a real struggle!

To compound the issue, hiring new employees through traditional methods can be prohibitively expensive, and the costs only rise as the demand for talent increases. However, there may be alternative approaches worth exploring. Have you ever heard of apprenticeships as a potential solution to our hiring problems? Let's delve into that and examine the expenses associated with hiring new employees.

The Cost of Traditional Hires

Traditional hiring involves posting job advertisements, receiving applications, conducting interviews, and selecting candidates. This process can be quite costly, requiring businesses to invest time and money in various tasks, including:

• Job Advertisements: Companies must pay to post job advertisements on job sites or other platforms, and the advertising costs can vary based on the location and type of job.

• Recruiting Costs: Companies may also incur expenses associated with recruiting, such as hiring a recruiter or covering the costs of job fairs or other recruitment events.

• Screening and Interviewing Costs: Once the applications are received, companies must sift through them and conduct interviews with candidates. This process can be time-consuming and expensive, particularly if the company needs to cover travel expenses for candidates coming from out of town.

• Onboarding and Training Costs: Once a candidate is selected, the company must invest resources in onboarding and training the new employee.

The cumulative costs associated with traditional hiring methods can quickly reach $20K-$30K, or if you're fortunate enough to fill the position within a month of posting the job, around $16,999, as reported by James Elliot. Examining the cost breakdown is crucial.

The Cost of Apprenticeships

On the other hand, apprenticeships offer a cost-effective option for businesses. Apprenticeships involve hiring individuals with a work history and a passion for a new trade. Some of the benefits of apprenticeships include:

• No Recruitment Costs: Companies do not need to pay for job advertisements or recruiters when hiring an apprentice.

• No Screening Costs: Apprentices are already qualified and screened, saving the company time and money.

• Reduced Onboarding and Training Costs: Apprenticeships provide on-the-job training, allowing the apprentice to learn while performing the job.

• A More Skilled Workforce: Apprenticeships provide a structured learning environment that helps the apprentice develop job-specific skills and knowledge. This translates into a more skilled employee who can bring greater value to the company.

Why Apprenticeships are the Better Option

In addition to the cost savings associated with apprenticeships, there are other compelling reasons why they outshine traditional hires. Consider the following:

• Reduced Turnover: Apprenticeships provide apprentices with a structured learning environment and a clear career path, leading to increased job satisfaction and reduced turnover. According to a study mentioned in Apprenticeship USA, the average retention rate for apprentices is an impressive 93%.

• Better Cultural Fit: Since apprenticeships introduce individuals to the field, it allows for the cultivation of a well-aligned employee who fits seamlessly into your work environment. This, in turn, helps minimize conflicts in the workplace and fosters a positive team dynamic.

• A More Diverse Workforce: Apprenticeships play a crucial role in promoting workforce diversity by offering opportunities to individuals who may lack a traditional educational background or who come from underrepresented groups. By embracing apprenticeships, companies can tap into a broader talent pool and foster an inclusive work environment.

Conclusion

While traditional hires may initially appear more familiar and straightforward, the cost of employee acquisition can be exorbitant. Conversely, apprenticeships provide a cost-effective and invaluable alternative. By embracing apprenticeship programs, companies can create a workforce that is both highly skilled and diverse, effectively reducing turnover while providing a clear career trajectory for their employees.

With all the buzz around Artificial Intelligence and chatbots, it's prime time to discuss cybersecurity concerns. A chatbot is a form of artificial intelligence that surveys previously posted content online to synthesize answers to questions placed in its terminal. Being a function of Internet commentary chatbots may provide erroneous information. To better facilitate accuracy some companies have integrated these chatbots to automate workflows that expose data to potential issues.

Chris Cockburn, cybersecurity advisor for CISA, discusses how to get into cyber with federal jobs. He explains how to match knowledge, skills, and abilities (KSA's) on your resume for USAjobs.gov. Networking with those in roles you want to be in is vital. Ask reqruiters plenty of questions to determine what you want to do and explore strategic partner universities  to potentially get internship opportunities. Most importantly find a mentor. 

Cybersecurity is more than SOC analysts and penetration testing. Popular culture may glamorize the two previously mentioned occupations but there are other cyber careers like cybersecurity awareness training, product management, network security, cloud security, governance & risk, privacy analysis, identity access management, and more. There are many parallels between SOC analyst and these other careers namely the investigation methodology. A good resource for risk management is following a cybersecurity framework

Online safety is paramount for Amber as a mom of two small children. Parents and guardians of elementary students especially need to exercise parental controls like cutting off in-app purchases and chat features. Amber also discussed limiting physical access to devices by having blackout times and requiring devices to be used in common space areas. Offline activities for devices are preferential and maintaining open communication with your child is a must. Knowing that your child is properly equipped with online knowledge and prepared to tell you if anything concerning happens is the goal.