The pressure was on. Someone, somewhere, was attacking computer systems so customers couldn’t reach certain websites. In a windowless room in Denver, Zack Privette had worked all morning with his security team to figure out what the cyber strangers were up to.
“What’s happened is that we have an attacker who has been going through our different websites and they found a vulnerability into our active directory and …,” Privette explained to Richard Mac Namee, identified as chief operating officer of the company under attack.
“OK, I’m not technical. What does that mean?” interrupted Mac Namee, who is really the director of the new Cybersecurity Center at Metropolitan State University of Denver. And he’s actually quite technical.
This was a simulation.
The makeshift “Cyber Range” command center inside MSU Denver’s Cybersecurity Center had multiple TV screens showing ominous maps of live cyber threats. It’s part of a unique training ground for students, recent grads and people who don’t even attend the college but are interested in cybersecurity careers.
Privette, who isn’t an MSU student, got to experience the Cyber Range program because it’s open to outsiders. The industry needs more outsiders. According to one estimate, there are 66 cybersecurity professionals for every 100 job openings nationwide. It’s tighter in Colorado, where there are 59 for every 100. And demand is growing faster than training programs like MSU can graduate.
Mac Namee is behind the school’s Cybersecurity Center and getting the school designated as a National Centers of Academic Excellence in Cyber Defense in March. A former commander in the United Kingdom’s Special Forces who’s worked as a specialist in counterterrorism, Mac Namee keeps it practical. During the simulation, he pretends to be an ordinary company executive. Students must figure out how to explain the cyber mayhem to non-techies — and fast!
“It is a giant database that … holds their DNS server. And what a DNS server does is when you type in Google.com, it will change that to the IP address that the computer actually reads. That went down, which is why people are not able to access websites correctly,” Privette told Mac Namee. “That was down at 3:30:29. We have since brought it back up at 3:44.”
“So, 14 minutes of outage,” Mac Namee said. “Fourteen minutes with our athletes and the way they’re trying to log on, that’s quite a big problem. How will we resolve this?”
Privette went on to explain that there was a backup so the data is safe. But he acknowledged the attackers were still inside the system and his team was now trying to figure out if data had been stolen. His team thinks credentials were taken, but he doesn’t think the theft involved customers’ personally identifiable data, he said. Mac Namee gave him an hour to figure it out.
— How it’s going
Targeted training programs have been popping up nationwide for the past decade as nearly every business with a website, ecommerce offering or other internet-based operation must deal with data breaches, ransomware and other cyber threats.
According to the Identity Theft Resource Center, which tracks breaches and supports victims, the number of publicly reported data breaches in the U.S. more than doubled since 2015 to 1,862 last year. Regulations in Colorado and around the globe also put the onus on companies to protect customers’ personal data.
Back in 1999, partly to address the lack of qualified professionals, the U.S. National Security Agency launched its National Centers of Academic Excellence program. It certifies schools with a cybersecurity curriculum for cyber research, defense education and cyber operations. There are now about 380 colleges and universities in the U.S. Such designations require standardized cybersecurity curriculum, active challenges and professional development. There are 13 schools in Colorado and include state, community and private colleges.
The partnership with industry and MSU Denver is credited to Mac Namee, said Steve Beaty, a professor in the school’s computer science department. While Beaty started teaching cybersecurity courses in 2004, a cybersecurity degree debuted just four years ago. The new center and partnerships with private cybersecurity companies such as Atos, a European information technology firm that is now taking up space in the facility, really took off after Mac Namee arrived.
“He had the bandwidth. Some of us haven’t had the bandwidth to do a lot of this stuff. Atos is due to him,” Beaty said. “Richard is the one who put the fire under what’s going on here.”
And looking at the heat map of cybersecurity job openings at CyberSeek.org, the U.S. needs it.
In the past 12 months, 714,548 cybersecurity jobs were posted in the U.S. according to EMSI Burning Glass, a firm that analyzes job openings and labor data. EMSI partnered with the Computing Technology Industry Association (CompTIA) and the National Initiative for Cybersecurity Education on the CyberSeek effort to document the need for more trained workers. Colorado, among the top 10 states with the most openings, had 25,761 as of April.
“The field is just growing so fast that even if we churn out many graduates, which we have seen a significant uptick in, it still often doesn’t keep pace with the growth in demand,” said Will Markow, an EMSI Burning Glass cybersecurity expert. “We’ve seen about a 40%-50% increase in the number of graduates from cybersecurity programs across the country. The problem is that during the same timeframe, demand for cybersecurity workers grew about twice that rate.”
— Retraining employers to rethink hiring
The industry has a number of unique issues that compound the shortage, Markow said. New threats erupt all the time, so the industry is constantly scrambling. Workers need a mix of different IT skill sets plus credentials, some that require years of experience. That makes it difficult for those starting out who have no experience.
“Employers are also not offering many opportunities for people who either don’t have a bachelor’s degree or who don’t have at least three to five years of prior work experience,” Markow said. “What that means is that there aren’t many entry level opportunities (and that) presents a unique challenge for building the pipeline of cybersecurity workers.”
Cybersecurity jobs stay open 20% longer than other tech jobs, which are already notoriously hard to fill, he added. And because of the required degrees and certifications, the jobs pay about $15,000 more compared to other IT jobs.
Government agencies are more open to hiring skilled workers without college backgrounds. That’s true with the state Governor’s Office of Information Technology. A paid apprenticeship for veterans requires “some IT experience but no degree,” said Ray Yepes, Colorado’s chief information security officer.
“It’s also worth noting that for the majority of OIT positions we will accept years of experience as a substitute for education,” Yates said in an email.
With the growth of college programs, boot camps and other training programs, Markow said that it’s up to companies to adjust hiring requirements if they really want to fill openings and feed their own talent pipeline.
“I think that really the question is whether employers are going to be receptive (and) hire those workers,” he said. “They’re learning the right skills for cybersecurity. What we need are employers to also recognize that they need to take more of a skills-based lens towards recruiting cybersecurity workers as opposed to a credential- or experience-based lens which they have done historically.”
— How it went
While security simulations were happening in one part of the room at MSU Denver, in another, Nathan Shelley was at work. Literally. The recent MSU graduate with a Bachelor of Science in cybersecurity was hired by Atos as an intern just before his December graduation. He became a full-time employee May 30. Atos is a massive European IT firm based in Paris.
“We monitor public-sector clouds,” said Shelley, who grew up in Estes Park and was drawn to MSU Denver because of its new cybersecurity degree. “We are responsible for monitoring log traffic and determining if there are false positives or true positives.”
Shelley was monitoring computer systems of actual government agencies that hire Atos to make sure what is stored in the internet cloud isn’t being compromised. Security analysts like Shelley spend hours watching the online activity and thanks to artificial intelligence and monitoring tools, they get alerts when something is awry and must determine if the issue is real.
That may not seem very exciting but a cheery Shelley speaks enthusiastically about his gig, which includes plugging holes discovered only after software was released. In other words, bugs born on day zero that online mischief makers are constantly hunting for.
“Probably the most active that I’ve been this week was yesterday when we were patching for a recently discovered CVE, that is a vulnerability with Follina, it’s a proliferating, zero-day exploit,” he said. “This is very widespread for the Microsoft environment. It’s an Office 365 zero-day vulnerability so that means (the software) was released with the vulnerability. It’s now flaring up in the cybersecurity realm. It allows remote code execution and that can be done through a certain domain.”
Microsoft had not yet issued a fix for Follina, named after an Italian village with a postal code that was found in the exploit.
The MSU Cybersecurity Center is a resource for others, too. Helping potential IT workers get hired is the mission of ActivateWork, a nonprofit IT recruiting and training organization that connects employers to the overlooked talent.
“We believe the traditional hiring process leaves extremely valuable talent out. We help employers solve talent gaps by finding underrepresented candidates and preparing them to excel in new careers,” said Susan Hobson, the nonprofit’s director of apprenticeships and evaluation.
Its first-ever 15-week security fundamentals course culminated last week with MSU Denver’s Cyber Range simulation. Hobson said ActivateWork focuses on the workforce employers need.
“We know that cybersecurity has a gap, especially here in the Denver area,” she said. “If you look at local area labor data, there were 13,000 open cybersecurity jobs as of March this year. We knew the need was there and we drive our course offerings based on local employer needs.”
ActivateWork’s learners aren’t typical students. Most don’t have a college credential. Many are unemployed or are looking for a better job in IT. The recent cohort of security fundamentals graduates left with CompTIA A+ certification and over 100 hours of soft skills and life skills training including resume reviews, interview prep and financial capability training. After graduation, ActivateWork helps them find a job in the field and coaches them for 12 months as they transition into a career.
The organization also has a registered apprenticeship program with the U.S. Department of Labor and works with area employers to hire graduates from their boot camps. Three of the 20 graduates start cybersecurity apprenticeships this month, and ActivateWork is always looking for more companies to partner with to build a talent pipeline in cybersecurity.
“They’re struggling to hire because they’re looking for individuals with three to five years of experience,” Hobson said. “This is a way to equip talent through 12-months of on-the-job learning with the exact skills an employer needs.”
Privette, who was part of the MSU Denver cybersecurity simulation, stopped the bug from wreaking more havoc. They brought back the websites and, well, he hopes he continues to keep learning more. He is very excited to start his ActivateWork cybersecurity apprenticeship on Monday as an information security analyst.
“I’ve been wanting to get into this since high school and I feel like ActivateWork has really given me the opportunity to pursue it,” said Privette, an electrician until he fell from the ceiling at one client location. “I didn’t have the money to afford college. And then I didn’t really realize the path to get to it (cybersecurity). I didn’t want to be an electrician forever. Falling through the ceiling gave me the opportunity to pursue this.”
Related: Measuring Cybersecurity Training Effectiveness
Related: Cybersecurity Training Firm Hoxhunt Raises $40 Million