Breaking Down Barriers to Entry in Cyber Security

The infamous cyber security staffing shortage has been a focal point for a few years. As companies continue their digital transformations, and many formerly human-based jobs are being replaced with technology, the need for people who can understand and secure technology will grow. With a projected deficit of over 3 million unfilled security openings by 2021, it’s not enough for companies to be looking “outside the box” for security talent. It’s true that people with diverse capabilities and experiences can be groomed into competent cyber practitioners—especially for less technically-focused positions—but some jobs simply require technical proficiency right out of the gate.

In the last decade, hundreds of colleges and universities have added dedicated cyber security programs, which is a comforting recognition of the need. That said, two- or four-year degrees aren’t accessible for everyone. On the other end of the spectrum, industry organizations like SANS and ISACA have been offering best-of-breed training for years. Many of these programs, however, are designed to be “quick hits,” a few days to a week of concentrated training, and are geared towards individuals with a basic understanding of, minimally, IT infrastructure and/or networking. Unfortunately, these programs don’t help people without baseline skills enter the field, which is obviously obligatory if organizations are to fill millions of jobs in the coming year and a half.

School is about to change in a big way

With one successful startup focused on career guidance under his belt, Spencer Thompson eyed an opportunity in cyber security. A year and a half ago he tapped industry veteran Ed Moyle, who has worked as a practitioner for 20+ years and was, at the time, developing training programs for ISACA. Thompson needed an insider’s view on the heart of the talent shortage. After a series of conversations, Thompson snatched up Moyle to lead course development for what is now The Prelude Institute. Last week, Ed Amoroso and I spoke with Moyle about how The Prelude Institute fills a critical training need.

“Our mission,” Moyle explained, “is to re-skill people who are in a career transition so that they’re equipped to work as incident responders. We work with employers directly to find out what they need from a requirements standpoint, then teach viable candidates the specific tools and techniques they’ll need to land a job after graduation.” So far this sounds like traditional education or training, but Moyle explained that there are a few things that make Prelude very different from a university setting or well-known industry training.

To start, prospective students take an online assessment to determine if they’re a good fit for the program. The assessments Thompson created for his previous company and the massive data repository that’s been built up over the years is different from a typical application. The focus of the assessment is to learn which prospective students have the right mindset to be successful in a cyber security career—someone with innate creativity and desire for fixing problems and sidestepping obstacles. The assessment isn’t just about finding people who are technically inclined; it’s about finding people who will thrive as an incident responder based on their interests, habits, and personal characteristics. “The goal,” said Moyle,” isn’t just to graduate students, but to make sure they’re successful in the field.”

Once students have been accepted (the acceptance rate is ~5%, meaning, this isn’t just pay-for-play education), they begin a 6-month, hands-on, in-person course (there are a few exceptions to the in-person requirement) that teaches the tools and techniques that will make students effective immediately upon graduation—everything from reverse engineering to how applications work, UNIX and LINUX scripting to installing and patching tools, how to effectively monitor a SIEM, and tons more.

Those who complete the coursework participate in a “mock SOC,” working as a group through various incident response scenarios, to learn what it’s really like to sit in the hot seat, taking real responsibility for an organization’s security and risk. If all’s still going well at the end of six months, students are granted certification, and Prelude guarantees job placement with a participating enterprise. This last point is very important to the Prelude team; once they train an individual to be proficient with the real-life skills demanded by employers, they want to ensure that person is matched with an organization in need of qualified employees. It’s not only about granting a certificate and sending people into the wild. It’s about improving the quality of cyber security practitioners and changing people’s lives through acquisition of a skill set that will afford them job opportunities that will serve and support them for years to come.

From zero experience to security hero

As a new venture, the Institute only offers the one training program at present. However, the team has plans to expand the curriculum bit by bit over time. Said Moyle, “We decided to start with incident response based on industry need and because this curriculum gives students the widest set of skills. It's much harder to go from, say, a compliance specialist to a SOC analyst. The technical piece is hard to get, and we see a lot of people in the industry who are not equipped with those skills to move beyond their initial job easily.”

The Prelude team is focused on the future of cyber security—finding and training the right people for the jobs that will become available as more and more of our everyday necessitates data and system security. But what they don’t believe is that people should have to go into debt or spend years fighting the age-old problem of: “You need experience to get a job, but you can’t get a job without experience.” As such, the fee for the 6-month program plus job placement is less than what other industry trainers charge for approximately two week-long, hyper-focused courses that build proficiency in one specialization.

“We’re working to give people more than a minimal viable skill set,” said Moyle, “and we don't think that someone who, say, works for minimum wage in a retail job should be prevented from improving their life because of the potential for tremendous debt.” Organizations need skilled security practitioners—much sooner than later, by all industry assessments—and The Prelude Institute is working to eliminate the barriers to entry. Of course, if you’re reading this article it’s likely you already work in security or a related field. We therefore invite you to share this post in your non-security networks. After all, finding, attracting, and retaining good security talent will help us all.