Rethinking Cybersecurity Education To Meet Growing Demand

By Mary Hansen

Weasle Forsythe is an information assurance apprentice with SuprTEK – a government contracting firm in O’Fallon, Illinois, outside of St. Louis. In the quiet office of cubicles with two screens and near-silent coders, her cubicle is decked out.

“I have all my toys here and my huge fidget cube, and my Spider Gwen and my X-Force Deadpool,” she said.

Amid the color and chaos of superhero posters and figurines – Forsythe pulled out a big black binder. “I mean, this isn’t really sexy, but I think it’s awesome. It’s the NIST compliance,” she said.

It’s hundreds of pages of technical language and guidelines – laying out a framework for protecting companies and government entities from hackers.

She learned about the guide while getting her associate’s degree in cybersecurity from St. Louis Community College. But when she first started looking for work, postings for entry-level jobs would ask for experience or certifications she didn’t have yet.

“There’s no path. There’s no way to get there from here and that’s what’s frustrating,” she said.

Yet, there are literally thousands of openings for cybersecurity positions – companies saying they need the skills Forsythe has.

One estimate put the number of openings at around 11,000 in the Chicago area and around 4,500 in the St. Louis area.

“We don’t have like five or six candidates to choose from. We’re fortunate to have one, if not maybe a couple,” said Dan Shaffer, a program manager at SuprTEK where Forsythe works. He says competition for professionals with skills in network security is tough.

And it’s a challenge across the country.

The string of high-profile data breaches, like Marriott, Equifax credit and Target, have businesses scrambling to ramp up their information security.

So, why are both applicants and companies frustrated?

“Part of that is because they’re not willing to train people up. And partly because schools in particular have not done a particularly good job of training for this area, because things change and advance so quickly,” said Todd Thibodeaux. He runs CompTIA, a nonprofit that develops cybersecurity certification and training programs.

One part of the solution, he says, is better training – making sure that the skills and experience being taught are the same ones companies are looking for.

“Being able to say, okay, a cybersecurity analyst needs to have these kinds of skills,” he said. “But those skills can probably be acquired over a six-month period, not on a two or four-year degree program.”

Thibodeaux’s nonprofit runs 14-week trainings for security analysts around the U.S. They’re in Chicago, Minneapolis and Charlotte – and looking to expand.

Tony Bryan (left) is the executive director of the Midwest Cyber Center, a St. Louis-based apprenticeship program for cybersecurity. Weasle Forsythe (center) is an apprentice at the government contracting firm SuprTEK, where Mark Donovan is a solutions engineer. CREDIT MARY HANSEN / NPR ILLINOIS

It’s not just the education programs that need to adapt, Thibodeaux says employers also need to change the way they hire.

A survey of cybersecurity job postings from 2015 found that 83 percent of them asked for at least 3 years experience. The average requirement was 5 years.

“The majority of companies want people that come out of a program and can walk in the door and be 80 percent of the way there,” he said.

Thibodeaux says apprenticeships could be a part of the solution, like the one Forsythe has.

She found her apprenticeship with the Midwest Cyber Center.

“This idea of an apprenticeship is a fairly new concept in industries that are not trade specific,” said Tony Bryan, head of the St. Louis-based center. “So there’s been a lot of education on our end to explain to employers the advantages of hiring apprentices.”

It’s one of three federally-registered cybersecurity apprenticeship programs that serve Illinois.

Bryan says the advantage for companies is the structured training and support, while apprentices can get the certifications they need, and earn money in a job in the field.

No previous education or training in cyber-security is required to qualify for the program. Applicants need to have a high school diploma or GED.

He says part of the goal is to attract people who don’t typically have access to the cybersecurity workforce.

“So for us recruitment, it has been very targeted for women, people of color, and veterans,” he said. They currently have a dozen apprentices, including Forsythe, and the goal is to have 50 more this year.

For Forsythe, it’s helped her get the job she wants.

“Now I can do it because I have the [certificates], I have my clearance, and I have my schooling,” she said. “I have what I learned from Midwest Cyber Center, and now I can do the job I’ve wanted, which is so exciting.”