NCyTE News

The cybersecurity skills needed today and tomorrow.

Bret Arsenault, Microsoft's Chief Cybersecurity Advisor, on today's skills gaps.

Post Date: 07/30/2024

Brent Lundstrom, Washington State Cybersecurity Center of Excellence; Bret Arsenault, Microsoft; Michele Robinson & Anna Ritchey, National Cybersecurity Training & Education Center

Skills Gaps – Current and Future 

According to Mr. Arsenault’s global perspective, these are the hot areas that deserve more training in the college sphere. 

Containers and Microservices 

Mr. Arsenault said, “This is a growing global problem. It’s a skill gap problem, but also a technology gap problem.” Containers and microservices are small, fast, and easy to deploy. Thus, their proliferation within an organization can grow beyond the ability of IT Security to keep them safe. The world needs tools and standardized rules to govern and secure containers and microservices. 

SBOM Skills and Supply Chain Security 

SBOM stands for Software Bill of Materials. According to CISA, an SBOM is a nested inventory, or a list of ingredients that make up software components. CISA and its affiliate organizations are working to formalize and promote procedures and tools to advance the adoption of solid SBOM strategies.  

According to Mr. Arsenault, every company should define how they control provenance and be able to defend their adherence to good SBOM practices in the face of an audit or in a post-incident report. Additionally, he states that every company should “track where their code comes from and be able to say if it has been modified and by whom. Is it open source or is it proprietary? Who touched it and when?” 

Hardening and adopting strong SBOM procedures is a global need, as is codifying rules for it within federal and state laws. Mr. Arsenault has a strong interest in building strategies to protect open source code from corruption by evil actors.

College programs for IT Project Management, Cybersecurity, and Software Development should include up-to-date training in this area. 

Securing Hybrid Environments 

Mr. Arsenault stated, “Not everyone is ‘cloud-first’ because it doesn’t make sense in all environments.” Therefore, many organizations continue to build and use in-house, or “on premises”, hardware and software stacks. These usually must blend seamlessly with cloud resources and must be accessed by remote workers. Securing these hybrid environments is a challenge. 

IT personnel in charge of hybrid environments must understand how to manage resources, capacity, and security across the two realms. The procedures and rules are different between on-prem and cloud. 

Colleges that teach cloud technology should teach security best practices throughout all classes. Conversely, every cybersecurity program must teach cloud technology – how it works and how to secure it. 

Cloud Native App Development 

IT professionals are needed who can govern and manage the whole development process for cloud-native applications. 

According to the Cloud Native Computing Foundation, “cloud native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.” 

Everything that lives in the cloud should have a cloud-native design and approach. But this means that all parts of the stack should adhere to a unified set of standards, for example standardized logging and events along with the ability to match those logs and events to a standardized catalog that multiple microservices can use. 

The college grad who understands all this is ready for hire. 

Artificial Intelligence 

Regarding AI, Mr. Arsenault says, “We see people writing code 30% faster now with AI assistance. But how can we keep up with the security needs of so much new code? DevSecOps people are needed who understand the whole ecosystem.”  

DevSecOps is a tactical and operational methodology that seeks to unify development and operations with security as the continuous force that propels every step. But now, as AI is rapidly adopted, DevSecOps must evolve even faster.  

Cybersecurity students should be taught business decision-making factors related to AI. They must learn how to securely use AI tools, how to protect them from abuse, and learn effective AI prompting. 

Threat Modeling 

Threat modeling is a “massive gap” that Mr. Arsenault sees in today’s college programs. He says, “Code must be designed from the very beginning to account for what bad guys might do to the product.” Along with writing User Stories in the Agile development process, teams should brainstorm “Evil User” stories too. Teams should envision not only how end users will enjoy the software product, but also how evil users might exploit it and how innocent users might blunder and break a feature that’s poorly designed.

Threat modeling is used in infrastructure planning and support too. So, network designers, technical support engineers, and system administrators also need this skill. 

College instructors can lead students through threat modeling exercises as a form of hands-on practice. Secure design principles should be taught in programming classes. And networking students can practice table-top exercises for disaster planning. At all levels, it is useful to teach the mindset of threat actors. So, it is appropriate to add one psych class to a college IT program, especially if it’s criminal psychology.

Planning for Disasters 

Mr. Arsenault sees a huge gap in the tech space around planning. “When something goes wrong, what’s the plan? Who will do what, and how? Is the plan documented? And have you done practice drills? Every company should do formalized threat modeling which should result in a documented plan for a variety of scenarios.” 

IT Project Management programs are an appropriate place to teach disaster planning skills. 

End to End Security and Access Management 

Most breaches are an access and authentication problem. Access management may sound boring, but it’s critical. We need people who can secure accounts and guard digital assets. Protection of digital assets should not come at the cost of time-consuming security challenges that frustrate legitimate consumers. This is made ever more complex by the nature of hybrid environments with remote access. 

We need technological advancements to help us with access management in complicated infrastructures. And we need skilled people to deploy and manage these technologies. 

Summary

These skills listed by Mr. Arsenault are tightly interconnected with each other. None of them can stand alone. In like manner, each class within a cybersecurity college program must incorporate these skills from start to finish. Thread them throughout the entire learning process from enrollment to graduation. Clarify how each skill connects to the others.

We look forward to future meetings with Mr. Arsenault where we can support each other's initiatives in the world of cybersecurity education.

Whatcom Community College Explains Challenges 

One of the instructors from WCC’s cybersecurity program explained to Mr. Arsenault some of their challenges and successes. The associate in applied science – transfer (AAS-T) degree at WCC has earned the CAE-CD designation. This is an award of academic excellence defined by several federal organizations including the FBI, the DoD, and NIST. 

After earning this prestigious designation, WCC went on to increase enrollments and send more graduates into the field of cybersecurity. 

Mr. Arsenault asked this instructor about the barriers to success. The following were mentioned.

Challenges

  • Students need to attend part-time because they often work full-time jobs. This can stretch out the duration needed to finish a degree. In that longer journey, life’s challenges can interrupt students and cause some to leave the program.
  • Students struggle to acquire the necessary technology at home: powerful enough computers and reliable internet with sufficient bandwidth.
  • Remote and rural students need a hybrid classroom configuration with the ability to attend classes remotely, but commute to campus occasionally.
  • Flexibility is needed for students with families. Their attendance can’t always be required when emergencies arise, but they must report to the instructor as if this were a workplace setting, fulfilling required assignments and completing makeup work as necessary.
  • Adopting new technology, such as cloud resources, can’t require a student to spend money. The instructor must purchase the subscriptions, but the students are the consumers. So far, most vendors have been responsive and helpful when a teacher requests more credits on behalf of a student. Vendors must understand the teacher-student relationship and treat them as a single combined consumer.
  • There are not enough faculty. If there were enough people to teach, enrollments could increase and we could produce more skilled cybersecurity workers.

Opportunities for Collaboration 

From Microsoft, the college community could use the following: 

  • A job taxonomy. What do entry level jobs look like?
  • A list of the knowledge, skills, abilities and degree requirements for roles at various levels.
  • Internship opportunities at Microsoft and how interns can apply.
  • Further discussions about how professional IT workers can become adjunct instructors at community and technical colleges.
  • Participation in cyber clinics where students can gain hands-on experience, providing keynote speakers for virtual town halls and Industry Nights at college campuses, volunteering at student cyber competitions, and becoming an advisory board member for a local college.

 


Article written and provided by the Washington State Cybersecurity Center of Excellence

It is our pleasure to share the news that Michele Robinson has accepted the position of Senior Director for the NCyTE Center. Michele comes with 20+ years of experience and proven leadership at senior and executive levels in information security, and 30 years of public service experience in policy and program execution, making positive impacts at both the state and national levels. Michele is well recognized by the NCyTE staff and its partners. She has been a member of the NCyTE Center's National Visiting Committee for 10 years, supporting our mission and vision.

Michele has numerous professional certifications and has represented various organizations in national arenas. She most recently served as the State of California Chief Information Security Officer. Michele is looking forward to continuing to advance cybersecurity education through NCyTE’s resources and expanding the network of partnerships with business and industry, government agencies, and K-12 and higher education institutions. Her experience in collaborating with other agencies and statewide initiatives and her commitment to cybersecurity education will be tremendous assets that she brings to NCyTE.

Michele will begin her work with NCyTE on September 1, 2023. Please join us in welcoming Michele in her new leadership role!