Building a Cyber Security Academy
Edward Tucker
Positive disruptor, transformer, value creator, capability builder, speaker, advisor, rethinker
Introduction
We have a skills gap and an aging cyber security workforce. We need new blood, and skilled blood at that. However, there isn’t a magic cyber tree that we can simply pluck skilled resource from to bridge this gap. There are differing methods to bridging the overall gap, of which one part is through the development of cyber apprenticeships. Keen young blood to mould into the cyber security professionals of tomorrow. This does not address the whole gap by any stretch of the imagination. It is merely one way to start building tomorrow’s cyber security workforce, and should be done in conjunction with other activities, like hiring well-rounded IT professionals and teaching them the nuances of cyber.
What I will outline next is just the approach I would take in building a cyber security academy construct that serves to create and shape your future professionals. What we are looking for here is an accelerated development combining theoretical learning in conjunction with and augmented by practical, real world, experience. This is not an answer to everything, but an approach to addressing part of the skills gap.
OK, one quick point. Theoretical learning only gets you so far. And that is not very far! In the majority of cases this will be formed of ‘sheep dip’ courses on a particular ‘qualification’ or subject. We’ve all done them. Intensive ‘boot-camps’ that are frankly tailored towards passing an exam, NOT learning. That’s broad brush, but it’s true. If you want to learn a subject matter it takes time. If you simply want to pass an exam and get a shiny badge of honour it doesn’t. That is where apprenticeships that are built solely on theoretical learning are simply doomed to fail. You’ll still get a professional at the other end of the apprenticeship, but they will be nowhere near the level you could achieve if you approach it in a different manner.
What I would propose is that to consolidate and embed the theory you need to get hands on and practical. Cyber is a big topic, and not something that consists of a single course and one area in which to get your hands dirty. It is far more diverse than that. If you want to ‘do cyber’ then you need to understand technology in all its glory, and security, and adversaries, and intelligence, and risk, and data, and analytics, and… you get the picture.
This is where you need to be a little more creative in your approach to building your apprentice into a somewhere near competent burgeoning cyber security professional.
The simple premise is to provide the fullest experience of an apprenticeship programme to maximise the return on investment in your apprentices and build out a fully rounded foundation. It is just a foundation mind. Set expectations early. You’re not getting an 8th Dan ninja grade professional at the end of your scheme. You’re getting a competent learner, able to build on the foundations you have created together. They might one day become a black belt, if the dedication and opportunity to continually evolve is there. Also recognise that everyone has different ceilings in terms of their potential.
This foundation of knowledge and skills is key. You need to plan this out. What are the learning and skills building aspects that you want your cyber security apprentice to develop? There are some obvious areas that spring to mind:
· IT Fundamentals
· Infrastructure
· Networking
· Technical Security Fundamentals
· Information Assurance
· Architecture
· Service Operations
· Incident Management
· Policy / Standards / Guidance
· Risk
· Development
· Engineering
· Coding
· Project and Programmes
· Data Analytics
And then some of the more subject specific aspects like forensics, malware, intelligence, exploits, hacking, adversarial understanding, security controls and how they actually work, VA / pen testing, etc. And complementary skills like report writing, presentations, customer service, team working, and skills in the use of the tools pertinent to your organisation. That’s not exhaustive by any means, but hopefully shows it’s not about learning cyber, or security in isolation. That’s pointless. There are many facets to a well-rounded apprenticeship. The narrower the scope the narrower the foundation and thus the professional you create.
Profiles and scheme definition
Ooh hang on a minute. Before we get too deep into learning, let’s just think about the type of apprentice you want to bring in to this academy construct. It’s important. There are options here, as always. Is it school leavers? Graduates? Existing professionals, both inside and outside of your organisation? Or of course a mix of all of them. Personally, if I’m looking for new blood, I try not to restrict my viewpoint by focussing on one demographic in isolation. There are rewards in all of them, though each comes with a differing overhead. There are obviously differing levels of maturity of the person themselves, a different starting point in terms of knowledge as well as understanding of the nuances of the workplace. There is a fair amount of pastoral care involved, especially with school leavers. This should not be underestimated. It is highly likely that you will be providing their first ‘office experience’. Be cognisant of this and the overhead in introducing them to the joys of the office working environment.
Then of course what are the prerequisite skills you are looking for from prospective apprentices? STEM subjects and particular grades; pertinent university degrees; knowledge of the subject matter; computing experience / ‘hobbying’, analytical mind-set; problem solver? Take the time to build the profile(s) of the prospective talent you want to bring in and where you are likely to locate them. This might help drive the profiles that fit you best. I would advise against being too granular here. There is no point looking for working knowledge of IDS/IPS if you’re looking at school leavers. It’s just not realistic. Think about the base entry requirements for your bright young(ish) things.
You also need to consider the length of the apprenticeship. This again may differ for each type of intake profile. I’d err from trying to build Rome in a year or 18 months. I’d be looking at three years ‘learning’, ideally followed by maybe two years placement in IT. Yes that’s a long time, but skills do not develop overnight, not by a long stretch. You need to consider your desired outcomes from your scheme(s) and realistically map out how long that will take. Then also throw in pay and rations and of course what happens when they ultimately graduate from your academy. What is the end offering, grade, responsibility, landing team, pay etc. Not forgetting of course where they will ultimately land upon graduation. Again I’d not be too prescriptive here. You might want to build up your SOC team, or of course create one, but have one eye open on other areas that might benefit from the professionals you are building, for example architecture, or risk assessments etc.
An additional consideration is that an academy construct should effectively be a conveyor belt of talent. There should be a continual intake year on year, however this does require continual investment, alongside the natural constraints of headcount and salary funding. You will develop a natural churn in time as the professionals you are building and employ will be very marketable. Some will drift away during the scheme and some will ultimately leave for ‘better’ opportunities elsewhere. Make no bones, this is going to happen. Maybe not on day one, but maybe a year down the line. If you don’t have the continual growth investment for your security construct then you will hit saturation, which in turn will hamper or even close your academy as you simply cannot take any more in. This is an incumbent risk of any scheme like this.
Lastly here of course, is your success criteria. What determines that an apprentice has successfully completed their scheme to the point that you want them to continue in your employment and how will you measure this?
Learning plans – Theory and Practical
OK, so you’ve built your profile(s) and defined the basic scheme(s). Great stuff! So what are they going to learn and in what order? And of course how will it be delivered? I’ve outlined some aspects earlier on. They are, in the main, pretty universal. You might not want to cover all of them, nor necessarily have time depending on the length of your scheme(s), but there will be core aspects that you will absolutely need to factor in. Start at the beginning. There’s no point assuming a level of knowledge, which may or may not already exist. Build the core basics of the technology construct as your starting point. If you want a well-rounded professional upon graduation, with the starting of that top two inches of cyber specialism, then you’ll need to cover off a lot of learning. Remember you will be balancing theory and practice throughout.
Again invest the time to map out the learning ‘modules’ you want your cohorts to undertake, and again in what order. Why learn forensics before you’ve learnt how a computer works? Define the building blocks of knowledge. Try not to overload them either. Six weeks of intensive ‘sheep dipping’ is likely to frazzle them considerably. It also doesn’t allow you to consolidate the learning in a practical manner.
What I would aim for is pinning the theoretical learning with breaks in-between. The breaks give you opportunity to take that theory and put it into practice. What do I mean by that? Well take networking fundamentals. Your apprentice has just done their 5, or whatever, days learning the theory about networking fundamentals. Great! Now, place them in your networks team so that they get actual experience of networks, be it administering firewalls, sorting routing tables, implementing network components, etc. Hopefully you can see from this very simple, and most basic of areas how you can augment and consolidate the theory with hands on experience of actually doing it. What is important here is that in all likelihood your network is not the same as the one in the book. It is important to contextualise that perfect theory with a healthy dose of reality.
So from that, take your learning modules and identify the relevant teams within your organisation where the apprentice can actually get hands on, be it coding or development, building servers, undertaking risk assessments, defining policy and many others.
It sounds simple in theory, and really it is, but it does come with overheads again. There is naturally an amount of coordination required here, even if you have an academy consisting of one apprentice, as you’ll need to move them around your organisation and still provide a central pastoral point for them, as well as ensuring they have a ‘home’ to consolidate their learning, with meaningful work. Again, there is little point placing them with the network team if all they are going to do is make tea and take meeting notes. They need actual work. This in itself is an overhead for the receiving team, as is ensuring they have the requisite supervision, mentoring and of course tools and permissions with which to undertake their nominated tasks. It is an overhead, but well worth the investment. They will learn far more from a ‘tour of duty’ on the front line of networks than they will from the book or the 5 day course. Combine the two and it’s better still.
It’s eminently doable to provide the hands on access to augment the theoretical learning. At the end of the scheme this would create much more rounded apprentices in technology and application thereof. It would also provide a better opportunity for the organisation and the graduating apprentice to determine where their interests and skills best fit.
In order to make this a success it requires buy-in and adoption across your organisational construct to ensure that the apprentices on rotation are accepted into an area with appropriate work to align to their learning modules, enabling them to demonstrate their expanding skill-set.
They are going to be quite a transient workforce, and as such may well feel like the Littlest Hobo at times. Factor in that you will need to bring them back into centre regularly and provide that additional pastoral care, and of course elicit feedback throughout, both from the apprentice themselves and the work areas you have placed them in. You’ll also want to continually assess their progress against objectives.
Wider Learning
As I mentioned earlier there is more learning than just technology and security. Soft skills for example, as well as conceptual constructs. These are less likely to be learnt straight from a book, but moreover an exposure into environments where these skills can be developed, or the opportunity to undertake research.
Think about how you are going to give opportunity to grow some of these skills. I am a firm believer that really good security professionals have spent time in customer service. I would recommend any kind of help desk type environment to provide them with an insight into the customer perspective. There is an art to dealing with people, especially if you are the security person contacting them. Good customer focus and interpersonal skills are a truly worthwhile investment.
Likewise give them opportunity to present. That could be on a given topic, their choice or yours, or even replaying what they have learnt in a particular placement / course. It’s quite daunting speaking in front of people, even in a friendly environment. The more you do it, and the more confident you are in your subject matter, the easier it becomes. Some people will never enjoy it, but they will learn to do it.
I’m a fan of giving recruits a research or delivery project that they can own, allowing them to demonstrate self, or team, learning as well as displaying the ability to bring to a successful conclusion. You could look at conceptual security models, like OODA loops, or attack trees, maybe analytical constructs like N-triples, or understand common taxonomies like STIX. They not only get the opportunity to self-learn and display understanding, but at the same time get to grips with wider cyber security concepts.
Additionally, you should give your apprentices exposure to your wider business / organisation, so that they can start to learn and understand the overall mission and develop business empathy. There is a mixture of elements in this space that sit alongside the core learning activities, which in my opinion are just as important as learning how a computer works.
How is it going to be delivered?
You’ve got quite a construct on your hands here, and we’ve not covered how this is all going to be delivered. In essence there are three ways, of which one can almost universally be discounted, in my opinion. That option is the DIY option. Literally doing all of this yourself, including the theory aspects. You might have trainers, or people of that ilk in each of the subject matters, or decide to dispense with theory and only do practical. For most organisations the former is non-existent, whilst just doing the practical has its limitations. For example are they really going to learn the wider concepts of a subject matter, or that subject matter in the round? I think the scope of their learning will be narrower this way, and it also makes defining learning objectives a lot harder. That said there are a lot of free resources out there, which can, and should be utilised, but it’s always worth having a support structure in place rather than just relying on an apprentice to self-learn through books and videos.
The other two options require assistance. That is essentially to work with a learning partner, or partners. There are providers who will undertake almost all of this for you, in terms of theory learning, assessments, projects, some pastoral care and measurement against success criteria. This removes a lot of overheads, though you’ll still need to provide most of the organisation’s pastoral care and the practical opportunities / coordination. This obviously has benefits and is arguably the cheaper of the two options of working with providers. A lot of the leg work is taken away. My two bits of advice on this are that often these partners will be chosen by price (i.e. cheapest), which doesn’t necessarily mean you get a good partner, nor for me is the training as good as if you sourced it yourself from individual providers.
The second option of working with partners would be to research and then source providers for your theoretical learning activities, for example maybe SANS for some of the cyber / security aspects. This is again a not to be underestimated overhead requiring really good coordination and planning. It does, in my opinion, provide the opportunity to find the best training courses and delivery partners, in turn giving your apprentices a better learning experience. It is likely to be more costly as well than a one size fits all partner.
There is no right or wrong answer to this. It’ll probably come down to cost and overhead. Just be cognisant of the fact that some providers are better than others, and even then some trainers within providers are better than others. I wouldn’t dream of influencing you here. I have my personal preference, but recognise that comes at a cost.
Coordination
So none of this just magically happens. If you are going to do this then you need to build a coordination construct within the academy, and governance therein. The more planning and coordination you do up front the easier it becomes to run and manage day to day. This will require investment in the right people to shape, define, build and then run this construct.
As I’ve said there is all of the learning coordination, planning, booking, and then the follow on placement coordination. Pastoral care throughout. Continual assessments, feedback gathering. Ideally you want to be agile in that if something is not working then fail fast and change it. Easier said than done, but there is no point repeating something that doesn’t work.
You should also be assessing the overall construct as well as the individuals themselves and continually evolving your approach to maximise your returns.
There are a lot of overheads throughout, which differ depending on your desired approach, but they are manageable. It requires strong leadership and good people to make this work, but doesn’t need to be an army of people if you plan it right.
Summary
So, in a nutshell, that’s a whistle stop tour of what I think makes the basis for a cyber security academy construct. There’s lots to think about even before you embark on the journey, and then lots of work throughout. This in isolation does not bridge the gap. There are many other complementary ways to build more skilled cyber security professionals. Remember that learning security without learning technology and business empathy is not going to deliver great results. You need to learn practice alongside theory. Security should be the top two inches of a well-rounded technologist.
Think about what you want your intake to look like, their profile, base entry requirements, which talent pool you are going to fish in etc. Define the learning pathways and objectives and the areas within your organisation where they can spend time to actually develop the juvenile classroom skills. Make sure you’ve considered and agreed the headcount and funding pathways to continual intake, and of course the graduation criteria and landing roles. Don’t forget that the learning goes beyond security and technology and that they require pastoral care throughout. You should always look to measure the effectiveness of your approach and seek continual improvement therein.
There’s lots and lots to learn. You need to make sure that theoretical learning is well provided, and that practical learning opportunities are meaningful and aligned to what they have just learned and ideally what they are going to learn next.
Not all graduates of any scheme like this will be at the same level. Some of the intake will not make the grade. You might choose to take these people on or let them go, but be clear not everyone gets a ‘passmark’. If you choose a longer apprenticeship period then bear in mind it may frustrate some apprentices who look for an early get out, be it within your organisation or outside.
Although this is tailored towards the Cyber Security Academy construct it can easily be transposed into a wider technological apprenticeship academy. Most of the apprenticeship schemes I have seen broadly focus on single areas of expertise. By utilising an approach to provide wider exposure to technology and the operation therein across teams and concepts you will be able to build a new generation of technological employees with far more knowledge and cognisance of IT than a siloed apprenticeship approach ever will. For example an apprentice developer with an understanding of wider integration and operational constructs, networking, security, customer service, service management et al will be a far superior asset than one who concentrates solely on development in isolation.
In an ideal world this would be a centrally coordinated and funded construct, with organisations incentivised to take on graduating apprentices, but we’re a little way off that altruistic approach yet.
There isn’t a pre-populated pattern for any of this, and it’s just a suggested outline from my experience. Give it a go, or at least consider it.
Or we could just shake the magic cyber tree.
CyberArk Enterprise Sales UK Public Sector CyberArk The Identity Security Company, Dot Joiner, Story teller, spaghetti untangler. Mission to protect the World against Cyber activity so that fearlessly we can move forward
5 years ago
The whole Defence / UK Army training process and of course the Israeli Defence services provide excellent use cases for the personnel education toward cyber (amongst other things). Might explain why so many cyber security companies are Israeli? - spawned from The Intelligence Service and Kibbutz also mentality.
It's about time more leaders understand it is time to grow your own talent pool. I appreciate it is often easier to take fresh blood but there is also something to be said for helping people see things in a new light. I've had a lot of success finding people who understood this was worth their time. Great article and best in your success.
Client Relationship Director
7 years ago
We are 3 years into delivering Summer school Cyber programmes for undergraduates, for a Government client. They successfully employed 93% of the students upon graduation. Happy to share examples of the programme structure and deliver bespoke Cyber Programmes if required.
Product Development and Engineering of Innovative Products and Services. Known for: Building MVP for startups and POC for innovation teams. Demo, Sell, Build playbook. Angel Investor.
7 years ago
I totally agree but would go further... We need to create a new pragmatic master craftsman (guild) system. We need proper multi-year apprenticeships which include the opportunity to shadow master craftsmen in this area, attend a program of study release at college/MOOC, daily apply skills learned under supervision, and eventually prove readiness to be released from the program to become a security journeyman. Build in the aim of becoming themselves a master craftsman, require keeping a multi-year logbook, continuing professional development, and eventually to apply for master craftsman recognition by submitting a "masterpiece" body of security work.
Founder & Chief Innovation Officer
7 years ago
The Digital Cyber Academy (www.digitalcyberacademy.com) launches in September 2017. A free platform for developing practical cyber skills which will be open initially to all universities globally. Employers will be able to advertise jobs based on vocational cyber skills rather than academic or professional certifications. Only those who have demonstrated practical cyber skills will be able to apply for entry level roles. The platform is being developed and designed by Immersive Labs. See immersivelabs.co.uk for more detail. Would be good to hear from others interested in the cyber skills gap and how we can improve hands-on skills for the masses.