A New Approach to Finding Cybersecurity Talent: A Conversation with Alan Paller

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

A group of technology luminaries have launched an effort to find and train a new generation of cybersecurity talent, an effort that will gain steam tomorrow with The Cyber Talent CIO Forum. The event is free and open to the public, and that’s central to the group’s goal, which is to find talent in new places through alliances with schools, state governments and others.

We sat down to talk with Alan Paller, founder of SANS and the SANS Technology Institute and president of the Cyber Talent Institute, to discuss the event and the group’s goal, which is to “discover and train a diverse new generation of 25,000 cyber stars by the year 2025.”

At a time when cybersecurity job openings number in the millions and major cyber attacks are an almost daily occurrence, finding people to fill those roles has become a matter of national security. The Cyber Talent Institute has developed a fun and effective game model that can help find and develop that talent while also expanding diversity and opportunity in the tech industry.

Here’s the bulk of our conversation with Alan Paller.

KR: Tell us about the Cyber Talent Institute and how it came to be.

Alan Paller: You do know about SANS, so you know that SANS trains more than 50,000 people a year. But what SANS doesn’t do is find the talent early. SANS is an organization that finds people who are already in the field and makes them better.

What CTI is doing is going down a step in the pipeline, to the students, to find the talent earlier, so that we don’t lose them. Because the way the education system works, only a few people seem to go into cybersecurity. We wanted to change that.

You did an article earlier this month about looking in different places for talent, looking for people who are already working. That’s the purpose of CTI. To reach out to students. It’s to go beyond the pipeline that we automatically come into cybersecurity through math, computer science, and networking and open the funnel much wider. Find people who have not already found technology, but who have three characteristics that seem to make superstars — tenacity, curiosity, and love of learning new things. They don’t mind being faced with new problems. They like them. And what the game does is find those people. So CTI is just moving to earlier in the pipeline.

KR: Through the years, Russia has produced more IT professionals than the United States. What should the roles be of the government and the public sector in discovering and developing future talent?

AP: The government has two big roles. One is to be a welcome employer, to welcome this talent when it’s found. But more importantly, reaching out to the schools, the teachers, and the students. It’s very challenging for a private organization to do. We’re doing it as well as we can. But the government has much better outreach to students.

We found wonderful partnerships with state governments like Texas, New Jersey, and a bunch of other states, where they’re reaching out to the schools and the students, and let students give this game a try. Because they probably have talent and you’ve never noticed the talent because you don’t have other programs to find it. So, the state governments have been wonderful. We think that if the federal government does it, it would work even better.

There’s a model in the United Kingdom called Her Majesty’s Government Cyber Discovery Programme, where the government reached out and they found 250,000 students to try the game. We’re hoping that other countries, particularly the United States, will have a similar program. But right now, it’s working fine. We have 29,000 students playing the game this past year without any government support. So we’re on our way.

KR: Can you tell us about the game and how it helps you resolve the talent shortage?

AP: That was the magic. It was developed by one of the top cybersecurity people in the UK, by a man named James Lyne.

He was asked by the government to find a way to identify people like him. What he did is he built no training, but just challenges. He made it a game, in the sense that each player is a member of a cyber protection team. They have a field guide that they can go to for information, and then they are given realistic challenges.

So a message just came in, you found it, but it doesn’t seem to make any sense. It might be in code. Can you crack the code and find out what that message says these people are trying to do? And they don’t know anything about code-breaking. But in the field guide, there are some pointers to places where they can learn more. There are some examples of different kinds of ciphers. If they are the kind of person we’re looking for, who loves to learn new things and loves the challenge, they dig in and try different ciphers until they find out that, if I use the Caesar cipher, I can crack this.

But it’s a discovery process. It’s not something where they already know it at the start. We are looking for people who want to discover how to solve a problem. Not for people who come in having been taught to solve the problem. Because cyber problems aren’t old. They’re all new. And if you want to use yesterday’s solution on today’s problem, you’re probably not going to be successful.

KR: How do you bring this approach to the people, to the grassroots, to the schools?

AP: We started by connecting with all of the teachers who teach technology classes — people who teach computer science, networking, and STEM information classes. We invited them to have their students try the game. And they did, and the students had such a good time that they invited others.

Like there’s a teacher in Spotsylvania, Virginia, who showed 12 of her girls how to play the game. They had such fun that they went out to get 110 other students from the school to come and play the game as well.

KR: Do you have partnerships with private organizations for this program?

AP: We have partnerships with two kinds of organizations. We have a partnership with, well, this whole project is funded by the National Cyber Scholarship Foundation, which is the sister organization to the CTI. Pretty much all of the resources come from the foundation. And that money goes to set up the game, for the outreach, for the $2 million in scholarships that we gave out in May. And that helps draw students in. Because there are very few high school scholarship programs that will pay $2,500 for their college education. So they like that.

It’s a partnership with the CTI and the National Cyber Scholarship Foundation, and everyone else is just helping.

KR: I was looking at how community colleges can be tapped by organizations for talent. Are you also reaching out to community colleges?

AP: Yes, the first one we did was Montgomery College, the largest community college in Maryland. They actually use the game to find students who might be good at cybersecurity. And then they run a special course, like the course that we use in Cyber Foundations Academy to advance their skills. So, yes, there’s a wonderful partnership here.

What we hope is that they will partner with the kids in high school. Because in community colleges, there are dual enrollment programs, where you can be enrolled in high school but also take college courses.

KR: Tell us more about the upcoming forum.

AP: When you asked about partnerships, I almost started there but I did not. I’m glad you’re asking about the forum.

Organizations, like FedEx, Vanguard, and Raytheon, are all helping us because they want to have early access to talent. They don’t want to wait until kids get out of college to begin relationships with students. Those companies and organizations like Girls Who Code, and other large national organizations are all speaking at the forum in very short sessions about what they’re doing to accelerate this pipeline.

James Lyne, the person who created the game, is going to be telling about the game in the forum as well. So you got the game, the educational development through the Cyber Foundations Academy, and you have all the partner organizations that are interested in having all their members try it.

The corporations will be telling the very innovative things they’ve done. FedEx, in particular, has a wonderful program, where they’ve set up an internship on campus, at the university. It’s not where you leave school and go to work at the company; you go work at the company while you are in school. It’s a part-time job in school, but also you’re starting your career.

We’re hoping that we can show innovation across the pipeline — that’s an example toward the end. The game has an example toward the beginning. And we’re hoping companies will say they wanted to do some of that. We don’t care which of them they do. We want to just give them new examples of the things that people are doing that they never heard of before and go out and try.

The forum is going to show what a company is already doing to give other companies an idea of models that they might try or they might improve on to accelerate the pipeline, so they don’t have to fight with other companies for talent.

KR: What is the most important idea or insight that organizations need to grasp that will lead them to establish a partnership with you?

AP: The most important idea, I think — that companies, like FedEx, is doing — is this: it’s the first time that they have a direct way to reach out early in the education system to accelerate and grow that pipeline. They’re seeing — and we’re hoping that coming out of it — that they will reach out to the schools in their area so that they have or they are discovering homegrown talent.

There are two wonderful quotes I have to share. One from a student, and one from a teacher. A teacher in Wyoming said, “Before I found this game, the students in my class thought that they’re too dumb to do computers, computer science, or cybersecurity. When they played the game, they discovered that they were good at it. And now they’re talking with the counselor about going into computer science.”

The other one came from a quote made during International Women’s Day. A young woman was being interviewed, and she said, “I’m an athlete, I don’t think about computers. If you told me if I was interested in computers two years ago, I would’ve laughed a long time. But I played this game, and I found out it’s exciting. It’s competitive. It’s fun, and I’m good at it. Now I see that this is a field that has nerds in it, who were the people I thought were in cybersecurity… and they’re athletes.”

There’s room for everybody. That’s the innovation here. It’s not that the game will accelerate bringing the same people who are going to come through anyway. It’s that the game opens the field up. People who never thought they would be good at it at all, discover that they are. Then we can stop this poaching problem because we have enough homegrown talent to fight back against cyber attacks.

There’s a lot more potential for cyber stars than our system has been able to tap. We need real innovation. We need real change in the way we search for that talent and develop that talent if we’re going to catch up with Russia and China. And that’s what this program is all about — to reach out to every single person who might have any chance of being good at it and give them the chance to play the game. If they don’t like it, for fifteen minutes, they’re not going to waste any of their time or throw away resources. We need to get to a million more people literally. That’s what we’re about.

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis