Are we going back to the future with Cybersecurity Apprenticeships? Are they the key to closing the cybersecurity skills gap?
In this article, we will explore what is a cybersecurity apprenticeship, the history of apprenticeships, a theoretical/conceptual model of apprenticeships, examples of current cybersecurity apprenticeships, and alternatives to cybersecurity apprenticeships.
According to Cyberseek (www.cyberseek.org), there are 597,000 total cybersecurity job openings in the United States when retrieved on January 1, 2022.
Source: (Cyberseek.org on January 1, 2022)
Cybrary released a report called Cybersecurity skills gap threatens job effectiveness amidst global talent shortage. There were three takeaways from the report that I found fascinating:
- Skills gaps among computing professionals negatively impact security team effectiveness (72% agree that a skills gap exists)
- Computing professionals understand the need for improving their job skills.
- 40% spend time every day
- 38% spend time every week
- 48% invest their own time
- Cost and lack of time are barriers to improving cybersecurity skills
- Organizations are not investing in or supporting skills development
We have known about skills gaps back to the early 2000s and we seem to be reinventing the wheel every 5-10 years. I did my entire doctoral research on cybersecurity skills gaps from 2002-2007. I tried implementing apprenticeships 15 years ago. I even had a grant with a staff that tried to sell the concept to the industry. At that time, they were not interested in using the traditional apprenticeship model that already exists in most states.
What made business and industry change their minds on apprenticeships? There seems to be more openness to the concept than there was 15 years ago. I have spent my entire career researching the skills gap and how to bridge the gap. I have a lot of knowledge and expertise in this area. I launched a network security program in 1998 and I have been working on this topic ever since. I have launched multiple cybersecurity programs over the last 20+ years.
Let\’s explore the world of cybersecurity apprenticeships. I will also share my research with you of what I found what the gap is and why there is a gap and discuss the way forward.
A cybersecurity apprenticeship is not just about getting a degree. It is learning to become a cybersecurity professional as you are earning a degree. The cybersecurity apprenticeship is a rotation between going to school and work. You are learning about becoming cybersecurity specialists by participating in the practice of cybersecurity and also learning the hands-on theory/concepts that make up the cybersecurity practice.
There are multiple models of cybersecurity apprenticeships that exist today. What do these cybersecurity apprenticeship models look like?
- Work for an employer in cybersecurity and work on your degree online
- Cooperative education model of rotating between going to school and work varies by program
We will review examples of these programs below but first, let\’s review the historical context of engineering/technology apprenticeships in the United States.
In the 1800s, engineering and technology education was radically different from the model we have today. In the 1800s and early 1900s, engineering and technology professionals learned using an apprenticeship model of education. The apprentices learned their craft by emulating practicing engineers and technologists.
That model of instruction shifted in the 1900s after World War II after the launch of Sputnik. Support for more adding more science into engineering and technology education grew. The possibility of the new, science, versus the design capability of making something useful, technology, became the new norm.
As the shift to a more scientific focus, doing experiments in a lab was commonplace. The idea of transferring a body of knowledge to the student from the teacher was the new theme. The concept of work seems to disappear from the language. Skill gaps between the old engineers from the 1800s to the new engineers of the late 1900s became very common.
In the early 2000s, there was a lot of talk of skills gaps with lots of grants trying to address the issue by the National Science Foundation and Department of Labor. The idea of apprenticeships started to come up as a new model of technology education. It is really not a new model at all. Remember apprenticeships were the norm in the 1800s and early 1900s.
The government in all states regulates the traditional apprenticeship model based on the trades. But, that changed in 2008. The US Department of Labor in Title 29, CFR Part 29. In a DOL fact sheet from 2008, here are the regulations:
- Integrated technology-based and distance learning is supported
- Additional pathways to certification:
- A traditional time-based approach where the apprentice completes a specific number of on-the-job hours
- A competency-based approach requires the apprentice to demonstrate competency in different subject areas
- A hybrid approach that combines both the time-based approach and the competency-based approach
These are the key tenets of being able to register apprenticeship programs.
Learning to become a cybersecurity professional
The theoretical foundations for my research became situated in the cultural-historical school of psychology in which mediation was through artifacts, historical development, and grounded in a human being\’s activity. With this foundation, learning is a social process and learners construct their own knowledge through experience. Participation in the cybersecurity profession\’s activity is critical to learning to become a cybersecurity professional.
I developed my educational philosophy based on activity theory, communities of practice, and practice fields. I presented this framework at the Workplace Learning Conference in the fall of 2003 and the training officers conference in Ocean City, MD. These presentations were based on a paper I wrote called The Art of Knowledge Work.
My framework for cybersecurity education is based on three principles – activity theory, practice fields, and community of practice.
Activity theory is the first leg of my three-legged stool. The day-to-day activities of a community of practice can be modeled as an activity system The historic or current activities of the community can be viewed through an activity system lens. The profession of cybersecurity is a constellation of overlapping communities of practice and learners must participate in the communities to become practitioners.
Communities of Practice (Wenger) are a group of people who share a shared practice and interact on a continual basis. A shared practice example is cybersecurity. That is the second leg of my three-legged stool.
The last leg of the stool is practice fields, a concept developed by Dr. Sasha Barab. You can think of practice fields as a type of problem-based learning. Projects in classes are excellent learning activities but do not develop a student\’s professional identity as working provides.
Participating in the activities of a cybersecurity community develops a student\’s identity. Let\’s look at a sports analogy to explain my theoretical framework. Since football is in season, let\’s use that as an example.
In football, players practice techniques during practice over and over again to gain fluency. Players are students of the game during practice. The coach puts the players through drills to learn the plays they will use during a game. The game is where the players earn their identity. There are metrics used to measure each player\’s effectiveness. Those metrics are what players are measured to each other. Football players are developing their identity in the game. Practices don\’t provide players metrics; only games do. Players develop their identity during games and not practices.
The same goes for students. Classrooms, whether in person or on the ground, allow students to practice their knowledge and skills. But, it is the cybersecurity apprenticeships that students develop their professional identities. To employers, a combination of degree, certifications, and experience are what employers use in their hiring decisions. But, there are no metrics such as competencies that would help employers understand what students know and do. There are efforts to fix that nationally but no consensus on what that looks like. Employers use different techniques to understand a candidate\’s level of expertise.
US-based examples of cybersecurity apprenticeships
Let\’s look at a few examples of cybersecurity apprenticeships in the United States. I know there are a lot of initiatives in this area so this is not an exhaustive list at all.
Let\’s look at a few programs sponsored by the industry.
- Cisco Apprenticeship Progam is a worldwide cybersecurity apprenticeship that combines both work and degree. It is a three-year program that combines school and work.
- Lockheed Martin Cybersecurity Apprenticeship is a program that combines fast-tracking a student\’s education along with working in a cybersecurity position.
- Microsoft\’s LEAP Program allows an apprentice to choose a cybersecurity specialization that combines classroom study with hands-on projects working on real teams in different areas of Microsoft.
- Cyberdenses allows an apprentice to learn key skills, gain industry certifications, on-the-job training, and job placement assistence in collaboration with Austin Community College.
Let\’s look at a few programs sponsored by colleges and universities.
- Colorado Cybersecurity Apprenticeship Program is a 100% online program that combines college courses boot camps and on-the-job training.
- Purdue Cyber Apprenticeship Program is a cybersecurity apprenticeship program where a student can earn associates through a master\’s degree online while they are working.
- NEXT Apprenticeship is a program in partnership with five colleges throughout the eastern United States that combines courses, certifications, and work.
- In 2016, Tidewater Community College launched the TCC\’s Apprenticeship Institute where they monitor students working on apprenticeships in partnership with cybersecurity employers.
These are just some examples of colleges and universities along with private sector companies trying to use apprenticeships to close the skills gap. The biggest issue with all these programs is that these programs are highly competitive programs for only a select number of students. Not all students who want to are able to participate in these programs.
So, what do we do for those who do not get those opportunities? Let\’s explore some alternatives to apprenticeships that do work in helping bridge the cybersecurity skills gap.
Although cybersecurity apprenticeships are an excellent way for students to break into cybersecurity not all students are able to participate. So, what do we do?
Cybersecurity Competitions, both red team hacking competitions to blue team cyber defense competitions and also capture the flag events are all valuable experiences for students. In my experience, the intense practices to prepare for the competitions to the actual game-like competition experiences are very crucial to a student\’s development as cybersecurity professionals. There are a lot of these events every year for students to be able to participate in. An example of the largest blue team competition is called the National Collegiate Cyber Defense Competition (CCDC). They have qualifiers, regionals, and nationals every year.
For the ones who do the competitions, they are highly likely to be offered a higher-level tier-two position vs those students who do not participate. They also get a higher salary. I have had teams of students who got immediately hired after the competitions. Through the intense practices and the actual competitions builds a students skill and also confidence in their skills.
These cybersecurity competitions fulfill the three legs of my stool of activity theory, practice fields, and communities of practice. I know it works because I have lots of students who graduated and were placed because of their work with the competitions. To enhance their competition participation, an internship provides the icing on the cake if students are able to work.
In this article, we explored the world of cybersecurity apprenticeships and their role in closing the skills gap. I applaud the embracement of cybersecurity apprenticeships by education and industry. Until we get to these being mandatory for all students similar to the clinicals in medical education we will not completely close the cybersecurity skills gap. But, it is a start.
If we consider also the value of cybersecurity competitions where colleges and universities can make it mandatory for all students along with apprenticeships maybe we get closer to our goal of closing the cybersecurity skills gap. Making sure we satisfy the three legs of my stool framework we will finally bridge the cybersecurity skills gap.