Millennials and Cybersecurity Careers

A new survey commissioned by Raytheon in conjunction with the National Cyber Security Alliance (NCSA) has some interesting titles including:

Latest Raytheon research on millennials finds rising interest in cybersecurity careers and

Report finds high schools not addressing student interest and employer demand as National Cyber Security Month begins

The survey included responses from 1,000 adults in the U.S. aged 18 to 26 completed from Aug. 27 to Aug. 28, 2014. Take away summary messaging included:

  • Sixty-three percent said they were not sure or did not know the typical range of responsibilities and job tasks involved in the cyber profession.
  • Sixty-four percent of respondents indicated they did not have access to computer classes in high school to build the skills necessary for cyber careers, including computer science.
  • The millennial generation’s interest in a cybersecurity profession presents a golden opportunity for parents and educators to build on this awareness by introducing cybersecurity topics with millennials and younger generations. Or as Harrington states, “Both the private sector and educational institutions need to help inspire millennials to join our next generation of innovators and cyber defenders”.

The survey indicated that millennials are increasingly becoming more aware of their need to stay current and continuously update the security of their own devices. Indeed, this supports other studies that show a growing awareness across the age groups of C3® (Cyberethics, Cybersafety and Cybersecurity) awareness. In my own studies, I have also seen a growing trend in students moving beyond the “me” mentality; there’s a growing recognition that we have a shared responsibility to make the U.S. a safer and more secure place. Cyber security is not a local problem; it may impact you locally, but the issues and threats are global.

The survey also indicated that respondents were not sure of or did not know the typical range of responsibilities and job tasks involved in the cyber profession. This is interesting for two main reasons. First, “cybersecurity” has only recently been in the public eye (in terms of career options). So for adults ages 18-26, this would be a reasonable answer. It would also be an explanation of why eighty-two percent say no high school teacher or guidance counselor ever mentioned to them the idea of a career in cybersecurity. Secondly, the survey broke out specific job titles such as app designer/developer, entrepreneur, social media professional, computer software engineer, scientist, lawyer, and college professional, but listed cybersecurity professional as a standalone entity. So the question is, aren’t these job titles part of the cybersecurity workforce? Is listing cybersecurity as a standalone job title accurate?

Indeed, this was the impetus for the National Initiative for Cybersecurity Education (NICE) developing the National Cybersecurity Workforce Framework (the Workforce Framework). The framework helps define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize workers. The National Cybersecurity Workforce Framework classifies the typical duties and skill requirements of cybersecurity workers. The Framework is meant to define professional requirements in cybersecurity, much as other professions, such as medicine and law, have done. [Learn more]

The Framework organizes cybersecurity into seven high-level categories. Within each category there is a list of specialty areas. In total there are 32 specialty areas of cybersecurity work and the framework provides a description of each. The Workforce Framework also identifies common tasks and knowledge, skills, and abilities (KSA’s) associated with each specialty area.

Another interesting survey finding highlights that 64% of respondents indicated they did not have access to computer classes in high school to build the skills necessary for cyber careers, including computer science.

Several earlier studies give another view into this issue. For example the ATE Student Success: Building a Diverse and Entrepreneurial Workforce gathered 2 and 4 year Cybersecurity/IA faculty input into what skills were needed most for students to succeed in their programs. The leading skill sets were not programming or computer science curriculum, but math and soft skills like writing (English) and communication skills. Sometimes we get so excited about something that we forget the backdrop the effort is situated in. if we only have $10 to spend where do we spend it? Better efforts to increase written and communication skills or getting students to program?

Some have argued that it is a misconception that students who want to go into cybersecurity MUST first have a strong foundation in computer science and/or programming. Now, I totally understand the reason behind this opinion, and should state up front that I’m all into programming—I encouraged/pushed by own kids to take computer science and programming in high school, and all of our after school and summer programs include a fair share of programming, however, we have to also ask ourselves; could we be turning off some students if we mandate programming? Is understanding of networking or other skill sets just as valuable? I ask this question, as our own records have revealed some interesting results. Teachers have enrolled in our Cybersecurity Education CTE Academy. The original target audience included educators teaching computer science or Cisco/networking courses. One of the first courses the teachers were to complete was the Security + course. Not one computer science teacher could complete the course on the initial try. Supplemental training was needed to give them the networking and hardware background to feel comfortable in the course.

The National Research Council’s report, Professionalizing the Nation’s Cybersecurity Workforce? Criteria for Decision-Making lists several conclusions that should be considered:

Conclusion 2. Although the need for cybersecurity workers is likely to continue to be high, it is difficult to forecast with certainty the number of workers required or the needed mix of cybersecurity knowledge and skills.

There are many indications today that demand for cybersecurity workers will continue to be high, but it is notoriously difficult to measure or forecast labor supply and demand for any field, especially one that is as dynamic and fast moving as cybersecurity. Moreover, there are several factors that may affect future need.

Conclusion 3. The cybersecurity workforce encompasses a variety of contexts, roles, and occupations and is too broad and diverse to be treated as a single occupation or profession. Whether and how to professionalize will vary according to role and context.

Cybersecurity is a field that encompasses more than one kind of work and more than one occupation or profession. Some kinds of workers may come to be considered as professionals, but the committee believes that the field may also include a range of personnel and functions that are best not considered as professionals, much as many other fields contain both professionals and other workers who are not formally professionalized, including some who are designated as paraprofessionals. For example, there are today large numbers of people within organizations who have responsibility for cybersecurity functions, such as frontline IT support staff, for whom there may not be any formal education or accreditation requirements.

Conclusion 4. Because cybersecurity is not solely a technical endeavor, a wide range of backgrounds and skills will be needed in an effective national cybersecurity workforce.

For example:

  • Attackers target organizations and individuals as well as machines and networks, so cybersecurity is inherently concerned with human adversaries and behaviors of those in the organizations they target. Protecting cyberspace thus involves human, behavioral, psychological, and economic factors and management expertise as well as technical skills and knowledge.
  • Cybersecurity is a function of organizational policies and processes as well as technologies. As a result, people are needed who understand the organizational context—mission requirements, business processes, and organizational culture.
  • Cybersecurity work often involves teamwork and collaboration across organizational boundaries. Soft skills, which include the ability to work in teams and facility with oral and written communication, are essential in many roles.

As a result, education, training, and workforce development activities that focus too much on narrow technical knowledge and skills may discourage participation by people with much-needed nontechnical knowledge and skills, may overly concentrate attention and resources on building technical capability and capacity, and may discourage technically proficient people from developing nontechnical skills. The result would fall short of delivering the workforce the nation requires.

I want to highlight some key points that should be made as I can see the handwriting on the wall—the report indicates a need for cyber professionals (something we have known for some time) and the need for students to be aware of the pathways (again something those of us in the trenches already have recognized). However, before we spend millions to develop career pipeline awareness programs and/or resources, we should first look at what has already been done. In doing so, we marry survey data and the needs identified with existing efforts and programs that can help address the knowledge gaps. We must look at the holistic environment to get  deeper answers and examinations of the data being raised by instruments such as the millennial survey.




National Cyber Security Awareness Month

National Cyber Security Awareness Month has come a long way since the initial brainstorming sessions and roundtables. It’s so exciting to see the effort in full swing.

Although it has to share the spotlight with other important venues like some of the ones listed below–we can’t forget the importance of getting the word out about both C3 awareness (Cyberethics, Cybersafety and Cybersecurity) and careers that support this important field!

Health observances

Culinary observances

  • National Pizza Month
  • National Popcorn Poppin’ Month
  • National Pork Month (United States)
  • National Sausage Month
  • American Cheese Month

To learn more about the efforts leading up to NCSAM visit

Video Crowd Pleasers

Last week I gave a presentation at a local school for students about careers in cyber security. One great way to capture the imagination and attention is by opening with a short video.

Below are a few I have used before that are big hits with students:

Description: Theodore “Internet Safety” briefing but focuses on security; cartoon format


Description: Internet Threats – Vírus, Worms, Trojans, etc  Projecto Internet Segura – Tipos de ameaças

Description: Antivirus & Internet Security Cartoon by Kaday Aung (Panda Security)

Description: Focus on IT use and explosion

For those who are wondering whether the prediction that a “super-human” computer would exist by 2013 came true, it did. Cray’s “Titan” at Oak Ridge National Labs computes at a rate of 17.6 petaFLOPS (17,600,000,000,000,000 Floating Point Operations Per Second), and was initialized in November 2012. China’s Tianhe-2 can do 33.9 pFLOPS, but was only started in June 2013.

Description: Overview of viruses and other malware through the years

Description: Cyber Facts and CW promo




Developing classroom presentations for your community’s k-12 schools may seem like an overwhelming task, especially for an already busy professional. However, it can be done and it can be very rewarding for both the presenter and the attendees. The presentation tips and recommended materials below will help you develop exciting and successful presentations that leave students and their teachers wanting more.

KEY #1:

It is important to understand the difference between career/workforce awareness and cyber awareness. In many cases teachers/schools are asking for a career briefing, and become disappointed when the content covered seems more geared towards cyberawareness (internet safety). Topics such as strong passwords, privacy, use of social media, and online reputation management are usually covered in great detail now-a-days due to the federal mandates associated with E-rate funding. Teachers may be disappointed and students may also become bored if the presentation content is cyber awareness—as they have already heard the messaging. While these topics can be briefly covered, the key is to make the connection between the cyberawareness topics and the career options.

What are jobs in cyber security? How does choosing a strong password make the job of a cyber security professional easier? Can students think of other ways besides passwords to make information confidential and secure? What are different job roles/responsibilities/titles in cyber security?

KEY #2:

Depending on the school/school district, you may be asked to provide evidence of a background check/fingerprinting. You or a representative of your agency might want to verify the requirements. Always ask that a second adult be present during your presentation. Make sure you have a formal form of identification on hand when arriving at the school. Most schools now require it at the main office before allowing you to be escorted to your presentation location.

Tips and Tricks

Grab their attention

The key to a successful presentation is to capture the audience’s attention from the start and hold throughout. You might want to start with a brain teaser, short video, open ended question, magic trick, age appropriate story, or demonstration that introduces your topic.

NOTE: Handouts and give-aways should be given towards the end of your presentation.

Presentation pointers

Here are some tips to help your presentation go smoothly.

  • Introduce yourself with age appropriate vocabulary.
  • Avoid (spell out and explain) acronyms; assume the audience is not familiar with any acronyms or titles.
  • Make eye contact.
  • Whenever possible, make it active, animated and include discussion and hands-on activities.
  • Use minimal PowerPoint and/or video.
  • Do not assume there will be electricity, laptop, projector, screen, or internet access.
  • Get students engaged by asking questions and continue to check often for understanding.
  • Use props, activities, student demos and other visual materials to make more interactive.
  • Close with a summary of your key points or better yet ask students to summarize the key take aways.

Be sure to thank the students, teachers, chaperones, parents and administrators for allowing you to visit.

Career Fairs and Presentations

Increasingly I get asked for information and resources to present to students, educators and/or parents. I thought I would take some time and share a few tips for sharing with the K-12 audience.

One of the first things I ask is what grade level and is it a career fair (table format) or a presentation format. Both the format and the age group of the audience determines the strategies, resources and delivery of the material.

Let’s first explore the Booth format.

Hosting a booth at a career fair can be an effective way to engage students (and parents) to learn more about careers in cybersecurity, but only if you can persuade them to visit your table. Creative displays that are innovative yet substantial will entice attendees to stop. Encourage them to spend more than a minute at your booth — and perhaps learn more about your program or company– with a well-planned booth display.

Here are a few pointers:

Confirm the Audience

Confirm with the event sponsors the audience logistics. What is the audience age group? How many students will be attending? Will students rotate through informally or formally? Will students be accompanied by parents? Inquire about the following:

  • What is the general age range that will be attending?
  • About how many students can I except?
  • Is the event during school time or after school?
  • Are students allowed to explore on their own or are they escorted as a group by teacher?

Confirm the Display Logistics

Ask the event sponsors for the display size and specifics. K-12 events typically come in two flavors; classrooms organized by theme or entire event held in the cafeteria or media center. If themes, you will be assigned a room with several other organizations based on topic (medical, financial, technology). Cyber security typically falls under the technology theme. Six foot fold out tables are the norm for the displays. Table clothes are usually NOT provided. Typically small pull up banners are allowed but not large display cases. Electrical outlets may be hard to find. Ask that your table be placed near an outlet if you need electricity, and bring long extension cords. Internet access is usually NOT provided; if you need access make arrangements to use a personal hotspot connecting to your iphone or something similar.

A display poster or name recognition is usually not provided; make sure you bring a table cloth with name display or some other means to display who you are. Don’t assume you can tape signs up on wall. This is typically not allowed.

Inquire about the following:

  • Are table clothes provided?
  • Can we use display or pull up banners?
  • Are electric outlets available?
  • Is Internet access provided?

Include table cloth and organizational banner  NCC K-12 Division Table Display

Offer Icebreakers

Students may feel shy and reluctant to approach your table, so display some fun items to act as conversation starters. Along with brochures and other handouts regarding your organization or institution, consider passing out candy (no nuts or peanuts) or party favors. Better yet, offer gifts that are entertaining or useful and also include information about the group you are representing.

For example, wrap water bottles with custom labels printed with your organization information or give out promotional gifts with your  logo. Find give-aways that connect with Cyber security. Below are a few possibilities.

  • Band-aid dispenser:   Be safe and secure
  • Computer mirror: Are you secure?
  • Tape measure: How do you measure up?
  • Whistle/light: Be safe and secure

Make It Exciting

The table display needs to be exciting to look at. A three way display board can draw attention. Use display holders to organize brochures and other paperwork. Easels with posters or posters with T-shirts can also attract attention. You should also include hands-on interactive activities.

Make It Interactive

A hands-on display that students and parents can explore on their own will pique their curiosity. Or you can include a game or task that needs to be solved; perhaps leading to a give-away prize. Make sure you can explain how each relates to broad field of cyber security and to the group or organization you are representing.

Here are a few of the crowd favorites:

  • Lock Picking
  • Break the code
  • Computer parts
  • Invisible Ink
  • Puzzles

In the future I will include some lessons for the interactives above and others that are crowd favorites.