Experience: one of the most valuable things to have as a cybersecurity professional, and one of the hardest things to get. Hands-on experience—not formal education or specific training, personal endorsements, or official certifications—is what really differentiates qualified cyber talent, according to a recent study by the global IT governance professional organization ISACA.
Two cyber competitions concluded in the last few months that provided teams of college students with the kind of real-world experience the cyber and information security sectors desperately need. The National Collegiate Cyber Defense Competition was the first national cybersecurity competition to test how well college students operate and manage a network infrastructure like those in the commercial sector.
This year, students from more than 230 colleges tested their defensive cyber skills, coming out battle-tested and workforce-ready, as Raytheon’s Jennifer Griffith, who manages the partnership with NCCDC as the title sponsor, told WashingtonExec.
“At the same time as trying not to get hacked, they have to field customer calls, talk to the CEO—a whole bunch of different things in a short amount of time to simulate real-world application,” she said.
This was the fourth year Raytheon served as the title sponsor of NCCDC, “and watching these students practice their skills in real-life business scenarios gives me confidence we are growing the workforce-ready cyber talent that will meet the future demands of this important field,” said Dave Wajsgras, president of Raytheon Intelligence, Information and Services.
According to the ISACA survey, it’s not technical skills current cyber professionals lack; it’s the ability to understand the business of the cybersecurity industry. University of Maryland, Baltimore County won this year’s National Championship, where the competing teams worked to secure a multisite retail corporation with 160 employees, a point of sale system, an inventory system and other systems you find in a typical retailer.
Moving Beyond the Tactical
But the future of cybersecurity relies on more than just technical practitioners in the private sector.
Figuring out how to counter cyberattacks is a national security imperative, a strategic and operational matter for diplomats and lawmakers, military leaders and law enforcement. That’s what makes the Atlantic Council’s Cyber 9/12 so valuable.
Sam Visner, senior vice president and general manager at ICF for cybersecurity and resilience, is also an adjunct professor at Georgetown University, where he teaches cybersecurity policy operations and technology. He coached the university’s team that placed in the top three at this year’s Cyber 9/12.
“The Cyber 9/12 competition is very important,” he said. “Most of the conversation around cybersecurity takes place in the context of technology, capability: What can an adversary do, and how would they do it? What can we do; how would we do it? What exploits or attacks might we face? What defenses should we mount?
“There’s plenty of good work taking place on the technology side,” he continued. “On the other hand, governments are not as well-suited as they need to be to think about cybersecurity and cyberspace as a domain of action that affects their interests in real space.”
Cyber 9/12 launched in an effort to “bridge the gap between the really technical parts of cyber and combine it in with national security, international relations, security studies thinking,” said Jason Healey, senior research scholar in cyber conflict studies at Columbia University and senior fellow at the Atlantic Council’s Cyber Statecraft Initiative.
“What might be true at the technical level doesn’t have to be true at the national security level,” he said. “We need both of these to come together if we’re going to solve the problems that are facing the world over the next five, 10, 20 years.”
Professionals for the Future, Solutions for the Present
Ultimately, it’s not just students who benefit from these cyber competitions. Cyber 9/12 in itself is an important learning experience for students, Visner said, and just as important for current cybersecurity professionals across stakeholder groups.
“It can drive the development of curricula and academic research, and it can drive the way people are going to be thinking about this problem, because the problem is going to become real,” he said. “My hope is that [competition judges] listened carefully to the students’ presentations and that, in addition to judging them, they learned from them.”