Cybersecurity is a big and growing deal. Every week, there are stories about some hackers breaking in and stealing data, or extorting money from companies with ransomware attacks. This struck close to home last spring when a cyberattack led to the shutdown of the Colonial Pipeline, and we ran short of gasoline in North Carolina.
Companies and governments are hiring folks to defend their systems. There are a lot of vacant cyber jobs, nearly 600,000 nationally, and around 21,000 in North Carolina. If you want a secure, good-paying career, this is one.
I talked last week with Carolyn DeSimone of Wake Tech, who plays an important role in training the state’s cyber security workforce. DeSimone is program director for cybersecurity and an associate professor in the Network and Computer Technologies Department. She has been teaching at the state’s largest community college since 2001.
“Our program has grown like wildfire,” says DeSimone. While Wake Tech has been offering classes in information system security for around 15 years, its two-year associate’s degree program was started four years ago. Students take courses like digital forensics. Think about being a crime scene investigator when the chalk outline, metaphorically speaking, is around a hacked computer. Who did it? What did they take? What was left behind, hidden?
Community colleges are a big part of solving the shortage of cyber professionals because they have very skills-based programs aiming to produce graduates ready to go.
“It’s a constantly evolving process of making sure our courses are up to date,” says DeSimone. Wake Tech has an advisory committee of local employers who meet with DeSimone and her colleagues. “This is what we’re thinking, this is what we’re seeing. What are the skill sets you need.”
In 2018-2019, Wake Tech had 476 cybersecurity students, according to its annual report. By last year, that had grown to 610 students, making it the second-largest degree program, behind general business administration.
What limits growth is a shortage of faculty, says DeSimone. “These people can make so much money working out in industry, that it’s very difficult to get them to come and teach at, let’s say, a community college system.”
“It’s very difficult when you have a student who graduates and they’re making more money than the faculty who taught them,” she says.
Over the two decades DeSimone has taught at Wake Tech, cybercrime has grown into a major global problem, costing businesses and governments $600 billion a year, by some estimates. As the Internet grew exponentially, businesses and governments rushed online. Cybersecurity struggled to keep up.
DeSimone experienced this when she bought a home during the pandemic.
“I had been in my prior home for 20 years, and I was shocked that 99% of the entire process to buy a house was online. All the documentation, all the financial things that you submit to the lender. And it was devastating for me to do those things, but that’s how they function now.”
“’Oh, no, we secure it,’” she was told. “I’m like, ‘Yup, sure you do.’”
Cybercriminals try to break into Wake Tech. “We have some internal servers at our campus that our instructors use to host data, for grading purposes and whatnot. One of our instructors is tracking, I mean, hundreds and hundreds of hits to this server on a daily basis,” she says. Because they’re using robots out there to ping these things. It’s like the velociraptors testing for weaknesses in the fence.”
It isn’t easy to know the scale of the problem here in North Carolina. For one thing, companies don’t talk about it, because they don’t want it out that they were vulnerable. State and local agencies are required by law in North Carolina to report significant incidents to the state’s cybersecurity staff. This includes the Enterprise Security & Risk Management Office, and can involve the Joint Cybersecurity Task Force. By law, these reports are exempt from public disclosure.
Central Piedmont in Charlotte experienced a ransomware attack last February that disrupted the state’s second-largest community college for two weeks.
The leader of the state’s cybersecurity efforts is Rob Main, the chief risk officer, who occasionally will talk to high school students about careers in his field. Main says that for folks starting out in a cyber career, working in state government can provide a wide range of experience.
“Private sector jobs might lead you down a very narrow path,” he says. “The value proposition of the public sector is that you’re going to be exposed to a lot of technology, a lot of opportunities.”
College graduates who sign on with the state will find themselves dealing with an operation that treats significant cyber attacks like natural disasters, through less of an IT lens and more an emergency management approach.
“Creating that mindset that cybersecurity incidents should be looked at no differently than natural disasters,” says Main. “Flooding in the mountains, hurricanes on the coast. And having that structure already in place to support flooding and hurricanes.” It makes sense to include cybersecurity incidents in that model, he says. That is why the Joint Cybersecurity Task Force draws from law enforcement, emergency management, the National Guard, and local government, as well as state and federal cyber specialists.
One increasingly common crime is the penetration of computer systems, locking them down with encryption, and demanding payment from the company or agency to unlock them.
In the recent state budget, legislators put in language prohibiting state and local agencies from making these ransomware payments, the rationale being that bad guys will eventually find out that public entities in North Carolina can’t pay.
“One thing that we’ve seen with the Joint Cybersecurity Task Force is local governments who are in the midst of a cybersecurity incident having to make a very tough decision on whether they pay the ransom,” says Main. “And there’s no guarantee that even if you pay the ransom, you’ll get the decryption key. So this is a good tool to have in our tool box to eliminate that from the equation and really focus on the recovery efforts and preventing the means by which the local government was exploited.”
I talked to DeSimone and Main because I was interested in the efforts to try to attract more folks into cybersecurity careers. One tool is CyberStart America, an online cybersecurity competition for high school students sponsored by the National Cyber Scholarship Foundation and SANS Institute, a Bethesda, MD, company.
CyberStart America presents students with a series of games in which they solve cybersecurity-related puzzles, and get exposure to code-breaking, programming, networking and digital forensics. Students who do well can gain access to scholarships and training. Last year, 1,165 North Carolina students participated, and 18 won college scholarships and the opportunity to participate in Cyber Foundations Academy, several weeks of cybersecurity training. Emily Chen, a student at Panther Creek High School in Cary, was among the top 30 students in the nation and gained a $3,000 scholarship. In the current contest, there are 886 North Carolina students registered. This is a good introduction to cybersecurity.
Another strategy is what Wake Tech is doing at its RTP Campus, which opened in 2018. Beginning this fall, the second floor of one of the buildings will be, in effect, a dual-enrollment high school. “We’re going to have cybersecurity,” says DeSimone. We’re going to have computer programming. We’re going to have network management there. So students can, basically, after four years of high school, [earn] either a certificate or an associates degree along with their high-school diploma. So it’s going to be a very interesting opportunity to get them at the high school level and take them on through.”
One challenge to filling those cybersecurity vacancies may be with the folks advertising them. Many of the jobs they are trying to fill can be performed by DeSimone’s graduates, with two-year degrees. Still, many job postings require four-year degrees.
“You talk to the employer, and they say, ‘We’re accepting two-year students.’ Well, why doesn’t it say that,” says DeSimone. “That is a big hurdle,” because community college students will see the four-year requirement and not necessarily know they can probably get in with an associates degree.
The average age of students in her program is around 29. “We’re not talking about 18 and 19 year olds. We’re talking about people who are coming back and retooling and retraining.
“A lot of the people who are working in IT came up in IT and they never got that academic credential. They have mad, mad technical skills and they never took the time to get that academic credential. Because of where we’re located, particularly in RTP, we have a lot of those high-tech workers who are now coming in to get those academic credentials.”
So those are some of the strategies – get young folks interested while they are in high school, and bring in the older students who are back in school to learn how to fight cybercrime. With a little more flexibility from employers on community college graduates – and maybe more money for faculty – North Carolina should be able to boost its cybersecurity workforce.