Students today are seeing more options than ever to learn cybersecurity.
Yet many students struggle to find work and fully realize the promises they’ve been sold.
In fact, nearly a quarter of 2,800 students (23.6%) recently surveyed by Hack The Box (HTB) voiced serious concerns about finding a job after education.
As a college educator and security practitioner, I interact with learners from all around the world who are striving to break into this industry. And they echo some common concerns about the quality of education they receive:
“It is far too much theory and not enough hands-on.”
“I feel like I am trapped in an LMS (learning management system).”
“Everything is online and it's lacking a community to collaborate with.”
“I feel like I am doing this all on my own.”
“I need a mentor or instructor to guide me on this journey.”
“I can’t seem to get any interviews.”
“There’s no labs to practice skills.”
On top of concerns about the quality of education, a skills or talent gap exists in the cybersecurity industry.
But the gap is not really a demand for more candidates. It’s created by the demand for more qualified candidates.
I give a talk at conferences that I playfully call “CVE EDU” because I believe the skills gap itself is one of the greatest vulnerabilities we face as an industry.
We should address it with the same urgency and collaborative spirit that we apply to resolving technical vulnerabilities on servers, end-user devices, and network infrastructure.
There's a demand for highly skilled talent to fill cybersecurity roles, but there is not enough qualified talent to fill these roles. Keep in mind that credentialed and qualified are not the same thing.
Credentials can be helpful, but they will not do the job for your students. It is the skillset (technical and interpersonal) that matters most.
The World Economic Forum also refers to the skills gap as a “real threat” in a recent post written in May 2023. ISC2 conducted a workforce study in October of 2022 that indicated: “3.4 million more cybersecurity workers are needed to secure assets effectively.”
When encountering research like this, aspiring cybersecurity professionals may think:
“If this skills gap is such a big deal and there are so many unfilled roles, then why am I having such a hard time getting an interview or landing a cybersecurity job?”
The main guiding question I use when I mentor learners in this situation is:
“Are you sure your skillset is where it needs to be to address the needs of these organizations?”
The response I often get is something to the effect of:
“Well, I have x certification(s) and this degree.”
This helps me understand how a learner sees themself. It reveals what they choose to lead with in order to establish themself as a strong candidate to a potential employer.
In other words, it helps me see what their focus is.
Many educational institutions and private training companies can place far too much focus on stacking credentials over building skills.
This misleads learners into thinking that obtaining credentials should be the primary focus when it shouldn’t.
Related read: (Realistic) cybersecurity interview questions & answers.
Traditional education is the system from which I spend most of my time teaching and mentoring learners. I teach IT and cybersecurity at the community college level.
Many of my students desire live interaction with an instructor in a collaborative environment hosted in an interactive IT lab. In this setting, I have students working with IT equipment (servers, desktops, laptops, routers, switches, firewalls, etc.,) and working in teams to complete lab challenges.
I combine this with a blend of cloud platforms to simulate the hybrid-cloud approach that modern organizations use. This approach can have the following strengths for learners:
Hands-on access to equipment and software used by businesses.
Access to an instructor or mentor for real-time questioning and conversation.
A collaborative environment to build communication and teamwork skills. The right schools will have a rich sense of community and support on campus (in-person and online).
Career coaching and assistance to connect employers with learners at a personal level.
Opportunities to do community outreach. I have led many of my students on educational trips to companies and even helped them facilitate workshops to teach people IT skills in the surrounding communities.
Focused on giving students a comprehensive education that goes beyond technical skills. Think about writing, speaking, and developing a well-rounded professional.
Although this is my approach wherever I teach within the traditional education model, not all institutions approach it this way, and there are some downsides.
Some of the shortcomings, issues, and weaknesses that I have noticed and work to change as I partner with educational institutions are:
Many institutions are putting all classes online with very little instructor interaction and rely heavily on 3rd party developed content to do all the teaching. This essentially means the learner is paying the institution for access to an online book that they could’ve bought on their own and self-studied for a fraction of the price.
Most institutions offer degrees that take multiple years to complete. That said, there are some schools doing competency-based and on-demand curriculum that allows students to complete courses at their own pace.
According to Statista, the average cost of tuition in the US is between $13,470 (for a public two-year degree, often from a community college) and $23,250 (for a public four-year degree, often from a University).
The cost often causes students to take out student loans and start their careers in debt. That said, there are programs like FAFSA and scholarships available that can make schools more affordable.
Some institutions have allowed themselves to fall out of date with the technology they use. Even worse, some schools with in-person IT and cybersecurity offerings do not have IT labs, this is a red flag for potential students (a sign to stay away).
Leaders of college IT and cybersecurity programs should advise prospective students to conduct a detailed exploration of educational offerings before enrollment.
It is essential to ensure that the program aligns with the student's individual needs and career ambitions within the cybersecurity field.
Encourage visits to campus, discussions with professors, engagement with program alumni in the cybersecurity sector, and allow students to request tours of IT labs to fully understand the practical, hands-on training your program provides.
Platform-based education is a learning experience based online on a cloud-based platform that is accessible on-demand with realistic hands-on labs.
Please know that even though we are comparing these different approaches to teaching and learning IT and cybersecurity skills, they can—and should be—combined.
A platform-based approach to teaching has the following strengths:
On-demand, allowing learners to participate whenever they want to learn.
Completely browser-based, so not much equipment is required on the learner’s side.
Current, relevant, and able to adapt quickly to industry changes. Because this is a relatively new and exciting approach to learning, there are a lot of incredibly talented people contributing to these platforms. These experts spend lots of time focused on developing engaging content and learning experiences.
Affordable. I’m specifically considering Hack The Box and comparing it to the cost of traditional education. Its various services are priced fair enough that your students can up-skill for about the same price of a TV or movie streaming platform subscription per month.
Community-based. I believe Hack The Box is one of the pioneers of the recent crowd-sourced learning movement in IT and cybersecurity.
That is where learners using the platform are creating supplementary learning content for the platform. (HTB is actually encouraging that instead of trying to take it down out of fear of competition.) Writeups, YouTube videos, live forum discussions via chat apps like Discord, and more.
Creating video walkthroughs and write-ups for retired machines on Hack The Box is one of my favorite parts about it.
Since the beginning, it has made me feel like part of a community and ultimately helped me establish a working relationship with HTB and many other cybersecurity professionals operating at a high level in cybersecurity.
It’s creating opportunities for countless people.
Platforms like Hack The Box have a lot of strengths but they are not perfect. Some weaknesses are:
One of the critical technical skills in IT and cybersecurity is network infrastructure and network security (routers, switches, and firewalls). These devices are expensive. So generally aren’t scalable from a business context.
If thousands of learners spawned a challenge that lets them interact with actual network infrastructure, how many physical infrastructure devices would be needed to provide a good learning experience?
Yes, there are certainly virtualization-based solutions. But it’s still not quite the real thing.
Most businesses these days have their systems connected via network infrastructure devices. So knowing how to install, configure, manage, and secure network devices is important.
Hack The Box does have a meetup system where learners can go attend or even start their own in-person meetup, but these are not quite structured or built to intentionally assist learners in developing soft skills.
We discussed some strengths and weaknesses of the traditional educational methods and the platform-based education movement.
The goal in doing this is not to decide which is better than the other, but rather to identify how best to prepare your students for highly technical and ever-changing cybersecurity jobs.
Innovative educators around the world are starting to implement both methods, which give learners the best of both worlds. The weaknesses of one method are being canceled out or filled in by the strengths of another method.
In a Wireless Networking class I taught recently at a community college, I was able to give my students hands-on access to actual wireless equipment to learn enterprise WiFi skills. I had them set up RADIUS and force authentication on WiFi networks to happen through Microsoft’s Active Directory.
I required learners to set it all up from scratch to get a realistic experience.
In the next lab, my students and I worked through a retired machine on Hack The Box called WiFinetic, then I required them to do their own written or video walkthrough explaining the problems with WPS as the graded assignment.
I tried to combine the best of both worlds and the learners benefited from it. It doesn’t have to be one or the other, it can be both.
As educators and leaders, we should continually strive to create innovative, engaging, and effective learning experiences for our students.
Educators at the University of South Florida (USF) are also implementing Hack The Box offerings in creative ways to innovate within the traditional model of education. Thus far, they have realized the following benefits:
Reduced time spent preparing material from days to hours.
Improved student knowledge and skills in less than six months.
Increased student enrollment in cybersecurity classes.
Elevated interest and engagement with course material.
Aligned lectures and projects with current industry trends.
Provided an effective training environment for the USF CyberHerd competitive team.
As leaders in education, we must redefine how we deliver quality learning experiences to our students.
A major part of this should be focusing on the outcomes of the learning experiences we deliver. Not just in terms of learning outcomes and outcomes that benefit the institution, but overall career and quality of life improvement outcomes for our students.
Historically most institutions measure success based on one or a combination of the following:
Graduation rate (completion of certificates and/or degrees).
Student satisfaction surveys.
These are important metrics but they don’t often guarantee students are benefitting from the education we deliver.
I am proposing that we raise our standards according to the best interest of students. This includes but is not limited to:
Prioritizing the student’s learning experience above all else.
Innovating in IT and cybersecurity classes by giving our students access to the latest technologies (hardware and software used in the industry), learning platforms (like Hack The Box), and custom challenges that help students develop skills that are in demand in the industry.
Ensuring instructors are consistently upskilling and refreshing the course content they teach. This means moving away from copying and pasting course shells from past semesters and building brand new ones each new semester. (I personally do this to force myself to consistently innovate and combat potential attempts at cheating.)
Tracking student success beyond graduation. Our classes and degree programs should ultimately lead students to jobs in the field.
Tracking students' satisfaction and success throughout a course, not just at the end. Education should be enjoyed, not just endured. We should place more emphasis on making the learning experience enjoyable by catering to students' needs and even actively looking for fun and engaging ways to deliver content.
Hack The Box does a great job at this through engaging scenarios in Academy modules, fun-themed CTFs like University CTF 2023, Pro Labs, Sherlocks, a competitive ranking system, the look and feel of their websites, gamification, and much more.
Part of this can involve integrating practical platforms like HTB into curriculum and community events.
An innovative University in the Netherlands called NOVI University of Applied Sciences, experienced great success integrating Hack The Box offerings into their curriculum:
4x increase in enrollment/class size
87% of their graduates getting jobs in cybersecurity
Improved academic performance among students
87% of students secure cybersecurity jobs
Learn how NOVI University grew its number of cybersecurity students by 450% while improving the average grade scores and employment rates for graduates.
Proving the success of such initiatives starts with measuring the right outcomes.
As educators, we can start measuring success by engaging with career services, current students, and alumni to track student’s career progression.
We can start helping students get jobs in the field and then, with their permission, track their career progression. This ensures our educational programs are actually helping them become employable.
Sites like LinkedIn have made it easier than ever to track career progression.
Keep in mind that this also requires educators and educational leaders to establish rapport with the students in their programs to remain in tune with the students' experience and realized outcomes.
As educators, we have been called to the incredibly important mission of leading others into successful futures. Our students trust us to lead them in the right direction, and we should honor that by providing the best IT and cybersecurity learning experiences possible. A crucial part of that is adapting to the new trends and demands for learning cybersecurity.
Thank you for taking the time to read this piece. I hope that it is insightful and inspiring to you in the next steps of your mission. Keep leading, teaching, and learning; your students are counting on you!
Author bio: Robert Theisen (LTNB0B), IT Program Director/Cybersecurity Professor
Robert loves learning, but he loves to empower others even more. He never takes off his IT/infosec professional hat and never will so long as he is preparing others to succeed by mastering the various tactics, techniques, procedures, and tools at their disposal. He has been in the industry for over 10 years, accumulated over 10 certifications, and assisted thousands of people around the world with entering and leading successful careers in the industry. None of his accomplishments would be possible without great mentors, friends, family, the Internet, and God.
You can connect with him on LinkedIn.