The Cyber Retraining Academy is an HM Government program delivered in partnership with SANS to address the cybersecurity skills gap. Today, March 31 2017, 55 students – who previously had no experience in the industry whatsoever – will graduate and move on to (cybersecurity) pastures new. Infosecurity editor Eleanor Dallaway attended the Academy industry day and spoke to the organizers, students and industry supporters to get to grips with the program’s objectives and results
The second class of the Cyber Retraining Academy, run by SANS and funded by the UK government, are graduating today. The objective of the Academy is to target and train untapped talent in an effort to reduce the cybersecurity skills gap.
“The remit for applicants is to have no cyber experience”, says Stephen Jones, managing director of the SANS Institute, but that’s where the requirements end. “There is a special target on military leaders and law enforcement, but absolutely anyone can apply.” This is evident in the diverse backgrounds of this year’s 55 students, including a bartender, a professional gamer, a journalist, a psychiatrist and police officers, to name a few.
Whilst there is great diversity in age (the Academy offers places to 18-60-year-olds), of the 55 students only six are female. “This is really disappointing and we need to work out how to get more involved in the future”, says Jones.
Academy applicants took aptitude assessments so that SANS could assess “if their brains worked in the right way.” The overall problem, says Jones, “isn’t training the people, it’s finding the people to train.”
Creating Immediately Deployable Cybersecurity Professionals
SANS Institute independently ran the first Cyber Retraining Academy in 2015, showcasing its success to government and industry.
“The government saw that it worked and decided to invest as part of the national strategy”, explained Jones. The government put it out to public tender, and SANS won the contract.
“The idea behind the Academy,” explains Jones, “is to show organizations that they don’t have to wait two years for new candidates, there is talent outside of the industry. We need to change our view on what a good cybersecurity professional will be.”
It is the Academy’s objective that on graduation, students will be “immediately deployable” into entry-level roles. “It’s basically a fast-track graduate program”, Jones explains.
This was certainly the case with the inaugural academy in 2015, with all 32 students deployed straight into roles in the industry, and consequently resulting in accelerated career paths.
“With industry claiming they don’t have the time and resource to train talent, and not enough STEM graduates to go around, employers are desperate for hands-on skills”, says Jones. That is exactly what the Cyber Retraining Academy provides: both theoretical and practical knowledge and skills.
“The course covers a foundational understanding of operating systems, networks and a secure infrastructure"Chris Pizor, certified SANS instructor
How the Academy Works
The Cybersecurity Retraining Academy is a 10-week program which introduces general cybersecurity principles and builds foundation and knowledge across a wide breadth of topics.
During those 10 weeks, students have to be in London Monday-Friday and obviously have to give up the day job.
Chris Pizor is a certified SANS instructor and is teaching one of the Academy modules.
“The course covers a foundational understanding of operating systems, networks and a secure infrastructure. From there, we jump into incident handling and hacker techniques, malware, threats, and how to respond to them. We look at all parts of the cycle: Identify, detect, eradicate, recovery.”
The Academy course begins with 75% theory, explains Pizor. This reduces throughout the 10 weeks and by the end is 100% hands-on work. “We consider real-world problems with the students, giving them a good foundation to hit the ground running.”
Pizor considers this Academy’s students the best he has ever taught in over a decade of instructing. “There are people of all ages from all backgrounds and they are all really intelligent and I’ve been blown away by their understanding of technology. There are definitely feeder industries – healthcare, defense, law enforcement, IT.
“What’s really impressive is the motivation to learn,” says Pizor, “the students are putting in many hours of study outside the classroom, the dedication is incredible.”
The Industry Perspective
The Cyber Retraining Academy has many industry partners waiting in the wings to snap up the brightest talent from the Academy graduates. Given that every company involved in the inaugural academy in 2015 returned to sponsor the 2017 Academy, they must have been pleased with the results.
In February, half way through the course, the Academy hosted an event at the Grand Connaught Rooms in London to connect its candidates with industry. The small career fair allowed Academy partners to meet with candidates, many offering hacking games and activities to assess students’ talent.
Supporting companies are able to track students’ progress throughout the academy on the online portal, send representatives to participate in talks during the course and can contact the students at any time.
Huawei has supported both Cyber Retraining Academies. So what convinced them to participate for a second time? “The guy we found and hired in the first program is phenomenal”, says Chris, a pen-tester at the firm.
“We have a technical director who is really interested in finding the right people – people with passion. The only people that get hired at Huawei are those so passionate that they do this stuff in their own time.”
The job fair at the Cyber Retraining Academy is better than a public job fair, he says, “as everyone here has both the passion and has the SANS skills. Talent is handed to us on a platter.”
Of course, with 55 passionate, talented cybersecurity professionals in the making, the industry supporters, like Huawei, are competing with each other to find and recruit the best people.
Huawei has built a hacking challenge to test the skills of the Academy students and “aid with categorizing people into those that know their stuff.”
Mike is also a pen-tester with Huawei. “We’re looking for natural passion and curiosity and so far we’ve been really impressed by what we’ve seen from the students.”
Mike and Chris believe that the skills gap is exaggerated at Huawei because they look for a higher quality of talent. “To find someone who goes home and lives it is really difficult. At Huawei, people have different skillsets, but we’re sort of clones. It’s a company of geniuses.”
It is their belief that industry should be funding schemes like the Cyber Retraining Academy. “What we don’t want is industry dictating what kind of professionals we want. SANS should judge that and teach the right skills”, says Chris.
The National Crime Agency (NCA) is also a supporter of the Academy. Greg works for the NCA and tells Infosecurity that they are “seeking new avenues for recruitment to acquire specialist cyber skills through diversity of background. Diversity is generally really important for the NCA because that’s what makes it tick and we have to represent the public that we’re protecting.
“It’s a very competitive market and good talent is hard to come by. Public sector pay is challenging from a recruitment perspective, but we don’t want the kinds of people motivated by pay. We want those that want to achieve something.”
Working for the NCA has other benefits, adds Greg. “Working with international partners and the ability to do something that is for the benefit of the country.
“At the career fair here at Cyber Retraining Academy, there has been lots of interest in what we do, and lots of people with the relevant skills. We’ve done a lot of work around tailoring the recruitment process and being cognizant to what appeals to people when applying.”
“It’s a brilliant opportunity and I’m very grateful to be part of this great initiative where the government and SANS are trying to break down the barriers in the workforce”Marion Dakers, Cyber Retaining Academy student
The Student Perspective
Jim Newman is one of the Academy’s students. A qualified teacher, Newman’s career to date has been diverse: teaching French, running his own business, doing collision investigation for the council and working in IT.
He recalls the application process as being “more challenging than I thought. Initially, there were a few easy questions, then came the lengthy application, aptitude test and finally face-to-face interview.” With his “very supportive” family in Somerset, Newman is living in London for the duration of the academy. For him, his objective is professional development and an exciting career in cybersecurity. “I’m really enjoying it,” he says of his time at the Academy. “Now we’re getting our hands dirty, doing practical exercises and working in groups, it’s getting even better.”
The Academy students have a good rapport, he explains, with a good social scene and a remarkable lack of competitive tension.
Marion Dakers, former financial services journalist at The Telegraph, is also a student. “There’s more than enough jobs to go around at the end, and we’re all from such diverse backgrounds offering such different things that there’s no sense of competitiveness”, she agrees.
“I did the assessment for the Academy on a whim,” Dakers confesses. “This isn’t my field of expertise so I was surprised they said I was capable.” She describes her technical ability before joining the Academy as “just about being able to install a printer”, and originally classed herself as one of the least technically proficient in the group.
“I’ve had to do a lot of homework, but everyone is learning new tricks at every stage. It’s intense, exhausting and it’s a lot to take in at once”, she says, admitting that she’s still trying to come to terms with the acronyms and language used in the industry.
When asked if she ever questions her decision to leave journalism to embark on this career change, she says “most days I feel nervous that I quit my job for this. It’s a long-term decision because cybersecurity is growing faster than journalism. I hope I timed that jump right.
“It’s a brilliant opportunity and I’m very grateful to be part of this great initiative where the government and SANS are trying to break down the barriers in the workforce.”
“The idea behind the Academy is to show organizations that they don’t have to wait two years for new candidates, there is talent outside of the industry”
The Future of the Academy
Whilst jobs at the end of the Academy aren’t guaranteed, the 100% success rate to date speaks volumes. There is also no obligation for graduates to stay in the industry after their training is complete, but with their passion, talent and drive immensely impressive, SANS and its industry supporters are confident that most will.
With the cybersecurity skills gap vast – predicted at 1.5 million by 2020 according to the latest (ISC)2 workforce study – Jones admits that although the Cyber Retraining Academy “makes a dent, it doesn’t solve the problem.” The Government can’t support this on a great scale, so the goal for the future is to get it supported by industry.
Jones has hopes for a similar scheme offered through Open University style learning. “There are many excellent candidates who we lose because they can’t move to London for 10 weeks or give up their wage.” A home-education opportunity would make the Academy accessible to many more candidates, he says hopefully. After all, that’s what the Academy strives to do, make cybersecurity careers accessible to all.
For aspiring cybersecurity professionals who have the passion and the aptitude but lack the formal education and training, the Cyber Retraining Academy opens doors and offers them a route in. “The beauty of the Academy is finding people from ordinary walks of life, and finding them from anywhere other than cyber. It’s all about being able to do the job and all that’s about is having the right brain,” concludes SANS’ Jones.
Congratulations to the Cyber Retraining Academy class of 2017 on your graduation.