How boot camps may fill the need for more white hats in the US

Cyberspace is the fifth domain of warfare, yet there is a critical shortage of security experts ready to combat cybercrime.

How boot camps may fill the need for more white hats in the US New study: 3 in 5 have experienced discrimination in the workplace

As cybersecurity threats increase so does the need for more experts to combat the problem. TechRepublic's Karen Roby talked with Mark Davis, the managing Director of Fullstack Cyber Bootcamp in New York City, about the supply and demand of cybersecurity experts. The following is an edited transcript of their conversation.

SEE: How to become a cybersecurity pro: A cheat sheet (free PDF) (TechRepublic)

Mark Davis: New York City has created a project called Cyber NYC, which is basically, it's a  $100 million public-private investment where they're essentially trying to turn New York City into like the Silicon Valley of cybersecurity. Part of that project is they want to create 10,000 new cybersecurity-related jobs here in New York City. Part of that project is they need to train 10,000 New Yorkers. That's where we came in. They invested in us to build the official cybersecurity boot camp for New York City, which is Fullstack Cyber Bootcamp, which opened earlier this year.

Karen Roby: Talk a little bit about supply and demand related to cybersecurity experts.

Mark Davis: I guess the headline is it's pretty bad out there, right? We read it in the news everyday, "Another huge hack," or, "data breach." Sadly, I think the truth is that there's a war--I don't want to be alarmist, but there's a war being waged in cyberspace, and it's started already, right? If you look at historically, the sort of four domains of warfare: Land, sea, air, and space... now the US government has designated cyberspace as the fifth domain of warfare, and it's an active one, right? If you look at globally what's happening, cybercrime will cost the world $6 trillion annually.

Companies and governments are struggling to keep pace with the rise in cybercrime. They're trying to hire technical cyber people, but there's a critical shortage of them. If you look at the numbers right now, there's 3 million open jobs in cybersecurity worldwide. That's a big number already. I don't know any other industries that have that many open jobs. Maybe there are, I just don't know of it. It's a big number now, but it's growing quickly. In two years, that number will be 3.5 million open cybersecurity jobs. There really is a critical cyber talent shortage.

Karen Roby: What type of skills do cybersecurity experts need to possess? 

Mark Davis: In our boot camp, the basic premise is that you go from beginner level with no previous technical experience or capabilities to a well-rounded security analyst with 750 hours of immersive, hands-on training. There's no specific skills that you need. You do need to like solving puzzles, right? That's a kind of a piece of this. You need to be able to think through math brain teasers. If you can do those sorts of things, then that lends itself to success in this field. But it really does just come down to putting the hours in and learning the skills so that you're hireable as a security practitioner.

Karen Roby: Tell us more about the hands-on program that allows people to try and hack into NYC.

Mark Davis: There's a couple things there. In terms of the curriculum, we're teaching what we call, "red team and blue team": Offense and defense. Offense is ethical hacking, essentially, and defense is how to defend against the attacks. Now if you look at the numbers, about 85% of the jobs are on the blue team, which makes sense, defending systems, defending country, defending companies. But the reason we teach red team is because it's developing something called the security mindset, which is if you know how to attack, you'll be a better defender. We're teaching our students how to attack on all sorts of different platforms with different tools and different processes. One of the areas that we as a city here in New York City need to protect is what we call, industrial control systems, ICSes. These are the little tiny computers. They're called PLCs, programmable logic controllers that power a lot of industrial controls, so nuclear power plants, the power grid, water supply, those sorts of things.

Those systems are vulnerable to attack, so New York City needs to protect those systems. What we've done is we've built something for our students to use. We call it Hack NYC, which is basically ... it's like a tabletop model of New York City with lots of flashing lights and activity going on. You, as a student, try and hack into different things. So you'll see a train going around, Hack NYC, and we'll try to hack into the train. You'll try to hack into a public Wi-Fi hotspot. You'll try to steal data off of a Wi-Fi hotspot. You'll try to shut off the power grid. We describe it as a kinetic hacking platform that students can use to learn how these attacks happen, how the bad guys do these attacks so that we can better defend against them.

Karen Roby: Expand on that idea of NYC becoming the Silicon Valley of cybersecurity.

Mark Davis: It really comes down to, we need more white hats. In industry jargon, we don't say good guys and bad guys. We say say white hats and black hats. I think the truth is, the black hats are winning, and we need more white hats. For us, at Fullstack Cyber Bootcamp and working with New York City, there's really four things we need to do. First of all, we need to drive awareness. Like this conversation here, we need to let people know what's going on and what the vulnerabilities are. Based on that, we need to inspire them to say, "Oh. Hey, maybe I want to help. I want to get on the battlefield," for lack of a better word, "I want to be a white hat."

Once they've made that decision, then they need to do the training, and there are different types of ways to do the training. You can do a four-year undergrad degree, you can do a two-year master's degree, or you could go to a boot camp, like Fullstack Cyber Bootcamp. Then you need to get hired by a local employer, whether that's government or industry. But those are sort of the main steps in terms of going from beginner to hired security practitioner.


TechRepublic's Karen Roby talks with Mark Davis, the managing Director of Fullstack Cyber Bootcamp in New York City, about the supply and demand of cybersecurity experts.

Also see