Preface: If you are already thinking, “Finally! Someone has the answers to all our cybersecurity education woes!” you might as well stop reading now. I’m basically just here to complain about the state of things from the perspective of someone who, while admittedly being fairly new to the field, has a good deal of experience in a variety of educational subjects and modalities. I don’t necessarily have solutions… yet. But what I do have are some observations that might, handled properly, eventually lead me somewhere interesting. Maybe.

Can of Worms, Meet Can Opener

Q. What is the Purpose of Education?

I know what you’re thinking. “Easy answer. The purpose of education is to make people smarter, right?” In one sense, I suppose that isn’t far off. But the answer really depends on whether we’re talking about the purported purpose of education or education as it actually works out in reality. If my decades of experience in teaching technology, language, and martial arts have taught me anything, it’s that education in the Real World™ certainly appears to manifest significantly differently from what it could be in my Androgogical Utopia.

Reality: Education in the Real World™ (as I see it) is largely a means to, as efficiently as possible, train mass quantities of people to complete specific, prescribed tasks in specific, prescribed ways to eventually make them useful enough that someone else might be willing to pay them to complete specific, prescribed tasks in specific, prescribed ways. Minimum effort is exerted to eschew cramming vastly different people into the same box. In this model, already-overworked teachers can be somewhat freed from having to be excessively creative or spending copious amounts of time (which they don’t really have) getting to know students deeply, identifying their learning styles, discerning their individual needs, and shaping their methods and activities to suit their students.

Androgogical Utopia: Education is a means for building a holistic human being who is capable of creative thought and problem solving, eventually leading to autodidacticism.

The State of Cybersecurity Education

Q. What is the Purpose of Education in Cybersecurity?

From what I’ve been able to ascertain from my meager 3 intensive courses and 2 certifications, the purpose of education/training in cybersecurity would seem to be for the student to quickly cram a metric shit-ton of technical information into his or her brain for the express purpose of passing a certification exam and getting the paper. This, alas, isn’t that dissimilar from higher education in the United States right now. So, I guess if your goal is to get the paper to get the job, you can worry about figuring out how to do the thing after you get the thing. After all, if it works, it works, right?

If you’ve attended a [insert famous cybersecurity training company here] course at some point in your cybersecurity career, you might think the purpose of such training is to turn the fire hose up as high as possible and hope that 0) it doesn’t blast your head completely off and 1) some of that water actually gets into your think-meat in some usable and—hopefully—later-retrievable form. (If it also quenches your soul in some meaningful way, so much the better.) Once said course is over, one takes the associated certification test. Then, assuming one has vanquished one’s foe, one ascends the mountain, certification held aloft, bearing witness to all in the land one’s mastery over the subject.

So. Having completed said course, did you find yourself intellectually refreshed? Did you find yourself with a newfound foundational connection between existing and new knowledge in a way that usefully plugged you into the world? Were you able to suddenly make new connections and experience novel realizations, almost as if by voodoo? Were you suddenly technically competent and ready to jump into action to utilize your newly-gained knowledge in completely appropriate ways? Or did you just end up drenched, wiped out, mentally pudding’d, and even more clueless about what you had just survived? If you’re like me (Buddha help you), you probably identify more with the latter than the former.

In my experience having taken a few such courses, they strike me as more of a right of passage than suitable education. Chances are, if you can both pass the certification exam and apply the knowledge gained right afterward, you probably already had a decent grasp of the material in the first place and the training was either a refresher or completely unnecessary. These ordeals are something to be survived rather than what I’d call a useful educational experience. (And this is from a guy who learned to speak Russian in a year and Japanese fairly well in just a few months.)

The Cult of the Cert

Be honest: How many security certifications do you have? Two? Three? Fifteen? Too many? How many of them reflect the actual degree of serviceable mastery you have over the subject matter? In how many of those areas can you function competently? Did you just cram before the test and immediately do a brain vomit of the info afterward? Did that process actually do you any good educationally-speaking (beyond just allowing you to post the bragging rights on your LinkedIn profile)?

While I am still fairly new to cybersecurity as a profession (~ 2 years in as of this writing), my brain has been wired for security from a variety of angles from decades of martial arts training, military intelligence experience, obsessing over language and linguistics, and trying to solve puzzles since childhood. I have a decade in military intelligence collection, analysis, and reporting for various TLAs. I have a technical background, involving networking, web design, some programming, building computers, and a lifetime full of tinkering with gadgets and gizmos. I have an academic research background. I even spent years of my young life learning to create and break codes and ciphers. And yet, breaking into cybersecurity was harder for me than getting into the military and snatching one of those shiny TS-SCI security clearances. Why is this?

Spoiler Alert: I didn’t have certs.

Knowledge, Skills, and Abilities didn’t seem to matter at all to hiring managers. Fortunately, I was eventually able to speak to a friend of a friend who works as an infosec hiring manager. He came clean with me: He didn’t care whether an applicant had a BS, an MA, or 7 PhDs. He looked for cybersecurity certifications first. Then, assuming they had the desired certs, he’d use academic degrees to figure out how much he needed to pay the person. While I can understand this might make the hiring (rather, the tossing of excess resumes into the trash bin) process easier, to me, this seems somewhat backward and counterproductive developmentally-speaking.

What Could Cybersecurity Education Look Like?

Fruitful education needs to first build a solid foundation. From there, connections need to be made between things the student already knows and the next layer of things that the student doesn’t know. This can be accomplished by a student-centered educational technique known as scaffolding, which comprises a variety of strategies designed to bridge gaps in knowledge and set the foundation for further learning.

Another educational concept to be aware of is the Zone of Proximal Development (ZPD). Researched and developed in the early 20th century by the Soviet psychologist Lev Vygotsky, ZPD is a space wherein the student is capable of completing certain activities with the help of a mentor or teacher, but not quite capable enough to do it him or herself. Note that this teacher doesn’t not have to take the form of a more seasoned practitioner; it could come from a video or book. According to Vygotsky, the ZPD is:

“The distance between the actual development level as determined by independent problem solving and the level of potential development as determined through problem-solving under adult guidance or in collaboration with more capable peers.”

Vygotsky (1935)

In blacksmithing, iron has to be at just the right temperature for the blacksmith to forge and re-shape it; this is different from the temperatures required for other processes such as annealing and heat treating. If the fire is too hot, the student burns out. If the fire is not hot enough, they aren’t forge-able.

Reflecting on the Past

There’s really no sense in reinventing the wheel here, as education has been studied and written about in various cultures for centuries. While the last thing we want is to get mired in tradition for tradition’s sake, it might make sense to do so to get the wheel spinning. Let’s take a look at Shū-Ha-Ri, a rough educational model (of sorts) in used in Japanese (martial) arts and other scholarly pursuits. Note that this isn’t a how-to manual so much as a set of general categories through which a student passes through while on the path. Detailed andragogy will have to come later.

Shū means to copy, protect, or obey. In this stage, the student copies what the teacher presents to them as exactly as possible. The reason for copying is that the student doesn’t really know anything yet and a lattice of fundamental knowledge must first be built up before anything else can be stacked or slathered upon it. (Note: Even after moving out of this phase, the knowledge must be maintained as-is (i.e., protected) in order to be able to pass it on intact to future generations.) Think: Apprentice.

Ha means to tear or break. In this stage, as you might guess, students are invited to break apart the principles they learned in the shū stage for the purpose of digging deeply into how things work (and don’t work), which hopefully leads to a deeper understanding of the material. It can take years—decades, even—to reach this stage in a martial art, depending on how often one trains, natural proclivities and talents, the skill of one’s teacher, and other factors. Think: Journeyman.

Ri means distance. In this stage, the student can break away from the teacher and form his or her own understanding of how to do things and how to teach (if such a thing is desired). This stage generally implies a high degree of proficiency in the topic being studied and perhaps even a different understanding of and approach to explaining/teaching the subject matter than one’s own teacher. One is viewed as a legitimate expert practitioner in one’s own right. Think: Master.

Putting the Hart Before the Corse

One major mistake I sense in the cybersecurity world is that it is demanded of the aspirant to hack their way, so to speak, directly into the Ha (Journeyman) stage without ever having a concrete, structured, logical grounding in the Shū (Apprentice) phase. Doing so skips right past the notions of scaffolding and ZPD and jumps right into the metaphorical cyber meat grinder. This approach can lead to frustration, a poor overall understanding of fundamentals, gaping holes in one’s knowledge that can only be discovered piecemeal through years of trial and error, or even quitting altogether. While dealing with a certain amount of frustration is, itself, very useful in the developmental process, it shouldn’t swallow up the entire process.

I don’t see how this whole rigmarole can reliably create solid practitioners or benefit the discipline as a whole in the long run. Sure, it may seem all sexy and Bond-James-Bond-y to require aspirants to hack and chew their way into the field SAS-style, but where does that realistically leave us? Where does this leave the security of our data, banking, businesses, and national technological infrastructure? It leaves us with a global shortage of 3.5 million cybersecurity professionals by 2021 (that’s next year, BTW) — 300,000 of those in the U.S. alone. Do you like apples? Well, how do you like them apples? And I don’t even know if those numbers account for the surge of remote workers due to COVID-19, requiring even more security.

While this hack-your-way-in approach may make sense for some—and even be a source of bragging rights—I do think it can preclude a lot of potentially skillful cyber-practitioners from even getting a foot in the door in the first place. Some might argue that going through such a process builds the grit and skills that a hacker will need in the future when they run into the unknown. I’d argue that it’s just a terrible way to learn for people who aren’t already wired to learn in such a way. Note that I, in no way, think that doing this for the sheer fun and adventure of it is a negative thing. I just don’t think it should necessarily be a requirement.

In my dojo, we build students from the ground up. As their skill increases, so does the level of difficulty of the problems we present to them to learn to solve. This is in keeping with both the ideas of scaffolding and ZPD. If the problem is too easy, they might not struggle appropriately. If the problem is too difficult, they might get completely shut down and cease to learn.

First, we teach them how to stand with good alignment (which, alone, can be surprisingly difficult for many students). Then we teach them how to move properly (within this new dojo context) while maintaining that structure. Then we teach them how to keep that structure while moving properly with someone’s weight/force on their structure. Then we teach them—maintaining all of the above—to deal with someone attacking them in 形 [kata] form (a practice through which they work on techniques designed to impart principles into their bodies and teach a great number of lessons over the years). Finally (?), the student learns to break those techniques down while maintaining the proper structure, movement, and target/distance/timing/angles/lines they have learned thus far in their practice. This leads them to eventually delve into the practice we refer to as 乱取り [randori], taking form out of the midst of chaos. The student eventually doesn’t know what attack is coming, what technique they might use, or who will eventually end up on the floor. At some point, advanced students (4th degree black belt) might decide they want to learn how to teach, which opens up a whole new world of learning.

Can you imagine being thrown into the chaos of randori on your first night as a white belt? This is analogous to what I see in contemporary cybersecurity education. (And, frankly, a lot of dojo.)

Enter the Apprenticeship

In the Shū stage, one of the most important, fundamental phases, the apprentice is taken under the wing of the adept and, bit by bit, taught foundational skills while earning their keep by performing particular tasks. They learn not just the what and the how, but eventually also the why. As skill increases, so increases the complexity of the problems. The teacher might also test the apprentice from time to time to ascertain what they have learned, what they are still lacking, and what needs to come next. Ideally, the test occurs in small doses every day instead of taking the form of some huge, anxiety-inducing cumulative formal exam.

Of course, what areas of the field someone is interested in will determine what skills they will need to learn. If, for example, someone aspires to eventually join a red team, it goes without saying that they will need to learn how networks, web servers, smart phones, applications, protocols, etc., work. But someone who leans more toward Governance or Compliance will likely not need to know any of those things, at least not in the same depth; regulations and legislation might be more appropriate for them. But in either case, both will need to learn to embody a fundamental security mindset and logical approaches to accomplishing what will be required of them in the field.

Postmortem

Needless to say, this rambling essay from a once and former educator isn’t likely to change the world of cybersecurity training. Not overnight, anyway. Maybe not ever. Education for the sake of being able to say that your people have been, technically-speaking, “educated” is worse than pointless. It’s boring, counterproductive, and a waste of valuable time. If you’re a bottom-line sorta person, imagine it takes everyone in your company, each making an average salary of $70,000, an hour to complete some training package of questionable use that has been assigned as mandatory. You do the math.

There’s a lot more to discuss related to how to actually accomplish all of this stuff. Teaching philosophy and methodology, looking into education research (i.e., “does homework actually work?”), and the actual nuts and bolts. Perhaps those ideas will serve as fodder for future forays into… (sorry, I’ve run out of clean F-words that fit here). The problem with adopting something similar to what I’ve attempted to outline here is that it can take time, effort, and the willingness to take chances on people that might not pan out and invest in the future of the field.

Doing things the right way requires time and effort. It also takes serious self-reflection, the courage to admit that one might have been less-than-completely-right, and the willingness to change when we realize what we’ve been doing isn’t working as well as it could.