Inept cybersecurity education and training feed into skills gap

Digital transformation is creating a wealth of STEM jobs faster than they can be filled by qualified professionals. Cybersecurity has been disproportionately affected by the workforce shortage, with an estimated 3.5 million open positions globally, according to Cybersecurity Ventures.

Among the strategies proposed to combat this issue include hiring people from diverse, nontraditional backgrounds and shifting the recruitment pipeline to reach students at a high school level or younger. Efforts to close the skills gap should also expand to incorporate updates to cybersecurity education and training practices, said Sam Grubb, author of the upcoming book, How Cybersecurity Really Works: A Hands-On Guide for Total Beginners, published by No Starch Press.

Now a cybersecurity consultant at Edafio Technology Partners, Grubb has a unique perspective on the industry's workforce issues. After spending time as a military historian, Grubb switched careers to become a cybersecurity instructor for the National Guard and then a high school teacher. It was there that he realized the need for a book like How Cybersecurity Really Works to make practical knowledge accessible to students and newcomers alike.

Here, Grubb elaborates on how to modernize cybersecurity education and training so individuals and organizations are better positioned to navigate today's complex threat landscape.

Editor's note: This transcript has been edited for length and clarity.

Click here to learn more
about How Cybersecurity
Really Works by Sam Grubb.

Why was it important for you to write this book for cybersecurity beginners?

Sam Grubb: When I was a high school teacher, I taught an introductory cybersecurity course. The first thing I tried to do was find a textbook for true beginners -- whether teenagers or adults trying to enter the industry. There were plenty of texts about internet privacy and safe browsing, but when it came to the cybersecurity knowledge to use in everyday life and in the field, there were few options that weren't super technical.

Cybersecurity attacks affect everyone. Especially since 2016, when we had widespread disinformation campaigns and election attacks, risks have become more ubiquitous. It's not just large organizations or the government at risk, it's individuals. Normal people who may not have a job in tech need to understand these issues so they can be safe and make informed choices about products, information and platforms.

You have a master's degree in military history, which is evident in how you covered ARPA and APTs in the book. How is this historical context helpful to understanding how cybersecurity works?

Grubb: Cybersecurity is like a game of cat and mouse. An attacker comes up with an exploit or attack and a security expert comes up with a mitigation. Then the attacker tries to counter that response. It goes back and forth in a never-ending cycle.

Everything in cybersecurity is built upon what came before it. The historical context helps us understand how cybersecurity works now, but also where it originated. It helps explain the evolution of attacks and the security problems of today, which don't happen in a vacuum.

As a former teacher, do you see any issues with how cybersecurity is taught that may contribute to the industry's talent gap?

Grubb: One of the issues is about what we deem appropriate to teach. A typical cybersecurity bachelor's or master's program focuses more on the academic topics, including architectures, principals and niche processes. Students may also study advanced material such as AI, machine learning and forensics. But you're not doing any of that when you get a job as a SOC analyst -- you're managing firewalls. That's why there should be more hands-on topics, such as firewall management and how to set up logging, recognize threats and use Linux systems.

I'm also an advocate of teaching nontechnical skills, including critical thinking, writing reports and communication -- which are not typically found in academic programs and there are not enough people in the security fields who are sharing their expertise as teachers.

Did you gain any new perspectives while writing or researching How Cybersecurity Really Works?

Grubb: Absolutely. I gained a new perspective on the importance of democratizing security while writing this book. We need to be able to make complex security topics understandable for the everyday user. For example, it's easy to say that all accounts should have multifactor authentication (MFA). But it's another thing to ask what can be done to ensure everyone understands what MFA is and has the access and ability to implement it. Not everyone has a smartphone. Implementing MFA on all accounts via text message code or using an app means people are left out. We have to think about how to develop solutions that are available to everyone and outside of traditional profit models.

What's the most important advice for people consider a career in this field?

Grubb: There are so many different paths within cybersecurity. If you are not a fan of pen testing and hacking, don't think that you don't belong in this field because that is just one small part. There are other areas including red team, blue team, cloud security, local security and even system administration and network administration to experience. The more you can experience in these paths, the better you will be overall -- you'll never be in a position where that knowledge is not relevant in some way.

What are the biggest security fears that you hear from organizations and are they proportionate to the threats in question?

Grubb: What we see every day in consulting work is someone entering their credentials into a phishing email, as opposed to headline attacks like SolarWinds or the Microsoft Exchange vulnerabilities. This user-caused threat is what we should be focused on. Prevention comes down to making sure users understand security and know what they need to do to keep themselves secure. Much of the conversation is about having all the tools in place to protect against common attacks, but you need a mixture of both technology and user training.

What would you say to organizations that are preoccupied with advanced, sophisticated threats and overlooking the security basics?

Grubb: For me, the conversation always starts with: 'Cybersecurity is boring and if it isn't boring, then you're doing it wrong.' For example, people on red team conduct pen tests, learn about exploits and publish different vulnerabilities. Blue teams do some vulnerability finding, but they're primarily focused on patch management, security awareness training and risk management. Comparatively, this can come across as boring, but blue team is securing your infrastructure, which is critical. Many organizations are too focused on the red team, so they're only finding what's broken and not how to fix it.

There's a new concept in infosec called purple team, which involves a combination of red team and blue team responsibilities. Purple team exists to find out what's broken and needs to happen to fix it beyond simply putting another security control in front of it. I think we're going to see more of this idea applied in the future.

In an excerpt of Chapter 6 available on SearchSecurity, you wrote about network attacks and how to prevent them. What is one of the biggest network security challenges enterprises face today?

Grubb: Shadow IT is a significant problem for network security. It takes place both in internal networks and expanded cloud infrastructure. Adding new services, devices and connections can result in sprawling, complicated infrastructures. It can be difficult to know exactly everything in the environment and ensure things are patched and track changes -- such as a device being added -- in an inventory list.

Sam Grubb

About the author

Sam Grubb is a cybersecurity consultant at Edafio Technology Partners, a managed service provider that works with a large variety of clients. He has six years of experience teaching cybersecurity to both adults and teenagers and holds several cybersecurity certifications, including CISSP.