EPISODE 55
How to graduate skilled cybersecurity analysts in only six months

EP 55: How to graduate skilled cybersecurity analysts in only six months

Our bi-weekly Inflection Point bulletin will help you keep up with the fast-paced evolution of cyber risk management.

Sign Up Now!

About this episode

June 9, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss how the Prelude Institute is helping to make up the shortfall in qualified cybersecurity professionals with our guest, Ted Ipsen.

Tags:

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity council is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So, Kip, what are we going to talk about today?

Kip Boyle: Okay, Jake, in the midst of COVID-19, we are recording as the lockdowns continue to rain upon planet earth, yesterday, the nation of India went on three-week lockdown. And I feel like I'm living in a science fiction movie, but in the midst of all this, we're going to talk about something that's incredibly relevant, a new kind of training organization that provides its students with immediately marketable cybersecurity skills. And we're going to learn all about this new school with the help of our guest Ted Ipsen, he's the vice president of curriculum.

Jake Bernstein: Ted, welcome to the podcast.

Ted Ipsen: Hey, thanks a lot, Jake. Appreciate it.

Jake Bernstein: Yeah, its good to have you. Your school is called The Prelude Institute. Can you tell us a little bit about your mission and maybe the story behind that name?

Ted Ipsen: Sure. The Prelude Institute, we're really focused on raising the economic floor and the earning potential of non-traditional learners. And we can talk a little more about what that means in a bit, and workers who've been largely left behind by the digital economy. We run an intensive training course, that's full time. And by that, I mean it's 40 hours a week for six months. So it comprises over a thousand hours of training and the course gives these workers immediately marketable cyber security skills, and then we actively work with the students and potential hiring managers at industry companies to place them into positions in security.

Kip Boyle: Okay. Ted, there's so much going on in what you said. There's so much to unpack and I think that's kind of what we're going to do in the rest of this episode. And what I think is amazing here is, you didn't just think this up the other day. You didn't just say, ''Oh, COVID-19 is going to put a lot of people out of work, so I better spin up some kind of a school to help them.'' So I just think it's prescient for you and your team to have done this. But the first thing that I want to point out to our audience, our audience of cyber risk managers, many of whom are hiring managers or work directly for the chief information security officer or somebody who's concerned about having a great team, is that Ted is focused on giving his students practical cybersecurity skills, not bachelor's degrees or master's degrees, not certifications. So Ted, what can your graduates do right away?

Ted Ipsen: We spent a lot of time ensuring as we built the curriculum. First of all, we wanted to make sure that it wasn't a purely academic curriculum. So we built out what we thought made sense. As a starting reference point, we looked at this nice curriculum and some other things like that, modified it a little bit, and then shopped it around to large organizations in various industries and basically asked the question, ''Hey, does this curriculum tick the right boxes for entry-level security practitioners that you would want to bring onto your team?'' So based on that sort of feedback, we modified it a little bit, tweaked it here and there. And so we spent a lot of time making sure that our students get a solid understanding of really the technical principles of how systems and software and networks actually function, and how they're actually attacked.

So we built our curriculum around the skills that are really necessary to step into a SOC analyst or an IRA analyst kind of role at the end of the course. And our students do things like perform threat modeling throughout the course, they learn how networking actually functions. They spend a lot of time in a simulated SOC where they use common tools like Wireshark, TCP dumped and so on to analyze traffic, identify anomalous communication patterns and analyzing log data, to look for clues or indicators of compromise. They learn how to ingest large data sets into Splunk, they automate tasks with bash scripting, and we're not focused on turning out actual penetration testers, but we do expose them to tools like burp suite and let them try real world attacks like Cross-site scripting, SQL injection and so on, so that they can really understand and really recognize OWASP Top 10 types of issues in real world web apps. And then we also expose them to tools like Nmap, OpenBAS, Metasploit, and so on, again, so that they can really understand the underlying technologies and recognize how those tools might be used by attackers.

Kip Boyle: I want to go to this school. Ted, let me in.

Ted Ipsen: Now this is great. This is fantastic.

Jake Bernstein: I may have had the same thought.

Kip Boyle: Yes, we shall audit your class, Ted.

Jake Bernstein: So Ted, it's interesting to me, you're focused on what you said is non-traditional learners and workers who've been largely left behind by the digital economy. At the same time, everything you just said is highly digital high. It's the bash scripting is quintessential, nerd teritorio and computer science background. So tell us more, who are these people and how are you working with them?

Ted Ipsen: One of the things that really struck us is that, all of us who've worked in security for any length of time, we all know folks who don't come from a formal engineering background who don't come with a CS degree, that kind of thing, but who are really good at security by virtue of the way they just kind of approach the world or mentally decompose complex systems. So in our first cohort, we had a number of students from backgrounds in retail, in day labor, sheet metal fabrication, food service, bartending, we had a guy who was an airport shuttle driver. We had an underwater welder, we had several veterans. And again, to give you a notion of how we really want to help these folks, there were a number of folks who we actually had to help find stable housing, and it became really clear to us that many times, what prevents people from completing education doesn't have anything to do really with the rigor of the course, but dealing with sort of day-to-day life struggles, if they're already in an unstable situation.

Kip Boyle: So if I'm a hiring manager and I'm considering prelude Institute graduates, I think my first reaction is going to be a mixed one about the fact that these folks may have needed some help finding stable housing. It just sort of strikes me as gosh, will they be able to show up on time to the job every single day? Have they stabilized and gosh, maybe they're addicts or recovering from something? So on the one hand, I'm thinking, wow, that's kind of strange, it's not my normal. But on the other hand, I'm thinking, what a service? Like, this is fantastic for our society, our community, that you've not just have the ability to teach people how to do something that's marketable and it's going to help everybody help our economy, but that you're actually solving a real social issue at the same time. So your training model has some very distinctive features and you're deliberately not recruiting people with college degrees and you don't expect your students to get one. Why is that?

Ted Ipsen: Well, we operate on a couple of foundational principles or theses that we hold. The first one is that the current model of higher education as it exists in the US today is largely the opposite or the inversion of what its original purpose was. so the original driver for higher education in the US, it was meant to be a step ladder for folks to enter the middle class really. But today, if you look at the numbers, you've got over 20 million folks in the US who are enrolled in higher education, and on average, about half of those folks are not going to graduate, but they're going to nevertheless bring huge amounts of student debt loan with them for the rest of their lives. There's about 30 million or more Americans who have some college, but didn't actually get their credentials and they're saddled with debt.

Kip Boyle: So they couldn't get the job that would have helped them bear the burden of that debt. Is that right?

Ted Ipsen: Correct. And then those who do graduate, now they take on average about six and a half years to actually graduate. So they come out of school with even more crippling debt. When you look at that, the cost of that extended period of study. And so we believe that really, because of those kinds of factors, the current higher educational system is in many ways, a really powerful accelerant of inequality in the US. So we are focused on finding a better way to offer training and education that isn't focused on debt, but is focused on really concrete outcomes that help to serve the labor market, that is the employers, the students who go through the program, and local governments, because you're taking folks who are now going from economic floor of maybe $15,000 a year, and they're now taxpayers making $65,000 a year or more.

Kip Boyle: So what was the impetus for you to include local government as a strong stakeholder in the outcomes that you're delivering? That's unusual.

Ted Ipsen: Well, it's part of our overall philosophy that there's also a social work element to this Institute. And so, working with vulnerable communities as well, and working with economic development councils and so on, so that we can effectively... It's like a fault force multiplier trying to create in that, where we also work very closely with the various grants and so on to try to drive the overall cost of the program as low as possible for the students. We can talk about the sort of economic model later if you'd like.

Kip Boyle: Oh, definitely.

Jake Bernstein: So this is really interesting to me, Ted. One of the things I have I've noticed, and I wanted to go back a little bit to what you mentioned earlier, which is that people can be very good at security based on the way they think. And I think that is a really important point to explore, not just for the purposes of the Prelude Institute, but also our listeners who are going to have all sorts of people in their departments, and they might want to be able to locate and at least recognize people who may end up being very good at security, even if they're coming from a non-traditional path. So can you speak a little bit more about that, and what do you think makes a successful security professional, who does not have a traditional background at all?

Ted Ipsen: The first part of the process for folks who want to apply applied to the Prelude Institute is they go through a fairly short online assessment, sort of bringing teasery kind of things that are very carefully designed to elicit certain kinds of innate talents and innate proclivities, and really try to get how a particular person looks at things. So we worked a long time on doing things like taking brain teasers that would traditionally be mathematical in nature, and they are mathematical in nature, but they're sort of disguised as something else. And so we developed a number of questions like this that get at the ability to do abstract thinking, the ability to think laterally, the ability to look at what the rules for the puzzle say, and then intuit what they don't say. And then thinking about how to get around the rules as written and so on.

Kip Boyle: Would you call this an aptitude test, Ted?

Ted Ipsen: We just call it our online assessment. So to give you an idea, we want to make sure that we're selecting for folks who are likely to be successful in the field, and so we're not in the business of simply taking people's tuition, if we don't think we can actually help them enter the security field. So in cohort one, our acceptance rate was about 6%.

Kip Boyle: Wow. How many people did you accept numerically? Like how many students did you have?

Ted Ipsen: So our first cohort was only 30 students.

Kip Boyle: Still, at 6%, you ended up with 30, you had to screen a lot of people.

Ted Ipsen: We did. It's a fascinating thing, really to go through these things and we're pretty data-driven. So we slice and dice the data quite a bit in different ways. It's fascinating to see patterns emerge in terms of what seems to resonate, what certain people who were ultimately successful. And I think ultimately we will have a really interesting set of data over years.

Kip Boyle: Oh, I know you can wheel the spreadsheet, Ted.

Ted Ipsen: Yeah.

Jake Bernstein: I'm curious, with a 30-person cohort, you also mentioned earlier that you see the relationship between student and school as being much different than your typical higher education experience. Can you please tell us about how you do it and what that looks like?

Ted Ipsen: Sure. As I mentioned, the course is six months long. We really view that not as a six month bootcamp or anything like that. We view that as being the first six months in a 20 to 30-year relationship with that student. We ultimately want to provide that student with an ongoing supportive relationship that enables them to continue to be socially upward mobile, through a lifelong membership with us, and our ability to help them navigate this new world of work for them.

We believe that the model for the future is not that we go to school at one point in our lives and then go to work until we die. But instead, we believe that students are going to have to come back to have very focused training, every few years for a very short period of time, a couple of months long, or certainly less than a year, and focus that training to re-skill or to upskill to keep pace with rapidly advancing careers or evolve in fields. So, the model is that after folks graduate and we help place them into a job, they have an opportunity to become members of this organization. It's really structured to be kind of like a call up, so that they have some real vested interest in helping continue to contribute to the Prelude Institute and helping us grow over time.

Jake Bernstein: That's really interesting. And I think that, what you're talking about in terms of career development and education, I think that is most people's realistic experience. I think just another kind of, I would say problem with the current higher education model is that it doesn't really reflect that, and it is so expensive and it can take so long that I really do things that we're seeing. We're going to see a shift in the way things are done like this. But I really liked this idea, and I'm curious. So you said you had 30 people in your cohort. I'm going to just steal Kip's question and ask, have they graduated? How are they doing? What was the before and after of the student of the profiles here?

Ted Ipsen: So, we graduated that first cohort right at Halloween last year. And the average income for that cohort was about $18,000 for the prior year. Actually, even that figure is skewed a little high by one student in particular who actually was making pretty decent money. So if we were to cut out that particular outlier, the average income of that cohort was closer to about $11,000. And we've placed those folks now in positions, in cyber, in things like MSSP. So their SOC analysts at MSSP is doing detection and response for that company's customers, we've placed folks in publicly traded biotech firms, as security practitioners there and in software firms and so on. And so, taking folks who were making 11,000 to 18,000 average to positions ranging from 65,000 to almost 100,000. So it's like 95,000 a year.

Jake Bernstein: That is life altering without doubt.

Kip Boyle: Yeah, it's stunning really to go from $11,000 a year of income or to be unemployed or unemployable, and now you're making... I'm reminded of gravity payments. Dan Praise, I think it was his name set a minimum wage of $70,000 a year for his team. Over the years, there have been sort of updates in the media about what has been the effect of that. And it's been really interesting to see that it looks like quality of life goes up quite a bit for his team members, particularly the ones that were not making very much before the $70,000 minimum wage.

I'm reminded of that because I grew up in a lower economic class. I remember when I graduated from college and I got my first middle-class type job, a lot of the daily anxieties just evaporated for me. I didn't have to worry about where my next meal was coming from, things like that. So, wow. This is really life altering work that you're doing here, Ted. What is the seed, where did this all come from? Was it the employers that you were listening to, and then you were trying to figure out how to with them, or was it more local government or, like what was the start of this?

Ted Ipsen: Really, what we did is we were looking at the various studies and depending on which study you want to believe. There's the shortage impending shortage of anywhere between two and four million cyber jobs in the next couple of years here in the US. So, I've always enjoyed doing training, I've done security training on a consulting kind of basis over the last couple of decades. So, it struck me that it was really a logical thing to try to help fill those positions.

But also then just looking at the huge inequality of access, really to the security space for folks who, again, thinking about folks who I have known throughout my career, who don't come from a traditional engineering kind of background, and yet are outstanding security practitioners, it's really struck us that there isn't a really untapped set of potential out there in the marketplace for us to take folks, find folks who have the native proclivities, native talents to be successful at this work. And even if they've never would have thought of technology as being something that they could do as a career, helping them down that path, and not doing it in a way where it's okay, we're just going to train you now, good luck getting a job, but really walking them through that entire process and continuing to give them long-term support.

Kip Boyle: Well, that's fantastic. And so if anybody in our audience is now saying, wow, I either want to hire some of these folks, or I just want to know more, or maybe they're saying, gosh, my sister-in-law or my niece or my nephew, or my cousin should really go to the Prelude Institute. Ted, where would you tell them to go and how could they find out more?

Ted Ipsen: Absolutely. There's a lot of information on our site, preludeinstitute.com. It's a long URL, but that's the way it is.

Kip Boyle: Tell me about it. Mine's not any better.

Ted Ipsen: And then folks can absolutely email me as well, ted@preludeinstitute.com.

Kip Boyle: That's great. Well, we're so glad you were our guest today. Do you have anything that you want to say before we wrap up the episode, Ted?

Ted Ipsen: No. I appreciate you taking the time to have me on as a guest. I'm really excited about the work we're doing. As you said, I do feel like we're truly changing people's lives and also bringing more diversity to our industry and so on. Again, thanks for having me on.

Jake Bernstein: It's our pleasure, Ted. Thank you very much for joining us today. And Kip, I guess that's the wrap.

Kip Boyle: Yeah. Let's go ahead and wrap it up. Today we learned about how the Prelude Institute is helping to make up for the shortfall in qualified cybersecurity professionals. And we did that with the help of our guest, Ted Ipsen, and we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that Cyber Risk Management is a team sport. So include your senior decision makers, legal department, HR, and IT for full effectiveness. So, if you want to manage cyber is the dynamic business risk, it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

Headshot of Kip BoyleYOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

  Newman DuWors LLP

Jake Bernstein, an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.