Survey Says – An Analysis of Survey No. 1

Thanks to all who participated in the survey I asked you to take about the activities we should be focusing on under the apprenticeship grant. Of interest were many of the responses about industry-recognized certifications. As of April 15, 2017, we had 40 individuals participating in the survey, reflecting close to a ten percent (10%) return rate (412 survey requests sent). Limited research indicates that is an acceptable return rate. However, we are always willing to get more feedback from the cybersecurity community, so the opportunity to submit a survey will remain open for more input. You can click HERE to take the survey.

Survey questions generally focused on:

  • Awareness of existing IT and cybersecurity certifications.
  • The value of certifications for a person filling a junior IT/cybersecurity role.
  • Familiarity with cybersecurity tools/products for a person filling a junior IT/cybersecurity role.

You can view the survey results for those three (3) questions by clicking Survey No. 1 – Response to Questions.

The final question in the series was open-ended, asking for feedback to program leadership about what can be done to make the project a success. That question, along with the responses received, is provided below. Please provide us with feedback through the comment box provided below.

Please provide us feedback with regard to what you think we should be doing to make this project a success. Of particular help would be what you think we can do to encourage the placement of students participating as apprentices into employment slots so they can meet the “learn and earn” aspect of the Program. Funding for this program includes providing employer incentives that help offset costs associated with hiring an apprentice and are designed to help ensure that the apprentice, while certainly not free labor, is providing services that are well worth the cost an employer is having to pay.

——————————–

An apprentice should understand core security tenets (CIA triad, information asset valuation, risk identification and treatment, defense in depth, etc.). He/she would likely start by reviewing firewall / IDS configurations and comparing them against hardening standards, then work up through the testing environment to production as skills progress. Hope that helps.

——————————–

I would suggest the program develop the soft skills required to be effective in business. The ability to communicate is essential.

——————————–

First of all, I think that a prerequisite for entry should apply. If a person can prove that they have a baseline set of knowledge in IT principles (how basic hardware and software works) then they should be able to join the program; if not, then they need to sit for their A+ exam or a similar course. I think the program should focus on staffing government organizations, hospitals and other HIPAA-governed firms, and lastly SMBs who don’t normally have the budget to hire staff.

——————————–

Great program, let me know if I can help in any way.

——————————–

We need people that understand the concepts, tools and attributes of Security that know how to bridge their academic learning into practical use. This is an art and most educational programs seem to be missing the skill of critical thinking.

——————————–

Partnership is the key. Lots of businesses are looking for cyber security professionals, and providing a means to line up quality candidates to learn in a corporate environment will help with placement.

——————————–

One thing that I commonly see among “security professionals” is that many of them are great at understanding the concepts of security and using tools, but few understand how those tools work. Real attackers that are skilled beyond the use of script kiddie tools can outplay an analyst team that simply relies on the use of tools. I am a firm believer in understanding computer and network architecture; memory, software, and operating system management; and SDLC, software best practices, and the ability to write scripts on the go for security testing, scanning, attacking, and defending (Python, Bash, PowerShell).

——————————–

I think that the best way to sell this to employers is to have your students focus on the practical techniques and exams. I generally disagree with the emphasis placed on the CEH, Sec+, CISSP, etc., however I understand that industry requires them in order to offset the lack of experience of new entrants into the market. I would take a candidate more seriously that has the OSCP, CCNA, or MCSA certifications. Feel free to contact me for a more in-depth discussion.

——————————–

I’m a strong believer in apprenticeship programs and would like to Thank You for recognizing this! Suggestion: Employers develop strong Workforce Planning Maturity Levels. This offers employers a baseline maturity level to identify employees to invest in their education.

——————————–

It is very important to know the ins and outs of your systems and to know specifically the whole attacking styles, including the remediation process. Is not a person who is to decide but your dedication because either you or your skills will do more encourage to make sure you willingness. Not only is learning how to use the tools very important, but also your desire to be able to learn deeply about cyber security.

——————————–

I suggest that the Apprenticeship program give incentives such as additional points or even require an in-person session contact between the apprentice and the College’s mentors to check on the Apprentice’s learning development. Events such as a regular Study session to prepare/study for a Security Certification, i.e. for Network+, Security+, Cisco CCNA ICND1, ICND2, the College’s CyberSecurity Events such as NDG CyberPatriot competition and training at High School, College sites to reinforce what they are learning in Class and on the job.

——————————–

As an industry professional I think having to provide incentives for this is nuts. If companies want to have security professionals they MUST pivot from the position of expecting/requiring experience to providing on the job training at their own cost. This is not a question of ‘being neighborly’ it’s a question of survival. Any business of reasonable size that doesn’t invest in training new graduate security staff for senior positions is signing itself up for pain.

——————————–

Tons of opportunity here!

——————————–

Most industry professionals do not view any + certificate with any level of credibility. Students who have these rely on them much too much and hiring managers do not generally favor certificates beyond the CCNA and CEH.

——————————–

Screen and prepare students for oral and written communication prior to apprenticeship.

——————————–

Professional networking is a good thing, like you are doing with this survey. Perhaps joining or affiliating with already established professional associations.

——————————–

I feel there is a need for a cultural change that needs to take place in the workforce. The posture of many companies has been that workers need to be experienced before hire. With the current employment gap and at the rate it is growing, employers will need to be made aware that in-house training “grow your own” will most likely need to take place.

——————————–

Also should include relevant training and exposure to application security, risk management and different industry security frameworks.

——————————–

I have been working successfully with several organizations to place students/interns in their programs. These students are serving as Tier 1 analysts for a SOC. We are achieving this using AI that provides prioritization of hosts along with guidance on the attack lifecycle and how the local network works. The thought is the Tier 1 analyst takes the brunt of the load of events/alerts and filters those down to the more expensive tier 2/3 staff. In this method, the students are learning on the front line. It would not work if the tool being used is not intelligent enough to guide the student in the investigation/triage.

——————————–

For people going straight from college to security roles, it’s important that they have the proper general background, but it’s imperative that they can hit the ground running in some of the security operations or testing disciplines. They compete with people that have been in IT/tech for years and have typically started in systems, networking, or app dev, which gives them a wide base to learn security from. A person fresh out of college doesn’t have this, so being able to jump straight into an ops role with solid SIEM skills for instance is what would make them both an attractive hire and/or internship.

——————————–

Security industry is moving away from “what is the risk”, to “how to protect against the risk.” There has been strong education and awareness on what are the cybersecurity risks out there, that employers are looking for people that have system administration, network administration, and general technical background, to help them secure the IT environment.

——————————–

For the program to be a success, it will have to show results (based on a metric). Therefore – selection of students has to be properly done. This is a skill that’ll be developed over a long period by students this almost on a FULL TIME basis. So for those that the certification is something different than their daily tasking, it may be a waste of resources – Projects will have to be in-line with desired results. – Mentoring is essential

——————————–

Look for companies that provide internships and partner with them. Also, providing background clearance prior to applying for an internship is an advantage.

——————————–

It is important to understand that as long as there is enterprise and they are public and on the internet, there are unscrupulous entities willing to make a quick $. We need to educate future students to the importance of protecting their internal and external assets and mostly their communication methods with the outside world.

——————————–

Encourage the students to realize they will have an easier time finding a job if they have IT security job experience combined with industry recognized certifications.

——————————–

Well some companies just want to be in the media so perhaps they can sponsor the program. If a security company offers to teach the students how to use the tools themselves, it is marketing for them and teaches the student a new tool. Once the students get introduced to the tool they could interview for internships with that company so they can become experts at the security tool/application that the company created/sells/uses.

——————————–

Get the new certification industry recognized as useful. Employers will not ask for this new certificate unless it can be demonstrated as a useful intro cert for junior IT security hires. Also, a lot of what a junior IT security analyst might be expected to do is go through log data that no one else is really looking at and try to find evidence of breaches that no one else has detected. If you can train junior staff to be very good at this, the employers are going to be very grateful that someone new was able to come in and find things that no one else has.

——————————–

Pay for the training. Employers will be losing money to bring an intern on board already.

——————————–

Foundational courses: Security governance, Security policy tied to regulations, Identity and access management

——————————–

High level IT Security Governance, Risk, compliance.

——————————–

Providing hands-on experience using security tools and applying the knowledge in meaningful, actionable ways is critical. Ensuring understanding of security concepts and principles disassociated from vendor-specific platforms and technologies is key. Job shadowing would be valuable. Knowing the cyber kill and the anatomy of attack is fundamental. Possibly some workshops taught by security experts in the field willing to do mentoring on a Saturday morning? This could augment other learning efforts in place and build skills ahead of testing for a certification as you have listed above. The worst part about certifications are those that have no experience behind them. Many people are book learning for the exam and that’s the biggest issue with CompTIA (and all of them, frankly).

Welcome to the Coastline Cybersecurity Apprenticeship Program Blog Site

Welcome to this blog site. Its goal is to provide updates relative to the program’s activities and efforts. The grant that supports this program was awarded in December 2016 to the Coastline Community College District. The Board of Governors of the California Community Colleges approved the award in January 2017.

On January 17th and February 9th, the project leadership held informational sessions for potential apprentice applicants. On April 7th the Program’s website went live, giving potential applicants access to the online application.

The application period for the first cohort is set to end April 30, 2017. That cohort is scheduled to begin on June 5, 2017. Two additional cohorts are tentatively set to begin in September 2017 and January 2018. The application closing date for those cohorts has not been set.