Cybersecurity is a team sport — and it’s recruiting all positions
Stephanie Travis has a knack for knowing the right time to play defense.
Now the director of the Virginia Tech Senior Military Colleges Cyber Institute, Travis remembers a time in the Air Force when she was called into base at 4 a.m. on a Saturday to deal with a potentially catastrophic cybersecurity vulnerability that she knew was a nonissue.
Despite the pressure of the situation, Travis kept her cool: “I was like, 'Hold the phone! This issue is very unlikely to affect us.'”
Travis and her team developed a strategic response to the crisis, but the morning’s events drove home the value of a holistic cybersecurity education that includes how to gauge risk – from barely noticeable to mission critical.
“Understanding context will help us know what to do when the panic is actually justified,” said Travis, who is also a Commonwealth Cyber Initiative Faculty Fellow. “The easiest, cheapest point of entry for hostile agents is through cyberattack, and we need a diverse cybersecurity community that can defend us on all fronts” — through policy, law, education, and risk management in government, banks, schools, and even Hollywood, according to Travis.
“Cybersecurity is a team sport,” Travis said. “I will say that all day.”
In 2022, there were 3.4 million open cybersecurity jobs worldwide, according to the International Information System Security Certification Consortium.
“The good news is that there are many different pathways to join the cybersecurity field,” said Hwajung Lee, a Commonwealth Cyber Initiative researcher in computing and information sciences at Radford University.
In fact, there are 52 distinct pathways, or cybersecurity work roles, according to the National Initiative for Cybersecurity Education. Job seekers will find positions such as legal advisor, crime investigator, and instructional curriculum developer alongside more well-known cybersecurity work roles such as malware analyst and chief information security officer.
Cybersecurity practice field
If cybersecurity is a team sport, where do the players practice? Not just anywhere, it turns out.
“You don't do this at home or on the school network for sure,” said David Raymond, a Commonwealth Cyber Initiative researcher. “It's the kind of exploration that you don't really want anywhere on the open internet.”
Students need a safe place to bungle, play, and explore when they first interact with malware or try their hand at defending a system. Virginia students have access to a unique resource that they can tap through an internet browser: the Virginia Cyber Range.
The range is the cyber equivalent of a clean room – an isolated infrastructure hosted on the cloud that supports networks of virtual machines.
After teachers open an account, they create their own virtual network environment or choose from a list of predefined setups. They build and share templates to support activities such as reverse engineering malware and penetration testing, which involve sniffing out the weaknesses in a system. This courseware repository includes hands-on labs that introduce students to areas such as digital forensics, cryptography, cyber intelligence, and ethical hacking.
The Virginia Cyber Range, directed by Raymond and operating within Virginia Tech’s Division of Information Technology, was created in 2016 to carry out Virginia’s cybersecurity education initiative by providing resources for high schools and colleges. This jump-started a pipeline of tech talent, experts qualified to fill tens of thousands of cybersecurity jobs across Virginia.
Since then, the number of open cybersecurity jobs in the commonwealth alone has leaped to almost 70,000. Funded by the commonwealth of Virginia and free to Virginia educators and students, the cyber range now supports 10,000 students a semester from more than 300 institutions.
Jay Mathis, who teaches cybersecurity and computer science at Blacksburg High School, uses the cyber range in his classes from day one each year.
“I back up everything I teach with a lab in the range,” Mathis said. “Students love it. Hands-on learning beats lectures any day.”
To get things rolling, Mathis plugs his students into a “man-in-the-middle” exercise where they can see just how easy it is to exploit Wi-Fi in a coffee shop or at the airport.
“I know when kids successfully run this because I see their heads pop up,” Mathis said. “They are shocked by how easy it is to crack a password.”
The students take off running from there, Mathis said, but the end goal depends on the individual.
“This is my fourth year teaching, and I’ve got kids who went on to study forensics, computer science, and criminology with a digital focus,” Mathis said. “A few of them have gotten internships with the crime lab in Roanoke and one is going into cyber law.”
Kristi Rice teaches cybersecurity courses at Spotsylvania High School in Spotsylvania County. Rice designed a pacing guide for educators teaching cybersecurity fundamentals via the cyber range.
“Several of my students knew they wanted to do something in cybersecurity as a career, but when we created certain labs, especially the ones in the ethical hacker course, they had lightbulb moments,” said Rice, who is also a K-12 pedagogical expert with Virginia Tech's GenCyber program. “That experience helped guide them to a specific degree area when enrolling in college.”
Competition breeds excellence
While students can establish a cybersecurity foundation in the classroom, practices become skills when you raise the stakes — and competitions can help.
Capture-the-flag cyber competitions gamify cybersecurity education. The most basic form of the game involves infiltrating a virtual computer system and claiming digital flags that designate specific points in the network. Capture-the-flag formats include jeopardy-style, where players steal flags from the game host, or attack-defense, where players capture flags from each other. These exercises cover security-related topics from host-based security and programming to hacking, network traffic analysis, and cryptography.
“The participants might be asked to decrypt a message or carry out digital reconnaissance,” Raymond said. “If it's done right, students have to teach themselves something new in order to solve the challenge.”
Beyond capture the flag
But while capture-the-flag competitions can help students develop the expertise to pursue a cybersecurity career, the old-school motif of outthink, outwit, outhack is expanding to a include wider range of skills, according to Travis.
The National Security Agency's National Cyber Exercise is a bellwether for cybersecurity trends, and this training and competition program features activities that require teamwork, planning, communication, critical thinking, and decision-making, Travis said.
“We’re also seeing practical skills and experience becoming increasingly important for new hires,” Lee said.
Cybersecurity certification programs offered by vendors like Cisco and Microsoft allow students to familiarize themselves with specific information security software platforms. Vendor-neutral certifications are gaining popularity as a way to demonstrate broad compatibility and interchangeability of technologies, tools, and products.
Play the games, get the certifications, Travis said, but also “take it away from the keyboard and typity, typity, type — sit in lectures, talk to cybersecurity practitioners, join a cybersecurity club. Find opportunities that expand to more than just the offensive, technical side of things.”
There’s a position for everyone on the cybersecurity field, which is itself evolving to meet the exploding, dynamic need for well-rounded cybersecurity professionals.