Cyber Threat Competition helps train the next data guardians
The talent and skills gap in cyber security is among the largest in the IT workforce and security professionals remain among the most sought-after of all technologists.
The gap shows no sign of going away anytime soon, but efforts are being made to help reduce it and to introduce more college-age students to career opportunities and skills demands in the field.
One such effort is the Cyber Threat Competition sponsored annually by the Deloitte Foundation. To better understand what the competition is all about and what skills the participants are learning, Information Management spoke with Deborah Golden, Deloitte Cyber government and public sector leader and principal in Deloitte & Touche, LLP.
Information Management: Deloitte just completed its annual Deloitte Foundation Cyber Threat Competition. What is that competition all about?
Deborah Golden: This is an annual competition, designed by Deloitte Cyber Risk Services, and supported by the Deloitte Foundation, that exposes some of America's top students to the business and technology dimensions of cyber risk and inspires the next generation of talent interested in the type of challenges that companies from all industries encounter every day.
The first round was an online cyber competency quiz and the second was an online technical challenge. In both, students competed individually. Then, the top qualifying student competitors from each university were invited to Deloitte’s leadership center, Deloitte University in Westlake, Texas, to represent their schools as teams and compete in the final round — the Cyber Wargame event.
In this competition, the teams faced off during a two-day challenge that simulated a real corporate environment during a cyber-attack. Teams had to evaluate the information available and return a response plan recommendation to a fictitious team of corporate executives, made up of Deloitte cyber professionals.
IM: Who are the participants in the competition and what is the goal of their participation?
Golden: In its fifth year, the Cyber Threat Competition teamed with 15 prominent colleges and universities to engage students in the business challenge of cyber risk.
The competition is open only to students who are: matriculated as an undergraduate or masters student and actively enrolled in full time classes during the entirety of the competition period at one of the participating universities; and age 18 or older.
No matter what field that they intend to enter after college, cyber risk will likely be a part of their job going forward. By participating in the Deloitte Foundation Cyber Threat Competition, students can experience what considerations and challenges organizations face every day in protecting their brands and most critical assets from cyber threats and adversaries.
The first-place team received $2,000 in scholarship money per student, the second-place team received $1,000 per student and the third-place team received $500 in scholarship per student. In 2019, students from Purdue University placed second overall, and the university was a new entrant to the competition this year. Four undergraduate students from Terry College of Business at The University of Georgia finished third.
IM: What types of skills and attributes do participants have to bring to the competition in order to win or do well?
Golden: Each team has to apply logic, creativity, and problem-solving skills to real-world cyber challenges, and showcase presentation skills to a panel of Deloitte Cyber leaders.
In the first rounds, we test their technical cyber chops, but the final round is quite different from most cyber hackathon competitions, as we also test their business acumen. Real-world cyber incidents test even the most capable business leaders and impact an entire organization not merely their information technology environments. It’s important for students to experience how corporations today may be responding to such events, and to test the critical thinking, communication and problem-solving skills they will need as they head into the workforce.
IM: How does the competition fit in with Deloitte’s efforts to help grow the cyber security workforce?
Golden: We try to find compelling ways to bring relevant experience to students and expose them to real-world opportunities. In addition to the Cyber Threat Competition, Deloitte Cyber also runs a number of what we call “capture the flag” competitions.
A cyber capture the flag challenge is a competition that serves as a learning platform for students, professionals and anyone interested in cybersecurity. The competition is designed to help sharpen cybersecurity skills and provide hands-on learning and networking opportunities for participants.
Deloitte’s CTF is built on its own “Hackazon” portal, created by the Deloitte Netherlands firm. The Hackazon portal is a proprietary platform, developed within Deloitte, that is being used as a training and development tool for clients, industry organizations, as well as hosting STEM hackathon challenges for students from middle school through college age.
Deloitte builds a custom set of tasks based on the teams’ level, designed to help sharpen cybersecurity skills and provide hands-on learning and networking opportunities for participants. These are technical challenges such as unlocking QR codes, finding trap doors, and leveraging skills such as cryptology and coding.
Each challenge is worth a certain amount of points based on difficulty; and the winner will have the most points at the end of the challenge. As part of the teams’ strategies, teams can choose which challenges they will crack first during the daylong competition.
IM: What is your sense of the skills gap or talent gap currently in the cyber security field?
Golden: There’s a legitimate gap that is only growing. In our recent 2019 Future of Cyber survey report we cited that by 2021, there is an estimated 3.5 million unfilled cybersecurity positions worldwide.
The cybersecurity talent gap is growing, with the global shortage of information security workforce expected to exceed 1.8M roles by 2022. This scarcity of IT talent makes it more important than ever to attract, recruit, and retain cyber professionals. It’s also important to note that the cybersecurity workforce is no longer comprised of traditional IT professionals.
We must recognize that some roles in cyber require very specific and technically savvy skillsets, while other roles may require people to lead large technical workforces and organizations using strategic thinking and the capacity to communicate technical details to executives and governing Boards.
Organizations are struggling to keep up among their competition in attracting a broad set of cyber roles across their organization to enable their business and mitigate risk. As threats are increasing, the overall demand for cybersecurity talent and specialized skills continues to rise at an exponential rate. The reality of the skill and talent gap spans across every Cyber domain and competition among the talent pool is causing more pressure within some geographic regions due to market concentration.
To help shape the workforce of the future, we are taking a leadership position in defining technical and behavioral STEM and STEM adjacent competencies that can help rising talent succeed, and in collaborating with educational institutions and industry leaders, to help design and influence talent development pathways accordingly.
Deloitte will focus on helping move the needle for two groups in particular, providing opportunities for women and underrepresented minorities to enter into productive careers in STEM and STEM adjacent fields. In an ecosystem approach, Deloitte aims to transform, enrich, and elevate the base of diverse talent ready to fuel a high-performing, robust workforce of the future for our country, our communities, and our profession.
IM: What are some of Deloitte’s efforts to help grow the cyber security workforce?
Golden: Cyber has been and continues to be a leading growth market in both the public and private sectors. To contend with talent gaps, many cybersecurity organizations are capitalizing on the remote workplace, the gig economy, crowdsourcing, process robotics and automation, and alternative career and new talent models to tap into a truly global talent pool.
We are utilizing these methods within Deloitte as we explore the cyber workforce of the future and helping our clients implement them where appropriate for their business models. Leveraging just one of them can provide access to a much broader spectrum of talent than your traditional workforce.
The cybersecurity workforce is cross-functional, cross-geographical, and cutting-edge. But beyond your cyber workforce, you should build a cybersecurity talent strategy specific to your organization and consider the entire workforce as your cybersecurity defenders. Flexibility in the workforce remains important and a growing array of digital platforms is making it easier for potential employers (and customers directly) to pull that talent together to perform specific tasks.
As far as students go, Deloitte’s goal is for students to have a better understanding of the technical, behavioral, and leadership abilities and experiences future employers may seek, how STEM education can help them develop those skills, and the range of work opportunities that can be open to them, particularly in professional services careers.
Given the shifting demographics, introducing diverse high school students to potential STEM careers and activating them to pursue those interests into STEM degrees can help increase the pool of future talent available to enter the field.
We believe we can play an important role in increasing the depth and breadth of the STEM talent base available to serve as our country’s labor force. With strong subject matter leadership in technology consulting and tax services, audit innovation, cyber risk and data analytics, and with our commitment to inclusion and making an impact that matters for our communities, Deloitte is well positioned to make an important contribution to fostering diverse STEM talent.
IM: How can organizations collectively address these gaps through external recruiting and internal training or retraining?
Golden: Organizations need to expand their recruiting pipeline and develop innovative strategies to recruit and retain high-performing talent, including underrepresented groups in the field such as women and minorities, and seek to create opportunities to mold future generations of IT / Cyber staff.
Establishing a talent ecosystem – such as creating synergies with universities for new talent, developing women and minority leadership and mentorship programs, and identifying non-traditional incentives (e.g. student loan repayment, certifications etc.) are just some ways that organizations can reach untapped talent to meet cybersecurity resourcing needs.
Once you get that talent in the door, it’s becoming increasingly important to provide access to top-tier training to equip your employees with the technical knowledge required to be successful in their role and to keep these employees energized and engaged on a day-to-day basis to incentive them to stay within their current job.
A recent study found that 90 percent of workers say they need to update their skills at least yearly to work effectively in today’s digital environment, but just 20 percent of business leaders are developing their people through experiential learning. Innovative learning and development should be promoted from the top to keep employee’s skills consistently refreshed.
IM: What actions should organizations be taking to help attract new workers into the cyber security field, and encourage school-age children to consider jobs in the field?
Golden: The cybersecurity workforce is cross-functional, cross-geographical, and cutting-edge, and organizations need to target new groups to attract fresh talent to the field. Expanding recruitment activities to target women, minorities, veterans, and non-traditional talent models such as part-time “gig economy” workers, contractors, and remote workers will help organizations tap into a broader talent pool. Public Service is also a catalyst for many considering cyber roles throughout various agencies and branches in the Federal Government and Military.
It is also important that cybersecurity be incorporated into the new frontier of career paths for school-age children. Adding cyber-specific curriculum to K-12 computer science programs and university offerings will increase students’ knowledge and awareness of careers in the cybersecurity field.
We also need to reimagine the cybersecurity education experience for employees as a method to continue education in the workplace and integrate cybersecurity awareness into organizational culture. Cyber awareness and savvy is not just for organizations, it also impacts personal lives too.
Deloitte aims to provide curated portfolios of programs to facilitate the development of key competencies in these areas such as tech savviness, digital fluency, data visualization, logical structuring, etc. We plan to do this by:
- Providing practice with and exposure to real-world uses of these capabilities through experiential learning and project based curricula.
- Amplifying STEM educational approaches and experiences that are both infused with the more technical aspects of science, technology, engineering and math, but that also enable students to become well-versed in critical thinking, innovative problem solving, etc.
- Helping students develop employability and leadership skills like communication, collaboration, etc. that are born out of studying STEM disciplines in this way.
IM: What help can organizations get from hardware and software tools that will make the job of cyber security defense easier?
Golden: Before we consider what hardware and software tools make the lives of cyber practitioners easier, we need to consider how disruptors are impacting how the digital landscape has transformed technology everywhere – from smartphones and digital assistants to smart cars and cities – to a tsunami of data generated, processed, and stored more than ever before. Even with an abundance of talent in the cyber workforce, we would not be able to consume and process all of the information.
This has required a shift in how we look at technology and has resulted in a steady rise and significant advancement in artificial intelligence (AI), cognitive computing (CC) and robotics process automation (RPA). These technology enablers provide automation and intelligence advancements and will help automate activities for practitioners to review aggregate data outputs to make decisions vs. combing through sets of data independently to make assumptions and decisions.
When you harness the power of AI, CC, and RPA with your existing and evolving toolkit, you free up time for people to perform impactful work that cannot be automated and creating opportunity to elevate your workforce. Some of this regained time will enable you to leverage capabilities within your existing hardware and software platforms to increase your return on investments before you explore new and emerging technologies.