Application Security/Software Assurance
Education Level: Intermediate
4316 - Solving Cybersecurity Skills Shortage with Apprenticeships and Certifications
Monday, September 25
3:15 PM - 4:15 PM
90% of all security incidents result from exploits against defects in software. 20% of software defects result in cybersecurity vulnerabilities. 92% of vulnerabilities are in the application layer, not in networks (NIST). Data breaches exploit vulnerabilities in insecure software (NIST). Most developers lack sufficient security training. The (ISC)2 Global Information Security Workforce Study forecasts a shortfall of 1.5 million cybersecurity professionals by 2020. A high-priority national need exists to develop a workforce that is trained, mentored, assessed and credentialed with the needed competences in cybersecurity professions. The move towards competency-based higher education is an urgent necessity.
We describe a skills formation and workforce development model for secure software development that we believe is scalable to other critical cybersecurity occupations in government and industry. The model provides government and industry with the workforce to meet growing demands for software developers who are trained, credentialed, and capable of producing software that is secure from cyber-attacks. It utilizes a dual “learn and earn” apprenticeship program similar to proven successful vocational training models in Germany, Switzerland and other European countries. Dual here means that theoretical training in a vocational school is supplemented by relevant practical training and mentored experience at participating employers, with the apprentices receiving a salary as they gain work-related skills.
In 2013, concerned employers in Central Illinois organized a government-industry-academic collaborative effort to combine practice, theory, and work to train a globally competitive workforce for developing software that is secure from cyber-attacks. We leveraged the software assurance curriculum that was developed by CMU/SEI with funding from DHS and that included recommendations for adoption at the community college level. Other distinguishing features and benefits of the solution include:
• Incorporation of CMU/SEI training modules for software developer certification and competency assessment as part of on-the-job apprenticeship training curriculum.
• Aligned with the NIST Cybersecurity Workforce Framework as well as the NICE framework
• Recognized by DoL as a National Registered Apprenticeship standard for secure software development
• Practicum examination and preparation for standard industry certifications such as CSSLP to validate competency
• Employers directly involved in the education/training process
• Increased participation of under-represented populations such as minorities, women, and veterans in high wage software development careers through the apprenticeship pathway
• An economically feasible pathway for the apprentice to acquire in-demand skills with little or no debt
• Readily employable graduates for secure software development with no additional training
We launched the first apprentice cohort partnering with the community college in Peoria, Illinois in fall 2015. We have begun scaling up implementation statewide in Illinois and nationally.
Employers need to take immediate steps to solve the cybersecurity skills shortage. The first step is to define the competences for the cybersecurity occupations and ensure they are included in academic curricula. Partner with a local higher education institution such as a community college to implement the dual apprenticeship model for the cybersecurity occupation. Make sure that what is proposed is aligned with the NIST cybersecurity workforce development framework and the NICE framework. Incorporate industry standard certifications such as CSSLP to validate the competences acquired.
- Understand that apprenticeships are proven successful in solving skills shortages by providing theoretical training in a vocational school supplemented by relevant practical training and mentored experience at participating employers
- Learn from the experience of a successful secure software development apprenticeship initiative and the steps to take to scale up implementations for other critical cybersecurity professions
- Learn how to incorporate industry standard certifications such as CSSLP to validate the competences acquired