The cybersecurity education problem

And how Prelude plans to solve it

I have a degree in journalism. Not the fun television anchor type of journalism either, print journalism. A job that was obsolete a decade before I even enrolled in college.

Why I chose journalism is a story for another day, but what I learned can aid in understanding the education problem that exists, especially in technical careers.

After getting my degree, I went on a path through many technical jobs, bouncing between offensive security work and traditional software engineering (and sometimes both, simultaneously!). Through the process, I learned what skills are needed as a “boots on the ground” technical worker.

I got my foot in the door with my first technical job by first teaching myself a programming language (I chose Java) and then leveraging that self-taught knowledge in the real world. In my case, after learning the language I started a consulting company which specialized in autonomous SEO article writing, to help boost a company's search engine presence.

As I navigated through my career, I interfaced with many other people like me. Hyper-focused individuals with a passion for the security industry but no traditional education backing them.

The trend became more apparent the more years I had under my belt. I started to realize, many of the best technical people in the security industry had no education at all: their skill sets were honed through years of late nights pouring over a keyboard, reading messaging boards, Stack Overflow posts and trial-and-error building of tools.

What is being taught in college, traditional 4-year schools specifically, is irrelevant the moment you walk across the stage to pick up your degree. The learning process for computer science majors starts the day you enter the workforce, not before.

Because technology moves so fast, traditional education fails in many ways. This is what I recently started coining as the cybersecurity education problem.

The problem

Few other industries face an education problem like cybersecurity. With such a fast-paced environment, required skills change on an almost daily basis. Every year, some skills lose their importance entirely while new ones become essential to do the job correctly. Whether you are on offense or defense, continued education in cybersecurity is an incredibly difficult task.

The cybersecurity education problem has four parts:

  1. It is artificially difficult to enter the industry. Cybersecurity has arguably the fastest growing, most in-demand jobs of any industry. Yet the problem gets worse year-over-year. Many people believe the fallacy that you need savant-level math skills to work in the industry or be a “computer geek.” In reality, there is such diversity in jobs in the industry that most people could work in it. Jobs ranging from project management (people skills) to analysis (eye for detail) exist. Even basic data entry and user-experience research exist at different spectrum of this career path.

    Making security jobs more accessible to the average person is an education problem, and one that can be solved. By making it difficult to enter, we are closing off not only a lot of jobs, but excluding a lot of diversity of thoughts and backgrounds in the job place.

  2. Learning what to learn is the hardest part of the job. In most jobs, it is fairly easy to determine what to learn. Your continued education time is spent learning what you are required to know. In security, this is not evident, even to seasoned professionals. Because the job is all encompassing, you need to know the ins-and-outs of each computer language, database, browser, operating system, video chat application and more. You need to intuitively know these technologies because it is a near certainty you’ll run into them “in the wild” and you’ll be required to hack in or defend them.

    Because learning all of technology is too daunting, you must learn a subset of important parts. This filtering process of what is or is not important is the time-consuming aspect of cybersecurity learning. For example, is it more important to know how the GoLang computer language handles pointers or the multiple ways to conduct string formatting in Python? While writing this post, I literally just found out that Python 3 is deprecating the way I’ve been string formatting for years!

    What is the end result of this problem? Most people working on the technical side of the industry exit when their lives get busy (starting a family, personal duties, etc.) because it is just overwhelming to learn everything.

    This can and should be resolved.

  3. The majority of red (offense) and blue (defense) cybersecurity workers don’t know how to code. Of course, these professionals are not software engineers, so their day job doesn’t require it. But because of how close they work to “the metal” in and around code everyday, the lack of engineering best practice knowledge is crippling.

    This is problematic for two reasons.

    • The first is that, knowledge or not, security pros write applications for their day jobs. Often these apps are not built to scale and are riddled with bugs, creating a larger problem than the one their app was intended at solving. This can be seen clearly by looking at the open-source cybersecurity projects on GitHub. The majority of tools come and go quickly, as they face scaling or maintenance issues.

    • The second problem is that with a lack of code-reading / writing cyber professionals, there are few people who can weed out “security snake-oil salesmen.” As such, the industry is riddled with companies selling products aimed at improving security which are in actuality, just flashy products promising things that are either misleading or flat out technically impossible.

    By teaching those in security how to code, we can foster a community of strong, community-driven tools - and weed out those trying to make a buck by selling misleading technology.

  4. None of the existing education options in the industry satisfy the combination of being fast-moving and comprehensive. Traditional university degrees in cybersecurity are relatively new but are unfortunately modeled after the traditional curriculum of other programs. In a 4-year program, the content you learn your freshman year is either out of date - or completely unimportant by graduation day.

    On the flip side, certification programs have popped up everywhere to solve this problem. They teach, often virtually, several week-long courses on specific areas, capping them off by giving students a physical certificate to prove their knowledge. Most certificates come with an expiration date, sometimes as quick as one year - leading the receiver to retake the course or test out to update their “cert”.

    While the cert model is faster than traditional college training, it has created an environment where security professionals simply hunt for certificates to add to their resume, with most not actually providing value. The ability to pass a multiple-choice exam is not the same as learning how to hack a computer or defend a network. Even the hands-on lab programs tend to lack significant training in realism because the educators make concessions to make the training accessible to everyone.

    In fact, one of my favorite hiring practices in the past was sitting the candidate behind a computer and asking them to hack into a computer 6-feet away. It is amazing to see how many offensive security certificate holders cannot complete the challenge.

The security industry is exploding. According to ISC, there was a 25% increase in the cybersecurity workforce between 2019 to 2020, with 700,000 new entrants into the industry.

To solve this cybersecurity problem, a training tool has to meet the following criteria:

  1. Be realistic about cybersecurity above all else.

  2. Be real-time. There needs to be a concept of real-time and continuous certification, not a one-time thing.

  3. Be affordable to allow everyone access.

  4. Teach the skills that are actually needed in the real world.

  5. Filter the knowledge needed to produce a pipeline of learnable skills without any fluff.

Operator to the rescue

When we started designing Operator, we decided to make training a focal point, not an add-on. As such, training is a built-in section of the desktop application. It is centered around three concepts: programs, courses and challenges. Here is a breakdown of the terminology:

PROGRAMS

A program is like a never-ending college degree. You can sign up or be assigned to a degree program, which will be periodically updated with fresh content that you need to know to master the topic.

COURSES

A course is synonymous with a college class. Each course is a subset of the degree program it sits within, so you should expect to learn a specific topic while taking a course.

CHALLENGES

A challenge is a task you need to accomplish within a given course. Each challenge is organized like a capture-the-flag event, meaning that you are given a straightforward goal to accomplish which has supporting context and details. The challenge needs to be solved correctly to move forward.

Each challenge is accompanied with additional context on the challenge, additional information snippets, links to external reading resources, a marker telling you the difficulty of the challenge and a counter for how many attempts you have made on the challenge.

As you go through Operator training flags, you’ll see that each is marked as either easy, medium or hard. This difficulty level is not random. It is generated by a constantly evolving statistical analysis of all users.

As you go through training flags, your attempts are tracked. If everyone quickly and consistently passes a flag, it may be marked as easy. Like a bell curve, if some users start struggling on a flag, it may creep up to MEDIUM. If the majority of users struggle, it might reach HARD.

This difficulty gauge gives each challenge a 1-10 rating. This is the value that fluctuates over time, giving you a perspective on your peers.

Through this design, we've created a pair of proof-of-concept training programs we think contain the blueprint for solving the cybersecurity problem.

The first program is called Introduction and is free and contains 7 courses and around two-dozen challenges. It teaches you how to get the most out of your Operator instance.

The second program, accessible in the Professional license and called ATT&CK Procedures, contains courses for each tactic on the ATT&CK matrix and challenges for (most of the) procedures you have loaded in your Operator. Each challenge breaks down the commands within the procedure, teaches you why they're important, how a hacker thinks about it, how to detect and respond to it and walks you through running it and analyzing the result.

The Pink Badge training program is a brand-new concept in the world of cybersecurity education. This program, utilizing the structure of our normal programs, is a 5-week course on introductory red team skills. Each week has a recorded lecture and 3-8 hours of homework. By the end of the class, students will be capable of running basic security assessments at their organizations. This program is geared toward technical - but not security - practitioners.

Solving the problem

Now, how can we solve the cybersecurity problem?

As we described earlier, the cybersecurity education problem boils down to these four problem statements:

  • It is artificially difficult to enter the industry.

  • Learning what to learn is the hardest part of the job.

  • The majority of red (offense) and blue (defense) cybersecurity workers don’t know how to code.

  • None of the existing education options in the industry satisfy the combination of being fast-moving and comprehensive.

Within the Operator training design, we are hoping to solve these statements by:

  • Giving free access to the most realistic red team tool on the market, bundled with various free training programs to make it easier for people to break into the security industry.

  • By leveraging the experience of the Prelude development & security teams, we are building training modules covering what people in various security roles need to know. We want to cut down on the enormous amount of noise and filter down to what you actually need to know.

  • We plan on releasing programs to teach you the ins-and-outs of areas like software engineering principles and system administration. These, in combination with how our ATT&CK program breaks down attacks for you, will start building up the coding abilities of those in security roles.

  • We (literally) bring training to your desktop, by making it accessible within your Operator instance, not a static website on the internet. We believe this focus on bringing training to you and making it an ongoing learning experience is essential for applied education.


As we continue building training modules, both within our existing programs and new ones, we hope you connect with us and let us know how it's going.

At Prelude, we hope to stand out by building tools for those with "boots-on-the-ground." We're not in the business of hooking you into expensive certification programs which don't help your bottom line. Instead, we're focused on solving the greater cybersecurity problem. And this can only be done by coordinating with those like you: the ones doing the actual security.