Learning how to hit a moving target: NYU commits to readying future experts in cyber security

It’s estimated that, by the year 2020, there will be around two million open and unfilled jobs in cybersecurity worldwide—currently, the United States faces a 200,000 person shortfall in this critical field. As an answer to Mayor Bill de Blasio’s recent call to create 10,000 cybersecurity jobs within the next decade, the NYU Tandon School of Engineering is taking steps to address the skills gap with the NY Cyber Fellows, an affordable online master’s program designed in collaboration with New York City Cyber Command and such elite partners across a diverse range of industries as Morgan Stanley, IBM Security, and Bridgewater Associates. “When the mayor announced this initiative, we realized that we need to create this workforce,” says Professor Nasir Memon, founder of Tandon’s program in cybersecurity and associate dean for online learning. “We need to create 10,000 experts.”

The barriers to such an expansion of the cybersecurity workforce are many, Memon notes, and NY Cyber Fellows seeks to overcome them in part by partnering with leaders in city government and industry. Being online and part-time, the program allows flexibility for students who are working or unable to relocate to New York City . Scholarships, covering as much as 75 percent of tuition for US residents, bring the cost of a master’s degree down to about $16,000—almost unheard of for such an elite program. And NYU’s Bridge to Tandon—which, for $1,500, gives qualified students without an undergraduate degree in STEM the foundation they need to apply to Tandon in as little as 17 weeks—allows students from diverse backgrounds the opportunity to transition to a lucrative career.

Partnering industry and academia addresses one of the most critical aspects of the skills gap: readiness for the practical realities of the field. According to Serg Rodriguez, who manages Bridgewater Associates’ Security Human Capital and Training, because the subject is not universally integrated into computer science programs, many technologists don’t even learn about security until they’re on the job. “This results in the skills gap coming out the gate,” he says. “It’s hard to find technologists who really understand security because they often enter the workforce with a pure technology focus. Security must be addressed in the educational curriculum.” In a profession as volatile as cybersecurity though—where the volume and sophistication of attacks is ever-increasing—it’s difficult for those not actively engaged with this threat landscape to stay current, let alone to develop syllabi that will be relevant to students year after year. “If you think back on how long private sector has been considering this space, it’s not a very long cycle,” says Jerry Brady, Global Chief Information Security Officer at Morgan Stanley. “Even in the past few years, the nature of threats has changed.” Because of these constantly shifting parameters, Brady continues, syllabi in cybersecurity may struggle to capture the minute-to-minute reality of the field, which is where industry can step in. “It’s difficult without going to individuals that are living this on a daily basis,” he says. Heather Ricciuto, Academic Outreach Leader for IBM Security, agrees, adding that addressing the skills gap goes beyond mere numbers. “Teaching more students frankly isn’t enough, because it’s almost impossible to keep up,” she says. “Collaboration is key, because there’s not one single organization that can close the gap on its own and there’s no single approach that’s going to solve the problem.” Rodriguez echoes the sentiment, adding, “The public sector, the private sector, government, financial services, even the food industry all face the same threats and the same risks, so any leveraging we can do of our learning will help close out the skills gap.”

Because it’s a favored target of cyber criminals, the finance industry has invested a heavily in cybersecurity over the years, and has valuable input for Tandon’s students. Morgan Stanley is one of the firms contributing to the program’s syllabi. “Financial services is targeted earlier than other sectors and unfortunately sees the best of all worlds of attackers,” says Brady. “So, we may have more understanding of how threat manifests itself, and that is one level one which we’re useful to NYU in terms of providing advice for the curriculum: we live this dream everyday.” In addition, Brady notes, having been at the forefront of cybersecurity protections for some time, the finance industry can provide students with both an historical view and an eye on the horizon. “That’s a pretty good combination from an educational standpoint,” he concludes. Bridgewater’s Rodriguez speaks to the ability of the industry to offer financial support as well; the hedge fund provides an important financial contribution to the Cyber Fellows program. “For Bridgewater to be able to provide financial contributions that allow programs like NY Cyber Fellows to happen, providing students these opportunities--that within itself is huge,” he says. “Whether it benefits us directly or not, it’s a plus for the financial services sector and the security industry at large to have young technologists that are more security savvy.”

Professor Memon and his team understood from the start that industry had to be involved even beyond funding and advising on curriculum. This, he says, is because unlike other disciplines within engineering, where a design can anticipate accidents and random occurrences; cybersecurity involves the presence of an unpredictable adversary, which makes it hard to teach. “An adversary will always try to do something that you never anticipated,” he says. “So how do you design for that? What are the skills that allow you to engage with that and understand the moves?” The analogy Memon prefers is sports: “When the New York Knicks are practicing they break up the team into two groups and they play against each other. Cybersecurity needs that—it needs the active learning experience that involves being confronted by an adversary in a setting like real life. You can’t just be talking about it or theorizing about it. You actually have to be getting your hands dirty and fixing things and breaking things and catching people. Industry understands these things well.” Accordingly, some industry partners will also offer internship and mentorship opportunities, capstone projects, visiting professors, speakers, and events. The Cyber Fellows will also have access to NYU Tandon’s own collection of cybersecurity games and challenges, such as Capture the Flag, developed for the annual Cybersecurity Awareness Week, as well as New York City Cyber Command’s Cyber Range, a sort of digital playground where they can get real-world experience in an environment that changes with the current landscape of threats. “It’s large and realistic enough that students can go in and have the experience of being in a real enterprise-like network,” Memon says. “They’re able to attack and defend it and instantly understand the techniques that are used by criminals.” This, Memon adds, in combination with real-world projects offered by industry partners, can help students cultivate vital but hard-to-teach traits such as curiosity, patience, and the ability to question commonly-held assumptions of trust that should be second nature to a good cybersecurity professional.

The benefits go both ways, as IBM’s Ricciuto explains. “One of the biggest complaints of hiring managers in the cybersecurity industry is that applicants don’t have the needed hands-on skills. When we’re hiring, at IBM or elsewhere, we need people who can really step in and hit the ground running.” Programs like Tandon’s will give industry partners access to a group of professionals who come armed with practical experience and the very skills they need. “It gives us a richer hiring environment,” Brady explains, “a more sophisticated and mature talent base.” In fact, Bridgewater’s Deputy Chief Security Officer Tom Ostebo says the Security team is already eyeing the first crop of Cyber Fellows “I’m hopeful that we’ll find candidates who are interested in Bridgewater,” he says, emphasizing that women and other underrepresented demographics in the field are especially welcome. “We’re looking to improve the diversity of our workforce in terms demographics and ways of thinking and every other way.”

Indeed, diversity is one thing all industry leaders speak to: the need for talent that is not only technically savvy, but also equipped with a range of experience that gives them the nimbleness and adaptability to respond as circumstances demand. “How we respond to incidents and attacks, manage vulnerabilities, and build resilient procedures cuts across a number of different roles within the organization,” Brady explains. “We think about agility in being able to respond to threats as one of the best skills you can have, and that’s something we’ll get from picking up students that come from multiple walks of life who can approach the problem from multiple perspectives.” Tandon’s Bridge facilitates this by pulling in talent from areas beyond computer science and engineering, as well as giving communities that tend to be underrepresented in STEM fields access to a career in tech. “Often, one of the key differences between candidates is opportunity,” says Bridgewater’s Rodriguez. “NYU does a good job of ensuring that their students represent the makeup of our communities, and it’s great to be able to empower and enable that through financial contribution. It fosters opportunities for technologists of diverse backgrounds to not only see themselves represented but to become the representation that future generations of technologists will see.”

In addition to fostering diversity and the creativity it brings, Memon says that the Cyber Fellows program was designed with the recognition that cybersecurity’s needs changes so rapidly that a commitment to education beyond the completion of a degree is required. To this end, NY Cyber Fellows will have access to continually updated course content for five years after graduation, with the goal of creating a lifelong exchange between NYU Tandon and Fellows at work in the field. “It demonstrates a commitment to the graduates that I haven’t seen elsewhere and recognizes the importance of continuous learning in this industry,” says IBM’s Ricciuto. “Because it’s not the kind of job or industry where you can go get a degree and say, ‘that’s it, I’m done.’ You truly have to be committed to lifelong learning.”

In the end, all parties agree, everyone stands to benefit from the presence of a better-trained and more diverse cybersecurity workforce. “Selfishly, do we hope to hire some of these [Tandon] students?” Ricciuto asks. “Of course. But it’s not just about us—it’s about our clients, it’s about our governments, it’s about our institutions. Cybersecurity touches every industry.” Such a unique partnership between academia, industry, and government presents an opportunity for collaboration and knowledge sharing that will help all partners address common threats. “We must communicate and share with each other so we can stay ahead of our adversaries,” says Bridgewater’s Rodriguez. “This is critical not just to be good corporate citizens, there’s also added business value when we work together with academia, government, and others in the private sector to leverage each other’s learning and apply it.”

Through this unique collaboration with government and industry partners, Tandon has created a new model for how this crucial profession is taught. Memon’s plan is for the school to become a leader in the cybersecurity field—both spearheading the creation of a workforce equipped with the practical experience needed to address the city’s skills gap and giving a diverse body of students access to good-paying jobs. “We hope that 10 years from now, no matter which company you walk into, there’s an NYU Cyber Fellow there,” he says. For their part, the program’s industry partners hope to see Fellows bring this combination of adaptability and technical savvy, breadth and depth of knowledge, to their own respective hallways even sooner than that.