Menu
Why and How We Must Diversify Cybersecurity
Cybersecurity
July, 2023
Author: Justin Pelletier is the Director of the Cyber Range and Training Center in the ESL Global Cybersecurity Institute at Rochester Institute of Technology. There, he oversees the premier worldwide offensive cybersecurity competition and teaches in the Department of Computing Security.
Much has been written in recent years about the need to diversify the tech industry to accurately reflect the interests, needs, and cultures of people whose lives are increasingly shaped by technology.
Diversifying the tech industry is a massive and complex undertaking that will require institutions across sectors to leverage their resources to make a unique contribution. At the ESL Global Cybersecurity Institute at the Rochester Institute of Technology (RIT), we partnered our cybersecurity training program with the National Technical Institute for the Deaf (also housed at RIT) to develop the Cyber-Protection Apprenticeship Program, tailored to meet the needs of diverse learners. In May 2023, the program graduated its inaugural cohort of six apprentices, and we are eager to build on what we learned to expand the program and share best practices with the rest of the cybersecurity community.
Full findings from this project, which is funded by a PIT-UN Challenge Grant, will become available in the coming months. What I want to share here is the backstory to this project and some reflections on how working with deaf learners has influenced my approach to cybersecurity training.
The initiative started in the early months of the COVID-19 pandemic, as we witnessed 30 million Americans lose their jobs. These were hardworking people from a wide range of industries who had the rug pulled out from under them and their families. Seeing these numbers alongside employment numbers in cybersecurity, where millions of jobs go unfilled every year, I wondered: Of these 30 million people suddenly out of work, how many of them have considered a career in cybersecurity at some point but found the training pathways inaccessible? How many of them could successfully transition into cybersecurity?
As we considered how we could serve our local and regional communities at a time of dire need, a unique opportunity presented itself.
At RIT, a large private university with a mature cybersecurity program, a high percentage of our students find well-paying jobs and go on to earn advanced degrees. To understand how we could expand our impact beyond our enrolled students, we surveyed hundreds of industry partners with whom we’ve developed relationships over the years through programs like our annual global Collegiate Penetration Testing Competition (CPTC). It became obvious that the time and associated costs demanded by the four-year pathway were simply unfeasible for the populations we wanted to reach, and we needed to find ways to widen access.
Our first effort was a 15-week, intensive cybersecurity boot camp for people who lost their jobs during the pandemic or who never had a chance to try a career in tech. The program was successful, but we noticed that people from underrepresented populations — especially those in an all-deaf cohort — were struggling to find job placements. Of course, systemic inequality in hiring practices is already well documented in research, but we wondered what else we could do on the training side to improve outcomes.
My colleagues at the National Technical Institute for the Deaf helped me understand the barriers that deaf people face in job interviews, especially in technical fields. When trying to convince an employer that you can do a job well, you have to demonstrate facility with complex topics in a very short amount of time. This is incredibly hard to do well through an interpreter, especially if the interpreter is not well versed in the terminology. Mistranslating one letter in an acronym can make all the difference when discussing computer protocols.
Similarly, people who do not have college degrees are often at a disadvantage in the hiring process for a multitude of overt and implicit rationales on the part of employers.
With this in mind, it became clear that our apprentices needed to develop very strong portfolios of demonstrated work to bring into the interview process, to compensate for the intractable challenges they face during hiring. That meant not only recruiting and graduating deaf students, but also reexamining our curriculum and teaching methods.
I want to pause here to describe some of the “why” behind our focus on serving our deaf cybersecurity students. In addition to its simply being the right thing to do, there are strategic reasons for our field to invest in broadening access to cybersecurity careers.
CPTC, our global cybersecurity competition, draws students from 70 schools across three continents. My background is in the military and public service, and I’ve always been curious about what makes teams work well. Over the past few years, I’ve studied the teams that did well in our competition, while reading research into cognitive diversity and team performance. It turns out that cognitive diversity is incredibly important for teams that are tackling complex and creative tasks. A team of people who work well together and who each bring to the table a different set of perspectives and cognitive skills will have a competitive advantage over adversaries. However, the majority of cybersecurity professionals come from four-year degree programs that select for a narrow range of cognitive traits and are inaccessible for many people. As a result, the field is missing out on a lot of untapped potential.
For me, learning about this reinforced the need for more diversity in cybersecurity and increased the urgency of our mission to create more pathways into the field for a wider range of people.
New Models for Education
By the time our fourth cybersecurity boot camp cohort graduated in late 2021, we saw that despite our best efforts, patterns of inequity were continuing to persist in job placement for our apprentices. So as we built the next iteration of the project into the six-month Cyber-Protection Apprenticeship program, we created a cohort that would be as diverse as possible to understand the different factors at play.
Three apprentices were deaf and three were hearing; one was a person who’d been homeless, another was a military veteran, and there was a range of racial and ethnic identities within the group. This was not just to benefit this cohort; the core design principle at play is that if you make training programs better for those on the margins, you’ll make it better for everyone.
My most significant points of learning as an instructor came through reexamining my pedagogy. First, some etymology: peda in Greek means “child,” which says something about how we generally think about teaching and learning. Adult learners are not children, and it’s important to recognize that these apprentices bring to the course their own life experiences that need to be valued, understood, and contextualized to create “aha moments” in the learning process.
When I teach my kids about something they’ve never seen before, they’re naturally curious and exploratory. I also have to give them a lot of structure and guidance, because everything is brand new. I have to give instructions in a rote and prescriptive way for them to be able to play the game.
When I teach an adult, it’s very rare that we’ll encounter something that’s completely unfamiliar to them. Even if it’s a new idea or language, they bring a pattern-matching ability that comes from their life experience, which can be leveraged by using analogies that speak to their background in another field. For example, a former sanitation worker was in one of our cohorts, and as I considered his prior work experience, I found myself using waste collection and trash pickup schedules as an analogy to describe how and why we destroy certain data sets in cybersecurity work.
It’s equally important to point out deviations in the pattern, the places where the pattern diverges and the analogy breaks down. Teaching in this way, you co-construct a theoretical foundation with the adult learner that builds on their experience, rather than contradicting it.
Fundamentally valuing and understanding the experience of our apprentices is a prerequisite for creating a training program that actually works for the populations we’re trying to reach. As instructors, we have to approach the process with an open mind. We have to ask our learners, “Will you teach me about your community, your background, your prior knowledge and experience?” That dialogue naturally precipitates patterns that we can turn into teachable moments.
We have to be open to revising our methods and assumptions as we learn from our apprentices. Our approach to teaching deaf apprentices has shifted several times. The Americans with Disabilities Act is often an afterthought in training programs. People hire an interpreter, or provide closed captions on lectures, and assume it’s all taken care of. Can you imagine trying to read captions from a lecture, read a PowerPoint slide, and take notes all at the same time?
It turns out that there’s an inherent processing limitation for humans when it comes to processing image and text. They are two different input and output streams, so we need time to toggle back and forth. As we worked through this challenge, we discovered that our deaf students didn’t need a completely different course structure; they just needed a few more rapid iterations of the material in order to process and learn the new information. We learned this only by continually asking our deaf students for feedback and by being open to trying new things.
The need for a more diverse cybersecurity workforce is evident. In addition to improved recruiting, we need to make changes to our curricula and teaching methods to effectively bring new people into the field and ensure they can find a place in the workforce. What’s at stake is more than corporate profits — it’s our national and community security and well-being.