Why Applied Learning or Immersive Education?
The role of hands-on learning when preparing for or entering a career in cybersecurity
Guest Blog by Bret Fund, CEO at SecureSet
A cybersecurity career is creative, exciting and full of challenges and rewards. Once you have broken in, there is ample opportunity for you to move and grow within the field. How one breaks into this career field, however, has not always been well defined and can be somewhat murky to understand.
As the CEO of a cybersecurity education company, I am often approached by individuals wanting to know what they can do to land a job in cybersecurity. Usually the conversation centers on their technical background or certifications, but quickly switches to stories of how employers wouldn’t hire them because they didn’t have enough experience. It all comes down to the age-old question: “how can I get any experience, if they won’t give it to me?” This is a fair question and one that needs to be answered.
Current traditional educational approaches typically struggle to provide adequate hands-on experience, or any at all, to help individuals become workforce-ready, and most corporate training is focused on professionals who are already in the field, with enough experience to understand and absorb the training being delivered. This makes it difficult for those wanting to break in, or for those who have just joined this field.
A different approach, an immersive education approach, is more productive at preparing individuals looking to enter and get up to speed in terms of cybersecurity skills. In a nutshell, immersive education mimics real-world environments and problems so that it provides not only the background knowledge for specific job functions, but also the level of experience needed for entry-level positions in the marketplace.
From an employer’s perspective, individuals who come through more traditional channels will have a great base set of knowledge, but they can be very limited in terms of their hands-on experience and actual skill with cybersecurity. That means that employers will have to invest in further education and training to get them to a place where they are able to be productive as a cybersecurity professional and employee. This takes additional time and money, both of which are costly.
What Does Applied Learning/Immersive Education Actually Look Like?
Immersive education or applied learning starts with a problem or task that needs to be performed. The educator maps out what a learner must be able to “do” at the end of the exercise and then creates an environment that allows them to demonstrate (for themselves and for the instructor) that they can actually “do” the task. Once the lab or applied learning exercise has been created, as educators we use a process called backwards design to say, “now what knowledge does the student need to possess, so that they are adequately prepared to accomplish the task in the lab.”
Traditional approaches to learning tend to focus on the knowledge the educator believes a student should possess and THEN they think about the type of exercise that could be used to assess the student on the knowledge that is being delivered. This is forward design in the learning process.
Let’s be more practical though. What does this really look like? Let’s say we want to teach someone totally new to the field how to secure a web application/website. Using a more traditional [forward design] method of learning, we would establish the knowledge the student would need to have (e.g. LAMP stack understanding, application vulnerabilities knowledge, exploit knowledge, etc.). (A LAMP stack is a set of open-source software that can be used to create websites and web applications. LAMP is an acronym, and these stacks typically consist of the Linux operating system, the Apache HTTP Server, the MySQL relational database management system, and the PHP programming language.) Next, we would want to assess whether that knowledge was received. We could test the student on each section or at the end via a comprehensive test. Alternatively, we could include a prebuilt webapp and require the student to perform a series of tasks, resulting in the student demonstrating a cursory grasp of their knowledge. At the end of this experience, a student will likely have gained knowledge on application security according to the prescriptions provided, and possibly demonstrated some aspects of how to secure an application.
Let’s contrast that now with a backwards-design applied learning approach. When we teach students how to secure a web application/website, we want them to ultimately be able to perform five tasks:
- build an application using the LAMP stack
- attack the application they built
- harden the application they built
- attack the applications that their student peers have each built
- defend their own application from an attack by their peers
To accomplish this, we support creating environments with all the tools necessary to build an application, attack an application, and defend that application. Best-in-class learning combines this sort of hands-on experience with quality instruction (lectures, reading, videos) so the learning and the practice are integrated. By participating in an applied learning exercise, a student takes part in an environment that mimics the real world and provides a tangible experience that will directly translate into work they will do on the job. It also forces students to understand the theory and practice around “how to secure a website,” as they have to build the site, attack it AND defend it in order to truly understand not only the steps that need to be taken, but WHY those steps need to be taken. Given how dynamic the threat landscape is, this combination gives students the flexibility and readiness to excel in their jobs, not just enter the field.
Bringing it All Together
I started this post talking about how numerous individuals struggle with the question “How can I get any experience if cybersecurity employers won’t give it to me?” The other question is how the industry can better support training and education in order for organizations to fill the current talent and skills gaps. The answer to this question is through immersive education/applied learning founded on a solid understanding of key concepts. Effective cybersecurity professionals need to understand and apply the knowledge to do the tasks required.
This immersive educational approach is important and necessary in our industry, because the demand for talent far outstrips the supply, which means that individuals with no experience need to accept roles in companies that require some level of experience. The only practical solution is to provide applied learning experiences that will fill the gap between employer requirements and employee experience. This is something that both SecureSet and CyberVista believe in and deliver on with our educational products.
There is a bright future for this growing and developing industry and for those individuals who are going to be a part of it. As a result, there is a lot of room in this field and the best way to take advantage of it is through the combination of applied learning and quality instruction.