Merriam-Webster’s defines hands-on learning as: “gained by actually doing something rather than learning about it from books, lectures, etc. : involving or allowing the use of your hands or touching with your hands. : actively and personally involved in something (such as running a business)”
While cybersecurity professionals are most adept at understanding what knowledge is needed to execute tasks and responsibilities and foster a culture of ethical cybersecurity, how to execute and implement is more challenging. Critical thinking, strategic planning, leadership, empowerment, organizational, research, technology, communication and teaching skills weigh heavily in how effectively and pervasively a cybersecurity culture can be established in a firm.
Not everyone learns in the same way. While an auditory or visual learner may be able to master skills by watching an instructor perform a task, a kinesthetic learner will perform better if they perform the task themselves. Hands-on skills activities in your cybersecurity education can benefit all types of learners by providing opportunities for all types of learners to observe as well as perform.
In today’s environment, educators in all areas of cyber security are being challenged to move beyond traditional methods of instruction (i.e. the lecture) to an approach that calls for increased interactivity with students. It is well accepted among most faculty that a hands-on approach to learning is the preferred method. Specific to cybersecurity, an integral piece of any training is the opportunity to work in an interactive hands-on environment. Problem-solving skills are best developed in this fashion. The incorporation of real-world problems needs to include challenges that rise above simplistic scenarios. Instead, these problems need to propel students into the realms of higher order critical thinking skills: analysis, synthesis and evaluation such as are required in the cybersecurity professional’s daily job. Students must be able to practice hands-on skills in order to prepare for today’s cybersecurity career. Problems faced in the daily duties require the professional to look at security issues from both the attack/defend perspectives and critical business-centric functions and to adapt to ever-changing threats. Therefore, a hands-on curriculum is likely to produce the most effective results in training cybersecurity professionals.
One avenue of collaboration is to offer lab simulation to enrich existing security curricula or to enable security courses to be offered with a lab component. Unlike traditional labs, simulators utilize virtual equipment and space, and is accessed through a geographically distant computer (virtual machine). However, users are accessing a physical network environment. Lab simulation offers a number of other advantages as well. Lack of financial resources and equipment top the list of barriers to hands-on labs, but lab simulation could be housed in NSA/DHS CAEs (Center of Academic Excellence) and funded to provide access to other universities, community colleges, and high schools. Lab simulation also affords the opportunity to work in a team environment. Through proper lab settings, students can work on the same network environment simultaneously as part of a team. Additionally, lab simulation removes the time and space limitations of traditional labs, thereby allowing more users overall to share the resources and access anytime, from anywhere.
We need a large cybersecurity workforce, and we need one that is hands-on trained in the latest tools and techniques of the field. In the short term, rather than reinventing the wheel in educational organizations across the nation, we should utilize hands-on skills lab simulators within CAE designated institutions and non-CAEs to become the hubs of cybersecurity education and training, connecting not only with other educational institutions but with industry partners as well. Services offered through the schools could include train-the-trainer workshops, remote access labs, lab content, and even hosting of security colloquia. Tying CAE knowledge units to the competency levels through the NICE (National Institute of Cybersecurity Education) Cybersecurity Workforce Framework adds industry required hands-on skills and needs to the education model via lab simulation.
U.S. organizations, both government and private, need a massive, well-trained cybersecurity workforce sooner rather than later. The infrastructure to train small numbers is there. Funding remote lab simulators to expand capacity is a timely idea that addresses the demand relatively quickly and economically. It is through the lab environment that students will gain the hands-on experience component deemed vital by educational and industry experts alike. This will lead to effective education and training which enables our country to build a specialized workforce with the right skills, at the right time and place to protect our citizens and assets.