Cybersecurity must be the hottest career around right now.
GlobalData analytics show that about 500,000 jobs with exposure to cybersecurity were posted worldwide in 2023 and of those 100,000 remain unfilled. In 2022, more than 700,000 jobs were posted. Cyber teams have not been immune to cutbacks and yet the threat landscape has reached a five-year peak. This is according to the cyber certifications and training body ISC2’s latest findings. Of almost 15,000 cyber practitioners surveyed for their 2023 report on the state of the cyber industry and crime landscape, 75% said the risk of a malicious attack on their systems and data was the highest they had experienced since 2018. A confluence of factors is to blame: economic headwinds, the move to cloud-based services and the fast emergence of machine learning (ML) and artificial intelligence (AI) technologies, which create new ways for cyber criminals to steal data through phishing, whaling or ransomware attacks.
This year alone there have been thousands upon thousands of incidents targeting healthcare facilities, government networks, education institutions and most other industries in data breaches and leaks affecting hundreds of millions of people. The threats are growing exponentially and yet so does the skills and workforce gap, up 12.6% year-on-year, estimates ISC2, the world’s largest association of cyber professionals.
New cyber education and training emerging
Against this backdrop, cyber education innovation is critical to rapidly upskill more workers to join the cybersecurity workforce, while widening the talent pool to attract more women and underrepresented groups to the world’s fastest-growing profession. The 2023 ISC2 study also reveals that businesses are waking up to the need for real-world experience and certifications and prioritising those over advanced degree qualifications, which in the past were considered the traditional path into cyber roles.
Historically universities and colleges have not excelled in this area, known for their broader multi-year degrees in computer science and software engineering but there are exceptions – and Sheridan College in Ontario is one.
Sheridan, which has its main campus in Brampton, has been ahead of the curve from the start with regard to creating the much-needed targeted skillsets in cyber. Two decades ago, the college launched its Honours Bachelor of Information Sciences (CyberSecurity), the country’s first dedicated cybersecurity degree and its longest running.
Every year, Sheridan graduates between 40 and 50 students from this degree programme but by adding a two-year cyber diploma and cloud security graduate certificate to its portfolio in the next academic year, it will be able to graduate about 200 students ready to help businesses and the public sector protect their data and networks in volatile geopolitical and macroeconomic conditions.
This expansion in study opportunities takes good advantage of Brampton’s status as Canada’s fastest-growing city as well as its youngest. In 2021, Brampton’s population consisted of 17.9% children (0–14), and 23.4% youths (15–29) meaning 41% of its population is below 30 years of age.
Next year Sheridan College will be responsible for another trailblazing initiative accelerating cybersecurity skills and talent development in Canada when it switches on its new cyber range, a hyper-realistic and sophisticated training and testing platform that will simulate a security operations centre (SOC). This will offer its students much-needed experiential “on-the-job” learning but in a safe space. Currently in development, it will offer a physical and virtual aspect and is supported by a financial donation from Stratejm, a managed security services provider located nearby.
“Cybersecurity is evolving relentlessly and the change is drastic, specifically when we talk about the advent of technologies like large learning models,” says Ali Hassan, PhD, a professor in the Computer Science department at Sheridan College and the school’s cybersecurity programme coordinator. “All of us have heard of ChatGPT, but that is just one large learning model. AI, ML, quantum computing – these are all modern evolving technologies and all have a direct impact on cybersecurity.
“Our cyber range will help our students get the most relevant, up-to-date education in a realistic environment, improving their abilities in threat detection, incident response, vulnerability management and – critically – enable them to communicate confidently and articulately to their team and non-technical business stakeholders to facilitate an effective response.”
These high-tech platforms have been historically only available to industry professionals at some of the biggest technology organisations in the world and in some key government agencies. A cyber range is often compared to a flight simulator that prepares pilots to respond to complex and unpredictable situations without risking life or property.
Make no mistake, this is big news and creates a poster child for what best-in-class cyber education looks like.
‘A symbol of education; a symbol of innovation’
As communication ability and other non-technical skills like curiosity and problem-solving are increasingly recognised by executives as important criteria for cyber employees, being able to use a cyber range as a key learning tool is a huge advantage. “When operating in a market characterised by instability, organisations need professionals who are knowledgeable, adaptable and efficient facilitators of information,” the 2023 ISC2 report concludes.
A cyber range develops a peer-to-peer learning environment, where the users are sitting side-by-side and working as a team – and so developing those in-demand soft skills.
Sheridan College is planning to open its cyber range to the local business community, allowing start-ups and small-to-medium businesses to use it for security audits and red team penetration testing (pentesting), which involves an “ethical hacking” team simulating a cyber attack on an organisation to test its security controls. Typically, SMEs are most vulnerable to malicious threat actors because they will inevitably have a digital footprint, but their resources are stretched.
“They will often be storing customer data including potentially financial information and if they have software connected to the internet, all this will be inherently vulnerable,” Hassan says. “Through our cyber range, we can offer essential security services to these SMEs and empower them to strengthen their digital infrastructure, improve their security posture and safeguard their data. As an example, in Brampton, a local manufacturer making small electrical switches that can be switched on remotely can bring their product to us and we will conduct a security audit to make sure their product complies with cybersecurity best practice.
“We will then be able to provide them with a report to show where they are doing well and where they have vulnerabilities. Let’s say a business gets an email and they are unsure whether the email is benign or malicious, again we can run this through the cyber range to find out. The same process applies if one of their employees has discovered a strange file or an unfamiliar process on their system.
“This work will be completed by our students, most likely those who enrol in the two-year diploma we are launching next September. In time, we will also offer services to train their employees through workshops, seminars and hands-on activities through the cyber range. It will also be used as a cyber R&D hub, with the research that emerges contributing to developing the cyber ecosystem in Brampton, Canada and abroad.”
Real-world experience without the risks of error
For those still struggling to grasp what a cyber range is and what Sheridan’s version will be able to do, Kristin Armstrong, associate dean, Applied Computing at Sheridan, tries to create a picture.
“It simulates a SOC. So, students will be sitting together at stations with multiple screens in front of them, and then have large screen displays projecting everything you can think of with red versus blue teams in a fully immersive live hackathon experience. We already host hackathons and capture the flag events for our students, but these will be even more realistic with the cyber range able to simulate different types of organisational infrastructure like a hospital, an airline or a retailer. So, when they step into the real world, they won’t feel like a deer caught in headlights.”
Armstrong continues: “The fantastic thing about the cyber range is that you can make mistakes without causing real-world damage. And it promotes experimentation, which is good because that fosters that deeper understanding of cyber; you are not afraid to take those risks and investigate what is being put in front of you.”
The cyber range will be a critical component of Sheridan’s new two-year diploma programme to expand the pool of entry-level cyber workers available to industry to accommodate the high demand. Armstrong says the platform will help Sheridan College offer industry workers who can hit the ground running.
Not far away, in the Brampton Innovation District, a dedicated corporate accelerator and workforce training provider called Rogers Cybersecure Catalyst already has a cyber range on site, Canada’s first. The Catalyst Cyber Range provides realistic high-pressure cyber-attack simulation workshops to business clients as well as the participants of its flagship fast-track training programme, Certifications for Leadership in Cybersecurity.
In November, the Catalyst celebrated its fifth anniversary, announcing C$16m ($11.7m) in renewed funding from its corporate founding partners, Rogers Communication and RBC. Brampton and the Canadian Government are also key backers of the initiative, which has helped to create and fill 800 jobs in the cyber industry through its skills-based education programmes and corporate accelerator for founders and scaleups. More than 10,000 cybersecurity experts, mentors, thought leaders, entrepreneurs, programme participants, alumni and partners make up the Catalyst community.
One thousand women, girls and non-binary individuals have gained employment in the cyber industry as a result of the Catalyst, a national centre of excellence. It credits its customisable cyber range as being fundamental to preparing its students and the businesses it works with for the high-pressure situation of a real-time attack, which cannot be taught in a classroom through two-dimensional PowerPoint slides.
Clare Barnett, director, economic development at the City of Brampton says: “Most cyber engineers and others involved in cybersecurity roles will never have access to a cyber range but in Brampton we have two through Sheridan College and the Rogers Cybersecure Catalyst, which is backed by the city government as well as industry.”
