HAMPTON ROADS CYBERSECURITY EDUCATION, WORKFORCE, AND ECONOMIC DEVELOPMENT ALLIANCE (HRCyber)
Regional Alliance and Multistakeholder Partnership to Stimulate (RAMPS) Cybersecurity Education and Workforce Development
Quarterly Report Number 4
September 30, 2017
Prepared by Brian K. Payne (PI) and Mary Sandy (Co-PI)
Project funded by National Institute for Standards and Technology

Partners
- Old Dominion University
- College of William and Mary
- Norfolk State University
- Tidewater Community College
- Thomas Nelson Community College
- City of Virginia Beach Public Schools – Advanced Technology Center
- Newport News Public Schools
- Hampton City Public Schools
- City of Hampton Economic Development
- Reinvent Hampton Roads
- Commonwealth of Virginia House of Delegates Ron Villanueva
- Cyber Protection Resources
- Hampton Roads Economic Development Alliance
- ISSA-HR
- Jefferson Lab
- Opportunity, Inc.
- Virginia Space Grant Consortium (VSGC)
- Virginia Beach Economic Development
- Virginia Beach Vision
- Virginia Beach Hotel Association
- 360IT
- ABNB FCU
- AERMOR
- Bon Secours Health System
- Booz Allen Hamilton
- C5BDI
- CRTN Solutions (LLC)
- G2-Ops
- Huntington Ingalls, Newport News Shipbuilding
- Klett Consulting
- Obsidian Technology Group
- Packet Forensics
- Peregrine Technical Solutions, LLC.
- Port of Virginia
- SAIC
- Sentara Healthcare
- Sera-Brynn
- StratasCorp Technologies
- Towne Bank
- Vostrum Holdings, Inc.
- VNG Consulting

Summary
The Hampton Roads Cybersecurity Education, Workforce, and Economic Development Alliance (HRCyber) received funding from the National Institute for Standards and Technology as part of NIST’s Regional Alliance and Multistakeholder Partnership to Stimulate (RAMPS) Cybersecurity Education and Workforce Development program. The funded project began October 1. This report covers the activities of HRCyber since that date. These activities included:
- Monthly alliance meetings
- Survey results and final report
- HRCyber partner survey/azimuth check
- Website updates
- Articulation agreements
- Virginia Space Grant Consortium activities
  o Cyber Saturdays
  o Career Counselor Workshops
  o Career videos
  o Industry Internships
  o DACUM finalized
- High School Internships
- Train academic advisors on cybersecurity programs
- Identify curricula revisions
- HRCyber Workforce and Economic Development Summit
Each of these activities is summarized below. This is followed by a discussion of expanded activities and plans for the next 90 days.

Monthly Alliance Meetings
HRCyber held monthly meetings in July, August and September. The July meeting was our mid-project meeting and was in-person. We provided a mid-project report to all participants as part of this meeting. We also were pleased to have Daniella Santos, NICE Program Manager, attend and participate in this meeting. Our August and September meetings were held by teleconference. The meetings were well attended. Our July meeting had over 50 attendees, and the teleconferences averaged 15 participants.
Information discussed at each meeting included HRCyber accomplishments and future plans. Each meeting included time for open discussion so the HRCyber partners could share their own ongoing activities and needs. Copies of the slides presented are available upon request.

Survey results and final report
As part of the project we conducted a series of focus groups and two surveys – one completed on regional cybersecurity employers and one completed on cybersecurity educational institutions.

A final report was provided to all our stakeholders at the July 2017 meeting. See attachment A for a copy of this report.

HRCyber Partner Survey/Azimuth Check
In July we completed a survey of all our partners and stakeholders to gain insight into how they felt we were progressing in meeting our project objectives. A total of 27 out of 110 responded to this survey. 85% said that we are meeting our objectives. We also asked if they felt that HRCyber was having an impact in the region: 29% rated us as having a “significant” impact and 62.5% rated us as having a “moderate” impact. 89% of respondents said that they believed that the initiative started with HRCyber should continue after the NICE grant funding ends in December 2017. See attachment B for a complete report on this survey.

Website Update
A website was created in an effort to generate awareness about the alliance and its activities. The address of the website is: http://securitybehavior.com/hrcyber/. Material on the website was updated on an as-needed basis over the past quarter. Information on the website includes current events, news stories, links to alliance partners, cybersecurity resources, and a link to our HRCyber Workforce Needs Survey. Future updates will be provided as accomplishments occur.

Articulation Agreements
During the past year we completed two articulation agreements between Old Dominion University and Tidewater Community College and Thomas Nelson Community College. These agreements allow students in the AAS in Information Systems Technology-Cyber Security program to transfer to the BS in Interdisciplinary Studies with a Cybersecurity major. These agreements save the student over 50 credit hours of course work.
ODU is also in the final stages of finalizing a third articulation agreement with Northern Virginia Community College. These articulation agreements are expected to start producing transfers starting in spring 2018.

Virginia Space Grant Consortium Activities
The Virginia Space Grant Consortium is a co-partner for this project and they have been instrumental in completing several key activities during the past 12 months. We have provided details on these activities in previous reports but we want to highlight them one more time.

Cyber Counselor Workshop
The Cyber Counselor Workshop was held at the ODU Peninsula Center in Hampton, Va. on February 23, 2017. Twenty-seven school counselors, career coaches, and Career and Technical Education (CTE) teachers from the Hampton Roads region attended. During the program, presenters representing our higher education academic partners (Thomas Nelson Community College, Tidewater Community College, Norfolk State University, and Old Dominion University) provided information specific to their academic settings on education pathways leading to a career in cybersecurity. In addition, presenters from two of our industry partners (Sentara Healthcare and Newport News Shipyard) presented an excellent picture of the state of the cybersecurity job market in the local area. Local school partners from Newport News Public Schools, Hampton City Public Schools, and Virginia Beach Public Schools participated in a panel discussion outlining their school districts’ current state of cybersecurity courses in secondary schools. Workshop participants also took part in an engaging, hands-on Dumpster Diving/Identity Theft activity. Finally, participants provided suggestions for improving the five-part cyber security career awareness video series that VSGC is developing.

Thomas Nelson Community College Hosted Cyber Saturday
On March 11th, Thomas Nelson Community College (TNCC) hosted our first Cyber Saturday program for high school students and their parents. Forty-three students and twenty-two parents attended the event. Students participated in such activities as Raspberry Pi from Scratch (led by a Hampton City Public Schools teacher), Footprinting and Port Scanning (Newport News Shipyard), Exploring LAN Technologies (TNCC), Cyber Physical Systems (ODU), Wi-Fi Password Cracking (ODU), and an exciting drone competition (VSGC). While the students were engaged in those activities, parents attended sessions led by the FBI (Norfolk Branch), Sentara Healthcare, admissions information and education pathways (TNCC), and VSGC programs. Parents also participated in the Dumpster Diving/Identity Theft activity led by TNCC.

Tidewater Community College Hosted Cyber Saturday
On March 25th, VSGC led the second Cyber Saturday event held at the Advanced Technology Center in Virginia Beach hosted by Tidewater Community College (TCC). Forty-nine high school students and nineteen parents attended the exciting event.
Industry partners (Packet Forensics and Newport News Shipyard) and academic partners (TCC, Old Dominion University, Virginia Beach Public Schools) led the students in such activities as Wi-Fi Password Cracking, Capture the Flag, Footprinting and Port Scanning, and Cyber Physical Systems (including the drones again!). Parents held a wonderful question and answer session with a representative from one of our industry partners (Sera-Brynn), and TCC representatives spoke to admissions procedures and cybersecurity programs at the community college. Afterwards, parents were able to join the students in their classrooms. Volunteers from Virginia Beach Public Schools and the Computer Club at TCC as well as others helped with the event.

Cyber Video Series
Five videos are currently in production. These videos have been shared at the Cyber Counselor Workshop and the two Cyber Saturday events. Edits based on the feedback from these groups are being made. Videos should be released within the next two weeks after partners have had the opportunity to view the final product. Overall, 19 interviews were conducted. Partners interviewed for the video series included NIST, NASA Langley Research Center, Peregrine Technical Solutions, Packet Forensics, G2-Ops, AERMOR, Newport News Shipyard, Sentara Healthcare, and Langley Federal Credit Union. Each video is approximately 10 minutes in length. Topics include Cybersecurity – The Big Picture; Career Pathways; Accessing the Cybersecurity Job Field; The Cybersecurity of Things; and Protecting and Serving.

Industry Internships
Through the VSGC’s Commonwealth STEM Industry Internship program, we continue the process of reaching out to and scheduling meetings with each of the member HRCyber companies as well as some of the academic partners. We are also assisting with CSIIP registrations and determining specific needs for targeted recruitment for ideal student candidates for the internships. We have provided a number of cyber security classroom and information sessions with students and faculty from Hampton Roads schools and others, member and non-member. Per the proposal, we anticipate at least 10 internship placements for summer 2017. To date we have now placed eight students with Dan Bowden and Sentara Healthcare. We are also working very closely with APEX as well in partnership with Sentara. For many of the other companies we have met with, we are in the process of obtaining specific requirements for their prospective interns and reaching out to students who may be interested.

Developing a Curriculum (DACUM)
As noted in the December quarterly report, the DACUM panel meeting was held on December 13-14, 2016 in Hampton. Coordinated by VSGC and hosted by Thomas Nelson Community College, the panel identified the tasks and duties for cybersecurity professionals in the Hampton Roads region. Ten currently working cybersecurity professionals from different employment sectors met and discussed their daily work and tasks. Led by a certified DACUM Facilitator, the deliverable from the panel discussion will be a DACUM chart for early career cybersecurity professionals.
The DACUM chart was finalized in February and provided in previous reports. This DACUM chart will inform and serve as a guide to curriculum development and other project components.

High School Internships
Virginia Beach City Public Schools’ Technical and Career Education department created industry internships for high school students enrolled in ATC classes for Cybersecurity & Network Administration, CISCO Networking, Computer Systems Technology, and Software & Game Development. These internships are professionally and financially supported by HRCyber. Up to 20 VBCPS high school students will have the opportunity to experience 30-hour cybersecurity internships in the cybersecurity field through this partnership. Current community partners include NEXCOM, ABS Technology, AECOM, Klett Consulting, G2Ops, SAIC, Clark Nexsen, and Endurance IT Services. Participating companies will work with ATC teachers to outline a plan of study for assigned interns. Internship students are in their junior or senior year of high school, have or are pursuing certification, and come from one of three programs: Network Administration and Cyber Security, Cisco Network Engineering, and Computer Systems Technology. All of the internships will be completed by the end of November 2017.

Train academic advisors on cybersecurity programs
Training for 40 academic advisors on the work that HRCyber is doing in the region with educational institutions and on cybersecurity academic programs available at Old Dominion University was completed on September 29, 2017 as part of the Old Dominion Advisor Network conference. During this training, information was provided on how HRCyber is working with regional educational institutions, from high schools to community colleges and universities, in expanding the availability of internships as part of cybersecurity degree programs and on the development of articulation agreements between ODU and Tidewater Community College, Thomas Nelson Community College and the recently completed agreement with Northern Virginia Community College. The degree plan for ODU’s Interdisciplinary Studies Cybersecurity major was reviewed with all advisors.

Identify curricula revisions
A workshop was held on April 7, 2017 with the educational partners to discuss tools available for reviewing their cybersecurity curricula to meet workforce needs. Information regarding the DACUM chart and the results of the cybersecurity surveys were provided for use in reviewing and revising curricula. Faculty and staff routinely review their course curricula to see how cybersecurity modules can be added.

Virtual Lab
The ODU cybersecurity virtual laboratory provides a secure and user-friendly environment for distance learning students to remotely do hands-on labs, which are a critical component of many cybersecurity courses. The enterprise Cisco routers, switches, and security appliances in the laboratory provide comprehensive protection for the laboratory as well as shield the campus network from accidental cyber attacks. The high-end workstations, together with the Cisco networking gear, make it possible to create not only virtual networks but also real-world network environments connected by physical routers and switches, to emulate highly realistic cyber attack and defense.
Various hands-on labs, from the entry-level labs to advanced, comprehensive labs, have been developed and deployed in the virtual laboratory, supporting the cybersecurity courses currently offered by ODU.
To provide seamless access for our partners in HR Cyber Alliance to the ODU virtual lab, we have worked with ODU ITS (Information Technology Service) to upgrade the equipment in the lab. ODU guest accounts have been created for a list of faculty of TNCC and TCC. The partners need only a web browser to log in to their ODU guest accounts. The virtual lab can be seamlessly accessed from their guest accounts. Training on the capabilities of the lab has been provided to TNCC and TCC faculty and additional training will be completed as needed.

STEM Trifecta Challenge
Members of HRCyber served as judges in the STEM Trifecta Challenge in June 2017. Over 1,000 students from every school in the City of Virginia Beach participated in this annual event.

HRCyber provided $500 to the winning Cybersecurity Challenge Team, with two teams tied for first place – Advanced Technology Center and Ocean Lakes High School.

Workforce Summit Planning
We are finalizing our planning for our October 27, 2017 HRCyber Workforce and Economic Development Summit. This is one of the last major activities we have to complete as part of this project. See attachment C for the draft program and agenda for this conference.

Future Activities
Over the next ninety days, we will continue to complete all related activities associated with this project. This primarily includes planning and conducting a Cybersecurity Workforce and Economic Development summit on October 27, 2017. We are also co-sponsoring Thomas Nelson Community College’s regional cybersecurity conference on October 13, 2017 and participating in the NICE Conference in early November.

Additional Activities
Over the past three months, a number of additional activities that were not described in our proposal have been completed as a result of our participation in the RAMPS initiative. These additional activities include:
- Thomas Nelson Community College received designation from NSA as a National Center of Academic Excellence in Cyber Defense Two-Year Education.
- Faculty at Old Dominion University submitted two additional proposals focused on cybersecurity related issues.
  o The Engineering Management and Systems Engineering researchers were awarded $115,000 through The National Security Agency Cybersecurity Core Curricula Development Grant to develop a course in cybersecurity risk management to support the President’s Cybersecurity National Action Plan.
  o The Department of Electrical and Computer Engineering was awarded a three-year, $360,000 NSF Research Experience for Undergraduates (NSF REU) program. This grant will provide 10 undergraduate students from across the country with research opportunities in cybersecurity during the 10-week summer program.
- The HRCyber team joined forces with a team of individuals planning to seek state funding as part of the Virginia Initiative for Growth and Opportunity (www.govirginia.org). The effort is focusing on workforce development, research and development, and collaboration in the region and across the Commonwealth of Virginia.

Concluding Remarks
By all indications, our project continues its trajectory of success. We have accomplished all of our major activities with the exception of our Summit, which is scheduled for October 27, 2017.

Additionally, we are investigating ways for this initiative to continue after the NICE grant is completed in December 2017, and based on our Partner Azimuth Check the vast majority of our partners and stakeholders believe that this initiative needs to continue as this is an area of potential growth for this region.

Attachment A: Final Data Report
Submitted by the Social Science Research Center at Old Dominion University to The Hampton Roads Cybersecurity Education, Workforce, and Economic Development Alliance (HRCyber)
July, 2017

Introduction
The Social Science Research Center (SSRC) at Old Dominion University collaborated with the Hampton Roads Cybersecurity Education, Workforce, and Economic Development Alliance (HRCyber) to provide data collection and evaluation support to the project. The SSRC conducted focus groups with business and education representatives and used that feedback to develop surveys for businesses and educational partners to assess the workforce needs of cybersecurity companies in Hampton Roads. Finally, the SSRC met with small groups of the educational partners to discuss the placement rate of cyber students into the workforce and other related issues. The information from those data collection efforts is presented in this final report.

Focus Groups
Focus groups were conducted with interested individuals who were attending the Virginia Beach Cyber Convention and Expo on October 6th, 2016 and the Cyber Threat Conference held at Thomas Nelson Community College on October 7th, 2016. Approximately 15-20 people attended each session. Focus group participants represented a variety of perspectives including local government, smaller and larger cyber companies, college students, the shipyard, Department of Defense, and higher education. The basic summaries for each question asked can be found in the Appendix. Below is a general summary of the more substantive questions.

Recruitment Efforts
Participants were asked how their company typically recruits cybersecurity professionals. The responses seemed to favor direct interpersonal contact with potential candidates or through personal networks. Common responses included: recruiters, college fairs, internship programs, veteran sources such as transition assistance program (TAP) classes for the military, direct referrals, and networking within personal networks.
Other “traditional” methods such as job boards or classified postings were deemed by some as not very helpful.

Priority Skills/Knowledge Areas
Participants were asked to identify their top three priority skills/knowledge areas when hiring and/or training cybersecurity employees. The answers were varied and included the more technical skills necessary for positions in the cyber field such as prior programming experience, experience with vulnerability assessment, risk management, network detection and analysis, and penetration testing. However, other more basic skills were also mentioned including the need for lifelong learners who are passionate about cybersecurity, technical/proposal writing skills, soft skills/communication skills and customer service skills, and a general knowledge of how IT relates to business goals/strategies. These responses indicate the diverse nature of the skills and knowledge that businesses are seeking in their cyber employees.

Final Data Report – HRCyber

Difficulty in Finding Qualified Applicants
Focus group participants were asked how difficult it was to find applicants with the skills and knowledge that they mentioned previously. The general consensus was that it is difficult for a variety of reasons. Some of the non-DOD participants shared that conventional recruitment methods do not always work and they have to rely on personal networks to hire. Others reported seeing “paper tigers” – these are applicants who appear to have the necessary qualifications/certifications but they cannot actually perform the specific job tasks and requirements.
Participants from local municipalities reported not being able to compete with salaries offered by private firms or DOD. This results in local governments becoming a training ground with high turnover. Those from DOD reported needing people with security clearances. The “perfect candidates” would have a 4-year degree, but also the hands-on skills, the certifications and the clearances. Finally, many participants agreed that many applicants with the necessary technical/cyber skills do not have good communication skills.

Educational Programs and Preparing the Cyber Workforce
Participants were asked how well the local educational programs were meeting their needs for a prepared cyber workforce. They were also encouraged to share what else they would like local educational institutions to know about their workforce needs. The need for training in specific areas included:
- Risk management
- Vulnerabilities in programming
- Penetration testing
- Certifications
- Understanding the software development cycle
Participants also shared the need for a different mixture of skills or knowledge. Applicants are needed who can do more than one thing – particularly for employers that cannot pay for large IT departments or for specialists in every area. Many are looking for “geeks” or hackers but not necessarily needing those who are formally educated.
Some participants pointed out that there are courses for which no one at the college/university is qualified to teach. Another mention was that coders need to also understand hardware.
For DOD, their needs are driven by the requirements in the contracts and so it would be helpful if educational partners were familiar with some of those general requirements. Other basic or soft skills were mentioned including: being able to facilitate communication between the board, IT department and programmers and how to work as a team.
Other specific recommendations for educational programs included: starting training/introducing skills at the public school level to get students interested early, hosting/organizing hacking conferences or hack-a-thons, giving credit for internships, putting cyber into the general IT curriculum, including security in all CS programs. Finally, some participants mentioned the importance of the NIST framework and student access to security clearances.

Business and Educational Partner Web Surveys
The feedback from the focus groups was used to inform questions and response options for web-based surveys of business representatives and educational partners. The information from the surveys will help develop educational pathways from the public schools through community colleges, four-year institutions and continual professional development that will provide a capable and fully trained cybersecurity workforce for Hampton Roads. The survey was disseminated to over 200 business contacts asking about the cybersecurity workforce and their recruitment and hiring needs. Businesses were also encouraged to share the survey link with other business contacts who rely on the cybersecurity workforce. The educational survey was sent to 35 educational contacts in Hampton Roads.

Business Survey Summary
Email invitations to complete a survey of cyber workforce hiring needs were sent to business contacts in November, 2016. By February 20, 2017 a total of 34 business representatives completed the survey. The Appendix includes tables and charts for the survey results. This section will summarize some of the survey highlights.
The respondents to the business survey represented private/for-profit companies (64.7%), federal, state, and municipal government (26.5%), and not-for-profit organizations (8.8%). The business respondents came from various industries including cybersecurity, education, insurance and local government. Respondents held primary positions such as cybersecurity manager/administrator (23.5%), CEO/CFO (11.8%) and IT manager/administrator (8.8%).

Regarding recruitment methods, the survey results support what was found in the focus groups. Personal/direct referrals are among the most effective as reported by 41% of business representatives while more traditional methods such as classified ads were not a top effective method.

The 34 business representatives shared information on the number of current vacancies in their company for specific positions. Below are the total number of current vacancies reported for each position type. Cybersecurity analysts, engineers and consultants seem to be the most commonly reported vacancies for the responding businesses.

Position                                Total Current Vacancies
Cybersecurity Analyst                   27
Cybersecurity Engineer                  22
Cybersecurity Consultant                21
Cybersecurity Specialist/Technician     16
Cybersecurity Architect                 15
Incident Analyst/Responder              15
Cybersecurity Manager/Administrator     12
Penetration and Vulnerability Tester    11
Cybercrime Analyst/Investigator         6
IT Auditor                              5

The information on vacancies is generally consistent with the feedback from business representatives about the hardest positions to fill. Cybersecurity analyst (33%) and engineer (48%) ranked among the most commonly mentioned as hard to fill. More than one in five business respondents (22%) also mentioned cybersecurity architect, penetration and vulnerability tester and cybersecurity specialist and technician as among the hard to fill positions. IT auditor (4%) and incident analyst/responder (4%) were selected by a lower percentage of businesses as hard to fill. Cybersecurity consultant was also not frequently selected as difficult to fill yet it was third-highest in terms of number of current vacancies.

Business representatives were asked to rate the importance of certain skills and knowledge. The survey results were fairly consistent with the focus groups results in the variety of skills and their importance ratings. Risk management (82%), networking (79%) and network detection and analysis (79%) were among the technical skills most often selected as at least somewhat important. However, general problem solving (94%), communication skills (94%), and writing skills (85%) were among the more basic skills that were rated as important – in higher percentage than the more technical skills.

Businesses were also asked to identify the most difficult knowledge skills to find in applicants. Once again, some of the more basic skills were mentioned as often (if not more) than the technical skills including communication skills (32%), general problem solving (21%), and understanding the business environment (18%). Penetration testing (21%), CISSP certification (21%), and security clearances were selected among the most difficult skills to find – which is consistent with the focus group results.

Businesses were asked to rate the quality of cybersecurity education available from the educational institutions in Hampton Roads. Public schools received no “excellent” ratings while 21% of businesses described the education from community colleges as excellent. Only 8% described local four-year colleges and universities as excellent. More than half of business representatives (54%) described the quality of education from colleges/universities as good, compared to 38% rating community colleges and 21% rating local public schools as good. Public schools received the highest percentage of businesses rating them as “poor” at 29% compared to 8% for community colleges and 13% of four-year colleges/universities.

[Chart: Education/Training – Rate the quality of cybersecurity education available from educational institutions in Hampton Roads; categories: Public School, Community Colleges, 4-Year Colleges/Universities]

Business representatives were asked how well local educational institutions prepared students in various categories based on the NIST framework. The majority of businesses responded “fair” to most categories with two-thirds (67%) responding fair to the recovery category (maintaining plans for resilience and restoring capabilities/services that were impaired due to a cybersecurity event). More than half (57%) responded fair to the respond category (developing/implementing the appropriate activities to take action for a detected cyb
