Ryan Corey is President and Co-founder of Cybrary, Inc., an online security training and education provider. Cybrary provides free access to security courses, along with learning tools and an enterprise training product.
OPAQ: Describe business needs for security training today and how/why online courses are a good fit for meeting them?
RC: Technologies are shifting so fast, and attack surfaces are expanding so fast that it is tough to keep up with it all. Equipping personnel with the right skills is critical. Research has shown that companies retain their people when they continually train them, but the tech and IT security training landscape is problematic. The traditional model is to send people on a one-week course, where they cram in lots of material at a cost of $3,000 to $6,000. The industry would certify people in whatever course they took, and that’s another $300 to $1,000 for the test. It’s also inaccessible: if you are not close to a major metropolitan area then you have to travel. And if a company doesn’t sell enough seats in a course, then the course might cancel. That’s inconvenient. It became obvious when companies like Pluralsight and Linda started having massive success that online became the preferred way to do training. You can do it at your own pace, and it’s much more affordable. Microbursts of learning are what seems to work best for most people.
OPAQ: From looking at your user base and most popular courses, what trends do you see that correlate to security education and/or security needs?
RC: Concepts like the DOD 8140 directive for federal government and pen testing are popular with consumers and on the enterprise side, incident response and threat intelligence. The enterprise product, which is the paid side of the business and includes full access to all the learning tools, is seeing 20-30% revenue growth monthly. Yet we also know that so many security teams are not getting training, and it’s surprising.
OPAQ: In what cases are online learning not an appropriate match for security professionals?
RC: People tend to go to classrooms when there is pressure to learn something in a specific time period, when they need mentorship, or hands-on training. I think where online falls short is in the accountability aspect, but you can design courses with gamified concepts to help keep people engaged. It’s like going to the gym on a regular basis. Sometimes you don’t see what the reward is going to be, so maybe you won’t go.
OPAQ: Aside from training and education, what else is critical to closing the security skills gap in this country?
RC: The final piece is assessment. Let’s say a stay-at-home mom who used to work in IT wants to go back to work after being at home for five years. She’d like to work in cyber but she’s got no experience. So even if she goes and takes a $5000 course for a week, that’s still not enough, and getting a two-year degree is really not convenient and it’s expensive. That is very high friction. That’s the same for someone just starting out. A degree is not useful without experience. If an individual takes online training and does an assessment, that puts them through real world scenarios and gives scores for their performance. There is a company called Cyberscore that offers tech assessments for system administrators. Coding challenges are another way to do this. The point is, people need a transparent way to show that they are technically proficient in a security skill to the employer.