Cyber apprenticeships: old solution to a new problem
Why business, government, and military officials in St. Louis built one of the country’s first cyber apprenticeship programs.
This article is part of a special CXO Report on the cybersecurity talent pipeline. Read the entire report.
Masterclock hardly looks like a company that works with NASA. Tucked away in a suburb of low-slung ranch homes just outside St. Louis, Missouri, Masterclock is more important than its relative obscurity suggests. Many of the world’s top tech and defense firms, such as Lockheed Martin and Boeing, rely on the company, a precision timing device maker, to keep complex systems of networks and devices perfectly in sync. Those big-name connections, combined with Masterclock’s small size, make it a juicy target for hackers.
Cyberattacks on small businesses have increased dramatically over the past five years, and until recently Masterclock didn’t have a dedicated staffer among its 20 employees monitoring the security of its networks and data. It fell victim to an elaborate phishing scam two years ago and lost about $50,000. “We just didn’t have anybody looking for holes,” says CEO John Clark.
Many other businesses don’t have anybody looking, either. As securing networks and information becomes a vital priority across a range of industries, there are more available (and essential) cybersecurity jobs than qualified workers. Between September 2016 and September 2017, 286,000 open cybersecurity jobs were posted in the United States, according to the job market data firm Burning Glass. Globally, experts predict a shortage of 1.8 million cybersecurity workers by 2022.
So instead of competing for a highly paid analyst in an incredibly tight labor market, Masterclock tried an old-time approach that is slowly gaining new traction in some sectors of the U.S. economy: hiring an apprentice.
In November, Masterclock brought on Kate Drollinger, a student in a new cybersecurity apprenticeship program run by the Midwest Cyber Center (MC2), a St. Louis nonprofit. She’s learning the ropes of the company while completing 18 months of certification course work online. Half of her wages are paid by the company, half by MC2 grant money. Apprentices earn between $15 and $24 an hour while enrolled.
Apprenticeships, in which companies hire inexperienced workers and pay them to learn on the job, are rare in the U.S. But supporters think they could be a promising way to grow the cybersecurity talent pool. Currently, mainstream models of education aren’t cutting it: U.S. universities conferred just 64,405 computer and information sciences bachelor’s degrees during the 2015–2016 academic year. And when it comes to cybersecurity, according to MC2 executive director Tony Bryan, “most employers aren’t necessarily as concerned with a traditional degree” as much as the certifications and specific technical skills. Plus, the apprentices are paid, offering a pathway for people who otherwise wouldn’t be able to afford to stop working to expand their skill sets.
A community effort
Cybersecurity apprenticeships are a brand-new phenomenon. The first registered with the Labor Department in Virginia in 2016; another is run by a California community college. Launched last year, MC2’s is the third in the country and the first in the Midwest. A military veteran with nonstop energy and a decade of experience on the St. Louis nonprofit and startup scene, Bryan didn’t know much about apprenticeships at the start. “I think, like most, I assumed that apprenticeship programs were for trades, like electricians and carpenters and painters,” he says. “I didn’t know that there were programs for everyone, from coders, to dental hygienists, to X-ray technicians.”
Walking through both MC2’s headquarters in a squat brick office park on Scott Air Force Base and at TREX — a modern, industrial co-working space downtown with Budweiser on tap (it’s St. Louis) where MC2 rents an office — it’s clear Bryan has never met a stranger. He knows, stops to chat with, and shares a personal tidbit about everyone we encounter, including a miniature poodle roaming around TREX with her owner.
That knack for making personal connections and bringing people together proved vital in launching MC2’s program, which was designed in partnership with (and draws funding from) area businesses, government, and military officials. Scott Air Force Base, which houses MC2, faces its own obstacles in terms of finding and retaining tech talent.
“At some point the Air Force has to acknowledge the fact that it’s an IT organization that flies,” says Colonel Terrence Adams, the base’s chief information and data officer and a member of MC2’s advisory board. “We not only need military people who are focused on cybersecurity, we need contractors who are focused on cybersecurity, and our civilian workforce. There’s just not enough as we continue to grow the need here,” he says.
“It’s not just for tech firms,” says Mardy Leathers, a Missouri Labor Department official and the director of workforce development for the state. Robust cybersecurity, he notes, is now vital to successful operations for major industries in the area, including less obvious ones, like manufacturing. “They all have to deal with the challenges of protecting data, securing data, and organizing and managing their data.”
Clark of Masterclock agrees. “We’re a little company with a very specific niche that has products deployed in some of the most secure places around the world, and we still feel vulnerable,” he says. “And if that’s the case, I just imagine some of these companies whose infrastructure is older, there are holes probably everywhere.”
According to Clark, his apprentice, Drollinger, already has proven valuable in the space of a short few months. Her first task was rooting around the company’s servers to see what sensitive information she could access as a generic user. She found plenty, digging up old password files, banking statements, and other information that, oftentimes, employees had left exposed on their personal computers.
Drollinger became fascinated by cybersecurity at 13, when a hacker took over her laptop. She watched, helplessly, as the hacker typed on her screen and opened programs until she slammed down the power button and turned off the computer. To her, the work at Masterclock is gratifying because she can apply lessons learned through her online coursework in real time. “I never really could find my place in the classroom,” she says. “It’s very passive, and I never could quite figure out how the stuff in the classroom would apply when I got out in the real world. But with this apprenticeship, the relevance is key. My boss doesn’t ask me to do anything that doesn’t have direct impact on the business.”
Drollinger’s dream is to own her own medical device company, and her job at Masterclock feeds into her interest in how to improve the cybersecurity of internet-connected devices, such as clocks and X-ray machines. So far, it’s a perfect match. “I’ve never had a bad day at work,” she says.
Matching underserved talent and open jobs
Still, Adams at Scott Air Force Base points out that closing the cybersecurity jobs gap will involve reaching beyond people like Drollinger, whose interests and career goals match up with what most people think of as a stereotypical “cybersecurity job.” “A lot of people, I think they think it’s too technical, it’s not for them, but there is a large range of different jobs we can offer.”
One of MC2’s apprentices, for instance, works at the Saint Louis Science Center, a local museum, teaching cybersecurity basics to middle and high school students. “Now we can reach into communities [where] we never thought that we’d be into,” Adams says. “So, retirees, they could be veterans of the military, they could be somebody who may have been a bus driver before. You just never know the talent.”
Jasmine Owens, an apprentice who also does program management and recruitment for MC2, thinks awareness that such a model exists could help make tech jobs accessible to people beyond the usual cohort of college-educated white men. (According to one survey, just 5 percent of tech workers are black or Latino; less than a quarter are women). When she presents at area high schools and community colleges, “they’ll ask me specifically, as an African American, how many of us are doing this?” she says. “Then, as a female, how many women are doing this? They don’t teach it in the high schools. You don’t hear about it, so your interest is not piqued. You don’t know the opportunities out there.”
Leathers, the workforce development head, says MC2’s program is a promising model for tackling some of Missouri’s most pressing labor market issues. The state’s labor participation rate and skills gap are higher than the national average. “About 1.6 million members of our workforce don’t have the specific skills to match the jobs that are here in Missouri, or let alone, the jobs that we feel are going to be emerging,” he says. “We see a big push for jobs that require less than a bachelor’s degree but more than a high school degree. Those are the jobs that are in demand, and employers have those needs. What we’re trying to do is create a talent pipeline that can flow right into that.”
Despite the growing popularity of college-based experiential learning programs such as those offered by Northeastern University and Georgia Tech, the apprenticeship employment model in the U.S. is still a rarity. Fewer than 150,000 workers started apprenticeships in 2014. Per capita, U.S. apprenticeship numbers are dwarfed by countries in Europe, including Germany and France, where the model is more common.
Part of the disconnect, Leathers says, is that education and employment have evolved on separate tracks, and employers in the U.S. aren’t used to investing in unproven workers. “It’s a paradigm shift in that companies have to really rethink how they are investing in recruiting, attracting, and retaining talent,” he says. “That does mean putting some money upfront into developing individuals who aren’t completely job-ready.”
Bryan at MC2 says that placement has been the biggest challenge for the first apprenticeship class. Three hundred workers applied to be in the program’s first cohort. After a rigorous screening process, 25 were enrolled. So far six have been placed with companies, but Bryan is confident that number will grow. “Companies are actually approaching us and asking how they can get involved,” he says. “We made a transition so [they] can find their own candidates and simply enroll them into our program, and we continue to offer the same curriculum and the training and supports that we would if it was a candidate of our own that we were having to find.”
Though the program is in its infancy, apprentices have found work with local businesses, including Elsevier and the cybersecurity firm Network Technology Partners. Agriculture giant Monsanto has signed on to offer a position within its company. And Bryan has ambitions to take the program beyond St. Louis. “We’d like to be able to go in a few different cities, and we deliberately built our program the way it was so it’s adoptable in any city,” he says. “If Boston called tomorrow and said, ‘Hey, we really like your apprenticeship program,’ we can provide the support.”
CXO Magazine is a publication founded at Northeastern University to chart the ideas, events, and people shaping the future of work. Learn more.
