Kevin Nolten is Vice President at the Cyber Innovation Center based in Bossier City, Louisiana. The center’s mission is to focus on cybersecurity workforce and education pipeline issues.
Listen to the full episode
Key points
- Cyber innovation center’s role: Located in Bossier City, Louisiana, the center focuses on cybersecurity workforce and education pipeline issues. It supports Barksdale Air Force Base’s mission and aims to grow the cyber workforce for the federal government.
- Early cybersecurity education: The center emphasizes introducing cybersecurity concepts to students at an early age to address the workforce gap. There are currently around 600,000 cybersecurity jobs in the U.S. without a sufficient workforce.
- CYBER.ORG initiative: This academic initiative integrates cybersecurity concepts into K-12 education. It creatively incorporates cybersecurity topics into standard subjects, like using gigabytes instead of apples in math problems, to spark interest in technology and cybersecurity.
- Teacher training: CYBER.ORG also focuses on training teachers to handle cybersecurity topics, encouraging them to facilitate rather than lecture, which leads to higher student engagement and knowledge retention.
- Federal government’s role: The Department of Homeland Security and CISA (Cybersecurity and Infrastructure Security Agency) are heavily involved in reducing the cybersecurity workforce gap. The partnership with CYBER.ORG has educated 35,000 teachers, impacting around 4.2 million students.
- Diversity in cybersecurity: Efforts are being made to diversify the cybersecurity workforce, including initiatives like Project REACH, which focuses on historically black colleges and universities (HBCUs) and Hispanic-serving institutions (HSIs).
Check out the full transcript of the show
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening
Today our guest is Kevin Nolten, Vice President at the Cyber Innovation Center. We’re going to be discussing cybersecurity education and workforce development.
Welcome, Kevin. Thank you for joining me today.
Kevin Nolten:
Thanks so much, Steve. It’s great to be here.
Yeah, thank you. We appreciate you giving up some of your time to talk about this very important topic with us, something that I know that you and I are both passionate about. So let’s start with setting the groundwork for our audience to help them to understand the Cyber Innovation Center and its role in cybersecurity education and workforce development, or anything else you think we need to know about the Cyber Innovation Center.
Kevin Nolten:
Definitely, Steve. Well, really happy to share with you about the Cyber Innovation Center. We’re located in a little suburb of Shreveport, Louisiana. The town’s called Bossier City. And the Cyber Innovation Center is the anchor of a 3,000 acre research park, a national cyber research park. And this cyber research park is the largest contiguous neighbor to Barksdale Air Force Base. Barksdale Air Force Base is a major command and not necessarily going down that path, but it’s important because the reason the Cyber Innovation Center exists is to support the mission set out of Barksdale Air Force Base.
The mission set of Barksdale Air Force Base was the reason the Cyber Innovation Center was stood up so that we can then take innovation and provide it to the federal government. And as we began down this pathway, we quickly realized that in order to grow and expand the cyber workforce for the federal government, we need to focus on workforce development. The conversation goes, is it the chicken or is it the egg? We firmly planted our investment in the egg. We said, if we can start introducing students to cybersecurity at an early age, we then will begin solving the workforce challenge that we have in our country today around cybersecurity.
As you probably know, Steve, there’s 600,000 cybersecurity jobs that are in the country today, and we don’t have a workforce to fill it. And my philosophy is that we are in this position because of our lack of attention to STEM education 15, 20 years ago. With cybersecurity education, we do not want that to be the case 15, 20 years from now because there is national security implications on that. So we firmly plant our attention, among other things, but firmly plant our attention to cybersecurity workforce development, and we started at the K-12 space.
That’s the part that really intrigues me, and I so agree with that idea. We need to start with the K-12 space. If you wait until kids are already in college, before you start teaching them about cybersecurity, I guess two things happen. One is they’ve already spent decades on their devices without proper security understanding, and the other is that they’re already behind in where they need to be academically learning about this topic. So is that, in fact, where CYBER.ORG… You’ve got Cyber Renovation Center, we might call it CIC, and then there’s CYBER.ORG, and is that where that comes into play? Is the K-12 student development? What’s the relationship there?
Kevin Nolten:
Definitely. CYBER.ORG is the academic initiative of the Cyber Innovation Center. And how CYBER.ORG does this is very unique and it’s very innovative. Well, CYBER.ORG does is it takes concepts that already need to be taught at the K-12 level, your math concepts, science concepts, ELA, social studies concepts, and we integrate a context of cybersecurity into those concepts. So for example, here’s what that means. You’ve got to teach subtraction at the second grade level and the story and the word problem goes, “Sally has three apples at the house. She has five friends coming over. How many apples does Sally need to go out and buy?” Well, our philosophy is let’s change apples to gigabytes because kids know what apples are. So here’s the story. Sally has a computer at the house that has three gigabytes of memory. She has five friends coming over. How many gigabytes does Sally need to add? At that second grade level, we transform a student’s mindset about gigabytes. What is a gigabyte? What is computer memory? What’s computer hardware? What’s a DDoS attack? Because that plays into effect of computer memory.
And so we take a math lesson that you have to teach. We teach it in a unique way that peaks a student’s interest in technology, in cybersecurity, and then we’re propelling our way down a path that that student can select courses in middle school. That student can select high school pathways around technology, and then that propels them into the two year, four year, or career degree field. So even research has shown that students are making informed decisions about what trajectory, what career trajectory they want to make at the fourth grade level. So if we don’t introduce students to these cybersecurity careers, then they are going to be, this sounds bad, but they’re going to be stuck in a rut that they know.
If their mom is a doctor, if their dad is a lawyer, or if their mom works at a local convenience store, if her dad works at a manufacturing shop, that’s the world they know so that’s where their attention and interest will lie. But what we do is we give these students at the second, third grade, these career profile cards. And these career profile cards, if you remember the old baseball trading cards, these are the shape of a baseball trading card. And on the front, it has a cybersecurity career on it. So there’s cards like information assurance analysis, cheap information security officer, cybercrime investigator. There’s 35 cards that we have developed today, and growing.
And then on the back of these cards, it talks about, what are the essential duties of this job? Is a degree required? And half of them have degree required, half of them, but the half that don’t require industry-based certifications. So it talks about what industry-based certifications are required, and then it has their median salary. And so these students can get out of that “rut” of, this is all I know about. So I’m taking content and curriculum that’s being integrated into the classroom and then coupling it with career awareness resources. Now I have what it takes to make an informed decision as to, what do I want to be when I grow up?
I absolutely love that. I’ve got a granddaughter who’s three, almost four, and I am amazed at her ability to navigate devices from a user’s perspective. I mean, she knows how to turn on the iPad and to get where she wants to go on the iPad to watch the video that she wants to watch. She knows how to do all that. So it’s just thrilling to me to think that when she starts in K-12 that she’ll be able to learn some of what goes on behind that. Right? We need to know more than just click here and click there from a user’s perspective, but she will need to understand why it works the way it works and some of the dangers that are out there. So I really appreciate that. That’s pretty exciting to me.
The question that comes to my mind then is, well, in K-12, we’re trying to teach students this, but do we have the teachers who have the knowledge that they need to do that, or is there any curricular resources to help teachers that CYBER.ORG puts together?
Kevin Nolten:
Yeah, definitely, Steve. One of the things that CYBER.ORG focuses on is providing the teacher whatever they need to teach the content. So whether it’s the idea to change apples to gigabytes, and that’s very, very foundational, but our content and resources go up and expand into the upper grade levels, whether that’s upper elementary, middle high school, and get very technical. And we get students on a cyber range. We’re teaching students about malware, phishing attacks. We’re teaching them coding and how to write secure code. And those concepts can be very intimidating to teachers. And as a former administrator myself, I remember looking at concepts that I wasn’t trained on and going, wow, that’s scary. How can I teach something that I don’t really know or feel comfortable with? And how can I teach something that probably my students know more about than I do?
And so what we do through our grant with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, CISA, is we train educators. We invite teachers to participate in our professional development workshops, whether that is in-person or virtual online, and through our training, first of all, it’s kind of a psychological adjustment. You can do this. You can teach cyber. You do know this. And we teach teachers how to almost be facilitators in the classroom as opposed to lecturers in the classroom. And if you are a facilitator in the classroom, then you are leaning on your student’s knowledge and contributions in that learning environment that then leads to higher student engagement, higher knowledge retention, less distractions in the classroom, which means less discipline problems. And so by just transforming this entire classroom environment, what we’re able to do is solve a lot of other secondary and tertiary issues that a lot of our classrooms are facing today.
Excellent. Thank you for that. I want to pivot our focus here just a little bit. So looking through your website, there’s an obvious relationship between CYBER.ORG and the Department of Homeland Security. Obviously the federal government has an enormous stake in having a trained workforce that they can draw upon. So maybe you could talk to us a little bit about how CYBER.ORG or CIC helps for that mission of cybersecurity education for the federal government.
Kevin Nolten:
Definitely. Well, the Department of Homeland Security back in 2009 approached us about a challenge that they had with this cybersecurity workforce gap. They have an issue with filling cybersecurity jobs, not only within DHS, but within the entire federal government. And DHS, oh, gosh, five, six years ago, spun off a sister organization that is the Cybersecurity and Infrastructure Security Agency, CISA. And CISA has had the task of not only protecting the critical infrastructures of our country from a cybersecurity perspective, but they’ve also been tasked with figuring out how to stop and decrease the cybersecurity workforce gap of our country.
And I’m proud to say that we’ve been partnered with CISA. We just started our 11th year as a partner with CISA. And through that partnership, we’ve been able to educate 35,000 teachers. Those 35,000 teachers are getting access to our content and curriculum. Those 35,000 teachers are from every state, four US territories, and the impact is around 4.2 million students. Those teachers have taught 4.2 million students in the country.
And I’m really happy. Last year was the first year that cybersecurity jobs number leveled out. It grew a little bit, but it didn’t go from 100,000 to 300,000 to 700,000 like we thought, it has leveled out at 664,000. And that’s a testament to what the federal government is doing in investing in workforce development. And that’s a testimony to what CISA is doing to ensuring that we are focusing on that talent pipeline at all levels, whether it’s K-12 through our organization, whether that’s through higher education, whether that’s through scholarship for service, the CAE, the Center for Academic Excellence Program, whether that’s this new campaign that just recently launched called Shields Up, where we’re protecting the borders, our border security, and the outreach efforts that program has as a part of it. CISA is doing a phenomenal job at taking a look at the comprehensive workforce challenges of our country.
And that’s probably the key, I think, because it’d be easy to think, oh, well, yeah, the federal government needs a bunch of trained people. They need people trained in cybersecurity. And that is probably CISA’s primary role. But when you think about how complex cybersecurity is and the interrelationship between the federal government and all of its partners, which includes every industry, the ecosystem, the cyber ecosystem that the federal government deals with, has tentacles that go everywhere. So it’s not just people working for the federal government that impact their cyber readiness and ability to defend our cyber infrastructure. It goes throughout the whole country. So you may not end up working for the… My granddaughter may not end up working for the federal government, but there’s a good possibility she’s going to work for some organization that has a relationship with the government, and even an organization that has a relationship with an organization that has a relationship with the federal government. And all of that is connected, particularly when you’re talking about cyber readiness.
Kevin Nolten:
They are. And I would just add one comment to that, Steve. What I challenge folks to think about, and I’ve not gotten an answer yet, so if one of your listeners has an answer for this question, I’m all ears, but name me a job that does not have any implication of cybersecurity in it.
Steve Bowcut:
Yeah, exactly.
Kevin Nolten:
There is none. Whether you’re going into the medical field, law, law enforcement, business owner, whether you’re owning the flower shop on the corner of 3rd and Main Street in downtown, cybersecurity plays an important role in your business, in your careers. And we all have to be cyber literate. That’s why my mantra with my team is every student cyber literate, period. Every student cyber literate. Because no matter what business you’re going into, you need to know, hey, I shouldn’t click on that link that I got in an email. Hey, I shouldn’t open that attachment from this person that I don’t know, or I shouldn’t share my password. I mean, those are the foundational things that I think some of us take for granted. But to the group of individuals who are not cyber savvy, then that may not be an automatic thought. And so what we have to do is we have to educate every citizen in our country to be cyber literate. And if we can do that, then our national security vulnerabilities from a cyber standpoint will diminish over the next 10, 15, 20 years as this young population of cyber literate students go into that workforce.
Yeah, exactly. And another aspect of that, I think, that I would like to touch on is we have such a diverse society today, so how do we include students from diverse backgrounds and communities?
Kevin Nolten:
Yeah, Steve, not to sound flippant, but that to me is an easy solution, but it’s going to require a little bit of an investment. And this is why CYBER.ORG has done, I think, a phenomenal job of taking something that it’s not hard to do, it just takes time and energy to do it. And we’re investing that time and energy. And here’s how, this is what I mean by that. We launched two years ago a project called Project Reach. Reach, R-E-A-C-H. That stands for realizing equitable access to cybersecurity in high school. And what we did first out of the gate is we partnered with Grambling State University, an HBCU in northern Louisiana, who’s been a great partner and a great friend of ours. And we worked with Grambling to develop a high school feeder program that goes into their four-year cybersecurity undergraduate degree program, a degree program that we actually helped them build. But we ask Grambling for three high schools that they don’t get students from.
And so we went to those three high schools. We worked with our principals. We built them a cyber program, a four year, here’s what you take of the freshmen, sophomore, junior, senior year. And in its first year, we took a group of juniors. There were 600 high school students who participated in Project REACH in its first year, split between those three high schools. Of those 600, 95% of them will be, when they do enroll next year, hopefully, will be first time college students, 95% of them. 100% of those students, after completing one year of our program, are now interested in pursuing a cybersecurity undergraduate degree program. And a majority of those want to go to Grambling.
So we knew we had something there. We knew that we had to partner with the university to ask for their feeder high schools to work on that bridge. So 600 students in the first year, CISA says, “Oh, I like that program. Let’s continue funding that.” And they asked us to go to 12 additional HBCUs. So now we just launched this year, the first year of the 12 additional HBCUs. We’ve then took it a step further and said, “Yes, while we need to focus on our historically black colleges and universities, we also need to focus on our Hispanic serving institutions.” So we went through and translated all of our content and curriculum into Spanish and are now working with our HSI partners, mostly in Texas, California, Arizona, areas where our Hispanic populations are greater in the country. And we’ve asked our HSI partners to say, “Give me three high schools that you want to see increase in pipeline.” And so we’re working now to get those schools to come online and hopefully the winter, the winter 2024, but at the very least we’ll have them on board in the 24-25 academic school year.
So we were focused on diversity. And I call diversity from a racial, ethnicity standpoint, gender. So we partnered with the Girl Scouts and we developed the cybersecurity badges for the Girl Scouts, where over a million badges have been earned by Girl Scouts across the country. And so what we have to do is we can’t just say, “I’m going to write curriculum and then I’m going to have to let just everybody come to me and get that curriculum.” If I don’t tailor that curriculum, to the demographics to the diversity issues of our country, I’m not doing a good job of it. And so how hard is it for me to tailor content and resources to the audience? Whether it’s translating it into Spanish, whether it’s providing it through an HBCU partner.
So that’s what I mean by it’s not hard. It just takes a little time and energy to do it. And that’s important to me. Diversifying the cybersecurity workforce is absolutely critical. If we don’t diversify it, that 464,000 number I told you about earlier is going to continue to grow because we’re not going to solve the cybersecurity workforce challenges with a bunch of white males.
Agreed. That’s absolutely true. Thank you for that. And I was going to ask you, and I still will, to share some examples, some success stories. And it sounds like your diversity initiatives is in itself a success story, so I appreciate that. But are there any other maybe more personal examples of students who have benefited from the programs that you guys have?
Kevin Nolten:
100%. There’s a gentleman, a young man who 12 years ago participated in a robotics competition that we hosted. The evolution of CYBER.ORG is, we’ve really started on STEM and then now I’ve gone more of a technical cybersecurity route. But 12 years ago, we were doing STEM, we were doing robotics, and that student was in middle school. He was in seventh grade. And as he progressed through middle school, he went into high school, he sunk his teeth into a cybersecurity pathway and now is in the workforce. And he’s working in a building that is right behind me, that’s a major defense contractor, IT services provider that has 1,600 jobs in our northern Louisiana community. And this student was born in northern Louisiana, raised in northern Louisiana, educated in northern Louisiana, and now has a high paying cybersecurity job in northern Louisiana. And that success story to me is a testament to a small agriculture, oil and gas economy community, diversifying that economy into a cybersecurity economy. If we can do it, anybody can do it.
And there’s success stories across the country. You look at North Dakota, which is the fastest growing cybersecurity workforces in the country as far as a state’s perspective. We built that program for North Dakota. You look at what Kentucky’s doing, what Arkansas is doing, you look at Arizona and what Maricopa County is doing, we built that cyber program for these large counties, for the state departments of education. And those 4.2 million students that have been impacted, I’ve got 4.2 million success stories that can correlate with those students.
That is so cool. Thank you for that. Are there any other organizations or cybersecurity community stakeholders that you engage with that you want to touch on?
Kevin Nolten:
Definitely. It takes a village. As parents, you say it takes a village to raise your child. It takes a village to raise the next generation cyber literate workforce. And there are partners all over the place, but I would be remiss if I didn’t mention NICE, the National Initiative for Cybersecurity Education. This is out of the Department of Commerce. And so Department of Commerce, and then there’s NIST, National Institute for Science and Technology, and then under NIST is NICE. And they’re a bunch of nice folks. That’s always my joke. But the NICE organization has community of interest groups and they have community interest groups for higher ed, for workforce, for certifications, but for K-12. And if your viewers are interested in a community, a coalition that is just willing to help throw in sharing of ideas, go to the NICE website and find a community of interest that’s suited for you. So if you’re higher ed, then go into the higher ed. I’m personally invested in the K-12 piece, so I’m a member of the K-12 community of interest.
So going into the NICE community and getting plugged into that, really the community is a great way to meet partners, to meet friends, to meet like-minded individuals who are trying to solve the cybersecurity workforce challenges, that are trying to solve the diversity issues around cybersecurity and workforce, that are trying to find funding to do this. Why go out and buy something when somebody in that community can offer to you something for free like we do? So CYBER.ORG’s resources are available at no cost.
And so Steve, at the risk of forgetting somebody in our Rolodex of partners, go to the NICE website, get plugged in there, and you yourself will find the true value that that community of interest will have on what you are trying to do in the cybersecurity workforce space.
Perfect. That’s great advice. Thank you. I appreciate that. Now, we’ve painted a very rosy picture, but I’m sure there are some challenges that you face. And so maybe you could just give us a glimpse into that. What are some of the challenges that you face, and maybe not just your organization, but this initiative for cybersecurity education and developing a cybersecurity literate workforce. What are some of the challenges and how do we overcome them?
Kevin Nolten:
Well, I think challenge number one is funding, right? But that’s too easy of an answer, right? So what I would say is that our biggest challenge is adoption of resources. You look at the K-12 education space, there are six hours in a school day and based on state standards, based on the requirements of educators, there’s probably eight hours of content that you need to get into a school day. And so when we go to schools and say, “Look at this content,” even though it aligns to state standards, even though it doesn’t add to it, it just replaces, “We got to teach subtraction. Just don’t use Apple using gigabytes,” even though it does that, we’re met with resistance. We’re met with, “Oh, I don’t get time for that. Oh, that’s going to be hard. Oh, I don’t know anything about cybersecurity.” And so what we just have to do is it’s a marketing campaign.
Just as the Army had Uncle Sam going, “I want you to join the Army,” it’s I want you to teach cyber and you can. Just as everybody can join the army, that was the mindset behind the campaign, everybody can teach cyber. And so what we want to do is to just change a mindset of, “That’s hard. I don’t have time for it,” to, “I can do this and this is how I can do it.” I think that’s probably one of the greatest challenges.
Now, I can go into the politics of what standards are getting adopted in what states and what priorities different state departments of education has and boards. And those are just, to me, nuances and problem sets. I love going into a state department of education and say, “Okay, I acknowledge that you do it this way, but what if we think about it a little differently?” And for the most part, we’re met with receptivity. We’ve got strategic partnerships with about 40 state departments of education, and that means that we have worked with state departments of education to change ways in which we think about cyber education.
So education reform, and I use that very, very loosely because that has a lot of context, is to me important. How are we prioritizing what we need to teach in the digital age that we live in, that’s what I mean by education reform. Let’s think about what we’re teaching and how we’re teaching it and how that plays into the workforce that we will need 15, 20 years from now, not the workforce that we need now or not the workforce that we needed yesterday.
Right. Very good. All right, so we are about out of time. I want end with one final question here that I think our audience will find interesting maybe to see your perspective looking into the future. What are some of the future goals or your vision for where we’re headed and what the world should look like in the future?
Kevin Nolten:
Well, as I mentioned earlier, my goal is every student cyber literate. And that’s what I want to see. And by the time I retire, I want to know that every student has had some kind of access to cybersecurity education. Now, that’s a long flag in the sand. It’s a long ways away. But more near term, what I want to see is an embrace of cybersecurity as a relevant concept that’s needing to be taught across all academic disciplines. When we look at industry sectors, when we look at critical infrastructure, we have to acknowledge that cybersecurity plays a role in that. And I think what we need to do is to ensure that not only is the federal government paying attention to this. And I commend CISA, and I know I’ve thrown a lot of credit that way. I commend CISA for thinking forward on this cybersecurity workforce, but it’s also the responsibility of industry in each of our communities, large and small, to invest in their workforce development.
They always say that succession planning in any organization is very, very important, but it’s not just the CEO that you’ve got to figure out how to do succession planning. It’s your entry level positions because when your entry level positions spend five years in that seat and they get promoted, who else is coming in? And so while companies now I think say, “Well, we’ll just leave it to happen, chance, to see what the pool of talent is,” no. Be in control of the talent pipeline that you’re consuming on the front end. And if we can knock those two things out, then we’ve got a cybersecurity workforce that’s going to be set not for just 15, 20 years, but for centuries because we’re planting the seeds now.
Think about it, when you go on a walk in the woods and you’ve got these giant trees, those giant trees were not planted in your lifetime. Those giant trees were planted centuries ago. What we have to do as citizens of our country right now is plant the seeds of a cybersecurity workforce and a cyber literate population so that a century from now, we have this cyber safe population where our national security issues around cybersecurity are null. That’s the goal.
Very good. Excellent. Thank you so much. I think we’re going to have to end it there. This has been a fascinating conversation. I really appreciate it. I know we could both go on for another hour easily, but thank you, Kevin. I really appreciate you giving us some time today.
Kevin Nolten:
Absolutely, Steve. This is something I’m very passionate about. And if we can do anything for your viewers, please don’t hesitate to reach out to us, CYBER.ORG. That’s our name and our website, so it’s a pretty easy thing to remember.
Steve Bowcut:
And we’ll put links to that in our show notes. So thank you so much and a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide podcast.