Checklist 219: Teaching Tomorrow’s Cybersecurity Pros with Robert Speciale

This week on The Checklist, we talk with award-winning educator Robert Speciale, whose innovative program is teaching cybersecurity to high school students. We’ll discuss:

• Teaching cybersecurity to digital natives
• The gradual approach to technical education
• The risk of training “future bad guys”

Closing the cybersecurity skills gap

Cybersecurity skills are in demand — so much so that the infosec industry routinely worries about a “cybersecurity skills gap”, since there are simply not enough trained workers to fill all of the open positions!

Robert Speciale teaches at Indian Springs High School in Nevada. He is the architect of the school’s new Career and Technical Education (CTE) program in Cybersecurity, which aims to prepare students for careers in IT and information security. At graduation, Speciale’s students will be ready to enter the workforce if they choose, or to head off to college and tackle even more advanced topics. The three-year program assumes no prior knowledge of digital security, or even of basic computing skills. It is meant to be a structured, gradual method of teaching cybersecurity:

Year 1 covers basic computer concepts (e.g. “What is RAM?” and “What’s a motherboard?”); practical administrative skills such as OS installation and configuration; and computer networking fundamentals. By the end of the first year, students will have the knowledge and skills needed to obtain a CompTIA A+ certificate, a common requirement for entry-level IT jobs.

Year 2 goes deeper into cybersecurity topics, introducing students to malware, ethical hacking, and digital forensics. The second year curriculum also includes lab work where students can hone their offensive skills (i.e., hacking!) in a safe environment.

Year 3 prepares students for the Network+ exam, another important IT certification. The coursework in the final year of the program covers intermediate-level network configuration and design, as well as a deep dive into network protocols. 

Since the program is intended to prepare students to begin work immediately after they graduate, they also learn basic professional skills like resume writing and interviewing.

Speciale says that “recruiting” interested students for his program has been fairly straightforward — especially since he works in a close-knit community, and already knows most of his prospective students by the time they reach high school. But he also points out that many students nowadays, simply by virtue of the world they’ve grown up in, are naturally receptive to technical education: 

Kids in our society are technology natives. They’re able to become intermediate users at a way younger age. And there’s a level of interest there that for many years went unnoticed in education. I try to leverage that interest. To say, “Hey, you know how to use your device really well. You know some things about technology. How would you like to explore that on a little bit of a deeper level?

Is teaching cybersecurity dangerous?

Some of the topics that Speciale’s students cover can sound impressively, even impossibly, advanced. Take, for example, this description of a lab assignment for second-year students:

Exploit an IIS web server three different ways: forced browsing, log file inspection, and anonymous FTP manipulation.

Most adults would have a tough time parsing the technical language in that assignment, let alone completing it successfully! But Speciale says that the key to teaching advanced concepts to students is a staged approach — in particular, one that focuses on the “nuts and bolts” of technology from the beginning:

In the first year, students explore foundational questions like, “What the heck is FTP?”. And they get the details, at a very basic level: FTP is a protocol, it does this, it does that, etc. That way, when we hit Year 2, we can say, “OK, now you know what this is. Let’s see what we can and can’t do with it, through the lens of ethical hacking, or with the thought that, hey, here’s how someone could hack you if you don’t configure this correctly. So we’re always building upon what came before. It’s kind of like a “reverse pyramid”, where we start out with just a little bit in Year 1, but then these concepts get revisited constantly, always adding a little more complexity as we go, so that by the time we get to Year 3, the students get the whole picture. 

The program contains practical information about malware and hacking, and some might wonder if it’s too risky to be teaching cybersecurity to teenagers at all, since we might be inadvertently training “future bad guys”. Speciale is mindful of the risks, and says that this why he emphasizes ethics and personal responsibility in his classroom:

There’s always a risk to anything you do with students, in any class. But ethics is part of our curriculum. And we do talk about that, about how you should use what you learn for good. It’s a sticky question, but my approach is to say, “Hey, I’ll give you some tools. But if you use them for bad, that’s going to be on you.” My hope is that if I do a good enough job of promoting the positive aspects of a career in this field, then I won’t have to worry about any student joining the Legion of Doom!

The Checklist would like to thank Robert Speciale for joining us on the program. If you’d like to learn more about the topics discussed on this week’s Checklist, Robert recommends Hack The Box, an online platform for learning and practicing cybersecurity skills.

The Checklist archives is the place to go if you want audio and show notes for past episodes of the podcast (we have them for every single show, going all the way back to the very first one!). As always, if you have a question that you’d like answered on an upcoming Checklist, or if you have a suggestion for a topic or guest, please write to us and let us know.