STEMatch creates new cybersecurity education and career paths

The critical cybersecurity skills shortage is giving rise to innovative programs designed to bring into the field people who otherwise wouldn’t or couldn’t pursue the opportunity. STEMatch is one such program. “The purpose of STEMatch is to make the opportunities that are created by STEM education more visible, accessible and affordable for people that are underrepresented in our industry,” Chris Zannetos, creator of CSO50 recognized project STEMatch tells CSO.

The STEMatch program is a collaboration between private industry and academia to help solve the skills shortage currently afflicting the cybersecurity industry. Beyond that, it is the impressive and admirable passion project of a man who cares greatly about not only attracting more people into the cybersecurity community, but also giving those from lower-income or underrepresented communities the means and opportunities to succeed in the sector.

While the path to entry-level cybersecurity roles has been simplified in recent years with an increase in college/university programs, many adults either cannot afford the education fees or the time required to complete them. Zannetos considers the impactful, lasting solution to this problem to be a new education path—one that understands and addresses demand and supply issues behind the shortage of cybersecurity candidates and involves investment from various parties that derive real value from its success.

The STEMatch program reflects those ideals. It offers both early interaction with and education for young people around STEM subjects and a cheaper, more accessible and relevant path to entry-level cybersecurity jobs for adults who are unable to explore traditional routes into cybersecurity.

The origins of STEMatch

Zannetos’ background spans over 20 years within the cybersecurity sector as an entrepreneur, having founded three different companies in the space. The early seeds for STEMatch were sown some time ago when he was still with the second of his businesses, which had been steadily growing in size and stature, and working with the local community for talent development. “One of the things we did was to sponsor a local middle school in the city of Boston, in a lower-income neighborhood,” says Zannetos. “We sponsored learning trips. We sponsored, judged, and provided awards for their science fair. We brought kids to our office and shared with them what a security company does and how they could find that opportunity if they maintained interest in math and science.”

What struck Zannetos was that in lower-income communities such as the one in which the middle school was based, not only were a larger proportion of people from underrepresented backgrounds, but also that interest in math and science fell 44% at a certain age. “This means we’re losing kids early, and for us in the tech world, continually resource constrained, that’s a real issue. Of course, it’s also an issue of opportunity as well for kids that come from backgrounds that are not affluent, for students of color, or other underrepresented groups.”

Zannetos saw his company continue to grow before selling it in 2015. However, the acquiring organization did not want to continue the middle school outreach program. “I became a free agent and I didn’t want to leave this school high and dry, so I set out to find new sponsorship. I went to five CEOs I knew at local companies and asked them if they’d like to get involved, with the hope I’d secure just one.” He was able to secure all five as sponsors bringing fresh interest and support for his vision.

Getting STEMatch off the ground

Zannetos soon recognized the program would require significant upscaling to match demand, and so he set up STEMatch formally in 2017. “We drilled down into the two areas that really need to be addressed to make this opportunity accessible to everybody. One was at the beginning when we started losing kids’ interest in math and science at around 12 to 14 years of age. In the US, by the time you reach high school (ages 15 to 18) you get put on a track, and if you are at a lower level with math and science, you’re not likely to get to the level needed to graduate and go to college and do something around STEM.” The second area of focus was on making cybersecurity careers accessible for people with one or two years of post-high school education instead of four by designing an industry-assisted one-to-two-year community college cybersecurity certificate for people of any age that cannot afford a full, four-year degree.

STEMatch career days

For the first cohort (12- to 14-year-olds), tailored career days have been designed alongside a growing number of partnering organizations and schools to give students unique exposure to local tech companies. “We’ve brought more than 600 kids to companies over the last few years, and they get to learn not just what engineering or product management do, but what marketing, sales, finance and HR do in tech companies, too. Sometimes, kids visit a company that’s a mile away from their school and they had no idea that the company was there or even existed.”

STEMatch

The career days typically follow a three-hour structure that includes an introduction by the hosting organization’s CEO and executives about what it does, services offered and departmental functions, Zannetos explains, followed by a hands-on project. “This can be anything: creating a program that teaches a robot how to stack a pyramid of plastic cups or make a peanut butter sandwich, hands-on code editing, taking a computer apart and putting it back together or even something not tech related at all, such as a legal, sales or HR exercise. The kids get exposed to what’s available in the tech world and are made aware that they’d be welcome, because a lot of them don’t know it exists, think it’s not for them, or have nobody in their neighborhood involved in the industry. We want them to recognize they can be successful in tech and that we want them.”

The days usually round off with a scavenger hunt before a pizza and soda lunch, Zannetos says. “Pre-pandemic, we were running eight to ten of these per year, and our aim is to get to 40 a year in the next two years.”

Tailoring the cybersecurity curriculum

The second of STEMatch’s focus areas—adults from all walks of life—has required similar collaboration between the private and education sector. “The state of Massachusetts has focused on fostering the cybersecurity industry, and the state’s workforce development effort inspired us to address the final educational step prior to working in cybersecurity. We built a program alongside a combination of eight vendors and end users and aligned with Massachusetts Bay Community College (MassBay).” The purpose for aligning with a community college is that they traditionally have a high rate of people who cannot afford or consider full college degrees for various reasons, and so they are perfect for reaching the demographic of individuals that STEMatch is designed for, Zannetos says. The likes of Mimecast, Carbon Black and IBM were all on board, as were organizations including State Street Bank and Harvard Pilgrim Health Care. “The initial concept was to run a pilot to prove the ability of one-year cybersecurity educated students with additional, experiential learning to be effective, entry-level staff.”

The first step was to review the cybersecurity curriculum already in place at MassBay to assess where it was strong, where the weak spots were and how it could be tailored in line with desired entry-level cybersecurity skills, with guidance from the participating organizations. “The curriculum was technically very strong. It was designed to ensure that students could effectively pass the Security+ qualification.

Interestingly, the two areas that were picked up on by CISOs for more focus were soft skills and greater exposure to cloud-based infrastructure, Zannetos says. “They wanted to ensure there were ample opportunities for the students to work in teams and to be prepared to present and communicate findings.” Regarding cloud-based infrastructures, reviewers felt the curriculum should expand beyond traditional network security to increase focus on emerging cloud technology as it becomes more pertinent in working environments.

As the program started to solidify, so too did the pilot Zannetos previously mentioned. Within that, all involved companies made commitments to host at least one graduating student in a three-month paid internship to provide on-the-job learning and evaluate the effectiveness of the curriculum, and agreed to participate in data gathering on cybersecurity professionals to build a predictive algorithm to assess a person’s fit for the cybersecurity profession. This would also be used to evaluate the one-year certificate graduates and potential hires. Labs were created by Mimecast and Carbon Black based on their products and incorporated into the curriculum too.

COVID-19’s impact on the STEMatch program

With STEMatch very much an evolving initiative, Zannetos reflects on a number of challenges that have arisen as the project has grown. “We were about a year into the pilot and just as we were ramping up the internship and algorithm-creation portions of the project, the COVID-19 pandemic hit Massachusetts.” This had significant impact on various elements of the program, most notably the internships that had already been lined up—which had to be cancelled—and new hurdles around gathering the data necessary for the development of the candidate success profile algorithm.

“The pandemic was certainly a huge roadblock—all of our programs were in-person. We wondered whether we should spend the time and effort to build remote programs, but candidly we just didn’t have the resources to do that at the time,” says Zannetos. Instead, two different solutions were implemented. To solve the data gathering challenge, the team turned outward to its network within the cybersecurity industry. With the help of the Advanced Cyber Security Center and Tech Exec Networks, the team was able to gather enough data to build its predictive algorithm to evaluate the students. “When we ran the students through this, they were absolutely in line with existing security professionals, so that was good news.”

An eight-person security panel including four CISOs was then put together to hold virtual mock interviews that replaced the internships as a means of rating the hire-ability of the students on a scale of 0-100 (100 being absolutely hirable). “The average score was 72, so they did pretty well on that—certainly well enough for us to move to the next step of the process.”

Aside from pandemic-induced issues, there have been other hurdles dating back to the very start of the program that have proven similarly challenging. “One big thing is that when a non-profit or community organization approaches a private sector company, their requests can be rather daunting from the enterprise’s perspective. If you ask whether they would commit staff to doing some mentoring for kids, generally people are excited about that, but when you say it needs to be every Friday, without fail, for one or two hours, for however many weeks or months, it becomes harder to secure that buy-in from a logistical perspective.”

It’s vitally important that programs are (or at least appear to be) a light lift for organizations and are time efficient. “We’ve developed and simplified our career day formats so that they can be easily reused by different organizations if required. This helps get more companies involved, because in the tech world, companies and employees want to engage with communities and help, but it’s got to be something that executives can support from a time perspective.”

There have also been challenges around aligning incentives, Zannetos says. “We have this huge shortage of cybersecurity staff worldwide and vast numbers of well-paid jobs sitting vacant, but we haven’t made the connection.” Bringing schools and companies together to address this is tough because it requires a mutual set of incentives, he says. “We shared with companies how community colleges are an untapped human resource pipeline; none of them had been recruiting from community colleges—they weren’t even aware of the strengths of some of the cybersecurity programs within them. We then made visible the fact that these companies would help drive enrollment and course demand for the college, but that both parties would need to work together to achieve said outcomes. It came down to getting them both to step outside the conventional.”

STEMatch’s success stories and future plans

Despite the challenges that that have arisen since STEMatch’s inception, Zannetos points to several of the program’s success stories. These, he says, can be categorized in the hard facts of numbers and softer, but no less meaningful, qualitative results.

“Today’s path to cybersecurity jobs requires a spend of $80,200 to $172,556 for students to gain a four-year degree from a public or private institution. Our program cost $8,196 to $29,709 per student, with ongoing costs including internships estimated to be $17,000 per student,” he says. In all, 29 students have completed the course with the additional labs, and there were eight student internships scheduled prior to the pandemic. “When it comes to the career days, initial review results show a double-digit increase in interest in STEM,” which is a promising indicator, he adds.

“From a qualitative perspective, the results have been incredibly rewarding. You go to our sessions and hear the kids talk about what they’ve learned and how excited they are. We receive feedback from teachers that this is the most impactful program they have been involved in outside of standard teaching. Companies tell you they can’t wait to run the workshops again next semester. It really is amazingly rewarding.”

Zannetos has ambitious plans for evolving and growing STEMatch in the coming years, especially now that COVID-19 restrictions are lifting following successful vaccination rollout across the US. “The plan for the next year is to get the full program in place with at least 25 companies working with one or two community colleges. We’ll also be overlaying a program around soft skills based on the input from our pilot CISO advisory board.” Within the next two years, Zannetos aims to be working alongside up to 50 partners, two or three colleges, and to have 100 students enrolled in the program. “On the career days side, we are looking to expand the middle school cohort from sixth grade to also include seventh and eighth grade, working with 20+ companies.”

Beyond that, Zannetos intends to create an apprenticeship program specifically designed for job changers, many of whom are taking courses at community colleges while holding down a job. “The current internship model is perfect for students who don’t have a full-time job, but job changers are in full-time jobs and they can’t just stop. We’re looking into how we can work with the companies to create an internship that works for somebody that already has a job.”

There are also plans to present to participating companies the option of offering longer internship opportunities for students. “We plan to go to our state government to get some matching funds to give more incentives to the companies, so if they commit to funding one internship, government funding will pay for another, so they get two,” Zannetos says. “That’s a win-win, because every job that we create here in our state is more tax revenue, so there’s incentive for government too.”

Ultimately, the goal is to make Massachusetts a hub of security talent. “Then perhaps we can look at exporting this to other parts of the country and maybe even other parts of the world.” Perhaps most ambitiously, Zannetos’s end goal is to make community college-based cybersecurity education free, with students paying back the cost within two years of graduating through taxes once in a job. “Through the industrial revolution, we made high school education publicly funded in the US, and I believe we can afford to do the same with community college education. It’s another win-win—one for companies, one for schools, one for government, and most importantly, one for students.”