Today on Cyber Work, I’m talking to Justin Pelletier, the Director of Cyber Range programs at the ESL Global Cybersecurity Institute at the Rochester Institute of Technology. While we’re pretty proud of our cyber ranges here InfoSec Skills, Justin positively blows my mind with a walkthrough of his organization’s massive, immersive simulations. And because they’re also involved in cyber range technology for beginning cybersecurity pros who are transitioning from other jobs, which is the sort of people I love speaking to, we were able to talk about what’s involved in making a good cyber range, how to break down those early barriers of fear and self-doubt, and how quickly you can move into a cyber career after hands-on training. All of that and a few of my awkward attempts to shoehorn in references to the movie wargames today on Cyber Work.
[00:01:52] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. So if you’ve listened to even more than one other episode of Cyber Work, you know that we talk about our InfoSec Skills platform pretty regularly, and specifically about the hands-on component, the cyber ranges. Cyber ranges are a way to engage with the problem-solving aspects of cybersecurity using hands-on simulations of real situations.
Justin Pelletier, my guest today, his work is with the Cyber Range and Training Center at the Rochester Institute of Technology, and an interest to me because it’s in line with our own trading methods and objectives. Although, as you will see soon, it’s on a whole other scale. So I wanted to talk to him about his own experience and some of the success stories he seen with students using cyber ranges and also why they might be the most fun way to learn cybersecurity.
Justin, thanks for joining me today. Welcome to Cyber Work.
[00:02:55] Justin Pelletier: Thank you, Chris. I appreciate you having me on the show.
[00:02:58] CS: My pleasure. So I always like to start out the show by getting a sense of where your interests and all this came from. When did you first get interested in computers in tech and what got you excited about cybersecurity as a calling? What was the draw?
[00:03:13] JP: Yeah. I always love telling the story, because it really was a little bit of a love affair, frankly. So I remember very clearly, I went to a tag sale with my mother when I was just a kid. And I saw this book on programming with QBASIC, which – Or program with BASIC, I should say, which was included on all the old computers, 3.1, and whatnot, and Microsoft. You get the QBASIC function. So I started learning programming, and then just kind of went with it from there.
Fast forward to contemplating what career I might start off on as a high school senior, I got accepted actually to go to school for art. And my mother, again, an influential role, she said, “You know, you might consider being an art teacher instead of an artist so you can actually support a family or something one day. I’d like some grandkids.” She always like to throw that one in.
[00:04:07] CS: Right, right, right. Yup.
[00:04:09] JP: And I kept following that line of thinking and said, “Well, I really enjoy art, but I also have this great computer hobby. I love creating code. I love solving problems with computers. And that’s actually a pretty high-demand field. I could probably make more money and support the family even better if I had –”
[00:04:24] CS: All those grandkids, yeah.
[00:04:26] JP: Yeah, fight. And so, then that just kind of just went from there. So I switched to computer science before I started off in college. And then sort of that hook was set deep. As far as my transition to cyber, that really started when I got into the military. So I started off as a coder in my computer science undergrad. And then I joined the I joined the military and pursued a career in intelligence. And immediately my company commander said, “Hey, you’ve got a computer background, and you’re an intelligence officer. I want you to work on signals intelligence.” So kind of the coding side of intel. And from there it just unfolded and became cybersecurity career.
[00:05:05] CS: I imagine that it sort of pushed your technical skills in different directions as well by [inaudible 00:05:12] that way. Okay. So, yeah, I like to start my research on my guests by going to their LinkedIn page, because each one always tells a story especially with people with a very storied career. So your deep study in computer sciences isn’t hard to see. You had a bachelor in computer science and a doctorate in computer information, system security information assurance. And you even have it on there. It’s rare that I get to see the name of someone’s doctoral dissertation. And since yours is quite germane to our listenership, can you tell me about your dissertation titled Effects of Data Breaches on Sector Wide Systematic Risk in Financial Technology, Health Care and Service Sectors?
[00:05:51] JP: Sure. Thanks. I’m impressed you got through the whole dissertation title in one breath. It’s a long one.
[00:05:55] CS: Breath control .Yeah.
[00:05:58] JP: Yeah. I’m happy to gush about it, like probably most folks with their dissertations. I’m impressed that even you looked up – Even you saw this thing.
[00:06:06] CS: Yeah. Oh, yeah. No. I always hear like, yeah, it’s something nebulous on LinkedIn, like, computers, “I did computers.” And you’re like, “Oh, this looks something. What are we talking here?” Okay.
[00:06:14] JP: Yeah. So, actually, sandwiched in between these two more technically-focused degrees, I had a Masters of Business Administration. And part of what I – So part of my mandate when – As a civil servant, I was kind of working some cyber problem sets. Included a host of things that I just couldn’t rope into a dissertation that would be publicly disclosed, right? So just open publish.
So I said, “Well, what’s obvious open data that I can use and draw some inference about and would be kind of interesting and germane to the community?” And so I looked at stock market data in particular, which is open and obvious, and started sort of dusting off some of those skills that I picked up in my finance courses. And really started to examine the sector-wide risk calculations that follow a breach.
And so, kind of pulling on that thread a bit, we know that stock prices take a bit of a tumble after a breach in a publicly traded market. But the price effect is actually changed over time. And there’s been an increasing call for more regulation to account for that diminishing stock price movement, saying, “Hey, people aren’t taking this serious anymore. We need more regulation to motivate compliance in an increasing problem with cybersecurity.
And so, being a self-avowed libertarian, I said, “Well, maybe government intervention isn’t always the right answer. Let’s see if there’s any market-based incentives that can help motivate.” And so, looking at the way that the community, and by this, I mean, publicly-traded companies and investors, calculate risk as it pertains to their base cost of capital. So an investor wants a high return for a high risk. Yeah.
So when there’s a breach, sometimes that reflects is a stock price movement. Other times it might be reflected as what we call a systematic risk or a beta coefficient on the regression. So a lot of math, a lot of plotting and kind of data mining and crunching. And it turns out that there’s an increasing effect on the risk perceptions in the marketplace even for near neighbors.
So for example, target gets breached, Walmart is perceived as more risky, which is an interesting effect. Yeah.
[00:08:41] CS: Yeah. And unexpected, I imagine.
[00:08:43] JP: Yeah, I wasn’t really expecting to see that. But it was a pretty cool finding. And I think that’s actually become an interesting and relatively popular conversation topic when I engage with senior leaders about cybersecurity. They say, “Well, cyber, it’s very technically demanding. It’s very interesting in some ways. But what does it really mean for our organization?” And then to translate it into that lexicon of risk really speaks to board level leaders and C-suite executives across the board, because that’s their language, is risk management.
[00:09:16] CS: Right. Now. I mean, can you account for what that sort of cross-company risk element? Where that stems from? Because that is a surprising finding. Like, do you have a sense of what was causing that?
[00:09:32] JP: Great question. So there’s some theoretical precedent that we could point to in what we call convergence behavior and herd mentality with stock price movements. So we have this kind of analog where you follow the trend, everybody’s kind of doing the thing, right? So that’s one. There’s another maybe more rigorously-defined component that we call spillover effect. And so, it’s sort of an exogenous shock or a systematic risk behavior that we might look at as a non-controllable risk.
So for example, you have a company in California, well, they’re in your corporate stock price, and it’s movement and risk evaluation. There’s this kind of uncontrollable risk of earthquakes. It’s an exogenous shock. It’s a systematic risk component that you can’t really control for. It’s out of your hands. But it still affects you.
And so, if there’s an earthquake in one part of California, the market tends to say, “You know, these California-based companies, yeah, they’re subject to earthquakes.” So it’s – Yeah, anyway I could elaborate —
[00:10:40] CS: So while you’re moving things around, and you’re like, “Okay, we got to dump Target. They got breached.” You’re like, “Yeah, I don’t feel good about any of these big box places. Let’s get them out of here.” Yeah.
[00:10:48] JP: Yeah. And it might not necessarily translate into an adjustment in actually the holding. Just what the market seems to demand for the risk cost.
[00:11:01] CS: Got it. Okay. So, going back to the previous work, you spend almost two decades working with the Department of Defense. We mentioned that before. And that you sort of got into cybersecurity during this time when you were sort of asked to move over to the sort of technical programming side of it. Can you talk about, without breaking any rules, or clearances, or anything, can you talk about some of the cybersecurity related work you did while there and some of the real-world lessons you learned on that job?
[00:11:27] JP: Um, yeah, I can discuss a little bit. So as you mentioned, nearly two decades of work with the Department of Defense. I have the pleasure of being a civil servant, both as a general schedule employee and as a uniformed person in the reserve component, as a guardsman and as a reservist now.
I will say that I gained a great appreciation for a lot of, surprisingly, non-technical things. So certainly, there’s application areas that are highly technical and quite interesting, I might add. But from a pragmatic perspective, sort of looking at the trajectory of my career, I will say that I received some of the best leadership lessons and training that you could hope to have through the Department of Defense. And I think we all maybe can appreciate that there is no amount of directive-level leadership do this, because I told you, so that will make you violate your conscience or stand up and take fire, like, shoot at somebody or get shot at, right? So there’s this whole sort of crucible of leadership development that I found really beneficial.
And really leveraging the understanding about who you’re working with and the quality of your camaraderie to achieve what’s almost impossible is really been one of the major takeaways. And so, not so much cybersecurity related work. But that was an absolute real-world lesson.
I’d say another category of lessons learned as certainly the way that we might incorporate cyber as an element of national power. And so, traditionally, we have these sort of four pillars of national power projection and strategic planning, diplomatic information, military and economic. And I think what we’re seeing with cyber is it definitely touches the information, right? Because you have this whole idea of information dominance and controlling the narrative. And there’s cybersecurity tools that can impact that, right? You can apply AI and amplify certain messages or create new ones out of thin air that don’t even – You know, fake news. And that does play, I think. It’s a diplomatic as well.
But then sort of the military component, seeing the way militaries use cybersecurity as an integrated factor with kinetic action, whether it’s for sort of target development in a kinetic cycle, namely, I’m going to put bombs on a target. I want to know who I’m – So let me use some cyber to develop the target. All the way to that sort of information dominant side, which, not for nothing. I think we’re seeing some of that going on in Ukraine right now.
[00:14:03] CS: Mm-hmm. Yeah. So, yeah. So, from getting your MBA at the Rochester Institute of Technology, I see that you came back in 2018 to Head the Cyber Range and Training Center, which is sort of the focus of our discussion today. What drew you to return to your alma mater to engage in this course of study and teaching?
[00:14:20] JP: Um, Chris, it’s sort of a deeply personal story I’ll share with you and your audience. So I was down in the beltway working as a civil servant, working for the country. And loved the job. It really enjoyed the mission. And then my mother came down with Lou Gehrig’s disease. And she needed just full-time care. So I realized very quickly that the cost of living in DC is not conducive to living off savings as a 30 something year old and taking care of mom.
So I resigned my position as a civil servant. Moved back to Rochester where my wife is from, and got some help from her family to care for my mother until she passed away. Simultaneously, as kind of finishing up the PhD, and did a couple of stints of active duty during that process, and then said, “Okay, well, what’s next?” And reached back out to some of my mentors when I was doing my MBA I stayed in touch with and sort of shared with them, “Hey, I’m kind of at a crossroads. And I got the PhD. I was really intending to use this in my civil service career. But now I don’t quite know what to do. I don’t really feel like moving back to DC. And my family priorities have changed. I really like it in Rochester.”
And actually, a close friend now said, “Hey, we’re trying to build this program at RIT called Hacking for Defense, which started at Stanford and has a pretty good community here in the United States. And we want to bring this. And being that you have an MBA focused on entrepreneurship, and a military background, you’d be well suited to maybe help bring this program to RIT. So maybe you consider doing an adjunct thing?”
Well, one thing led to another, and I got actually invited to apply for a full-time faculty position. And then the university decided to build a cyber range and apparently thought I’d be a good guy to lead the effort. And here we are.
[00:16:19] CS: That’s fantastic. So, all right, well, let’s get into it. Can you tell me about the work of the Global Cybersecurity Institute Cyber Range and Training Center? So I know you have a presentation here for me, and I’m looking forward to seeing it. But just in terms of structuring the thing, I was just curious what your program offers. What type and levels of students you’re targeting? Whether these are complete beginners, people with some baseline computer science background. And also, talk about some of the exercises and processes students work through via cyber ranges.
[00:16:48] JP: Yeah, sure thing. And, yeah, let me go ahead and share my screen, Chris. And, please, I love what I do, and I’m happy to gush about it forever. So just tell me to stop if I’m going too in the weeds. Okay? So first and foremost, we just had an announcement actually yesterday formally that we are now the ESL Global Cybersecurity Institute. So we’ve had a generous gift to a partnership, really, with ESL, which essentially stands for Eastern Savings and Loan. It’s a regional financial institution that’s committed to cybersecurity, clearly. And they’ve now the sponsor of the institute. And that’s within RIT.
I’m not going to spend a lot of time talking about the university, other than to say that I was surprised to learn that we’re the 10th largest private university in United States, and have a really strong alumni base, which is pretty amazing. We have a global presence, not just in Rochester, New York, but in Croatia, Dubai, Kosovo, and so on.
One of the things that RIT is really founded on is this idea of cooperative education and experiential learning, which translates really well, I think, to what we do in the range. So I’ll get more into that. But we have one of the oldest and largest co-op programs in the country. So when, regionally, my wife was saying, “Hey, RIT means jobs. Like, that’s what it means around here to say, “I went to RIT.” “Well, you got to get job out of it, didn’t you?” And that’s kind of what we’re known for.
And so when we thought about building this sort of global cybersecurity institute a few years ago, we said, “Well, we’re good at a few things,” a lot of things actually. “And so let’s play to our strengths and sort of build on to that and create something a bit more holistic than just doing the traditional sort of engineering approach to things.”
And so, certainly, we built on top of a core technical discipline of computing security. At RIT, we have a department of computing security. And there’s about 500 undergrads in that department, another 150 or so master’s students, and maybe between 20 and 50 PhD students depending on the time. But also, we have computer science and software engineering, human computer interaction, engineering, so on.
And so, certainly, there’s a lot of technical disciplines. But integrating cognitive psychology, public policy and other components of the cyber process and problem set was really endemic to our mission. So we built upon that to create a multidisciplinary center. And we had some great seed funding through an alum, Austin McChord, the founder of Datto, who worked with us. And we got some extra funding from New York State to construct this building and to build the institute. And that’s really meant to provide for professional training and technology transfer through the cyber range through the Eaton SAFE Lab. I’ll talk about those in a minute. And also, to advance fundamental capabilities of what’s possible through our core research agenda as an academic institution, and also to leverage and inflict that globally through our partnerships.
So now, let’s talk a little bit more about the facilities, right. So we have this conference center. We’ve got a satellite location to the Cybersecurity Experience Center, and the National Hall of Fame, Cybersecurity Hall of Fame. And really, the design is to make cybersecurity feel and be accessible to folks who would not normally consider it as a career.
And really, at the anchoring of that is a lot of what we do in the Cyber Range and Training Center, which you see depicted here. It’s a bit of a war room. It’s sort of like a SOC in some ways. You see some other views of it here. And so, in that, we kind of mix a lot of the technical knowhow with a bit of – We actually have a game design development department. And we have some real scholars in game design and live action roleplay as an academic pursuit. So the term gamification means a lot of things to a lot of folks. It’s kind of overused. But we actually apply some of those principles to creating experiences that are immersive and accessible, so that we can allow folks to move past – You see, we bolded here, move past that tabletop exercise into a live fire cyber environment. And so we do that by replicating, at scale, network systems, devices and so on that allow for folks from all over the world, both on site and remote, to work out real realistic scenarios.
And we have audio-visual integrated across the buildings so that we can have a satellite office location in one of our classrooms upstairs or across the globe in actuality. We’ll have telepresence. And even – This is really fun. So we have programmable HVAC back and lighting and sound. So if you imagine a scenario of a cyberattack and all this stuff unfolding, we can actually make the temperature really go up. Not just figuratively.
[00:21:44] CS: Yes, right, right.
[00:21:44] JP: Right. You’re sweating because of the tension, because also because the heat is on. Yeah, exactly. And the lighting, the blinking red and the sirens and all these different things that make it feel like you’re part of something, even if you’re a completely non-technical, which is really important to us because it’s more about creating the change leadership. And really a core part of our mission. That multidisciplinary approach is about the people and processes as much as it’s about technology.
So we kind of tie that together. And you see this disaster piece theater, as a quote from Mike Loft over at Slack. When we were talking to him about what we were going to create, he said, “Oh, I know [inaudible 00:22:21]. This is disaster piece theater.” And in a lot of ways it is, right? So we bring in executives from across the industry, HR, finance, legal folks that have no interest or knowledge about technology necessarily, right? They’re not cyber nerds like us, right? So they’re folks who – They’re kind of a different kind of finance nerd or whatever.
And then we create these multiple simultaneous dilemmas that allow them, force them really, to triage and become a little bit of a first responder on behalf of the organization. So they can say, “Well, what is most important?” We got to prevent loss of life, then destruction of property, and then everything else, right? But until you’re in that scenario of actually moving past the checkbox, kind of compliance list of a traditional tabletop, but usually not always, but often only the CISO and the IT team really care about. And now put it into the language that HR can understand where, “How do we manage internal communications when we have a site out or some crisis going on?” Like, things matter, right? And so you’re into that. It’s really hard to appreciate. So that’s a big part of what we do in-person in the range. And that’s all enabled by a backend infrastructure. You can see some of the highlights listed here. I mentioned the ability to replicate a global system.
So in any of our training scenarios, we can spin up and have running simultaneously 5000 VMs like a Windows desktop or something equivalent, or 10s of 1000s of PLCs are sort of low lightweight devices that have embedded systems running. And you can see kind of our backend hardware that we have managed in sort of a private cloud, arrange cloud, with our data center. I could talk a lot more about this. It’s amazing what we’re able to do. But maybe a few use cases would be a little more interesting.
[00:24:20] CS: Absolutely. First, I have to ask, how many times have you watched the movie War Games?
[00:24:24] JP: Oh, a couple of times.
[00:24:27] CS: I feel like I’m – Yeah, I feel like I’m conversing with Dr. Falken here. This is great.
[00:24:32] JP: That’s funny. Oh, I guess, I’d watch it with that in mind, because it’s been years. Yeah, it’s been a while.
[00:24:37] CS: So, yeah. So talk about the use case. I was trying to imagine like what the scenarios are and the scales of them. And if there’s like – If you have like sort of like skill levels where we start with like an entry level one and then go to sort of like full scale meltdown and all that.
[00:24:52] JP: Yeah. Yeah, so I’ll talk a little bit about one of the things that we built the range to accommodate as sort of an edge case, an edge case scenario. So every year, RIT is lucky to host the Collegiate Penetration Testing Competition. We also host sometimes the Cyber Defense that UTSA they run at the national level. But we’re the global hosts of the Collegiate Pen Testing Competition, CPTC.
And here you see an image of their final presentation. So what we do is we get college students from across the planet. They start off with a with a simulated infrastructure that we host through the range. And they pen test it and give us sort of that report on what they found? What remediation they recommend and its ability to impact the company in its kind of core mission. They start off at eight or nine, depending on the year, regional hosts. I could range it. We have five in the US, one in Canada, one in Europe, one in the Middle East. And we’re still growing. But that’s our footprint right now. And then the winners of the regional host come on to RIT for the finals.
What you see here is actually the most recent finals that we just hosted in January. Every year, we build a new critical infrastructure company. And we model it using these this architecture. So in this case, the company is called LeBonBon Croissant. It is a food manufacturing and retail operation.
[00:26:28] CS: [00:26:28]. All right. Thank you.
[00:26:31] JP: Yeah, yeah, it’s a running theme within the competition, the organizers, the volunteers and stuff. For some reason, croissants are like the biggest thing. So it’s fun, too. So we [inaudible 00:26:40].
[00:26:40] CS: [inaudible 00:26:40] about a croissant.
[00:26:41] JP: Yeah, right. So that was the name of this year’s company. Last year, we had Next Generation of Power and Water. So we built like a regional electric, like a –
[00:26:53] CS: Water purification, or –
[00:26:56] JP: We had actually a nuclear power plant, a dam with a reservoir, and then water treatment facility all integrated. So the reservoir water would power the dam, cool the power plant, and be useful for the community’s water in a medium-sized city, maybe a couple 100,000 people or something. And we had all the way from like the programmable logic controllers controlling the sluice gates on the dam, all the way through to the customer database and like simulated readings from smart meters and stuff. And so, they had this sort of sweeping architecture.
And in this example, with the food manufacturer, we had the manufacturing floor where they’re making kind of these candied croissants and confections. And then there’s all these different sort of operations technologies built into the systems. And then the customer database, and their logistics system, and their ERM and different things like that that really replicate a company, and the email logs and the chat systems and so on.
What you see here is actually their culminating – At finals, they have a culminating final presentation. And we have a series of volunteers that roleplay as board members of this fictitious company. And again, back to a point I raised a little while ago, I didn’t make this competition. I happen to help run it now. But from its design, it requires technical experts to speak at a language that board members can understand. And really, that’s about risk.
And so, you see the risk classifications. So they’re now looking at criticality and severity of impact. And then trying to map that to the core operations of the business to a bunch of savvy technologists that happen to be senior executives and sit on boards themselves and can say, “I understand what you’re saying. Most board members wouldn’t. I don’t know.” And that’s part of the feedback and evaluation.
[00:28:49] CS: Right? And so this goes way beyond just you get 200 points if you deploy the right tool at the right moment and things like that.
[00:28:56] JP: You got it. Yep. So it’s much more of a surgical approach, right? Because it’s pen testing. And it’s meant to simulate. So if they bring down the dam, which, of course, the students did. They’re too aggressive on their NMAP, right? [inaudible 00:29:06] aggressive NMAP scan. Brings down the PLCs. Lesson learned. Learn it here instead of when you’re doing a pen test on a real one. And we and we had the role players calling, “Are you trying to flood the town? The governor is on the phone. And this is the third time today. And what are you doing?” So that ability to be professional and respond appropriately is really built into the system.
I think I’ve covered most of this. But one highlight is that we have a chance to cycle through critical infrastructure themes in a way that allows us to build a repository of environments that we can then train on in the range with kind of different training. But also, we’re able to be a little bit of a forcing function for some of the best white hat students out there to learn technologies that they would never –What student gets Modbus in their undergrad, right? But they’re trying to figure out what a dam runs on. And that’s part of the protocol. So they’re going to study.
[00:30:03] CS: So that sort of answers my previous question about what level of baseline of computer science or cybersecurity background. This is work for the sort of like the elite students at this one.
[00:30:13] JP: Yeah. this is the cream of the crop. Absolutely. And again, this is one of our edge cases. And you can see here, we’re able to generate a lot of data, which we can then use for research purposes, which is really a cool part of being affiliated with an academic institution. We’ve got a couple dozen researchers that can say, “Oh, here’s a bunch of Splunk logs. Here’s a bunch of syslog outputs and stake froze VMs that were infected or used to attack. And let’s do some forensic analysis,” and so on. So those are really cool.
And we publish this data and we make it openly available to the community so others can do research on what attackers might do in these environments. So that’s one edge case. I want to zoom out a little bit, because one of the – So almost everything that I’ve just talked about, and I know I’m getting excited and blabbering a lot. So, I’m sorry.
[00:31:01] CS: It’s okay.
[00:31:04] JP: But all that’s well and good. And yeah, we can run a competition virtually. But what do we do with all that kind of gee whiz AV stuff? That war room in COVID? So we had all these plans to do this kind of disaster piece theater, and prep courses, and in-person training with all this great stuff. And then COVID, and we’re like, “Well, we got to do something differently.”
And so we went back to do some discovery in what’s the gap? And in our discovery, we realized that we interviewed several dozen CISOs, and program managers, and technologists and found that it’s not the 10% of people that are cyber enabled that are really the core. It’s the 90% of people that only think about cyber that are the problem. From two perspectives, right? One, they’re the ones clicking all the links that they shouldn’t click, right? Which is infection vector dejure. And then the other part of it is, “Well, we need more cyber folks to come into the workplace. I don’t care if they’re entry level, or the cream of the crop. We need more, right? Just turn up the volume on the whole thing.”
And so we said, “All right. Well, let’s create something that will allow folks to have a baseline understanding and ability to project cyber skills and keep growing so they have good foundation, right? So we built a career launch pad that you can see described on the screen here. But really, it’s about as close to a boot camp experience as you could hope, like a coding boot camp or whatever. With no technology background required. We, of course, do some testing to make sure that we’ve got good logic and reasoning and attention to detail.
But I’ll tell you, we’ve had some amazing stories about like life transforming coming through this. No tech background, folks who were sanitation workers, construction workers, nurses, receptionists all come through our program and get great cyber jobs afterward. So we do this all online. And of course, we’re built on this immersive experience. And so we built a company for them to roleplay as interns at. This is brick wall cybersecurity, Brick Wall Cyber. You can Google it. It looks like a real company. We’ve had folks reaching out, “Hey, can you help us out?” They think it’s a real company. But this is a simulated firm that allows our bootcamp learners to go to work on day one. So they learn by doing instead of just getting a bunch of lectures and stuff, like a traditional academic experience.
And so we run this in a way that lets them answer emails, trouble tickets, and so on with colleagues in a built environment that feels like a real company. So they get some professional experience. Even if they’ve been a sanitation engineer, never set foot in office, other than to take out the trash or whatever, they can still get an appreciation for what it’s like to work in an office environment so they can be successful on day one.
And of course, the tools that they get exposed to are relevant, we think, and germane so that they might not be that cream of the crop expert by the time they’re done. But they know where to go to keep learning. They’ve got a lot of resources in. You talk to them about Zeek, or whatever it is, and they say, “Oh, yeah. I know what that is.” And they and they know where to keep learning if that’s a big part of the job you’ve got for them.
[00:34:18] CS: Right. Yeah, it’s that first breakthrough that’s always the sort of scariest part, especially if you don’t feel like you come from that world.
[00:34:27] JP: Yeah, absolutely. And actually, one of the cool things, one of the coolest things, I got to say, in building this and really thinking about the impact. We’ve had a couple of years now, almost two full years of running the career launchpad and the boot camp. And RIT is the home of the TAC Net National Technical Institute for the Deaf, NTID. And so we have a large deaf population of learners on campus. And it’s part of the fabric of our university. We’re proud to be to be integrated with NTID and the deaf community in a meaningful way.
And so we started offering American Sign Language-led and facilitated bootcamp courses, right? And in working with the team from NTID, I’ve come to appreciate how meaningful some barriers to entry really can be for those that have challenges, right? And it makes me really appreciate the difficulty of a diverse and inclusive workplace. And that means a lot of things, right?
But one thing that’s very common, I think, is that there’s – Especially when there’s a communication barrier, like with deafness or being hard of hearing, there’s a difficulty in sort of proving that you can do the job when you can’t explain yourself very easily to your future employer. And so, we started looking at, “What else do we do at RIT that could actually help?” And so, you see here I’ve got on the slide the Eaton Cybersecurity SAFE Lab. We do a lot of partnerships between faculty, staff, and students, where we do real-world security engagements, pen testing, social hardening, policy audit, whatnot.
And so we took that, and we built that opportunity through that lab into an apprenticeship series for those bootcamp grads for sort of the entry level folks who have these barriers, so that they can then – Instead of saying, “Let me explain to you in a way that is hard to do when you have communication barrier, or barriers across diversity targets.” Instead of explaining it, let me show you. Here’s my portfolio of things that I have done. That’s so much more convincing when there’s a cognitive diversity issue or linguistic limitation or something.
Again, there’s a lot of categories of diversity. And one thing that, really, I think translates across a lot of those categories is if you can show what you’ve done, the need to be able to prove that you can do it is really solved. And so, we actually just got grant funding to build an apprenticeship program. And so we’re hiring this year. We’re hiring six apprentices as our pilot to do testing. You can see a list of capabilities and areas of expertise and so on, but to fit in with the lab and test voting devices, and energy devices and things that we’re already doing in the lab. So I’m really, in particular, excited about that. There’re some great projects that we’ve done. Voting machines are really an important one. We’re pursuing some accreditation with the Elections Commission to get certified as a voting device testing lab, and a series of other things that are really exciting just in their own right. But to have sort of this pathway created for folks who couldn’t afford to come to a great university like RIT in a traditional kind of four-year degree thing, or couldn’t get in, or just college isn’t for them. It enables that whole population of folks who would never normally consider our career field as a potential. And it makes these life-changing really great jobs open up to them. So it’s really a cool and motivating thing. So I’ll leave that there. I could gush. I could gush. I could gush. But that’s enough for the dog and pony.
[00:38:28] CS: That’s great. I was going to say that I was – Before this, I was having trouble imagining how we were going to sort of transition back to relatively low-level cyber skills discussions or cyber range discussions after talking about the War Room and the disaster piece theater and so forth. But I think with these other programs that you’re offering as well, I feel like that’s a pretty natural transition point right there. So that’s great. We do actually have a fair amount of commonality in that regard. I mean, we began offering cyber ranges a couple years ago. We’ve recently upgraded to Cyber Range 2.0 going from a command line only environment to something more virtual and sort of replications of environments and so forth.
And so, I guess I wanted to talk to you a little bit about – Can you speak about what makes a good cyber range in terms of creating a problem to be solved or a concept to be taught using this method? What are some considerations in terms of how you create a cyber range? I mean, like creating a capture the flag exercise, I imagine, there’s some art to building sort of the puzzle or the understanding that isn’t either far too easy or unfathomably difficult.
[00:39:42] JP: Yeah, that’s a great question. I think one of the things that really shines out to me as sort of the brightest light in the set is a dogged pursuit of the value add for the core customer. Yeah? So depending however you define that, it could be entry level, it could be cream of the crop, it could be anywhere in between. But identifying what the needs are for the learning objectives and then crafting the experience around that, where on the level of autonomy should we build this thing, right? How much should they be expected to know out the gate? Do they need some hand holding and really detailed instruction set at the first couple of exercises? And how much can we take off the training wheels? By the time we get to the end of the program so that they’re now operating more self-sufficiently? I think that’s probably the most important thing that I would recommend to consider when building an exercise or building a range experience, is really, what are you going to do to serve the people coming through? And how best to do that given where they’re at?
[00:40:50] CS: Right. You have to understand whether or not sort of rooting around and being – Without enough information is actually part of the challenge or not, because I think at a certain high-level, the idea, especially with like capture the flag or something, is like, “Yeah, there are no training wheels.” And there might not necessarily be like an end point. And you should know this by now. But you can’t start there. You can’t just like walk into a German class and have the teacher speaking only in German, unless you’re very confused. So, yeah.
[00:41:16] JP: Yeah, I think that’s a really great – And I think we share this, absolutely, in that approach to saying, “Okay, well, let’s meet them where they’re at and take them a few steps forward. And so that eventually they’re able to speak fluent German.” But if you don’t start with how to say hello, and how are you, you’re never going to get there.
And it feels so intimidating in a field like ours, because it’s so technically deep and wide. And there’s acronyms out the wazoo, right? You could spend days and days and still not know what somebody is talking about, because there’s so much there. And so, starting with those kind of bite-sized chunks and making them understand that they can do the thing by showing – Like, don’t just tell them they could do it. But they get some hands-on experience and say, “I can do this.” It’s like the light bulb goes on, you know?
[00:42:00] CS: Yeah, absolutely. Yeah. This is – Yeah, it’s something that regular people do. Not just sort of super big brains. Yeah.
[00:42:07] JP: Yeah, absolutely.
[00:42:08] CS: So one of the issues we see with a lot of people who would make good cybersecurity professionals, as we were just saying, is that they don’t always feel comfortable with higher order computer science work. And so, therefore, they don’t think there’s any place for them. Can you talk a little bit about some of the success stories? I mean, you mentioned people in other professions getting into – Doing your programs and your cyber ranges. And can you talk about any particular cases that you found especially interesting or inspiring?
[00:42:38] JP: Um, there’s a whole bunch, actually. I could name names, but I haven’t necessarily gotten a permission to do that.
[00:42:50] CS: Sure. Of course.
[00:42:52] JP: So I’ll speak a little bit more generally. We have a few folks that have agreed to be interviewed about the impact of our training programs and so on. And you can find those on our website. But just to just to kind of keep it at a high-level. I’ve seen folks who lost their – Smart folks lost their jobs because of COVID. The whole industry got pulled out from under them. They were hospitality management-level person for 5, 10 years. COVID hits, everybody gets laid off.
And then they were able to not only learn the fundamentals of cyber, but then also have this industry background that they could then apply it to. They know the hospitality industry. So now they can help add cyber to the whole tool chain needed desperately for access control and other things, right? Similarly, we had a sound engineer, right? So kind of a niche skill. And an entrepreneur, right? So he’s got his own business. He’s part of the crew that helps set up for a really high-level acts that folks will pay a bunch of money to go see in concert and so on. So the whole sound engineer, the lighting components, and so on, how do you make sure that that isn’t going to get hacked in the middle of your show? What’s your differentiator as a small business owner? You have to say, “You know what? You can trust me to handle this, because I have this background.”
So this is a really kind of a cool addition to some – There’s definitely some technical components to the sound engineering and the lighting and so on. But it’s a very different sort of technology than what you’d normally expect with cyber.
And again, I’ve mentioned nursing. So, of course, a great opportunity for somebody that understands that experience of caring for a patient and can translate the cyber need to the nurses and doctors and all the folks who are like, “Ah! I just want to serve the patient.” “Okay, well, you can do that better if you protect their information. Here’s how to do it. Don’t just click cancel on the next security feature you see.” And, “Oh, by the way, let me understand how that works.” And then relay that to the company so that they can improve the experience as a user, right? It’s a really unique and cool experience. So again, I could talk a lot more about examples of that but —
[00:45:12] CS: No. Tat ties in nicely. And we had a previous guest who – And we basically got to that point as well in terms of, “Oh, if I have these skills, where do I go now?” And it’s like, “Well, whatever industry you’re interested in any way, there can be a cyber component to that, whether it’s libraries, whether it’s finance, whether it’s hospitals, whether it’s –” So, I guess, as we’re kind of getting to the end of the hour here, but I want to talk a little bit about, as you said, with COVID, a lot of people lost their jobs very quickly. Entire industries kind of fell apart in the scene for the foreseeable future. Can you talk about the sort of rapid upskilling that happens with cyber ranges? I mean, like, if you’re in that point right now where you’re like, “This sounds really interesting. I feel like I can contribute to this. I want to start learning immediately?” Can you give like sort of an estimation of how long they might take them to sort of feel comfortable, have a demonstrable set of experiences that will then in terms – Have someone else be able to take a chance on a relative newcomer like that?
[00:46:18] JP: Yeah. I mean, obviously I’m biased, because of our bootcamp, our career launchpad, that foundations level. We built that to most rapidly career transition in 16 weeks. And those are 16 grueling weeks. That’s why we called it a boot camp. As a military guy, that means something, right? It’s like [inaudible 00:46:37]. But that’s the shortest possible timeframe that we could engineer and feel comfortable saying, “Actually, no, this person knows enough to be effective on the job one, or day one of the job.”
I will say that when we when we spoke with a lot of the hiring managers that would employ these folks, our trainees, a huge range of responses. Some said 10 years. Maybe? Right? And I think there’s some real truth to the range, in that there’s things that you can do using tools. If you know how to use a tool, you can be effective after only a handful of weeks, really, maybe a couple of months. Even if you don’t – You can put together an Excel spreadsheet or something. But to program something? No way, right?
But even after a dozen weeks or so, you could be effective in being part of a cybersecurity platform. Being a level one SOC analyst maybe with some mentorship and some ongoing training and so on. Though, I think we always have more room to grow. So even though I’ve been doing this – I mean, we’ve been doing this for decades, right? And it’s like there’s always more to learn. There’s always some – You lift up a rock and there’s like a hundred more things to uncover. This is such a deep field. It’s really exciting.
So I think, probably the biggest thing to just keep in mind for those that are thinking about the field is that you’re never going to stop learning, which is, to be, part of the fun, really. But also, not to be intimidated by that. Yeah, you can actually be effective even if it’s just helping people understand how to enable security by default on their system. In a very simple way, just being able to communicate with people or run a few log traces and see, “Oh, there’s something going on here.” And then escalate it to the next level up. And that can actually make a material difference, because we need, really, all hands-on deck.
[00:48:46] CS: Can you speak at all to – I mean, we’re sort of talking around the notion of the skills gap, that there’s all these jobs out there and not enough people to fill them. And as you said, there are plenty of opportunities for people who have this sort of minimal skill set who are transitioning into a new part of their career. Can you talk at all to the sort of HR hiring side of this in terms of whether there needs to be a loosening up? I mean, the archetype is always – It’s an entry level job. We need you to have a CISSP, or something like that. I mean, do you see any sort of changes in terms of the hiring landscape of companies being more willing to take a chance on, as you said, a former, hospitality person who’s done through a boot camp and is learning very quickly?
[00:49:37] JP: Yeah. We surveyed interviewed a bunch of folks, maybe a couple hundred folks. And we found absolutely that certifications like CISSP, they’re really HR filters. They’re very useful, by the way. And I’m a CISSP holder. A lot of compliments for (ISC)² squared and all that they do. But it’s not the only thing that the folks who actually have to work with the hires care about.
So more specifically, sometimes it’s the price of admission to have certs like that to get past the HR filter. But fundamentally, the only thing that the actual person is going to employ, like the team lead or even among the colleagues, all they care about is can the person do the job? And that is all skills-based. Whereas the certs by the nature of their accreditation are very much knowledge-based certs. So you know how to do the thing, or you can figure out the answer to a problem, fine. But applying that in the real world is really difficult to test from a certification perspective.
So having hands-on skills, even if it’s a running list of your hack the box achievements, or whatever it is that’s showing that you’re doing the thing, that’s what people care about. And if you can’t get through the front door with HR filters and all – Then talk to folks at BSides or some other community-driven event and say, “Hey, I’m breaking into the field. Can you introduce me to some of your colleagues?” And you will get a job. You don’t have to go through the front door all the time. You can be a warm lead. And as long as you’re interested and motivated, you will land a job. There’re enough jobs out there for sure.
[00:51:30] CS: Absolutely. So one last thing here, I saw sort of throughout on your presentation, but if our listeners want to learn more about either Justin Pelletier or the Cyber Range and Training Center at RIT, where should they go online to look?
[00:51:43] JP: Sure. So LinkedIn is probably the best place if you want to get a hold of me personally. If you want to learn more about the Cyber Range, about the goings on at the ECL Global Cybersecurity Institute, check us out online at RIT, the Rochester Institute of Technology, rit.edu. If you type in our RIT cyber, you will get us. If you just Google RIT cyber, you’ll get us.
And I just talked about a large component, but only a small component in big picture of the overall mission, right? So we have all these research initiatives and some really cool stuff going on across the bigger RIT with relationship to cyber. So it’s not only the Cyber Range itself, but I invite you to check us out on online there.
[00:52:31] CS: Awesome. Justin, thank you so much for joining me today. This was amazing, frankly, I’m blown away.
[00:52:37] JP: Thanks, Chris. It’s a pleasure. I’m really a fan of what you’re doing and how you’re doing it. So I’m very pleased that we’re able to link up today.
[00:52:44] CS: Well, thank you very much. I like to hear that. I appreciate it. So as always, I’d like to thank everyone listening to and supporting this show. Every week, new episodes of the Cyber Work podcast are available each Monday at 1pm Central both on video at our YouTube page. Just type in InfoSec, you’ll find us. Or an audio wherever you download your podcasts.
Also, speaking of cyber ranges, we have a monthly challenge. If you go to infosecinstitute.com/challenge, you’ll go through three little challenges escalating in difficulty. And if you complete all three and you get the little diploma and send it to us, you could be eligible for free prizes each month. So check that out, infosecinstitute.com/challenge.
Thank you once again to Justin Pelletier, and RIT and the Cyber Ranges. I’ve already forgotten the new brand. What’s it called again? ESL –
[00:54:10] JP: ESL Global Cybersecurity Institute.
[00:54:12] CS: Thank you very much to the ESL Global Cybersecurity Institute and Justin Pelletier. And thank you all for watching and listening. I will speak to you next week.