Below is a transcript of testimony given to the Texas State School Board of Education on November 14th, 2018 by John Owen in support of the cybersecurity TEKS.

Testimony to the State Board of Education Committee of the Full Board

Item 7: Proposed New Cybersecurity Texas Essential Knowledge and Skills

November 14, 2018

Thank you for your time and the opportunity to discuss the proposed new Texas Essential Knowledge and Skills for cybersecurity courses.  My name is John Owen and I am a cybersecurity professional working with Set Solutions based in Houston.  I have worked with numerous clients in the Fortune 500, the largest oil & gas companies in the world, and many others in the finance, insurance, manufacturing, and education industries.  My primary focus is helping companies increase the value and maturity of their cybersecurity operations through the use of tools, technologies, processes, procedures, and data-driven security solutions.  I am a product of a strong high school computer science program at Rockport-Fulton High school, run by my father back in the early 2000’s.  I went on to study Computer Science and Information Assurance at Sam Houston State University (a Center of Excellence in Digital Forensics) and continued to earn numerous industry certifications including EC-Council Certified Ethical Hacker, and 14 Splunk certifications allowing me to deliver their security-focused data platform at the highest levels.  Much of what I learned I’ve had to develop on my own initiative and, had there been a foundational course sequence as the one that is being considered today, I would have been much more prepared for my positions.  The key part of my education was the computer science courses I took in high school, which served me very well in my continued studies in cybersecurity.

The recently released National Cyber Strategy notes how Cyberspace is a fundamental component of American life, economy, and defense.  It further explains the increasing difficulties faced by our private and public entities to secure this space as adversaries increase the frequency and sophistication of their malicious cyber activities.

One of the many obstacles faced by these entities is a very realistic and increasing cybersecurity talent gap in the industry.  It is predicted that by the end of next year, one to two million cybersecurity jobs will remain unfilled and that deficit will increase to 3.5 million by 2021.  Last year the United States employed nearly 780,000 people in cybersecurity positions, with approximately 350,000 cybersecurity openings.  These forecasts have been unable to keep pace with the dramatic rise in cybercrime, which is predicted to cost the world $6 trillion annually by 2021 (doubling the cost in 2015).  According to a report by Dark Reading, only 14% of IT security managers feel there are currently enough cybersecurity professionals in the field with the skills necessary to hunt down and respond to threats.

This skills gap has created benefits for those in, and entering, the industry.  The Bureau of Labor Statistics found that the median pay for an IT security analyst was $92,000 per year (equivalent of $44.52 per hour) and the rate of growth for jobs in the information security industry is projected at 37% through 2022.  In response to the gap many people pivot into cybersecurity from other industries and careers. Currently one third of cybersecurity executives arrived in the industry through non-technical careers.  Businesses have responded by providing internal training to staff and effectively lowering the barrier to entry into IT security jobs.

Cybersecurity education is necessary to prepare and protect the future of the economy by providing training in incident handling and response, intrusion detection, analytics and intelligence, security information and event management, access/identity management, advanced malware prevention, and cloud computing/virtualization.  Cybersecurity has not been a part of many undergraduate courses in the past and many of these degree courses do not provide specialist skills.  The lack of curriculum is considerably insufficient in high schools where, in Texas, less than 38% of schools offer a Computer Science course and less than 3% of high school students have completed a single computer science course. Cybersecurity engineers are forced to learn their skills through certification programs that are in demand by employers and will remain vital for candidates.

As recommended by the National Institute for Standards and Technology a cybersecurity capstone course should incorporate content about how cybersecurity intersects with business, policy, and specific industries.  Additionally, schools should partner with local businesses and colleges so students can more easily transition from high school into jobs or higher education, thus ensuring that students are receiving the skills needed by future employers.

Educators, from elementary schools to postgraduate institutions, need to comprehend the critical knowledge, skills, and abilities to prepare future cybersecurity professionals.  Science, technology, engineering and math (STEM), and other cyber concepts, should be taught to all students and they should be educated on the secure use of today’s ever-evolving technologies. This includes the recognition and incorporation of current Computer Science TEKS as integral foundational elements in the cybersecurity pathway. Cybersecurity is essentially a specialization within the computer science field and components like computer systems and architecture, networking, algorithms, data structures, databases, and distributed systems are elemental in both.
The National Initiative for Cybersecurity Education (NICE) has identified five strategies to increase the quantity, quality, and diversity of students pursuing cybersecurity careers:  Increase career awareness, infuse cybersecurity across the education portfolio, stimulate innovative educational approaches, and identify academic and career pathways.  Specifically, high school students should be prepared for industry recognized certificates like CompTIA Security+, GIAC Security Essentials, or ISC2 Associate.  Upon exiting high school, students should be qualified to enter the workforce with one of these certifications or the ability to matriculate into a 2-year institution to obtain an advanced industry certification (like EC-Council Certified Ethical Hacker, CompTIA Advanced Security Practitioner, or CSX Cybersecurity Fundamentals), or attend a 4-year institution to major in Computer Science with a specialization in cybersecurity like information assurance.

The State Board of Education, along with the Texas Education Agency, has a critical and meaningful responsibility to empower our youth with the skills to support the future of the American and world-wide economy by implementing and expanding a cybersecurity pathway and continuing to work with educators and business and industry representatives to develop recommended TEKS for new cybersecurity courses as a part of this pathway.  Additionally, the Board should accept the recommendations of the Texas Computer Science Task Force and create a Cybersecurity capstone course as the culmination of the Cybersecurity pathway, reclassify Computer Science courses under Career and Technical Education, monitor and review the progress of the pathway, and review and update the Computer Science and Technology Applications TEKS.