George Mason faculty are tackling cybersecurity’s talent pipeline problem


If you’re a cybercriminal, the latest news on cybersecurity talent shortfalls should put a smile on your face. For example, the majority of cybersecurity leaders report that their teams are understaffed, and they have problems retaining qualified professionals.

But for Nirup Menon, a George Mason University professor of information systems and operations management (ISOM), and Brian Ngac, an instructor in the ISOM area, this workforce challenge is a golden career opportunity for the young people of Northern Virginia and the Washington, D.C., area.

Nirup Menon and Brian Ngac
Nirup Menon and Brian Ngac

The pair recently won a two-year award from the National Institute of Standards and Technology (NIST), an agency within the U.S. Department of Commerce, to create unique experiential learning opportunities and workshops designed to enhance cybersecurity education and workforce development.

Working closely with industry partners Mobius Consulting and Institute for Defense Analyses (IDA), Menon and Ngac will recruit and help select students to work on actual cybersecurity projects. “They need to have taken some fundamental cyber class ahead of time,” Menon clarifies. “We want students with a commitment to the field. It allows you to get experience but it’s also competitive.”

Throughout the 12-week projects, students will receive mentoring both from the industry participant and from business faculty. “We run it in an agile scrum-like manner,” Ngac says. “Every week, we ask ‘What did you do?’ ‘What are you going to do?’ ‘What are the challenges that are impacting your work?’” If students run into trouble, faculty mentors can work with industry managers to help them get back on track.

“We’re trying to build not just the cyber workforce but the skills as well,” Ngac says.

Menon and Ngac have developed a specialty in this type of hands-on learning, which they have dubbed the Professional Readiness Experiential Program (PREP). More than 100 Virginia-based undergraduates and 20 industry participants have participated in PREP, which includes projects funded by two Commonwealth Cybersecurity Initiative Experiential Learning grants in collaboration with Mobius and IDA. 

“PREP not only focuses on cybersecurity projects, but also works on many business process improvement projects,” says Ngac. "Honors and high-performing ISOM students work on real-world projects with industry participants on identifying technical solutions to business challenges through rigorous research, modelling, analysis, quantification, risk management, implementation planning, and, at times, execution.”

The NIST award also incorporates workshops for students who are new to cybersecurity but interested in exploring it as a career option. Workshops will be launched in collaboration with Trinity Washington University (TWU), an HBCU whose College of Arts and Sciences is women-only. For a field such as cybersecurity, which continues to face diversity challenges, the participation of organizations such as TWU is essential.

“We want to bring in students who have not thought of cybersecurity as a field, because they think it’s all engineering, hacking and coding,” Menon says. The workshops will emphasize the variety of functions that are integral to the space, such as management and auditing, in addition to engineering. 

Students and industry participants in the current CCI Experiential Learning Projects
Students and industry participants in the current CCI Experiential Learning Projects

“It’s not just tech, there may be creativity involved in anticipating scams and threats,” Ngac explains. “These are different things we’ll be bringing up in the workshop in terms of roleplaying what cybercriminals might do, or how someone might try to socially engineer an attack.”

Unlike a standard grant, the NIST award is structured as a cooperative agreement in which the funding agency will collaborate in shaping and delivering programs as they evolve.

“The advantage of working with NIST is that top people work there. They are the standards body, so they have seen and surveyed a lot of industry,” Menon says. He also lauds NIST’s high-level view of cybersecurity and its implications. “They’re not just looking at technology but also public policy, human factors, etc. It’s a holistic approach.”

Organizations interested in being an industry participant (whether they have cybersecurity-focused or business process improvement-focused projects) with PREP are encouraged to contact Brian Ngac.