Start spreading the news, folks. New York City wants to be king of the hill, top of the heap, "A" number-one in cybersecurity.

The city that never sleeps needs cybersecurity pros to defend against the attacks that never sleep. Wall Street banks and hedge funds are working closely with the city to attract experienced security pros, to train the next generation of security leaders, and to grow the talent pool.

The city is confident they've hit on a winning strategy--and it may have more to do with Brooklyn than government-funded initiatives.

A cybersecurity mandate from the top

Cybersecurity does not become a priority until senior leadership steps into the game, and in New York City that happened formally on July 11, 2017, when Mayor Bill de Blasio signed Executive Order No. 28 of his administration, a document many an under-resourced and under-appreciated security professional will salivate over. The executive order created the New York City Cyber Command, and gave the agency sweeping authority to parachute into the many city IT departments scattered across the city and "mandate deployment of technical and administrative controls."

Cyber Command asks nicely, we presume, but their requests to IT staff are backed with the firm order from the mayor that "all agency and office heads are directed to cooperate with the New York City Cyber Command." Geoff Brown, the CISO of the City of New York and head of the NYC Cyber Command, compared the role of his agency to a managed security services provider (MSSP) for other branches of city government, but with the power to compel the application of technical controls.

"We have the authority and responsibility to lead incident response, to deploy technical and administrative controls, develop policies, review cyber spend--what you'd see in a large enterprises," he tells CSO.

Despite the similarity of the agency's name to U.S. Cyber Command, a branch of the military, Brown emphasizes that New York's Cyber Command has a purely defensive mandate. When any kind of investigation is needed, Brown calls the New York Police Department (NYPD).

Order No. 28 was the first, most visible commitment that the city means business when it comes to cybersecurity. The New York City Economic Development Corporation is currently throwing everything at the wall they can think of to see what sticks as part of its Cyber NYC initiative. Perhaps the most valuable, and likely to succeed, effort is New York University’s (NYU's) Cyber Fellow program.

Cyber Fellows at NYU

A key component of the city's strategy is their partnership with NYU's Tandon School of Engineering. To meet the city's goal of training the next generation of cybersecurity professionals, NYU now offers an online masters degree in cybersecurity, with a heavily discounted cyber fellowship for domestic students that costs just over $15,000. Designed to meet the needs of working professionals, the program is intended to be flexible and affordable.

Cyber fellows, program director Nasir Memon tells CSO, are typically in their late 20s or early 30s, have a bachelor's degree but no experience in computer science or cybersecurity, and are looking to change careers. To make the funnel as wide as possible, NYU offers a bridge course online that teaches the fundamentals of computer science--and, at a mere $1,500, is an affordable way for students to find out if they like cybersecurity and are good at it. Only about a third of students enrolled in the bridge course qualify for the Cyber Fellows program, but the good news is that successful bridge course students don't need to take the GRE.

The first cohort of a hundred cyber fellows began the program in 2018, and graduates in 2020, Memon says, and NYU hopes to scale that to a thousand students per year in the near future. "The skills shortage people are talking about is in the hundreds of thousands, even millions," Memon says. "In order to scale and build this pipeline, affordability was needed. Once you digitize things, you can scale it to levels that allow you to start producing experts at a scale the country needs."

NYU works closely with industry partners to develop the curriculum and facilitates the matchmaking process between students and potential employers. The university also works with the city's Cyber Command to run red team exercises on the city's cyber range, where students get a taste of sitting in a blue team security operations center (SOC) chair. One event, Cyber STRIKE (Simulated Threat Response and Incident Knowledge Exercise), is designed to help Cyber Command protect the city’s infrastructure and systems from malicious attacks.

Around 60% of Cyber Fellows live in the New York City area, and Memon expects many to stay in the region when they graduate.

How will New York City compete with the Bay Area?

New York's biggest competition for cybersecurity professionals is the Bay Area, followed by Washington, DC. The housing market and cost of living in the Bay Area, however, has overheated to the point that San Francisco is now a more expensive place to live than New York.

Washington isn't a cheap city to live in, either, but opportunities for salary growth are fewer than in New York or San Francisco. Plus, government jobs tend not to attract the best and brightest, and come with salaries to match.

The key element that will put New York on the map as a cybersecurity hub has little to do with the city's efforts to stimulate the market, Ed Amoroso, CEO of Tag Cyber, former long-time AT&T executive, and New York area native tells CSO. Initiatives like Cyber STRIKE are not what drives a city to become a tech hub, he argues, observing that you could run the same exercise in Tampa, Florida and never attract cybersecurity talent as a result.

"What drives that condition is that the city is an awesome place where people want to be," Amoroso says. "Brooklyn and lower Manhattan, you walk around there and it's just amazing. It's beautiful. If you want to attract tech to a city, you have to be a great city for tech people," he adds, noting that the majority of newcomers to tech and cybersecurity are young people.

Another reason why cybersecurity startups will set up shop in New York is because that's where the customers are. Attend any cybersecurity conference in the city, and almost all the buyers are locals and almost all the sellers are from the Bay Area. It's a lot more convenient when you're building a startup to be where your customers are. “Five years from now the city will probably be giving the Bay Area a run for its money," Amoroso says.