Cybersecurity Education Issues & Approaches Derek A. Smith Director of Cybersecurity Initiatives at Excelsior College AFCEA November 18, 2014
Where we are now! Symantec: In a world of increased cybersecurity attacks, an estimated 300,000 cybersecurity jobs are vacant in the United States
Where we are now! Rand Corporation: The nationwide shortage of cybersecurity professionals -- particularly for positions within the federal government -- creates risks for national and homeland security, according to a June 18 2014 study by Rand Corporation.
Where we are now! ISC2: The reasons for an inability to bridge the need for additional information security workers are fueled by three factors: business conditions, executives not fully understanding the need, and an inability to locate appropriate information security professionals (ISC2)
Where we are now! Contributing factor: Competing budget priorities, a narrow pipeline of prospects, training shortfalls, ambiguous skill-set requirements and a tug of war between the public and private sectors all add complexity to the process FCW Magazine
While billions of dollars are being spent on new technologies to secure cyberspace, it is the people with the right knowledge, skills, and abilities to implement those technologies who will determine success
Understanding the trends Four common trends that drive the need for cyber education: information security is increasing in relevance is increasing in attention and demand from students, private industry and government agencies more domains to secure and more ways to attack. focus more on the practices (not just general security)
Straining to address the needs and trends finding qualified instructors and professors struggling for resources with competing subject critical lack of equipment, laboratories and opportunities for students to get hands-on experience dynamic curriculum
Different approaches, common ground Common themes: Cybersecurity must evolve into a formal discipline in the curriculum similar to other existing disciplines. Programs must teach a combination of theory and practice. Cybersecurity should be taught in an integrated fashion, with all students learning basic principles. Independent study and student interest groups are a key teaching tool. Government and industry collaboration is extremely important. Providing strong faculty development opportunities is a must.
Program Components Technology Technology specific items Skills development (hands-on) Theory and research Critical Thinking Analysis and decision making Problem solving Finding unique solutions Information Literacy not just technology literacy Research process Interpersonal skills Team work Communications capabilities Writing, presentations
Cyber Security Content Areas (Examples at all training / education levels) Systems maintenance, patches, upgrades Content security Data assurance Physical security User education Detection (hacks, probes, etc.) Deterrence (fire walls, honey pots, etc.) Forensics (evidence gathering, preservation) Policy development Forward planning and professional development Preparation for certification Security budgeting & public communications Research all areas
"One of the first things at the high level is actually defining what it is you want this person to do because it's not as broad as it's sometimes made out to be when you just say 'cybersecurity career field,'" Howard Schmidt, formerly White House cybersecurity coordinator.
The Workforce Framework lists and defines 32 specialty areas of cybersecurity work and provides a description of each. Each of the types of work is placed into one of seven overall categories. The Workforce Framework also identifies common tasks and knowledge, skills, and abilities (KSA's) associated with each specialty area. The Workforce Framework will be used as guidance to the federal government, will be made available to the private, public, and academic sectors for describing cybersecurity work and workforces, and related education, training, and professional development. NICE Framework The National Initiative for Cybersecurity Education (NICE) developed the National Cybersecurity Workforce Framework (the Workforce Framework) to define the cybersecurity workforce and provide a common taxonomy and lexicon by which to classify and categorize workers.
Linking efforts at all levels Seven different tenets for cybersecurity education 1. Holistic 2. Interdisciplinary 3. Diverse programs 4. Business-focused 5. Hands-on 6. Research-oriented 7. Common language and science
Meeting the demands of tomorrow Increase awareness and expertise Treat security education as a global issue Approach security comprehensively, linking technical to non technical fields Seek innovative ways to fund labs and pursue real-world projects Advance a science of security
How We Approach It: Heavy doses of theory & fundamental principles Softer skills: writing, communications, problem solving, critical thinking, team work Some levels include lots of hands-on Different approaches depending on level Intro. level typically more skills based (also a mixed set of students and student backgrounds) Intermediate some hands-on but includes softer skills (theory, critical thinking, problem solving, communications, team work) Advanced managerial or research
Student Expectations Mind set preparation Understanding what the professional does Detailed analysis Constant monitoring Responsibility issues Want it immediately Expecting hands-on work in most programs Employment expectations High-paying jobs In some areas a security clearance is an issue
Faculty Preparation Full-time vs. part-time/professional faculty Backgrounds vary Technically adept but don t teach well Good teachers but don t know technology Teaching ability: preparation & in the classroom Keeping up with the changing technology New theories, problems, tools, techniques Developing specialization areas (may go out-ofdate ) Balancing: hands-on, theory, KSA's, softer skills Up to date on technology, law, business needs, costs/benefits
Sample Programs Capitol College Doctor of Science in information assurance (DSc) Master of Science in information assurance (MSIA) The Bachelor of Science in cyber and information security (BSCIS) Computer and Network Security(Certificate) Digital Forensics and Incident Handling (Graduate Certificate) Information Assurance Administration (Graduate Certificate) Network Protection (Graduate Certificate) Secure Cloud Computing (Graduate Certificate) Secure Mobile Technology (Graduate Certificate) Secure Software Development (Graduate Certificate) Security Management (Graduate Certificate)
Sample Programs University of Maryland, University College MASTER OF SCIENCE IN CYBERSECURITY MASTER OF SCIENCE IN CYBERSECURITY POLICY MASTER OF SCIENCE IN DIGITAL FORENSICS AND CYBER INVESTIGATION MASTER OF SCIENCE IN INFORMATION TECHNOLOGY: INFORMATION ASSURANCE BACHELOR OF SCIENCE IN CYBERSECURITY BACHELOR OF SCIENCE IN COMPUTER NETWORKS AND SECURITY BACHELOR OF SCIENCE IN SOFTWARE DEVELOPMENT AND SECURITY CYBERSECURITY POLICY CYBERSECURITY TECHNOLOGY DIGITAL FORENSICS AND CYBER INVESTIGATION FOUNDATIONS OF CYBERSECURITY INFORMATION ASSURANCE
Sample Programs Prince George s Community College Cybersecurity Assoc. of Applied Science Cybersecurity Certificate Cybersecurity Management, Certificate
Sample Programs Excelsior College Five Cybersecurity Programs Certified to Meet the NSA s Committee on National Security Systems (CNSS) Training Standards Master of Business Administration in Cybersecurity Management Master of Science in Cybersecurity Bachelor of Science in Cyber Operations Bachelor of Science in Information Technology [Without Concentration] Bachelor of Science in Information Technology (Cybersecurity) Undergraduate Cybersecurity Certificate Graduate Cybersecurity Management Certificate
Questions? Derek A. Smith Director, National Cyber Security Institute Excelsior College (dsmith2@excelsior.edu)