Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Shaping security problem solvers: Academic insights to fortify for the future

2,630 views

Published on

In a follow-up to its recent CISO assessment, Fortifying for the future, the IBM Center for Applied insights interviewed cybersecurity academics who held a range of responsibilities within their universities. First and foremost, the interviewees did what many of our CISO Assessment respondents have over the years: point out the various imperfections, concerns and issues afflicting today's information security practices. But the interviewees didn't stop at identifying problems—they also offered ways in which these challenges could be addressed through actions within academia.

Published in: Technology
  • Be the first to comment

Shaping security problem solvers: Academic insights to fortify for the future

  1. 1. © 2015 IBM Corporation Shaping security problem solvers: Academic insights to fortify for the future May 2015
  2. 2. © 2015 IBM Corporation Cybersecurity is growing in all directions: 2 © 2015 IBM Corporation Fortifying for the future As a field, it continues to expand with the endless march of technology. The IBM Center for Applied Insights, as a follow-up to its recent CISO Assessment, Fortifying for the future, interviewed a group of cybersecurity academics to examine how business and academia converge in this matter. Do professors have a unique perspective on the problems facing today’s security leaders? As a concern, it weighs heavier on business leaders in light of recent breaches. And in universities, demand for security programs is on the rise.
  3. 3. © 2015 IBM Corporation The interviews demonstrated that academics are addressing key security challenges by adapting their educational approach. 3 Security teams often playing catch-up with attackers Produce versatile experts who use predictive and behavioral analysis Lack of communication all the way up to executive level Train students to be facilitators between technology and business Mobile and Internet of Things are growing security hurdles Create holistic curriculum that examines these technologies Enterprises need to share more information Provide a platform for business leaders to converse © 2015 IBM Corporation Business problem Academic solution
  4. 4. © 2015 IBM Corporation Today’s security posture feels untenable. It’s near impossible to keep up with the ceaseless evolution of hacking technology while also plugging every hole in a system. 4 © 2015 IBM Corporation The attacker always has an advantage because the defender has to understand and patch every single potential vulnerability in the organization. Organizations need to move up the attack chain and see when we're being reconnoitered and surveilled from the very beginning, when the door is being knocked on before they even get in and cause a mess. Business Problem: Security teams often playing catch-up with attackers Associate Professor of Managed Information Security, United States Faculty Director, Financial Services Analytics PhD Program United States Professor, Computer engineering, Switzerland Academic Director, Infrastructure Planning and Management, United States The creativity of the attackers is incredible. They are always a step ahead, and that’s what makes the problem difficult. If you only rely on the technology, it's always a catching game, it's always a reactive game. You're never going to win this way.
  5. 5. © 2015 IBM Corporation Universities are training students to stay ahead of attacks by practicing proactive and aggressive skills, while also understanding the mindset of their enemies. 5 © 2015 IBM Corporation Academic Solution: Produce versatile experts who use predictive and behavioral analysis You have to first regard the incentive issues. Why do they want to attack? I mean you have to know the psychology, the incentives. The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of- the-art routines in cybersecurity. We’ve added a significant amount of offensive content to our curriculum. We’re doing some big data research to try to characterize attack flows based on network signatures. Faculty Director, Financial Services Analytics PhD Program United States Associate Professor of Managed Information Security, United States Professor of Computer Science and Electrical Engineering, United States
  6. 6. © 2015 IBM Corporation Finding a security solution is only half the problem—you also need to be able to convey it in a manner that non-technical colleagues understand. Communication challenges can persist even at the C-level. 6 © 2015 IBM Corporation I've seen the glazed look on CEOs’ faces because the people that understand cybersecurity can't speak in the language that they get. It’s much easier to find a technologist that specializes within a particular domain than it is someone who can be a generalist and work effectively in areas like management, governance and budgeting. Business Problem: Lack of communication all the way up to executive level Department Chair, Mathematics and Computer Science, United States Chair of Computer Information and Network Security, United States University CISO, United States It's extremely in demand and rare to find people with good business background who also understand the technology, and vice versa. The CIO and the CISO—there is no collaboration between them, because the IT department thinks somebody's interfering in their work. Academic Director, Infrastructure Planning and Management, United States
  7. 7. © 2015 IBM Corporation By integrating business components into technical programs—and vice versa— universities hope to create employees with an interdisciplinary skill set who can not only build solutions, but explain them too. 7 © 2015 IBM Corporation Academic Solution: Train students to be facilitators between technology and business I spend one-tenth of the course on heavy technical controls. The other nine- tenths of the course cover things that aren’t technical. It’s much more process oriented, people oriented, governance oriented. Cybersecurity has evolved, and the education has evolved correspondingly. It's moved from being primarily technical and hands-on to incorporating more management, leadership and policy. The goal of our program is for students to become that translator between senior executives and the technology people. University CISO, United States Director, Managed Security Information Program, United States Academic Director, Infrastructure Planning and Management, United States
  8. 8. © 2015 IBM Corporation The proliferation of devices and sensors pleases users, but every new connection to the Internet also creates a possible vulnerability that must be secured. 8 © 2015 IBM Corporation The more things you have connected, the more potential entry points you have. Security becomes more and more complex in that sense. People are starting to now figure out that their cell phone could be a piece of evidence in a crime. Business Problem: Mobile and the Internet of Things are growing security hurdles Director, Center for the Application of Information Technology, United States Department Chair, Mathematics and Computer Science, United States Many individuals use these mobile applications, these gadgets, but they have very little idea what is really going on. So the first thing should be awareness. Your toaster is going to have a device on it, your thermostat in your house is going to have a device on it. A lot of those kinds of things are being developed without a tremendous amount of thought given to security.Chair of Computer Information and Network Security, United States Director, Center for the Application of Information Technology, United States
  9. 9. © 2015 IBM Corporation To mimic the real-world conditions, universities are shifting the classroom balance toward device and sensor security, with an emphasis on new research into these areas. 9 © 2015 IBM Corporation Academic Solution: Create holistic curriculum that examines these technologies We’re staying current in the technology fields. Many more universities now have mobile security elements than they did in perhaps 2010 or 2011. We have to change the definition of cybersecurity to reflect the new technology that we have today, with the advances of smart devices and the Internet of Things. It's going to be an evolution. We're doing more on mobile device security, BYOD. All that stuff is huge. And we're doing it. Director, Center for Autonomic Computing, United States Chair of Computer Information and Network Security, United States Director, Managed Security Information Program, United States
  10. 10. © 2015 IBM Corporation In an age when safeguarding data is an ultimate priority, sharing information might seem counterintuitive. But companies need to keep each other apprised to aid the collective effort. 10 © 2015 IBM Corporation The antivirus industry is well- established. They do a lot of analysis and detection of malware, and they do it well. But only a few of the companies actually are open with their findings. I understand the leaders' viewpoint: nobody wants to say that their organization was hacked, because it doesn't look good. But if they can share information, it will help another organization. Business Problem: Enterprises need to share more information Associate Professor of Managed Information Security, United States Department Chair, Mathematics and Computer Science, United States Academia values the communication of new discoveries, while the industrial community values privacy. There are certainly companies out there that don’t want to share things that they’ve understood. If somebody asks me, “Could we use your material?” then I would of course say yes. On the level of the institution, I’m not aware of such cooperation. Professor, Computer engineering, Switzerland Professor, Computer engineering, Switzerland
  11. 11. © 2015 IBM Corporation Universities are hosting security conferences so that business executives can share information with each other while also influencing the curriculum. 11 © 2015 IBM Corporation Academic Solution: Provide a platform for business leaders to converse We bring in industrial advisory board partners every year to get an understanding of how our curriculum fits into industry and whether or not we’re doing the right things. We were one of the main institutions organizing a conference on enterprise security. We had over 300 people from 49 countries. Thanks to such cooperation, the cybersecurity situation is improving. Former executives make the best kind of professor. They bring not only a wealth of experience, but also knowledge of what's actually needed in the market. Professor, Business Informatics Institute Poland Professor of Computer Science and Electrical Engineering, United States Associate Professor of Managed Information Security, United States
  12. 12. © 2015 IBM Corporation12 © 2015 IBM Corporation This is an everybody problem. The universities aren’t going to figure this out on their own. Industry is not going to figure it out on their own. It’s something that we have to work together on. Read more about the state of cybersecurity on ibmcai.com, or download the latest CISO Assessment, Fortifying for the future. Director, Center for the Application of Information Technology, United States
  13. 13. © 2015 IBM Corporation13 © Copyright IBM Corporation 2015 IBM Corporation New Orchard Road Armonk, NY 10504 Produced in the United States of America May 2015 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

×