
Cybersecurity education for the next generation


In a world of increasing information security threats, academic initiatives focused on cybersecurity are proliferating – yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, academic programs must be more collaborative across their own institutions, with industry, government and among the global academic community. Only by working in concert can we meet today’s demand while educating the next generation to create a more secure future.

Published in: Technology, Education

  1. 1. Cybersecurity education for the next generation – Advancing a collaborative approach
  2. 2. In a world of increasing information security threats, academic initiatives focused on cybersecurity are proliferating – yet, there is still the danger of falling short in addressing the long-term threat. To avoid becoming too focused on near-term issues, academic programs must be more collaborative across their own institutions, with industry, government and among the global academic community. Only by working in concert can we meet today’s demand while educating the next generation to create a more secure future.

     Understanding the need

     The number of cybersecurity-related academic programs around the world – whether called information assurance, security engineering or information security – has increased significantly over the past decade. One reason for this growth is the very strong demand from industry and government for trained professionals as both groups are facing a significant skills gap. In fact, over half of industry respondents in a recent survey said that they had too few information security workers on staff.[1] A UK government report said that it may take 20 years to address current and future information and communications technology (ICT) and cybersecurity skills gaps.[2]

     To rectify this situation, governments have launched a number of programs, working with industry and academia, to encourage more professionals to enter the cybersecurity field. In the United States, over 160 academic programs have been certified as National Security Agency/Department of Homeland Security National Centers of Academic Excellence in Information Assurance.[3] Meanwhile, in India, the University Grants Commission has asked that cybersecurity be introduced at both the undergraduate and post-graduate levels nationwide, based on a task force recommendation.[4]

     About the study

     To understand how cybersecurity academic programs, throughout the world, are evolving – and in the process identify both challenges and emerging leading practices – IBM interviewed faculty members and department heads from 15 programs in six different countries. Study participants were selected from over 200 programs followed by the IBM Cyber Security Innovation initiative. To fairly represent a diversity of perspectives, we selected programs from various geographies with varying levels of maturity.
  3. 3. Government and industry are creating demand, but what’s the view of students and educators when it comes to security? Over 450 students and 250 educators in computer science, information systems and engineering participated in the latest IBM Tech Trends research and shared their opinions on emerging technology areas.[5] Both groups see security as extremely important, with 56 percent of students and 44 percent of educators ranking it as one of the top three issues the IT industry will face over the next two years. When asked what they saw as the primary barriers to the adoption of mobile, cloud computing and social business, security came out on top.

     Figure 1 – Percentage of students and educators who see security as a top barrier to technology adoption
     [Figure: values shown are 62%, 61%, 54%; categories shown are Mobile computing, Cloud computing, Social business]

     Understanding the trends

     Four common trends were identified by the educators we interviewed. The first is that information security is increasing in relevance. No longer just a highly specialized area, it is something that impacts people every day. In an interconnected world reliant upon smart phones, social media, e-commerce and cloud services, information security impacts more and more of the public. It has become personal.

     The second trend is increasing attention and demand from students, private industry and government agencies. More and more industries, from banks and financial services companies to aerospace and defense firms, as well as healthcare providers are seeking graduates with specialized security skills. Training an expert cybersecurity workforce is now a national priority for many countries. Those interviewed said that almost all of their students are hired after graduation. Some are hired even before they graduate and finish their degrees while working. Rising demand is prompting the creation of more programs at the university, community college and vocational levels – all of which compete for talent and resources.

     These key stakeholders clearly see security as a critical issue, but do they feel their programs are addressing it? Less than 60 percent of the students and educators surveyed believe their academic programs address the creation and development of IT security practices for these emerging technology areas. These findings suggest that, despite the progress being made, work still needs to be done. Educational institutions need to do more to fully embed information security practices and principles into academic programs.
  4. 4. Thirdly, the field of cybersecurity has also significantly expanded with more domains to secure and more ways to attack. This means more to teach and to learn. Today, attacks are extremely hard to detect; attackers are stealthier and more evasive. In response, academic programs are expanding beyond traditional areas like cryptography, and countering sniffing and denial of service attacks. Cybersecurity education now covers new areas like cyber-physical attacks, the protection of heterogeneous systems and real-time security data analysis.

     Lastly, academic programs are moving away from teaching purely the principles and theory of security to focus more on the practices. This is largely driven by the demands of industry and governments, as well as by students who want to focus more on real-world problems and practical challenges.

     Figure 2 – Trends and challenges in cybersecurity education
     [Figure. Trends: Information security increasing in relevance; Greater attention and demand, needing a response; Expanded domain for cybersecurity; General move from principles to practices of security. Challenges: Competing resources and topics; Lack of equipment, laboratories and hands-on experience; Finding qualified instructors and professors; Dealing with a very dynamic curriculum.]

     Straining to address the needs and trends

     High demand, growth in the number of programs, increased threat and expanding domain are combining to create a number of challenges for educators. This puts a strain on both organizational and technology resources.

     The main difficulty for university programs is finding qualified instructors and professors, especially junior faculty. Industry and government are recruiting highly skilled cybersecurity experts at a rapid pace and draining the pool of potential faculty. The level of worldwide competition for talent is also rising sharply as the number of academic programs grows. Some of the non-U.S. universities we interviewed said it was particularly hard to retain faculty over the long term, with some professors leaving after only a couple of years for opportunities in the United States.
  5. 5. Institutions are also struggling for resources with competing subjects. A number of the programs we looked at draw professors from multiple departments. Departments have competing priorities and limited faculty slots, and they are not solely focused on cybersecurity. For example, a cybersecurity program based in the computer science department must contend with other important emerging topics such as mobile technology, cloud computing and analytics.

     Another major challenge is a critical lack of equipment, laboratories and opportunities for students to get hands-on experience. Many of the faculty we spoke to use either open-source tools or their own internally developed software and simulators. Even when programs receive a donation, the budget for training and maintenance isn’t there. Students need access to state-of-the-art, easy-to-use test beds, simulation tools and training networks. They should focus on learning principles instead of complex tools.

     A very dynamic curriculum is putting added pressure on cybersecurity professors and programs. As threats evolve rapidly and continuously, it is difficult to stay aligned with the latest solutions and technologies. In general, classes need updating every year, requiring time and resources that are hard to come by. With the ever-widening purview of cybersecurity (for example adding cyber-physical infrastructure, healthcare, legal and policy issues to the mix), this issue isn’t going away anytime soon.

     “Similar to the observation that security must be built into systems from the start, security concepts also need to be covered in the computer science curriculum from the very beginning…this creates the challenge of making room for these concepts in courses that already have plenty of material in them.”
     — Dr. Mustaque Ahamad, Professor, College of Computing, Georgia Institute of Technology

     Different approaches, common ground

     In response to these trends and pressures, academic institutions are taking different approaches to cybersecurity education. Some believe in specializing early and focus more on the application of cybersecurity, making it a part of mainstream undergraduate education. Others aren’t advocates of specialized undergraduate degrees and think it is more important to have a strong grounding in the fundamentals of computer science first. While opinions differ, it is important to highlight the debate so common ground can be found.

     Common themes emerged during our interviews:
     • Cybersecurity must evolve into a formal discipline in the curriculum similar to other existing disciplines.
     • Programs must teach a combination of theory and practice.
     • Cybersecurity should be taught in an integrated fashion, with all students learning basic principles.
     • Independent study and student interest groups are a key teaching tool.
     • Government and industry collaboration is extremely important.
     • Providing strong faculty development opportunities is a must.
  6. 6. Linking efforts at all levels

     Any one academic program cannot, on its own, address the full range of trends, challenges, issues and differing perspectives. There is a clear need for leading practices that promote a collaborative approach and a longer-term focus.

     Seven different tenets for cybersecurity education surfaced during our interviews. Together, they can serve as guidance in the development of new capabilities. The principles fall into three groups, all focused on collaboration – within institutions, with industry, government and across the global academic community. No single program had all of these characteristics.

     Figure 3 – A unifying set of leading practices
     [Figure: “Promoting a more collaborative approach and a longer-term focus”. Groups shown: Collaborate within your own institution; Co-evolve with industry and government; Connect across the global academic community. Practices shown: Common language and science; Business-focused; Holistic; Research-oriented; Interdisciplinary; Diverse programs; Hands-on.]

     Collaborate within your own institution

     • Holistic – A comprehensive approach from a technical perspective is essential. Designing and managing security for networks, software, hardware, data and applications is crucial. The majority of existing programs provides a broad spectrum of courses, covering both traditional security (e.g., cryptography) and emerging technical areas (e.g., mobile and cloud security). Almost all of the programs require some education in ethics. Many also cover the legal, business, government and social issues associated with cybersecurity.
  7. 7. • Interdisciplinary – Institutions are beginning to work across academic disciplines to incorporate cybersecurity into non-technical academic programs. Although interdisciplinary efforts are in their infancy, a few are in the planning and development stages. These include joint programs with business, medical, law, economics, public policy, criminology and even journalism schools.
     • Diverse programs – Most educators we interviewed have programs at the Master’s and Ph.D. level and a few have dedicated undergraduate programs. Almost all had different approaches based on whether cybersecurity is taught as part of engineering or computer science. Concentrations, minors, post-graduate certificates and professional development programs in cybersecurity were also popular.

     Undergraduate specialization

     The Computing Security BS degree program at the Rochester Institute of Technology was launched over six years ago. This was in a response to faculty recognition of a growing need for security professionals that would continue to increase for many years to come. With feedback from our Industrial Advisory Board, we created a dynamic and evolving curriculum that addresses the many aspects of security theory, reinforced by experiential and co-operative learning experiences. Through the use of extensive laboratory work in combination with required co-operative work experiences, graduates achieve mastery not only in computing security theories but also develop the capability to apply the theory in practice. After completing core course work that gives them a firm foundation in computing, students select a six-course advanced sequence from a variety of specialty areas such as network security, systems security, digital forensics, malware analysis, secure software development, or computing security theory. Their education is then completed with a senior capstone project. Since the inception of the program, over 200 students have graduated and experienced a very high placement rate. We are still challenged to get more high school students to major in computing security, in order to address the growing need for security professionals.
     – Sylvia Perez-Hardy, Associate Professor & Chair, Department of Computing Security, Rochester Institute of Technology

     “Interdisciplinary education for cybersecurity is essential. It is not only about computer science and engineering. We are working to bring together multiple programs from our university – criminology, brain sciences, statistics, ethics, healthcare informatics, economics and risk analysis – to truly develop a comprehensive approach to security thinking.”
     — Dr. Bhavani Thuraisingham, Louis A. Beecherl Jr. Distinguished Professor, Department of Computer Science, Executive Director of the Cyber Security Research and Education Institute, The University of Texas at Dallas
  8. 8. Practical experience

     Temasek Polytechnic’s School of Informatics & IT provides a hands-on, practice-oriented education, emphasizing the development of problem-solving and thinking skills. The School will be setting up a Security Operations Centre (SOC) as a Learning Enterprise for students from the Cyber & Digital Security and Digital Forensics programs. The SOC is expected to be operational early 2014. It will monitor the School’s network of 1,600 students. The unique feature of the SOC is that students will monitor and respond to actual security events and incidents. By combining a hands-on environment with relevant subjects in the classroom, the School believes that its students will acquire knowledge and skills that are industry-relevant and highly valued.
     – Ho Hee Meng, Manager, Security & Governance, School of Informatics & IT, Temasek Polytechnic

     Co-evolve with industry and government

     • Business-focused – Programs with a strong business focus generally have formalized processes and structures. Most have an industry advisory board or group of sponsors that meet regularly. These business partners tend to be deeply engaged, funding research and design competitions, providing fellowships and scholarships, contributing to curriculum design and sending their own employees to the institution for training and advanced degrees. Programs without extensive business partner involvement still had security professionals giving lectures or hosting industry nights.
     • Hands-on – Since many programs struggle with a lack of resources to adequately address students’ needs, they are coming up with creative solutions. Interviewees stated that extensive lab work and projects, both individual and group, are very important. Some have a dedicated lab class while others rely on lab modules. Special-interest groups such as “grey hat” clubs and hacking competition teams enjoy high popularity. They are sometimes the primary source of practical experience for students despite not always being part of the official curriculum. Another common practice is working with industry and government organizations on co-op programs and internships, some mandatory.

     “We take pride in our close association with industry in building our cybersecurity research and education programs. We can realign our research and curricular focus based on their exposure to the latest trends and needs in the market.”
     — Dr. Suku Nair, Professor and Chair, Department of Computer Science and Engineering, Director of SMU HACNet Labs, Southern Methodist University
  9. 9. Connect across the global academic community

     • Research-oriented – Dedicated research centers, publications, grants and collaborations are all important parts of a strong research program. Many universities have formal research institutes. In some cases, they are physical locations with labs. In other cases, their role is limited to providing strategic focus and coordinating research opportunities for faculty. Many programs are part of single- and multi-university research initiatives conducted in collaboration with national governments. Some programs yield marketable innovations while others are subject to regulations that prevent the easy commercialization of research. State and national institutes are more interested in fostering economic development in a dedicated way. Most programs see their students as their primary form of technology transfer.
     • Common language and science – A number of professors and department heads see the need for building a science of security and establishing a cross-discipline lingua franca among scientists, engineers and policy makers. For example, government uses the term “cybersecurity” while industry tends to use “information security.” The differences extend to definitions as well – some see information security as limited to perimeter protection, while others extend its domain to people, data, networks and applications. A foundation for the science of security is being explored at many universities.

     “There is a significant need for a common language of information security, not within the technical discipline, but between government, academia and different industries – information security specialists need to be understood by engineers, policy makers and business leaders, and vice versa.”
     — Prof. Dr. Michael Waidner, Chair Professor for Security in Information Technology, Technical University of Darmstadt, Director of the Fraunhofer Institute for Secure Information Technology

     A science of security

     Critical cyber systems must inspire trust and confidence, predictably protect the integrity of data and resources as well as the privacy of data owners, and perform securely, safely, and reliably. Therefore, a scientific basis for the design and analysis of trusted systems is needed. Security science should give us an understanding of the limits of what is possible in some security domain by providing objective and quantifiable descriptions of security properties and behaviors. Security science should have broad applicability, transcending specific systems and not be limited to the current forms of attack and defense. To assist in addressing these challenges, the National Security Agency recently initiated a coordinated set of focused research activities taken under the auspices of three Science of Security Lablets – at the University of Illinois at Urbana-Champaign, North Carolina State University, and Carnegie Mellon University. The Lablets share a broad common goal, which is the advancement of a more scientific approach to security related research, with focus on a selection of the hardest technical problems and research to advance the solution to these problems.
     – Laurie Williams, Ph.D., Professor, Department of Computer Science, North Carolina State University
  10. 10. Meeting the demands of tomorrow

     The trends, challenges, and leading practices uncovered through our interviews show that cybersecurity education programs are entering a period of transformation. Only by working in concert can they meet today’s demand while preparing a new generation of professionals for future challenges. The key question is: what needs to be done next?

     Our recommendations focus on increasing and improving openness and collaboration, along with addressing both immediate priorities and longer-term strategies. Programs must strive to balance the near-term requirements of industry and government while educating future faculty members and researchers, developing more internships and fellowships, and continuing investments in research.

     These are the key initiatives of prime importance in the development of cybersecurity education.

     1. Increase awareness and expertise – We must all work to raise the level of awareness across the academic community. Cybersecurity is no longer a hidden area embedded in computer science or engineering disciplines. Programs need to graduate more computer scientists and engineers with hands-on training and the ability to design and develop secure systems from the start.
     2. Treat security education as a global issue – Cybersecurity issues are not relegated to a single country. They know no boundaries. Institutions need to share and collaborate with other programs around the world. Academics from more mature countries should increase their formal collaboration with those in emerging countries to help address the skills gap. Such initiatives could include distance learning programs and the sharing of curriculum and best practices among educators.
     3. Approach security comprehensively, linking technical to non-technical fields – Adopt a curriculum that has a holistic and interdisciplinary approach. Security education should cover infrastructure, people, data, applications, ethics, policy and legal issues. Business and public policy schools should focus on creating better security policy and governance and training future information security leaders, such as Chief Information Security Officers.
     4. Seek innovative ways to fund labs and pursue real-world projects – Resources will always be tough to come by. Industry, government and academia must come up with novel ways to give students practical experience. More internships and design contests are one way to overcome this challenge. Other alternatives include cloud-based or virtualized ranges, simulators and test beds.
     5. Advance a “science of security” – Place emphasis on the creation of a discipline of security science with fundamental concepts and a common vocabulary. This new science should focus on anticipating security problems, not just reacting to attacks. It must include scientific methodologies and incorporate reproducibility and proofs in the design of security systems.

     Now is the time to act

     We believe that these recommendations offer ways to make cybersecurity education more effective in the short and the long term. By breaking down barriers and working in concert, it is possible to better address current and emerging challenges. We must maintain our current level of fervor and effort in the field while keeping our eyes on longer-term goals.

     The academic community will achieve more by collaborating broadly. Governments must invest in programs that advance the science behind cybersecurity, along with fundamental education in science, technology, engineering and mathematics. At the same time, industry must provide technology, opportunity and expertise. It will take all of us to create a more secure future.

     What’s your view? We invite you to share your own insights and perspectives with us via email at or Twitter at @IBMCAI.
  11. 11. About the authors

     Marisa Viveros is a Vice President at IBM Corporation, leading the Cyber Security Innovation initiative globally. She is responsible for creating education and research programs that foster stronger collaborations among academic institutions, government organizations and IBM to develop cyber and information security knowledge and talent to address the skills shortage. She can be reached at

     Jarvis, Senior Consultant at the IBM Center for Applied Insights, specializes in fact-based research on emerging business and strategic technology topics. In addition to his research responsibilities, David teaches on business foresight and creative problem solving. He can be reached at

     thank all of the academic programs that took the time to share their experiences, insights and opinions to help shape this document.

     We acknowledge our team without whose gracious contribution of time and expertise this work would not have been completed:
     • Dianne Fodell
     • Sadu Bajekal
     • Paul Kontogiorgis

     About the IBM Center for Applied

     IBM Center for Applied Insights introduces new ways of thinking, working and leading. Through evidence-based research, the Center arms leaders with pragmatic guidance and the case for change.

     About IBM Academic

     IBM Academic Initiative, part of our University Relations program, offers resources for educators and students in technology areas such as business analytics, big data, mobile computing, cloud computing, and cybersecurity. The resources include training, technology and curriculum materials for faculty along with expanded programs to directly engage students with real-world business challenges.
  12. 12. Please Recycle

     EDE12345-USEN-00

     © Copyright IBM Corporation 2013

     IBM Corporation
     New Orchard Road
     Armonk, NY 10504

     Produced in the United States of America
     April 2013

     IBM, the IBM logo and are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. Other product, company or service names may be trademarks or service marks of others. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at

     document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

     THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

     Notes and sources

     [1] The 2013 (ISC)2 Global Information Security Workforce Study. Frost & Sullivan in partnership with (ISC)2 and Booz Allen Hamilton. January 2013.
     [2] UK cyber security strategy: Landscape review. National Audit Office. February 2013.
     [3] of Academic Excellence Institutions. National Security Agency (NSA) Central Security Service (CSS).
     [4] “Cybersecurity to be part of India’s college, university curriculum.” The Times of India. January 17, 2013.
     [5] track to the future: The 2012 IBM Tech Trends Report. IBM Center for Applied Insights. December 2012.