Cybersecurity Education Receives a Makeover

April 1, 2015
By Sandra Jontz

Experts call for revamped curriculum to prepare a security work force.

New methods of teaching cybersecurity might be the best hope for providing the necessary security experts to turn the tide against malicious cybercriminals who have launched constant battles against vital networks. In purely quantitative terms, the number of available information technology security experts falls critically short of what is necessary, while the number of hackers and cyber adversaries grows larger.

The demand for well-educated and trained cybersecurity professionals outpaces the supply, both in the government and private industry. The market for information technology careers is expected to have a 40 percent vacancy rate by year’s end, with the tally higher for positions at the supervisory level. Businesses and government agencies struggle to train—and retain—qualified workers in an environment punctuated by dwindling dollars earmarked for research and development, a lack of enthusiasm from students and young adults and an ever-changing threat environment posed by nimble cybercriminals.

In part, experts say, it is society’s fault, as people’s increasing desire for and dependence on technology make it easier for criminals to hack their way toward profitable endeavors. “We certainly are in an area right now that has seen explosive growth with the Internet, but more importantly, we have, quite frankly, put our lives and our economy and our ways of interacting with business and friends and colleagues and everything into this digital world,” says Rob Roy, federal chief technology officer with HP Enterprise Security Products. “Sensitive information, intellectual property, financial information—that’s all in this brave new world that we’re living in, and it becomes extremely attractive to the three primary groups or individuals who want to use it for bad purposes.” The three primary groups are hacktivists, cybercriminals and nation states for purposes of sabotage and espionage.

The shortage of cybersecurity experts has created a national security situation in the United States akin to the expansion of radical Islamic militants in the Middle East, Russia’s assault on part of Ukraine, rising tensions between the United States and North Korea, and the mushrooming of China’s navy, according to some experts.

“It’s a tremendous problem, the lack of the numbers of people we need for the cybersecurity work force,” Roy offers. “It’s estimated we’re behind by about 2.5 million people—just in the U.S. federal government—to properly protect the nation’s infrastructure.”

Cybercriminals have moved far ahead in their ability to hack into networks versus the abilities of security experts in industry and government to protect them. “Cybersecurity, for many years, was viewed as insurance,” Roy notes. “You wanted to create the next great cellphone that has a visual interface and a touch interface and boy, it’s great. You don’t necessarily build in the best security into that device as your first priority. Your first priority is to make it usable and make it attractive to your customers. As we saw around the world, you have the negative forces.”

These negative forces easily can download, often for free, all of the tools necessary, he adds. “The education is built into the tools. It gives them all of the help they need. They can do this without any formal instruction whatsoever.”

The primary challenge facing the cyber work force today is the lack of personnel coupled with the lack of experience of those who are employed to fight the fight. “Sending somebody to school for four years to get a cybersecurity degree to me is useless,” Roy contends. “By the time they get out in four years, the field of cyber has already changed 50 times. ... To attack this problem right here and now and to start turning the tide, we need to find people who have the ability to learn cyber and who have a passion about it. We need to get them educated on it. Once they are educated on it, we need to give them a way of sitting in on a real-life environment, whether a government agency or in the private sector, they need to get some of this on-the-job training for at least six months, preferably a year.”

Many programs and curricula exist in an effort to rapidly train and field a new generation of cyberwarriors. One is offered by the Federal IT Security Institute (FITSI), which administers the Wounded Warrior Cyber Combat Academy (W2CCA), cross-training combat-wounded veterans who are medically discharged from active duty service. The program, started in March 2013, trains warriors wounded in Iraq or Afghanistan in cybersecurity, with the goal of closing the skill gap of technically proficient professionals and setting the former troops on a path toward employment, says program lead instructor Jim Wiggins. “So the idea is to take some of these guys who are very patriotic, very capable—they have a number of unique attributes—and retrain them in a career field.” The W2CCA offers a blended program of in-class instruction at Walter Reed National Military Medical Center and online. There is no charge to the warriors; the program is funded by donations to the nonprofit FITSI Foundation.

The students, who can apply on their own or be referred by a military occupational therapist, are presented with 14 different courses taught over a one-year period to make the students marketable in the sector. “This is a huge growth industry and the reason has to do with the fact that the cybersecurity market is directly tied to the use of IT [information technology] within our society,” Wiggins says. “So as society continues to consume more and more IT, the need for properly protecting that IT infrastructure and that information becomes more and more important.”

Industry experts say a shift in training methods is afoot. For example, what does not seem to work well any longer is the old-school method of long lectures in conventional settings, says Peter Tran, senior director of the Advanced Cyber Defense Practice at RSA, the security division of EMC. “The traditional classroom, student-teacher, long lectures, long days doesn’t work. It fails to prepare students to work under duress and in high-tension environments following a breach,” Tran offers. “A traditional warfighter in the field, for example, you’re going to want to train ... to surge and behave in the environment that they’re going to be fighting in. Education and training traditionally doesn’t do that. It was more ‘OK, we’re going to give you the theories. We’re going to give you the practicums … the textbooks.’ It is a very academic environment.”

The first time an incident becomes serious, rookie analysts are caught with the “deer in the headlights stare when presented with a true stressful condition,” Tran opines.

“What is trending now, and what we’ve implemented in the advanced cyber training and education curriculum, is a bridge from what was not working to what we call surge training or burst exercises,” Tran maintains.

The approach places students in situations in which they must respond to a crisis in “bursts” of 10 to 20 minutes in duration. “We’re working on getting the students who are accustomed to traditional classroom environments, or even virtualized environments … and have them get used to these 10- to 20-minute surges where we present real threat cases in lab environments and then they surge. Then they go and recover, and we present them with another stressful environment and they surge for 10 to 20 minutes, and when they go back to their environment, they go, ‘Ah, I’m used to it. I haven’t forgotten.’”

Experts expect cybersecurity threats to worsen, particularly as more and more users will access networks via less secure mobile devices. “The security operation environments are beginning to change now,” Tran continues. “They are very distributed and very federated, meaning as we take advantage of more mobile platforms … the virtual security work force is no longer going to be sitting in one single room or command center. They’re going to be distributed globally.”



Share Your Thoughts:

Bottom line is that Government sector needs to change the way it does business. If you always do what you always did, you will always get what you always got. Government sector needs to change the way it hires, trains, compensates and promotes Cyber professionals. Four to Six month hiring cycles, requiring 4 year degrees for much of the training required for leadership positions, and a corporate culture from the sixties does nothing but drive the very people we want from wanting to work for the "man".

Today working for the Feds, I have to pay for nearly any continuing education out of my own pocket and the opportunities for advancement are nearly non-existent.

I've been a civil slave now for 15 years of my 26-year career. Was making $250K before 9/11 with a startup .com that was shaping the world we live in. Two years later, I'm making $40k a year with the Government, jumped ship for two years to private sector; made much better money, but both small companies with much instability. Second company folded 8 months after I accepted the position, but perfect timing provided me an opportunity to come back to Government. Told myself that I would just suck it up and work it out to retirement, but it is getting harder and harder every day to want to stay.

Great point Leon! We just discussed this today in a meeting. Some of our best cyber security job seekers are coming out of the government sector, but they don't stay there! The money is low and change is slow. Cutting edge cyber security professionals only want to work with companies that will actually enact organizational changes from the top down. I, for one, am very glad to see that administration is taking a hands-on approach to our cyber defense! Our CEO and Founder Deidre Diamond talked about this very issue this week in a webinar, available here >>

Computer software companies need to start putting consumer safety before profit. Remember, every time a program is breached it is because some hacker had taken the time to find the hole that the programmer left open.
If it's a choice of losing your job or getting the product to market on time and under budget, I think we know the answer to what happens. That would solve more than half of the Cyber Security breaches that we have today because they are man-made flaws.
If you are looking for a way to plug holes in a program, look for the open holes left by the programmer.
