May 14, 2015 By David Jarvis

Even though we’re all aware that Watson can read millions of pages per second, you and I are still limited to one at a time. One book at a time, one lesson at a time, one skill at a time — education, like everything else, is subject to prioritization.

As a result, academics and universities have hard choices to make when it comes to choosing a curriculum, especially in a burgeoning topic like cybersecurity, which continues to grow in depth and breadth every semester. According to a study on cybersecurity education carried out by the IBM Center for Applied Insights, problems seen on the industry level are a major influence shaping cybersecurity academic programs.

The center’s study, a follow-up to its recent CISO assessment, “Fortifying for the Future,” consisted of interviews with cybersecurity professionals who held a range of responsibilities within the academic world. First and foremost, the interviewees did what many of our CISO assessment respondents have over the years: point out the various imperfections, concerns and issues afflicting today’s information security practices.

But the interviewees didn’t stop at identifying problems. They also offered ways in which these challenges could be addressed through actions within academia. This structure — academic solutions as remedy for business problems — breaks down into four key concepts, derived from the collective musings of the dozen interviewees:

1. Know Your Enemy

An oft-bemoaned shortcoming of information security, and one that was echoed throughout our interviews, is the feeling of always being two steps behind cybercriminals, who are constantly imagining new ways to attack companies. As a result, people in the academic world are looking for new perspectives on threats that are less prone to an endless game of cat and mouse. Understanding the behavior and motivations of hackers is one way of beating your enemy to the punch, which calls for complementing technical topics with courses in economics and psychology. On the technical side, this shift means focusing less on the how of an attack in favor of trying to predict the where and the when by characterizing attack flows using big data analytics. Teaching students to think like an attacker, along with the predictive power of big data, will help turn traditionally defensive strategies into offensive ones.

2. Don’t Get Lost in Translation

Security solutions are only as effective as the person advocating for them since nontechnical executives need to understand and adopt the defenses. Adoption is far from assured in many companies, where the communication between security leaders and their C-suite peers can be anything from unclear to antagonistic. With this corporate hurdle in mind, security academics are trying to train their students to be as skilled in communication as they are in cybersecurity. By emphasizing classes in areas like business, governance and policy, security programs hope to produce experts capable of bridging communication gaps. On the flip side, cybersecurity needs to be taught in schools of business and public policy, not only in computer science programs.

3. Be Decisive on Devices

Ten years ago, taking work home with you might have meant packing a briefcase with some printouts. But today, employees often have their full suite of IT capabilities at home, on the road and everywhere outside the office through company-supplied mobile phones or even their own devices. While such interconnectedness gives employees more flexibility, it also increases the responsibility of security teams, who must figure out how to provide ubiquitous protection for employees and their devices. As a result, universities are adding more classes on mobile security to prepare their graduates for the challenges they’ll face in business. The interviewees estimated that the number of classes on device and Internet of Things security has proliferated in the last couple of years alone.

4. Speak Up Outside of Academic Settings

If communication within a company can be lacking, it can certainly be just as insufficient externally. Interviewees lamented the poor collaboration among businesses when it comes to security. While extreme privacy might seem like a rational approach in an era of intense media scrutiny, organizations are missing out on chances to inform each other about threats and build stronger defenses based on collective intelligence. Universities are helping out both by hiring industry experts as professors and allowing them to share their experience in the classroom, and by hosting events where business leaders can convene and converse in an academic setting. As a result, schools not only coordinate the exchange of information, but can also adjust their curricula based on areas of need dictated by visiting executives.

Information security is never complete. The act of continuously building walls around your company’s or country’s information can feel like a Sisyphean task, but answers may lie in the world of academia. “The only fence against the world is a thorough knowledge of it,” said John Locke, who may not have been familiar with data breaches or DoS attacks, but whose advice still rings true today. Thankfully, there are dedicated individuals at universities offering advice and educating the CISOs and security professionals of the future.

