Even though we’re all aware that Watson can read millions of pages per second, you and I are still limited to one at a time. One book at a time, one lesson at a time, one skill at a time — education, like everything else, is subject to prioritization.

As a result, academics and universities have hard choices to make when it comes to choosing a curriculum, especially in a burgeoning topic like cybersecurity, which continues to grow in depth and breadth every semester. According to a study on cybersecurity education carried out by the IBM Center for Applied Insights, problems seen on the industry level are a major influence shaping cybersecurity academic programs.

The center’s study, a follow-up to its recent CISO assessment, “Fortifying for the Future,” consisted of interviews with cybersecurity professionals who held a range of responsibilities within the academic world. First and foremost, the interviewees did what many of our CISO assessment respondents have over the years: point out the various imperfections, concerns and issues afflicting today’s information security practices.

But the interviewees didn’t stop at identifying problems. They also offered ways in which these challenges could be addressed through actions within academia. This structure — academic solutions as remedy for business problems — breaks down into four key concepts, derived from the collective musings of the dozen interviewees:

1. Know Your Enemy

An oft-bemoaned shortcoming of information security, and one that was echoed throughout our interviews, is the feeling of always being two steps behind cybercriminals, who are constantly imagining new ways to attack companies. As a result, people in the academic world are looking for new perspectives on threats that are less prone to an endless game of cat and mouse. Understanding the behavior and motivations of hackers is one way of beating your enemy to the punch, which calls for complementing technical topics with courses in economics and psychology. On the technical side, this shift means focusing less on the how of an attack in favor of trying to predict the where and the when by characterizing attack flows using big data analytics. Teaching students to think like an attacker, along with the predictive power of big data, will help turn traditionally defensive strategies into offensive ones.

2. Don’t Get Lost in Translation

Security solutions are only as effective as the person advocating for them since nontechnical executives need to understand and adopt the defenses. Adoption is far from assured in many companies, where the communication between security leaders and their C-suite peers can be anything from unclear to antagonistic. With this corporate hurdle in mind, security academics are trying to train their students to be as skilled in communication as they are in cybersecurity. By emphasizing classes in areas like business, governance and policy, security programs hope to produce experts capable of bridging communication gaps. On the flip side, cybersecurity needs to be taught in schools of business and public policy, not only in computer science programs.

3. Be Decisive on Devices

Ten years ago, taking work home with you might have meant packing a briefcase with some printouts. But today, employees often have their full suite of IT capabilities at home, on the road and everywhere outside the office through company-supplied mobile phones or even their own devices. While such interconnectedness gives employees more flexibility, it also increases the responsibility of security teams, who must figure out how to provide ubiquitous protection for employees and their devices. As a result, universities are adding more classes on mobile security to prepare their graduates for the challenges they’ll face in business. The interviewees estimated that the number of classes on device and Internet of Things security has proliferated in the last couple of years alone.

4. Speak Up Outside of Academic Settings

If communication within a company can be lacking, it can certainly be just as insufficient externally. Interviewees lamented the poor collaboration among businesses when it comes to security. While extreme privacy might seem like a rational approach in an era of intense media scrutiny, organizations are missing out on chances to inform each other about threats and build stronger defenses based on collective intelligence. Universities are helping out both by hiring industry experts as professors and allowing them to share their experience in the classroom, and by hosting events where business leaders can convene and converse in an academic setting. As a result, schools not only coordinate the exchange of information, but can also adjust their curricula based on areas of need dictated by visiting executives.

Information security is never complete. The act of continuously building walls around your company’s or country’s information can feel like a Sisyphean task, but answers may lie in the world of academia. “The only fence against the world is a thorough knowledge of it,” said John Locke, who may not have been familiar with data breaches or DoS attacks, but whose advice still rings true today. Thankfully, there are dedicated individuals at universities offering advice and educating the CISOs and security professionals of the future.

