Take Notes: How the Academic World Can Inform Security
Even though we’re all aware that Watson can read millions of pages per second, you and I are still limited to one at a time. One book at a time, one lesson at a time, one skill at a time — education, like everything else, is subject to prioritization.
As a result, academics and universities have hard choices to make when it comes to choosing a curriculum, especially in a burgeoning topic like cybersecurity, which continues to grow in depth and breadth every semester. According to a study on cybersecurity education carried out by the IBM Center for Applied Insights, problems seen on the industry level are a major influence shaping cybersecurity academic programs.
The center’s study, a follow-up to its recent CISO assessment, “Fortifying for the Future,” consisted of interviews with cybersecurity professionals who held a range of responsibilities within the academic world. First and foremost, the interviewees did what many of our CISO assessment respondents have over the years: point out the various imperfections, concerns and issues afflicting today’s information security practices.
But the interviewees didn’t stop at identifying problems. They also offered ways in which these challenges could be addressed through actions within academia. This structure — academic solutions as remedy for business problems — breaks down into four key concepts, derived from the collective musings of the dozen interviewees:
1. Know Your Enemy
An oft-bemoaned shortcoming of information security, and one that was echoed throughout our interviews, is the feeling of always being two steps behind cybercriminals, who are constantly imagining new ways to attack companies. As a result, people in the academic world are looking for new perspectives on threats that are less prone to an endless game of cat and mouse. Understanding the behavior and motivations of hackers is one way of beating your enemy to the punch, which calls for complementing technical topics with courses in economics and psychology. On the technical side, this shift means focusing less on the how of an attack in favor of trying to predict the where and the when by characterizing attack flows using big data analytics. Teaching students to think like an attacker, along with the predictive power of big data, will help turn traditionally defensive strategies into offensive ones.
2. Don’t Get Lost in Translation
Security solutions are only as effective as the person advocating for them since nontechnical executives need to understand and adopt the defenses. Adoption is far from assured in many companies, where the communication between security leaders and their C-suite peers can be anything from unclear to antagonistic. With this corporate hurdle in mind, security academics are trying to train their students to be as skilled in communication as they are in cybersecurity. By emphasizing classes in areas like business, governance and policy, security programs hope to produce experts capable of bridging communication gaps. On the flip side, cybersecurity needs to be taught in schools of business and public policy, not only in computer science programs.
3. Be Decisive on Devices
Ten years ago, taking work home with you might have meant packing a briefcase with some printouts. But today, employees often have their full suite of IT capabilities at home, on the road and everywhere outside the office through company-supplied mobile phones or even their own devices. While such interconnectedness gives employees more flexibility, it also increases the responsibility of security teams, who must figure out how to provide ubiquitous protection for employees and their devices. As a result, universities are adding more classes on mobile security to prepare their graduates for the challenges they’ll face in business. The interviewees estimated that the number of classes on device and Internet of Things security has proliferated in the last couple of years alone.
4. Speak Up Outside of Academic Settings
If communication within a company can be lacking, it can certainly be just as insufficient externally. Interviewees lamented the poor collaboration among businesses when it comes to security. While extreme privacy might seem like a rational approach in an era of intense media scrutiny, organizations are missing out on chances to inform each other about threats and build stronger defenses based on collective intelligence. Universities are helping out both by hiring industry experts as professors and allowing them to share their experience in the classroom, and also by hosting events where business leaders can convene and converse in an academic setting. As a result, schools not only coordinate the exchange of information, but can also adjust their curricula based on areas of need dictated by visiting executives.
Information security is never complete. The act of continuously building walls around your company’s or country’s information can feel like a Sisyphean task, but answers may lie in the world of academia. “The only fence against the world is a thorough knowledge of it,” said John Locke, who may not have been familiar with data breaches or DoS attacks, but whose advice still rings true today. Thankfully, there are dedicated individuals at universities offering advice and educating the CISOs and security professionals of the future.