Cybersecurity Education

Cybersecurity Education

Issues & Approaches

Derek A. Smith

Director of Cybersecurity Initiatives at Excelsior College

AFCEA

Where we are now!

Symantec:

“In a world of increased cybersecurity

attacks, an estimated 300,000 cybersecurity

jobs are vacant in the United States”

Where we are now!

Rand Corporation:

“The nationwide shortage of cybersecurity

professionals -- particularly for positions

within the federal government -- creates

risks for national and homeland security,

according to a June 18 2014 study by Rand

Corporation.”

Where we are now!

ISC2:

“The reasons for an inability to bridge the

need for additional information security

workers are fueled by three factors:

business conditions, executives not fully

understanding the need, and

an inability to

locate appropriate information security

professionals (ISC2)”

Where we are now!

Contributing factor:

“Competing budget priorities,

a narrow

pipeline of prospects, training shortfalls,

ambiguous skill-set requirements

and a

tug of war between the public and private

sectors all add complexity to the process”



While billions of dollars are being spent on

new technologies to secure cyberspace, it

is the people with the right knowledge,

skills, and abilities to implement those

technologies who will determine success

Understanding the trends



Four common trends that drive the need

for cyber education:



information security is increasing in relevance



is increasing in attention and demand from

students, private industry and government

agencies



more domains to secure and more ways to

attack.



focus more on the practices (not just general

security)

Straining to address the needs and

trends



finding qualified instructors and professors



struggling for resources with competing

subject



critical lack of equipment, laboratories and

opportunities for students to get hands-on

experience

Different approaches, common

ground

Common themes:



Cybersecurity must evolve into a formal discipline in

the curriculum similar to other existing disciplines.



Programs must teach a combination of theory and

practice.



Cybersecurity should be taught in an integrated

fashion, with all students learning basic principles.



Independent study and student interest groups are a

key teaching tool.



Government and industry collaboration is extremely

important.



Providing strong faculty development opportunities is

a must.

Program Components



Technology



Technology specific

items



Skills development

(hands-on)



Theory and research



Critical Thinking



Analysis and decision

making



Problem solving



Finding unique solutions



Information Literacy



not just technology

literacy



Research process



Interpersonal skills



Team work



Communications

capabilities



Writing, presentations

Cyber Security Content Areas

(Examples at all training / education levels)



Systems maintenance, patches, upgrades



Content security



Data assurance



Physical security



User education



Detection (hacks, probes, etc.)



Deterrence (fire walls, honey pots, etc.)



Forensics (evidence gathering, preservation)



Policy development



Forward planning and professional development



Preparation for certification



Security budgeting & public communications



Research – all areas

"One of the first things at the high level is

actually defining what it is you want this

person to do because it's not as broad as it's

sometimes made out to be when you just

say 'cybersecurity career field,'"

Howard

NICE Framework

The National Initiative for Cybersecurity Education (NICE) developed the National Cybersecurity

Workforce Framework (the Workforce Framework) to define the cybersecurity workforce and provide a

common taxonomy and lexicon by which to classify and categorize workers.

The Workforce Framework lists and defines 32

specialty areas of cybersecurity work and provides a description of each.

• Each of the types of work is placed into one of seven overall categories.

• The Workforce Framework also identifies common tasks and knowledge, skills, and

abilities (KSA's) associated with each specialty area.

• The Workforce Framework will be used as guidance to the federal government, will be made available to the private, public, and academic sectors for describing cybersecurity work and workforces, and related education, training, and professional development.

Linking efforts at all levels

Seven different tenets for cybersecurity

education

1. Holistic

2. Interdisciplinary

3. Diverse programs

4. Business-focused

5. Hands-on

6. Research-oriented

Meeting the demands of tomorrow



Increase awareness and expertise



Treat security education as a global issue



Approach security comprehensively,

linking technical to non technical fields



Seek innovative ways to fund labs and

pursue real-world projects

How We Approach It:



Heavy doses of theory & fundamental principles



Softer skills: writing, communications, problem

solving, critical thinking, team work



Some levels include lots of hands-on



Different approaches depending on level



Intro. level – typically more skills based (also a mixed

set of students and student backgrounds)



Intermediate – some hands-on but includes ‘softer’

skills (theory, critical thinking, problem solving,

communications, team work)

Student Expectations



‘Mind set’ preparation



Understanding what the professional does



Detailed analysis



Constant monitoring



Responsibility issues



Want it immediately



Expecting hands-on work in most programs



Employment expectations



High-paying jobs

Faculty Preparation



Full-time vs. part-time/professional faculty



Backgrounds vary



Technically adept but don’t teach well



Good teachers but don’t know technology



Teaching ability: preparation & in the classroom



Keeping up with the changing technology



New theories, problems, tools, techniques



Developing specialization areas (may go

‘out-of-date’)



Balancing: hands-on, theory, KSA's, ‘softer skills’



Up to date on technology, law, business needs,

Sample Programs



Capitol College

 Doctor of Science in information assurance (DSc)  _{Master of Science in information assurance (MSIA)}

 The Bachelor of Science in cyber and information security (BSCIS)  Computer and Network Security(Certificate)

 Digital Forensics and Incident Handling (Graduate Certificate)  Information Assurance Administration (Graduate Certificate)  Network Protection (Graduate Certificate)

 Secure Cloud Computing (Graduate Certificate)  Secure Mobile Technology (Graduate Certificate)  Secure Software Development (Graduate Certificate)  _{Security Management (Graduate Certificate)}

Sample Programs



University of Maryland, University College

 MASTER OF SCIENCE IN CYBERSECURITY POLICY

 MASTER OF SCIENCE IN DIGITAL FORENSICS AND CYBER INVESTIGATION

 _{MASTER OF SCIENCE IN INFORMATION TECHNOLOGY:} INFORMATION ASSURANCE

 BACHELOR OF SCIENCE IN CYBERSECURITY

 BACHELOR OF SCIENCE IN COMPUTER NETWORKS AND SECURITY

 BACHELOR OF SCIENCE IN SOFTWARE DEVELOPMENT AND SECURITY

 CYBERSECURITY POLICY

 CYBERSECURITY TECHNOLOGY

 DIGITAL FORENSICS AND CYBER INVESTIGATION  FOUNDATIONS OF CYBERSECURITY

Sample Programs

Prince George’s Community College



Cybersecurity Assoc. of Applied Science



Cybersecurity Certificate

Sample Programs



Excelsior College



Five Cybersecurity Programs Certified to Meet

the NSA’s Committee on National Security

Systems (CNSS) Training Standards

 Master of Business Administration in Cybersecurity Management

 Master of Science in Cybersecurity

 Bachelor of Science in Cyber Operations

 Bachelor of Science in Information Technology [Without Concentration]

 Bachelor of Science in Information Technology (Cybersecurity)  Undergraduate Cybersecurity Certificate

Questions ?

Derek A. Smith

Director, National Cyber Security Institute

Excelsior College