SECURITY TRAINING AND EDUCATION

Educating Cyber Professionals: A View from Academia, the Private Sector, and Government
Mischel Kwon | Mischel Kwon and Associates
Michael J. Jacobs | Cybersecurity Consultant
David Cullinane | Ebay
Christopher G. Ipsen | State of Nevada
James Foley | Georgia Tech
How do we solve the workforce problem? Guest editor Mischel Kwon brought together a group of people from government, private-sector, and academic backgrounds to discuss the challenges in educating cyber professionals.
How should we break up our fundamental security needs into learning areas—for example, into information assurance, policy work, technical security operations, technical security administration, and even executive management—taking into account the resources involved, both human and financial?
Michael J. Jacobs: What you’ve identified, generally speaking, follows the developed [information assurance] curriculum, which is at the core of the [National Security Agency] Center of Excellence program and evaluation process. In terms of certificate or degree programs, these are the general topics covered by that curriculum, and schools participating in such a program need to, at a minimum, cover them. But from my perspective, the single greatest gap that exists today in educational programs is the topic of policy—how to develop it, how to enforce it, and making certain that system operators and owners and executive managers are prepared to do the policy enforcement and development.

In looking at systems over the past 48 years, this is always the missing ingredient. We have great ideas. We’ve got a lot of technical capability working on the problem. But we don’t do what’s really necessary, and that is to develop a cogent set of policies and then ensure—either through technical or auditing means—that they are enforced. Without that enforcement, don’t bother writing the policy. Frankly, without writing the policy and without enforcing it, don’t bother putting all these technical things in place because you’re going to fail.

Christopher G. Ipsen: In terms of the types of training, one of the things that frustrates me is getting to the 80 percent level. Several organizations put out different training modules, and I think there should be more of a systematic approach. We should be able to leverage the economies of scale more effectively, and I’m not seeing that happening. We need basic training—obviously, it won’t cover all challenges, but the goal would be to standardize on the first 80 percent. After that first 80 percent, focus in on those tiers of training necessary on the back end. Right now, one area with a deficit is quantifiable technical capabilities from a security perspective, and one of its missing components is validation testing in terms of skill sets. We need a way of validating the skills of the individuals being trained so that not only do they receive a certification but we also know their specific quantifiable skills, from the technical to the analytical.
We have an NSA Center of Academic Excellence in Las Vegas that we’re hoping to keep. Its funding is coming under some scrutiny, and one of my primary goals is to keep it and then to build on it. How do we expand the base training that an NSA Center of Academic Excellence can do out to conferences—Black Hat, DEF CON, and other trade conferences that come through Las Vegas—and capture those individuals through, say, a world-class datacenter like Switch Communications? What can we do to pull all of those pieces together into a cohesive training program that can maybe address the second 20 percent, so that we can be innovative, so that we can use individuals who are at the bleeding edge of security threats and create an environment that capitalizes on and maximizes their unique understanding of these problems around either very specific exploits or around the challenges associated with big data? I think Nevada has an interesting opportunity.
What is it that we’re not doing in academia to prepare our CS graduates for the workforce? What do we need to do to assure the workforce that our graduates are qualified? Can we take something from other areas of academia? For example, are companies satisfied with the level they get when an electrical engineer graduates from a master’s program?
James Foley: In both engineering and CS, there’s an emphasis on problem-solving and learning by doing, and to the extent that our information security courses emphasize labs and actually setting up networks to be secure and figuring out how to detect attacks, the more hands-on experience the better.

Ipsen: In addition to leveraging the traditional CS approach to cyber education, I believe that there is also value to be derived from other academic disciplines like psychology and the arts. In Wired a couple of issues ago, an article talked about feedback loops and those types of disciplines that build resilient change in terms of people’s behavior. I think there are some valid observations we can pull from that discussion. One of the examples given was the concept of people speeding. They don’t always necessarily want to speed, and they have a speedometer in front of them that can validate their speed, but when you put an external stimulus out there that says, “Oh, by the way, here’s your real speed as you’re driving down the road,” not only do people slow down, they actually drive a little bit slower for the rest of their trip. This outcome-based training capability has nothing to do with the speedometer and nothing to do with the physics of the car or the brakes or anything else.
So how do we build feedback loops for people doing the correct behavior associated with information security? Is there a way for us to say, “You clicked on a link, and you know that’s bad behavior. Please don’t do that anymore”? It’s nonjudgmental in the way that it presents the information, but it encourages people to do the right thing, which I think most people genuinely want to do. They just don’t know what that is, or they’ve forgotten. We can use it in structured technical fields to reinforce how people learn their cyber security dos and don’ts.
Jacobs: That makes perfect sense, and it fits right in with the idea of usable security and making things obvious in terms of what’s going on and what you should and shouldn’t do.
Foley: It does, but it also goes back to the point about policy. You can’t keep smart people from doing the wrong thing if there isn’t a policy base that’s deployed into the environment so that they understand what they should and shouldn’t do. A perfect example was signing into WebEx for this discussion. One of the “policy engines” on my laptop is Norton, and there are some subroutines running on WebEx that Norton didn’t recognize. I got three different banners at the bottom of my screen, saying, “We think it’s safe, but we don’t know very much about it.” Some people wed to Norton might’ve just dropped out because Norton couldn’t tell them anything. So, I think there’s a technical aspect to helping people understand what they should and shouldn’t do as well as a policy aspect—that long list of things that, through trial and error, we know are the wrong things to do—and they both have to be deployed into the environment.
Jacobs: There are technical solutions out there. You can deploy policy enforcement engines into your enterprise, both agent based and agentless, to look at your IP address to see what kind of behavior you’re manifesting. They can report it to you or to the audit function. But one of the things I’ve found, particularly with some large commercial enterprises, is an aversion to strict policy. I recall a conversation I had with a CFO of a major corporation when we were going in to do what we characterized as a comprehensive review, evaluation, and then configuration to optimize the enterprise’s security profile. When the subject of policy came up, he asked what I meant. When I discussed some examples such as use restrictions and peer to peer, he balked at the notion that we would be restricting employee access to the things they wanted, none of which were related to the business of the enterprise and would continue to present security weakness in the system.
David Cullinane: There’s another distinction between education and training. I need to educate my executives on the threat that’s out there, how real it is, the risk of that threat, and what we need to do about it, and be able to demonstrate to them that I’m spending their money appropriately. I need to train my developers to write better code so that they’re not only more productive, but they also don’t build problems into our products, our environment, and things of that nature.
For things like clouds, we need to educate people about the security issues associated with cloud computing so they understand those issues, and then, also train them on how to deal with the security issues of the cloud. What are the protections they’ll have to have to put in place? What are their options? There’s a balance there, and I think education’s sort of the higher-level explanation of why this is important and what is needed, and it’s needed for a certain audience. It’s probably needed for all the people who will get trained, too, but the training should be customized to the audience that’s going to use it.
So, if your development team is doing your website, it gets trained on website security issues and how to avoid cross-site scripting and things of that nature. If your team is doing database administration, it needs to be trained on database security issues and what things to watch for and that sort of thing. There’s a distinction there that applies when you’re trying to teach anyone about security, whether it’s one of your employees or the students in a classroom.
The situation is complex because we’re talking about a lot of different kinds of education and training, with qualifications and certifications. What do we need to do to ensure that our professionals are qualified?
Cullinane: Certifications have a value to me as an employer in the sense that they let me know that at least this person went through a test and successfully passed it. But determining how creative and good people are at that type of thing is something that you can only really learn when you see them in practice and start to identify the really sharp people. The Cloud Security Alliance is trying to do certification in the body of knowledge that the CSA has determined is fundamental to dealing effectively with cloud security. This offers some value as an employer: “Here’s an emerging technology that I think I want to use. I know I need somebody that knows what they’re talking about in this space, so at least I have some validation that this person has proven or demonstrated some level of knowledge and understanding.” I also think it’s good when I send an employee to something like that and he or she comes back with a certification—if I’ve done my job as the boss and made sure that the training is good and the quality is there and the content that I’m going to need my employee to understand is there, then I know that the employee learned what he or she needed to learn. Putting it into practice is something I’ll need to manage as a manager.

So, I see some big value there, but bridging that with, “How do I ensure that new college graduate Mary Jones has enough knowledge to be able to step in and do what I need her to do right now?” is a much more complex question. At least in the private sector, it also varies widely by type of environment and business. Ebay’s almost entirely based on Web applications, so that’s the skill set I need. How do I measure that as a primary criterion and do it effectively? CISSP [Certified Information Systems Security Professional] tells me that Mary knows the fundamentals of security, so she’s got a basic level of knowledge and has demonstrated it to someone. How do I go beyond that and see what skill level she has, and even more important, figure out what skill levels she’s going to need and find that training?
I’ve participated in various and sundry groups for more than five years that have tried to get developer training at the college level to include much more on security, and it’s still not happening. That’s part of what we also need to do—impact the curricula, so that people who are doing jobs that aren’t necessarily purely security are coming out with at least basic security knowledge.

Are there effective government programs that we can expand to include the private sector, to address these problems?
Ipsen: I saw a really interesting approach yesterday, and at first, I wasn’t sure that it was the right way to go, but as I thought through it, it really resonated with me. At UNLV [University of Nevada, Las Vegas], the NSA Center of Academic Excellence is in the School of Informatics, and it’s working on the concept of developing programs in conjunction with other cohorts, so bringing business, security, and other facets together in a degree program makes a lot of sense. What I mean specifically by that is the type of individual that we’re looking to train in the future—we need highly specialized people, but we also need generalists who can access information from those highly trained individuals. We also need generalized training for those people who are neither managers nor highly trained specialists.

In this three-tiered system, one tier is the generalist, the next is the hybrid middle manager who needs to reinforce the concept of security, and the last is those people who develop policies and discrete security practices moving forward. We have to understand what it is that we need to train to, and we need to look at existing programs that can help us achieve those outcomes. But coming back to the earlier discussion, there’s also tremendous value, particularly in the business community, in saying, “Not only does this person have a certification, but we’ve validated it through performance-based testing.” That always seems to resonate. We need to develop ongoing tests of people’s capabilities, both against their peers and emerging threats. If we can demonstrate skills, we bring together all the concepts of the training paradigm to validate that testing is outcome based rather than theoretical based.
It’s hard to get funding for training on real systems, and it’s expensive to put together a training lab that’s new enough to be relevant to today’s problems. How do we deal with that issue?
Foley: That’s a real challenge. Part of it requires equipment vendors, who have been very good to some schools, to broaden in terms of donations and reach out further. There are certainly things to be done with virtual labs and computer simulations, but beyond labs, we need to look at education. I was just reviewing Georgia Tech’s distance learning masters in information security, which offers a lot of these courses online. One of the things I’d like to see happen is for more schools to become receptive to using other schools’ learning material as part of a course. We could take, for instance, an undergraduate introduction to information security course that has good video lecturers and make that available to schools that don’t have their own information security expert, packaged in a way for a faculty member with general computing knowledge to facilitate the course. It’s going to be a long time before every computer science program has a faculty member who’s a specialist in information security.
What about reduced resources? For example, as you look across US universities, you actually see a drop in the number of Centers of Academic Excellence and a significant drop in schools that offer even basic computer science programs.
Foley: I don’t see a drop in the number of schools offering CS degrees. There was an enrollment drop, but the good news is that it has leveled off and in some schools is increasing, and hiring has also picked up in the computing segment. Those are some good signs, but there is a continuing concern—the computer science degree is perceived by some as being isolating and not about real-world problems. Neither perception is factual.
Clearly, the training and education we make available for computer scientists won’t work for everyday users protecting themselves and their data. We need to figure out who the various audiences are, what they need to function securely, and how—and how often—we can provide them with knowledge and feedback. What is clear from this discussion is that the need is great, and that addressing it requires flexible, diverse approaches.
Mischel Kwon is president of Mischel Kwon and Associates, a cybersecurity consultancy in Fairfax, Virginia. Contact her at [email protected].

Michael J. Jacobs is a cybersecurity consultant and former director of information assurance at the US National Security Agency.

David Cullinane is the CISO for Ebay, where he’s responsible for global fraud, risk, and security strategy.

Christopher G. Ipsen is CIO for the State of Nevada.

James Foley is a professor in the School of Interactive Computing at Georgia Tech.