SoS Musings #9 - State of Cybersecurity Education

SoS Musings #9

State of Cybersecurity Education

Cybersecurity education is maturing within university undergraduate and graduate level programs with an emerging surge to develop a K-12 curriculum. The acknowledgement that the topic goes beyond classic computer science and engineering and includes multidisciplinary aspects like psychology, economics, ethics, law, international relations, safety and others is quite refreshing. But the numbers don’t lie. The demand for cybersecurity jobs far outweighs the supply. The challenge is not only providing good K-20 curriculum at all learning institutions, but also promoting and understanding what cybersecurity careers look like. At the recent National Initiative for Cybersecurity Education (NICE) K-12 Cybersecurity Education Conference, a Keynote Speaker, Paul Vann, an 11th grade student in the Commonwealth Governor’s School in Virginia, said students know what nurses, doctors, lawyers, fireman, and policeman do in their profession, but very few understand what cybersecurity professionals really do. As cybersecurity curriculum develops and matures, it is also important to go beyond the how. We must comprehend the why. Law enforcement helps us live safely in physical space. Cybersecurity professionals help us live safely in cyberspace.

Cybersecurity education is not a new shiny object that just arrived on our national stage of challenges to solve. Cloaked in its new name, cybersecurity is the evolution of computer security terminology dating back to the 1970s with the associated efforts to train and educate practitioners. Some will argue that today’s cybersecurity is more complex than computer security of yesteryear. Technological advances inherently increase the complexity of designing functionality and their corresponding protections. The past provides insights into accomplishments from which we build future successes. Cybersecurity education may trace its roots back to the Computer Security Act of 1987 which mandated security awareness training. This legislation incited programs to organically blossom. Among the surviving efforts are the National INFOSEC Education and Training Program (NIETP) providing oversight of the National Security Agency and Department of Homeland Security-sponsored National Centers of Academic Excellence in Cyber Defense Education and Research (CAE-CDs & CAE-R) along with the NIST-led National Initiative for Cybersecurity Education (NICE) providing the Cybersecurity Workforce Framework (NIST SP 800-181). Adding certification programs aimed at training the practical application of cybersecurity techniques like ISC2 Certified Information Systems Security Professional, CompTIA programs and SANS training to name a few, results in an ever-building quantity of education and training. Over the past several years, NSA’s Research Directorate Science of Security (SoS) initiative has funded research to produce scientifically supported cybersecurity advancement in the establishment of cybersecurity as a science. The 4 SoS lablets, 25 Sub-lablets, and over 150 additional collaborating institutions worldwide have promoted cybersecurity awareness and training, and many have added scientifically-based cybersecurity courses to their curricula. These success stories plowed the field of developing university and workforce curriculum along with a taxonomy of what knowledge is required to perform cybersecurity work.

Innovative Cybersecurity education techniques and curricula are popping up all over. This is good news. It is driven by the acknowledged incidents in cybercrime, attacks, and exploitations. In the past, an argument was required to gain the attention of the C-Suite. Today it is the C-Suite that is demanding better cybersecurity professionals. So, the demand is clearly visible. But are we doing enough? Are we seeking the graduate who understands the why and not only the how? It is more than a checklist. It is the comprehensive cyber knowledge that stimulates emerging ideas anticipating future functionality and exploitation capabilities. CAE-designated universities are fertile grounds to mature cybersecurity curricula encouraging “out of the box” thought and research. In addition, emphasis on K-12 is growing as evidenced by NICE’s National K-12 Cybersecurity Education Implementation Plan. But work within the educational community to normalize a standards-based curriculum that mandates some level of cybersecurity as a requirement for graduation remains on the to-do list. Complicating the dialog is the 10th Amendment to the Constitution making education a function of the states.  Grappling with educating students to fill a critical national cybersecurity workforce gap that some feel is a national security matter and balancing it with an amendment that limits a national educational approach is tricky. Efforts to address this programmatic shortfall across federal and state jurisdictional boundaries are critical.

Time is not on the side of Cybersecurity Education. Clearly the workforce gap demonstrates that our current national ability to educate cybersecurity-ready individuals is inadequate. The pipeline is long and mostly empty. However, positive steps are underway. A Presidential Memorandum expanding access to high-quality Science, Technology, Engineering and Math (STEM) and Computer Science education to K-12 students is a great step in the right direction. The inceptive private/public partnership efforts to work this challenge are evident at NICE conferences and the plethora of cybersecurity blogs and websites to include professional journals with peer-reviewed scholarly papers. Efforts like GenCyber to inspire the next generation of Cyber stars through inspired summer camps focused on engaging the learners and teachers with sound cybersecurity principles and teaching techniques makes a positive impact on K-12 students. But more needs to be done to educate students about cybersecurity careers. Explaining in simple everyday language is critical. Outcomes are more important that a laundry list of duties. For example, a cybersecurity career results in protecting and defending our cyber way of life in a similar manner to law enforcement protecting and defending our physical way of life. Informing students and, daresay, the population at large, is critical to stimulate a desire to seek cyber careers. The NICE Framework identifies the complexities of cybersecurity work roles but we must boil them down to simple digestible stories explaining why cybersecurity professionals are essential to our safe existence in cyberspace. Many references discuss the fact that cybersecurity is an in-demand field, yet students remain unaware. Clearly this is an area rich with opportunities to increase the career field awareness.

Today’s rapidly increasing dependence on computing technology for our daily living demands new and innovative approaches to inspire people to seek cybersecurity careers. The positive work begun by NICE, CAE-CD/R, the SoS initiative, and other private/public partnerships to develop robust mature cybersecurity K-20 curricula is half the challenge and must continue to mature. Perhaps it’s time to dedicate energy into enticing students to seek the education needed to tackle the toughest cybersecurity workforce challenges. We must not delay in building a robust cybersecurity professional community. The bad guys continue to poke and prod our networks seeking the next breach to steal our identities, impair lifestyles and threaten our national security. Their successes are early predictors of imposed lifestyle changes. If we fail, the consequences will be unacceptable. The time to act is now.