What does it mean to be trained and work in “Cyber Security”? Let’s face it, although computers have been around a long time, and information has been around even longer, the Cyber Security profession has only just popped into existence, relatively speaking.
We know that careers in Cyber Security are hot. So hot, in fact, that governments, higher education and even K-12 schools are scrambling to find ways to train students on “Cyber”. We’ve recognized that this will be a quintessential profession for the Fourth Revolution, let alone World War III, and we must be ready.
As a Chief Information Security Officer working in Higher Education, I’m often asked about colleges willingness to “train workers” (to my colleagues in the Academy, apologies — I am fully aware that we exist for more than just preparing kids to be good taxpaying citizens).
I am asked how educators are designing cyber theory and practical experience so as to produce people with degrees who know what they’re doing once they graduate.
We’re not. No one is.
Just like our legislators, those currently in universities tasked with designing a cyber curriculum don’t really know much about Cyber Security. Typically, they consider it a subset of Computer Science — a blend of computer engineering and systems integration. Which it is.
It is also Risk Management, Psychology, Data Analysis, Organizational Management, Public Policy and Administration, Legal/Compliance, and Marketing. Let’s not forget Communications, Ethics, International Studies and Entrepreneurship.
For the career academics, there are huge opportunities for Research in Cyber Security. Malware and bug bounties, encryption algorithms, workplace diversity in Cyber, risk tolerance of board members — the research possibilities are endless, and governments and sponsors are willing to pay for the research. But great research is only a sliver of the work to be done.
Cyber Security is an inter-disciplinary profession, requiring students to attain practical experience, not just theory, as part of their studies.
So, I propose that it is time Cyber Security came out from behind the shadows of Computer Science or Management Information Systems (just as CISOs are coming out from behind CIOs in the Corporate Heirarchy), and have their own college, with a fully formed Associate and Bachelor program which teaches practical, generalist security skills, and Master’s/Doctoral programs which specialize in the sub-disciplines of cyber security for maximum career progression and research quality.
In a profession as complicated as Cyber Security, there cannot simply be one set of classes to make a “cyber major”, and expect students to know anything useful. It must be a full exposure to the entire spectrum of sub-disciplines — risk management to security operations — and this cannot be done on top of the other curriculum requirements of a computer science or MIS degree. Similarly, Master’s and Doctoral programs are about specialization — having a general Cyber Security master’s program is better than nothing, but insufficient. Just an MBA student can choose accounting, finance, international business, organizational management or operational management, Cyber Security Master’s students should be able to select Policy and Governance, Cyber Legal, Risk analysis and evaluation, Security Engineering and Systems Design, Incident Response and Intrusion Detection.
If Cyber Security were it’s own college, the employment support structures that accompany this would also encourage students to work specifically with Cyber Security teams — not just learning to code, or to build a server, but to do these general tasks through the lens of Cyber Security. The graduates from this college would form a special cohort of alumni, ready to support each other in their Cyber careers.
I am aware that creation of Cyber Security colleges will not be quick, nor easy. The Academy is an interesting institution, and it will take many years for such a thing to be realized, even with the best of intentions.
I fear we don’t have time to wait for the formal structure of a College to be in place. So I will look to a combination of Higher Education, Technical Colleges, Professional Organizations and Non-Profits to provide a patchwork of training and experience for those wanting a career in Cyber Security. And in the meantime, I will continue to work with legislators and the Academy to train them how to think about the Cyber Security discipline.
P.S. I would also like to see Computing Security & Ethics as part of every general education curriculum. Anyone, in any degree of study, needs to understand the power and limitations of computing and information, with a healthy dose of personal security and privacy thrown in.
P.P.S. To my Cyber Security colleagues, we need people ready and willing to teach. Is that you? Contact your local university or college — I guarantee they have need of your services.
P.P.P.S. To my Cyber Security colleagues (again) — there are a ton of students looking for internships and coops — paid and unpaid. Consider opening your organization to students — you’ll be amazed at the value they can bring to your team.