Take notes: How academia can improve security

When it comes to information security, universities are addressing problems seen at the business level with specific initiatives in the classroom.

Even though we’re all aware that Watson can read millions of pages in a matter of seconds, you and I are still limited to one at a time. One page at a time, one lesson at a time, one skill at a time: education, like everything else, is subject to prioritization. 

As a result, universities have hard choices to make when it comes to choosing a curriculum, especially in a burgeoning topic like cybersecurity, which continues to grow in depth and breadth every semester. According to a study on cybersecurity education carried out by the IBM Center for Applied Insights, problems seen on the industry level are a major influence shaping cybersecurity programs.

The Center’s study, a follow-up to its recent CISO assessment, Fortifying for the future, consisted of interviews with cybersecurity academics who held a range of responsibilities within their universities. First and foremost, the interviewees did what many of our CISO Assessment respondents have over the years: point out the various imperfections, concerns and issues afflicting today’s information security practices.


But the interviewees didn’t stop at identifying problems—they also offered ways in which these challenges could be addressed through actions within academia.

“Cybersecurity has evolved, and the education has evolved correspondingly. It's moved from being primarily technical and hands-on to incorporating more management, leadership and policy.”

Know your enemy

An oft-bemoaned shortcoming of information security—and one that echoed through our interviews—is the feeling of always being two steps behind cyber criminals, who are constantly imagining new ways to attack companies. As a result, professors are looking for new perspectives on threats that are less prone to an endless game of cat-and-mouse. Understanding the behavior and motivations of hackers is one way of beating your enemy to the punch, which calls for complementing technical topics with courses in economics and psychology. On the technical side, this shift means focusing less on the how of an attack in favor of trying to predict the where and the when by characterizing attack flows using big data analysis. Teaching students to think like an attacker along with the predictive power of big data will help turn traditionally defensive strategies into offensive ones as well.

Don’t get lost in translation

Security solutions are only as effective as the person advocating for them, since non-technical executives need to understand and adopt the defenses. Adoption is far from assured in many companies, where the communication between security leaders and their C-suite peers can be anything from unclear to antagonistic. With this corporate hurdle in mind, security academics are trying to train their students to be as skilled in communication as they are in cybersecurity. By emphasizing classes in areas like business, governance and policy, security programs hope to produce experts capable of bridging communication gaps. On the flip side, cybersecurity needs to be taught in schools of business and public policy, not only in computer science programs.

“The goal of our program is for students to become that translator between senior executives and the technology people.”

Be decisive on devices

Ten years ago, taking work home with you might have meant packing a briefcase with some printouts. But today, employees often have their full suite of IT capabilities at home, on the road and everywhere outside the office through company-supplied mobile phones or even their own devices. While such interconnectedness gives employees more flexibility, it also increases the responsibility of security teams, who must figure out how to provide ubiquitous protection for employees and their phones. As a result, universities are adding more classes on mobile security to prepare their graduates for challenges they’ll face in business. The interviewees have seen the number of classes on device and Internet of Things security proliferate in the last couple of years.

Speak up

If communication within a company can be lacking, it can certainly be just as insufficient externally as well. Interviewees lamented the poor collaboration among businesses when it comes to security. While extreme privacy might seem like a rational approach in an era of intense media scrutiny, businesses are missing out on chances to inform each other about threats and build stronger defenses based on collective intelligence. Universities are helping out both by hiring industry experts as professors to allow them to share their experience in the classroom, and also by hosting events where business leaders can convene and converse. As a result, schools not only coordinate the exchange of information, but can adjust their curriculums based on areas of need stated by visiting executives.

Information security is never complete, as the act of continuously building walls around your company or country’s information can feel like a Sisyphean task. Answers may lie in the world of academia, though—“The only fence against the world is a thorough knowledge of it,” said John Locke, who may not have been familiar with data breaches or DoS attacks but whose guidance still rings true today. Thankfully, there are dedicated individuals at universities offering advice and educating the CISOs and security professionals of the future.
