Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

// // //
10:00 AM
Connect Directly
E-Mail vvv

Challenging Our Education System to Nurture the Cyber Pipeline

Let's teach students how to teach themselves. Once we do that, we will have taught a generation of students how to think like hackers.

I've yet to come across a company that has all the cybersecurity talent it wants. If you work in technology, you've probably heard someone talk about the "pipeline problem." As you progress deeper into the more niche and technical roles in technology, like cybersecurity, the need for qualified candidates rises to seemingly unachievable counts.

Related Content:

Women Are Facing an Economic Crisis & the Cybersecurity Industry Can Help

Special Report: How Data Breaches Affect the Enterprise

New From The Edge: How to Create an Incident Response Plan From the Ground Up

As we move into the digital age, how do we develop the next generation of problem solvers whose responsibility will be to keep the world safe from cyber threats?

Many of the cybersecurity professionals I've met share a curiosity about how things work and a willingness to test limits. We were the ones who annoyed our parents and teachers with incessant questions: "Why?" and "How?" "Why does y=mx+b?" "How does a plant grow?" And "Don't touch that" inevitably turns into "I wonder what would happen if I touched that?" So, how do we create an environment that fosters this type of thinking to address cybersecurity's pipeline problem?

The answer involves taking a deeper look into our education system and the underlying messages it conveys to our students. Students currently are evaluated against how well they can follow instructions. The students who excel in the classroom are often the ones who are great at following directions, who are eager to please and do what they're told. I was one of those students and, though I've found my way to a rewarding role in cybersecurity, I see opportunities for improvement.

Imagine an education system where we encourage students to break things in a constructive fashion. Break to know why and how. An education system where we're less concerned about the end result than about the student's ability to think outside the box and come to conclusions based on the information they've been provided.

These are the types of students who would thrive in cybersecurity. As penetration testers, they'll be able to think up less-obvious attack chains that expose companies to just as much risk as the more obvious ones. As security operations center analysts, they'll develop more accurate ways for identifying attacker behavior and cut down the time to initial detection. They'll have spent their lives nourishing their own creative problem-solving process and will be well equipped to find answers to the harder questions.

I had a math teacher in grade school who graded students on their ability to follow directions. We were asked to show our work on our assignments and would lose points if we didn't use the methodology he taught to arrive at the right answer, limiting us to learning what was taught and not how things worked.

Life isn't one-size-fits-all. We should celebrate a child's creativity when they come to the right answer, whether or not it's the way we would have done it. This encourages students to continue nurturing their curiosity and develops better thinkers. This is what the cyber pipeline is missing. Thinkers, not "smart people."

How can we create more thinkers? 

  • Ask open-ended questions: As teachers, we can ask students more open-ended questions. Get them to think through their answers, justify them, and reinforce those neural connections in their brains. I had an electrical engineering professor in college who gave students a few blank sheets of paper for the midterm and final. The exam was to write out everything we'd learned in her class up to that point, a difficult task if we hadn't really learned the material. Preparing for these exams demanded that we worry less about memorization of the minutia and focus on a deeper understanding of the material — an understanding that would move us closer to mastery of the subject and enable us to use this same understanding to think creatively and find novel solutions to problems.

  • Pass the teaching baton: The next thing we can do goes along with this idea of mastery: We should assess students on their ability to teach the subject matter on which they're being assessed. Did you ever notice how quickly an answer comes to you when you're drafting the message to a colleague to ask for help? When we teach or communicate complex ideas to another person, it forces us to organize our thoughts in a way that deepens our understanding of the subject matter. In classrooms, we can task students with orally presenting their answers to homework. We can group students with partners and have them take turns explaining their logic to one another in a low-stress setting.

  • Focused mentorship: What about those of us who aren't in the classroom with students? We can focus our efforts on a mentorship that nurtures intellectual curiosity in mentees. Our mentee has an idea? Great. Regardless of whether or not we think it will work, let's let them come to those conclusions on their own. Let's give them opportunities to fail and teach them that failures are a part of success, that our failures are really teaching opportunities.

Straight A's don't translate into the ability to solve problems creatively. We should place less importance on doing things the taught way and focus instead on teaching students to find their own way. We must encourage students to ask why things work the way they do, to deepen their mastery of the fundamentals so they can take creative risks with their understanding. To challenge the way things are done and push them to find a better way to do it. Let's teach them how to teach themselves. Once we do that, we will have taught a generation of students how to think like hackers. We'll have taught them the importance of curiosity in life, and our pipeline will be full of candidates ready to protect the world against coming cyber threats.

Stephanie Aceves is Senior Director, Threat Response SME Lead, at Tanium. Prior to Tanium, she was a part of EY's Cyber Threat Management, both on the Incident Response and Attack & Penetration teams. Before leaving EY to work for Tanium, Stephanie led red team (ethical ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/12/2022 | 2:20:00 AM
Pending Review
This comment is waiting for review by our moderators.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file