
10/10/2014
11:00 AM
W. Hord Tipton
Commentary

Security Education K Through Life

InfoSec professionals of the future need access to the right education and tools early on and throughout their entire work life.

Cybercrime will never be completely eradicated. As with any criminal endeavor, there will always be those who choose to travel a darker path. However, the information security industry as a whole can and should do a better job of educating and training curious, innovative people who will help us quickly bounce back from an attack and -- more importantly -- be able to predict and prevent vulnerabilities and attacks before they happen.

Who are these people? They are close at hand yet surprisingly out of reach. Today, children are inundated with technology starting in the crib, but they don’t receive the security training they need starting in the crib. It’s unfortunate, but technological advancement necessitates a trade-off of innocence. Kids can’t just plop down in front of video games anymore, because their new devices, whether consoles, computers, tablets, or smartphones, now let strangers directly into their homes.

In the same way we train children not to accept rides from strangers, we now must teach children from an early age, at home and at school, to protect their passwords and avoid phishing scams. Information security is a lesson that should be taught from kindergarten through life. It is critical that we reach children in their formative years, at the same time we are teaching them right from wrong, to teach them the basic cybersafety skills that will inform the rest of their lives, regardless of the careers they choose. As the most vulnerable segment of society, children must learn to protect themselves.

Lighting the path to an InfoSec career
The information security professionals of the future don’t have access to the right education and tools early in their lives. Teachers and guidance counselors don’t yet know enough about the information security industry to properly direct curious students. Right now, these up-and-coming hackers are mostly self-taught. They get a thirst for cyberknowledge and seek out the dark corners of the Internet to learn what they can’t find out in computer class.

But what if we could illuminate the career path of an information security professional for them? Careers in information security are both challenging and rewarding; at the same time, they are also lucrative, with pay continuing to rise across the board for all disciplines. And as we have seen, information security professionals are in demand. Reaching students at this early age would allow us to cultivate more white hats and eliminate future black hats before they have a chance to go bad.

There is a hunger for information security knowledge and collaboration at the college and university level that didn’t exist 10 years ago. Simply getting a degree isn’t enough to prepare anyone to enter the workforce; you need experience. By partnering with schools to provide more internship programs, incorporate relevant training into class work, and create more industry-academic content, businesses can improve future IT professionals’ ability to combat ever-changing cyber security threats. Immersive programs that blur the line between the college environment and the workforce will better prepare students to be lifelong learners and participants in continuing education, the type of visionaries who can stem the tide of cyberattacks and anticipate vulnerabilities before they are exploited.

Paying it forward
Once IT professionals are in the workforce, continuing education could be their most valuable asset. Technology changes so quickly that a college degree is outdated by the time the ink dries on the diploma. Through continuous education, though, you should be getting the equivalent of a new degree every four years. If your organization doesn’t currently invest in continuing education, you must advocate for it yourself. And even if you can’t get your boss to sign off on additional classes, training, or certifications, it is still important to keep learning.

Businesses that take continuing education seriously will outpace those that don’t. Even if your current company doesn’t see its point, improving your knowledge and skills is the only way to prepare yourself to work for someone who does. Be curious. Get certified. Network with your peers. Continue your education. And pass on your knowledge wherever you can, whether it’s to the non-IT side of your organization or to a local grade school. You can start by teaching the cybercops of tomorrow to use strong passwords.

 

W. Hord Tipton, CISSP-ISSEP, CAP, CISA, CNSS, is currently the executive director for (ISC)2, the not-for-profit global leader in information security education and certification. Tipton previously served as chief information officer for the U.S. Department of the Interior ...
Comments
Marc Eggers,
User Rank: Strategist
10/17/2014 | 2:18:13 PM
Re: Homeschool students to the rescue!
Thank you, @Marilyn Cohodas.  As part of the homeschool community, I see how much this segment of the population gets overlooked.  I know that there are many opportunities there to not only increase security awareness, but to also increase recruitment into the infosec ranks.  I am glad that there is a good bit of information out there on web searches now to hopefully raise awareness of this segment and hopefully we can get them more involved in security and help with the lack of resources in infosec.
Marilyn Cohodas,
User Rank: Strategist
10/16/2014 | 4:04:18 PM
Re: Homeschool students to the rescue!
You make a good point, @Marc Eggers! You piqued my curiosity, so I did a quick search online on "home school" and "STEM" and there are quite a few resources out there, including several from university engineering programs!
Marc Eggers,
User Rank: Strategist
10/16/2014 | 10:24:25 AM
Homeschool students to the rescue!
I completely agree with the main thrust of this article, not only from the needs of the infosec industry, but also from the need to just keep children safe. We as security professionals need to invest some of our time and energy into actively teaching and training the next generation. Whether that is only talking to friends and family or it is reaching out to give free/low-cost security talks at the local library.

One of the most underlooked segments of the population that I think could yield a good portion of the needed infosec professionals is the homeschooled population (especially in the United States). As their education is able to be tailored by the parents, and the flexibility of their education and time would really allow them to be more available during "business hours" for infosec professionals to help train these kids and bring them up with security higher in their awareness. This availability during business hours also allows them to volunteer or intern (apprenticeship anyone?) one or two days a week to learn the ropes and the business, as well. These kids are often some of the most curious and willing to put in the most effort into things that interest them because they can get high school and/or college credits for it. This segment of the population would be an excellent area for companies to invest some time into through internships and more open forums to engage these kids into STEM and security fields. I know of some organizations that only accept college students working towards a computer science/IT degree, but if a program were to be put into place, we can engage more of the younger students into these fields. Also, internships are a great way to get future employees dialed in and ready to go with that particular organization. I am not saying we should not invest in brick and mortar schools and working to get "traditional" students involved and engaged in the STEM and security fields. I believe that we need to work to catch these students as well. I just want to point out that the homeschool segment of the population is often easier to get in touch with and to get moving first because they do not have the bureaucracy involved. Homeschool parents will also often attend and get engaged in the dialog and the information and pass it along to other homeschool families.

This is just something to think about as I know that this segment of the population is often overlooked and underdeveloped, and most parents are interested in ways to help keep their children safe. Why not engage them in the safety discussion? It seems like a win-win situation to me.

 
Hord,
User Rank: Author
10/14/2014 | 9:46:32 AM
Re: University Courses
Good point Marilyn. Learning how to relate to the younger generations is often not easy for my older generation.  Was never into gaming myself, Twitter, Facebook, even texting, but soon realized it is necessary to get involved through new communication methods across the board regardless of the risks they present.

I think this issue must get on the agendas of political candidates if we are ever to move quickly enough to close the digital education gap.  I find the public has lost trust in our government and corporations to protect their data and privacy.  We can't function without that trust and the only way to turn it around is through citizen political action.

 
Marilyn Cohodas,
User Rank: Strategist
10/14/2014 | 8:00:45 AM
Re: University Courses
Hord, It's so true that our current educational system -- K through life -- is often a deterrent to delivering well-rounded, competent security professionals, especially those with a liberal arts bent, who might not be inclined to go into a STEM career without encouragement that makes the field more relevant and understandable. I think gamification is a good way to reach out to a younger generation. But it's also important to describe infosec in the context of how critical security is to our daily lives. It's a great opportunity to do important work that makes a difference!
Hord,
User Rank: Author
10/13/2014 | 5:26:00 PM
Re: University Courses
As an International organization, (ISC)² has noted large disparity in global capability to adjust to varying educational needs.  As a former teacher in a family of teachers, I know first-hand the "underpaid" reality of the teaching profession in the United States. My mother taught for 43 years ($35/month during the depression). She stayed with teaching only because of her dedication as I believe most teachers do today. Other countries place sometimes extreme priority on education.  Their students attend regular school for 6 hours and then spend another 6 hours with special tutors, making for long and stressful days.  I just read about accomplished tutors earning $2,000,000+ per year in South Korea. Our business manager in Hong Kong was one of those 12 hour students. Our universities are also very variable in their willingness and/or ability to adjust curricula beyond a snail's pace to adapt to the changing educational needs worldwide.  We often say the rapid change of pace in technology makes college degrees obsolete before the ink dries on the diploma. But at least we can see changes in educational methodology occurring.

The academic system is now recognizing how important continuous learning has become.  This has formed a rapidly growing bond between university and even grade school education with the respectable accredited credentialing community. The result is a process that constantly refreshes content of curricula and lifetime learning through formal education, credentialing and recertification.

Another point was made that learning in this difficult field must be constructed in a manner that is interesting as well as challenging.  Many of the concepts in our world are abstract to the beginner.  We explore such things as gaming in our education and training materials.  We must continue to find ways to relate to the younger generations.

Thanks for the very interesting commentary. 

Hord

 
Marilyn Cohodas,
User Rank: Strategist
10/13/2014 | 8:55:36 AM
Re: University Courses
These are all great comments and points of view. @Ninja001, I'm particularly eager to learn more about the state of cyber education in South Africa.  You say "the training and information is available," but is it adequate? Or do you also share the concerns mentioned by GonzSTL, shenn168 and RyanSepe?
Ninja001,
User Rank: Apprentice
10/12/2014 | 1:17:40 PM
University Courses

I wish to address the point raised about "cyberknowledge" being obtained from the "dark corners of the web".

Surely the introduction of more relevant courses into education institutes will cause the issues raised to become obsolete? I agree that the level they are currently at is nowhere near satisfactory however the development has started. As technology develops so will the courses. That is the aim of most universities I would imagine.

I can say with confidence that in South Africa the training and information is available. 

 

GonzSTL,
User Rank: Ninja
10/10/2014 | 1:52:19 PM
Security Education
Mr. Tipton, I would like to highlight this particular section of your commentary:

"In the same way we train children not to accept rides from strangers, we now must teach children from an early age, at home and at school, to protect their passwords and avoid phishing scams. Information security is a lesson that should be taught from kindergarten through life. It is critical that we reach children in their formative years, at the same time we are teaching them right from wrong, to teach them the basic cybersafety skills that will inform the rest of their lives, regardless of the careers they choose. As the most vulnerable segment of society, children must learn to protect themselves."

In a previous post, I mentioned that as a taxpayer, I would fully support the idea of introducing safe computing practices in a school curriculum. Let's face it – nowadays, children at a very early stage are exposed and often interact with technology in ways that I could never imagine when I was 20! The more informed they are during their formative years, the more ingrained security will be in their adult behavior. That is actually a bonus because then, Security Awareness training will not be some boring esoteric topic replete with all those wonderfully interesting PowerPoint slides, but actually something they can relate to, instead of something that resembles a foreign language.
shenn168,
User Rank: Apprentice
10/10/2014 | 12:11:27 PM
Fair Enough, But What About the Teachers Themselves?
Respectfully, Mr. Tipton your advocacy for security education is indeed important,

"The information security professionals of the future don't have access to the right education and tools early in their lives. Teachers and guidance counselors don't yet know enough about the information security industry to properly direct curious students."


What I want to highlight, in line with what you have already stated, is that our teachers (K-12 and up) are underpaid, over-burdened with test compliance (geez, not unlike the security professionals in highly regulated industries), and do not possess foundational cyber security training.

If somehow a teacher suddenly becomes an infosec "skilled" professional, it is likely he/she would soon end up working for the industries.  Leaving a gap that would be filled with another without the security knowledge, a vicious cycle.  

Perhaps utilizing the STEM model to establish the beachhead for security education K through life is a sustainable process.  Or perhaps the German-style apprenticeships with companies or increased vocational curriculums with information security could be the answers to producing more whitehats in order to secure our cyber future? Whatever the answer(s) may be, personally I don't like the current state of affairs; that is, 'offense is winning and defense is losing.'

Regards,

C.L. Shen, CISSP, Security+
