Analyzing Cybersecurity’s Fractured Educational Ecosystem
Every day, a common scenario plays out across the US. An information
security employer receives a resume from a recent graduate and looks at
the student’s academic qualifications. Folks in human resources then
invariably start muttering to themselves, “Does this individual have the
necessary qualifications to be a…?” (fill in the blank: penetration
tester, security operations center analyst, developer, contractor).
In an industry where hard data is respected above all else, we have
surprisingly little data on how to evaluate candidate qualifications.
The only issue experts seem to agree on is that there is a major infosec
skills shortage — although even here, there is disagreement on exact
numbers (Cyberseek cites 746,858 currently employed, but Frost and Sullivan reports 1,692,000
currently employed). This means that when employers are trying to find
usable guidance, rankings, or even certifications to assist in
determining the quality of an academic program, and by proxy, the
students and job candidates they produce, they’re out of luck.
The problem stems from the origins of security in academia. At
different institutions, security-related classes emerged over the years
in various disciplines, including computer science (CS), information
systems (IS), and information technology (IT), as a tangent discipline
in the service of broader departmental goals and curricula. In most
cases, security education is still maintained within these disciplines.
This program diversity makes it difficult for a single evaluation
criterion to emerge that is general, yet still useful, within this
diluted environment. Indeed, unlike CS, IT, and IS, there currently are
no widely adopted academic accreditations for computing security at all.
Don’t Give Up
The National Security Agency (NSA) offers three primary designations for which institutions can apply, each deeming the recipient a Center of Academic
Excellence (CAE). Currently, these designations are offered in three
distinct areas: cyber defense (CD), cyber operations (CO), and research
(R).
Nearly 170 academic institutions maintain at least one of the three
National Security Agency designations, but only the CAE-CD and CAE-CO
maintain curricular requirements. On the surface, these designations may
seem to be exactly what is needed; however, there are also some
concerns with simply seeking out NSA-designated institutions. Due to the
need to designate security programs that may be housed in CS, IS, IT,
or dedicated Computing Security programs, the CAE-CD requirements are
broad and primarily focused on defensive topics. As a result, these
designations act more like a minimum barrier to entry in the area of
infosec education and don’t provide a comparative criterion or any
mapping to job functions. Moreover, they were initially created with the
NSA’s goals and needs in mind, not necessarily matching those of an
enterprise or more general security operation.
Indeed, this broadness, until recently, extended to the designation
itself. Prior to a recent revision, the NSA CAE-CD designation was given
at the institution level and not for a specific program. This meant
that although institutions might have obtained the designation, they did not have
to provide students a way to take the required courses, thereby making
such a designation useless as an evaluation criterion. This highlights
that just because a student attends a designated institution doesn’t
mean they will receive the desired education.
The CAE-CO is a newer, more offensively focused, and also more
stringent designation. However, it highlights one of the potential
problems with the system as a whole. The NSA represents a unique
employer, the Department of Defense, and has adapted the designation
requirements to include aspects not often used or needed in industry. An
example of this would be the CAE-CO requirements for Just War Theory.
Most industry security professionals would agree that this is not part
of their day-to-day responsibilities. None of the NSA designations focus
on nongovernmental, industry requirements, particularly for roles such
as penetration testing. And, without industry outreach, there doesn’t
appear to be any solution on the near-term horizon.
It is important to note that accreditations alone will never totally
solve this problem. There are other criteria that play a role in
effective infosec programs. Faculty quality, extracurricular activities,
and continuous communication within the industry, including
internships, are all contributing factors to the overall student
experience and their ultimate success within a program. This is where
that infosec employer can find their edge; while most companies won’t be
able to provide the grants and scholarships that the government does,
they have the opportunity to serve as advisers to academic programs,
offering their feedback in exchange for mutually beneficial, hands-on
internships. Using this vehicle, employers may be able to get the
influence and data they need to make informed decisions about the
quality of academic programs, accreditations, and, ultimately,
mission-critical new hires for their teams.