A recent study analyzing cybersecurity education at top American universities found that none of the top 10 computer science programs requires cybersecurity as a course for graduation. This means that thousands of computer experts who will be building our future technology might have no formal cybersecurity training.
There’s already a strong need to develop professionals to help secure and protect our existing and future technology. Since 1998 the National Security Agency has administered a program recognizing educational institutions that satisfy specific information assurance and cyberdefense educational objectives in their two-year, four-year and research programs. The government believes that this education initiative reduces the overall number of vulnerabilities in our nation’s networks.
Until university computer science programs formally include technical cybersecurity education in their programs, information technology administration and development, on the one hand, and cybersecurity, on the other, will remain two separate disciplines. The problem is that businesses usually can’t afford to hire full-time professionals for both areas. They often turn to consultants, driving forecasts reported by Forbes that the cybersecurity business will grow from $75 billion worldwide in 2015 to $170 billion by 2020.
One way to bridge this cybersecurity divide is to mandate technical cybersecurity training for existing technology employees. This training should be more than user awareness on how to identify phishing emails.
For example, send your system administrator to digital forensics training where he/she will learn how to research a cybersecurity breach and the artifacts left by an attacker. This training will teach your system administrator how to identify compromised systems, how to securely configure a system to prevent a breach and how to conduct a productive pre-investigation before bringing in a consultant.
Sending your network engineer to a penetration testing course will provide specific insight into how an attacker bypasses network security to compromise your network and maintain an unauthorized presence on it. Upon successfully completing the course, your network engineer will know what needs to be secured, what information needs to be logged and what to look for in the logs.
Another approach is to support employee participation in cybersecurity challenges, such as Hawaiian Telcom’s recent Capture the Flag event and other exercises that strengthen and test cybersecurity skills and promote learning. While IT professionals might not transition to become cybersecurity experts, the knowledge they gain and can implement in their day-to-day work could be the crucial factor in preventing a major cybersecurity breach of your company.
Michael Miranda, director of information security at Hawaiian Telcom, holds current Global Information Assurance Certification (GIAC) and is a Systems and Network Auditor (GSNA), a Certified Intrusion Analyst (GCIA) and Certified Forensic Analyst (GCFA). Reach him at michael.miranda@hawaiiantel.com.