Classroom

From Smart Hires to Hacking Labs, Here’s How to Launch a Cybersecurity Program

Follow these best practices to deliver a top-notch cybersecurity curriculum.

Kyle Cronin is an assistant professor at Dakota State University in South Dakota.

David Overby is CIO at Dakota State University in South Dakota.

Dakota State University has a proud history as both a teachers’ college and a technology-intensive university. In 1984, not long after global payment processing companies began locating in South Dakota, the state government designated DSU as a tech-focused university. The institution responded by building a computer science program that has served local industry well.

Since then, of course, the needs of industry have evolved considerably. Case in point: cybersecurity. Today, an estimated 200,000 unfilled cybersecurity positions exist in the United States alone. DSU is helping to address that shortage by offering degrees in information assurance and cyber operations.

We now have more than 1,000 students in our College of Computing — more than 400 of them online — and they all must take courses in cyber operations and network security to graduate. We also offer an online-only cybersecurity degree that primarily serves students who are out of state.

These programs serve a dual purpose: fulfilling a dire need in a society increasingly dependent on secure technology and preparing our students for in-demand, well-paying careers. To deliver them successfully, we needed to develop these courses in a manner that gave students the systems access they needed to practice critical skills, while also maintaining the necessary security.

For example, both the College of Computing’s on-campus and online students have access to our Information Assurance Lab. Residing in DSU’s main data center, the lab consists of half a dozen racks of virtualized servers. Once we ensured there was enough high-performance storage to meet the growing demand for lab time, expanding our capacity was straightforward because it’s easy to virtualize servers over the web-based interface.

Students using the lab learn how to spin up virtual test beds remotely so they can study how to hack into a financial system. Once they’ve learned how hackers operate, students learn remediation and protection skills.

Crafting a Cybersecurity Syllabus for Success

In coming years, driven by a growing need in the labor market, cybersecurity curricula are likely to proliferate at institutions. For those seeking to develop a similar lab or online courses, we offer the following best practices, based on our experiences over the past several years.

Hire faculty with hands-on technical experience: Online cybersecurity programs need a champion who has experience in both coursework and enterprise network management. Because of DSU’s small size, we were fortunate that the head of the cybersecurity lab has a well-rounded background in network administration, software development and teaching. We also seek to hire professors and instructors who have worked in the commercial sector; they are up on the latest trends and tend to be quick to adapt as cyberthreats evolve.
Stay ahead of security trends: This presents a great challenge for an institution because planning and implementing new courses typically takes several months, if not years. In contrast, new threats are quick to emerge and change the game for IT security professionals. Take ransomware as an example. A year ago, ransomware was barely on the radar screen. Now, the tech press covers it routinely, and higher education is certainly not immune. In January, Los Angeles Valley College paid a $28,000 ransom in bitcoin to a hacker who had seized control of its computer network and campus email. DSU strives to revamp our cybersecurity curriculum annually to give students experience with the latest strains of malware and with emerging attack vectors and techniques.
Don’t be afraid to fail: Most of what computer scientists do stems from trial and error. Every course won’t work out. Sometimes trends move faster than staff can respond. And colleges have to start from somewhere. For example, when DSU first created its virtual lab, students gained access by typing in a command prompt on a computer screen. The process was clunky, and the network often kicked students off when they tried to log on. Over time, the college improved the interface and back-end network. Today, students access the lab by simply clicking on a link in the college’s learning management system.
Understand the needs of online students: Many online students work full-time or have other responsibilities, such as taking care of children or elderly parents. They’ll find it helpful if each professor in an online cybersecurity program can be available for evening “office hours” (roughly 4 to 7 p.m.) at least one day during the work week. Also, make sure to obtain the support and buy-in from faculty, administrators and central IT that are necessary to deliver the communications tools that online students require: chat, email and video conferencing.
Know when to let go: After three to five years, when the academic lab matures to the point of needing mostly ongoing maintenance, it’s time to turn the operation over to central IT. For example, the cybersecurity group adds only a little more than a half-rack of servers per year, so there’s little need for professors to maintain the equipment as much.

Colleges are in a unique position to offer leadership with cybersecurity education. We’re proud of what we’ve done at DSU, but we recognize that more needs to be done, at both college and K–12 levels. It’s incumbent on those of us in academia and in other fields to give students an opportunity to learn that cybersecurity, in addition to being a career that pays well and will likely offer growth for many years, also can be rewarding and interesting.

hjalmeida/Thinkstock