David Maimon is director of the Evidence-Based Cybersecurity Research Group at Georgia State University.

Sep 30 2020

Training the Next Generation of Cyber Professionals

Colleges and universities are preparing students for in-demand jobs tackling tomorrow’s cybersecurity challenges.

Compared with academic pursuits like history, philosophy or mathematics, the field of cybersecurity is still in its infancy. The word cybersecurity itself is barely three decades old, and, until quite recently, universities rarely offered degrees or even concentrations in the field.

That’s quickly changing, largely thanks to feverish industry demand. By some estimates, the global cybersecurity workforce needs to grow at a blistering 145 percent each year simply to keep pace with the demand for skilled talent in the near future. While some business leaders have historically overlooked the need for top-shelf cybersecurity talent, the growing array of attack types coupled with a number of high-profile breaches have motivated many businesses to increase their focus on information security as a way to protect their bottom lines. The average cost of a data breach in the U.S. is $8.6 million, according to IBM.

LEARN MORE: Get the Defense-in-Depth strategy checklist.

The National Centers of Academic Excellence in Cybersecurity (CAE-C) program — founded in 1999 and managed by the National Security Agency — recognizes colleges and universities that have rigorous academic standards around cyber defense, are active leaders in the development of cybersecurity education and provide leadership and expertise to governments and schools.

“The United States will be best postured for strong cybersecurity professionals across all critical infrastructure sectors when alliances with academia, industry and all levels of government occur,” says Diane M. Janosek, NSA’s commandant for the National Cryptologic School.

Here, cybersecurity leaders at three universities recognized by the CAE-C program discuss how they’re preparing the cybersecurity professionals of tomorrow.

MORE ON EDTECH: Read our exclusive Q&A with EDUCAUSE Cybersecurity Program Director Brian Kelly.

Responding to Cybersecurity Industry Needs

Started in 2018, the Evidence-Based Cybersecurity Research Group is one of several programs at Georgia State University focused on cyber defense. “What’s unique about our research group is that we are trying to understand what works and what doesn’t in the context of cybersecurity,” says David Maimon, director of the center. “We’re trying to test the effectiveness of policies and tools. The focus is not just on technology but on the human actors: hackers, targets, chief information security officers and law enforcement.”

Students work to protect the research group’s private network while also applying existing cybersecurity tools to determine their effectiveness at stopping threats. These efforts help industry in two ways, Maimon says: First, companies get an unbiased, realistic picture of which tools can help keep their IT environments safe. Second, they receive access to a pipeline of talented students who will graduate with meaningful cybersecurity experience.

Georgia State University's Evidence-Based Cybersecurity Research Group students

At Georgia State University's Evidence-Based Cybersecurity Research Group, students are tasked with determining whether existing tools are effective at stopping threats. Source: Georgia State University

“Companies are struggling to find resources to help them survive these attacks,” Maimon says. “Everybody is trying to keep their budgets reasonable, and many companies pay a lot of money for cybersecurity tools that, at the end of the day, they’re not really sure if they’re effective or not.

“Companies require these skills,” Maimon adds, “and they want the students that they’re going to hire in the future to have those skills.”

Industry relevance weighs heavily on the focus and design of the program. In fact, Maimon says, the entire concept behind the Evidence-Based Cybersecurity Research Group came from conversations with industry stakeholders.

“We came up with this program based on our conversations with our advisory board, which is made up of people in industry,” Maimon notes. “Their complaint was that students knew the theory, but they had no practical skills that would allow them to start working for those companies, and they needed six months to a year of additional training. We’re trying to bridge that gap.”

Understanding Cybersecurity in the Real World

While there are many applications for cybersecurity education in real-world situations, the field is also rich with theory and research, notes Joel Rasmus, managing director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.

“There are a lot of applied aspects to cybersecurity, and we have an entire college devoted to application, with a formal cybersecurity major in that ­college,” Rasmus says. “But if we restrict cybersecurity education to just application, we’ll be locked into always addressing today’s problems, and not designing more secure, more resilient systems for the future.”

Rasmus notes that employers sometimes complain that graduates lack proficiency in specific cybersecurity products. “I explain that while a current understanding of practice is important, there is a difference between education and training,” he says. “Our goal is to make sure our graduates have a strong foundational understanding of how they work so that when the next product comes out or the next threat emerges, they know how to assess and address. Training is important, but for a fast-moving, ever-evolving industry like cybersecurity, you shouldn’t expect to use the same product over the long term. You can be trained on any new product, but your payoff is having a strong foundational understanding of how and why things work.”

MORE ON EDTECH: Learn how to train the next generation of InfoSec pros through real-world threats.

Purdue has long been a leader in cyber research and education, and the university has a number of majors and tracks available. CERIAS takes an interdisciplinary approach to cybersecurity and offers numerous learning opportunities both in and out of the classroom. On the school’s cyberTAP cyber range, students tackle real-world cybersecurity problems, defending a network against 14 stock scenarios, such as ransomware and distributed denial of service attacks. They also host cybersecurity competitions and attend on-campus lectures by industry experts.

Along with being a high-demand field, cybersecurity gives students the opportunity to flex their creativity and pursue a variety of career goals, says Rasmus, who emphatically rejects the common stereotype of a basement-dwelling hacker in a hoodie. He recalls speaking with a young woman who was drawn to cyber defense after her friend’s sister was abducted. The student, he says, wanted to learn how to use cyber skills to stop the online abuse and exploitation of children.

“It wasn’t about, ‘Oh, I really like the idea of hacking into something,’” Rasmus says. “This was somebody who identified that cybersecurity was a way to make the world a safer, ­better place.”

Having a State-of-the-Art Cyber Range

Located in Virginia Beach, Va., Regent University launched a state-of-the-art cyber range at its Institute for Cybersecurity in the fall of 2017. Students at the small, private school have a chance to engage in hands-on cybersecurity training and simulation with real-time attack scenarios and security breaches.

“We’re starting from ground zero with a lot of our students,” says Cheryl Beauchamp, director of the institute. “They’re not coming with a lot of prior knowledge. We’re starting with packet tracing, learning about policies and rules, and then we put them in a simulated security operations center environment.”

Regent students practice with security tools from vendors including Palo Alto Networks and Fortinet. “I’ve made the case that we want to make sure our students go into the workforce with relevance,” Beauchamp says. “The attacks of four years ago are not necessarily relevant anymore. It’s important for them to have the underlying foundation. But it’s also important for students to be able to go out and say, ‘I’m familiar with that tool, we were just using that on the cyber range.’”

Surveys of Regent students show that many are motivated to study cybersecurity in part because of perceived job security, but many are also simply fascinated by fields such as digital forensics. Beauchamp acknowledges that a degree alone doesn’t necessarily prepare students to take on cybersecurity tasks in the field upon graduation, and so Regent also emphasizes industry certifications.

“When you work for an IT department, you won’t have seen every single scenario in your college textbook,” Beauchamp notes. “Having the opportunity to practice in a hypersimulated environment, where students can see real traffic and real logs, is really crucial.” 

Ben Rollins