At Georgia State University's Evidence-Based Cybersecurity Research Group, students are tasked with determining whether existing tools are effective at stopping threats. Source: Georgia State University
“Companies are struggling to find resources to help them survive these attacks,” Maimon says. “Everybody is trying to keep their budgets reasonable, and many companies pay a lot of money for cybersecurity tools that, at the end of the day, they’re not really sure if they’re effective or not.
“Companies require these skills,” Maimon adds, “and they want the students that they’re going to hire in the future to have those skills.”
Industry relevance weighs heavily on the focus and design of the program. In fact, Maimon says, the entire concept behind the Evidence-Based Cybersecurity Research Group came from conversations with industry stakeholders.
“We came up with this program based on our conversations with our advisory board, which is made up of people in industry,” Maimon notes. “Their complaint was that students knew the theory, but they had no practical skills that would allow them to start working for those companies, and they needed six months to a year of additional training. We’re trying to bridge that gap.”
Understanding Cybersecurity in the Real World
While there are many applications for cybersecurity education in real-world situations, the field is also rich with theory and research, notes Joel Rasmus, managing director of the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University.
“There are a lot of applied aspects to cybersecurity, and we have an entire college devoted to application, with a formal cybersecurity major in that college,” Rasmus says. “But if we restrict cybersecurity education to just application, we’ll be locked into always addressing today’s problems, and not designing more secure, more resilient systems for the future.”
Rasmus notes that employers sometimes complain that graduates lack proficiency in specific cybersecurity products. “I explain that while a current understanding of practice is important, there is a difference between education and training,” he says. “Our goal is to make sure our graduates have a strong foundational understanding of how they work so that when the next product comes out or the next threat emerges, they know how to assess and address. Training is important, but for a fast-moving, ever-evolving industry like cybersecurity, you shouldn’t expect to use the same product over the long term. You can be trained on any new product, but your payoff is having a strong foundational understanding of how and why things work.”
MORE ON EDTECH: Learn how to train the next generation of InfoSec pros through real-world threats.
Purdue has long been a leader in cyber research and education, and the university has a number of majors and tracks available. CERIAS takes an interdisciplinary approach to cybersecurity and offers numerous learning opportunities both in and out of the classroom. On the school’s cyberTAP cyber range, students tackle real-world cybersecurity problems, defending a network against 14 stock scenarios, such as ransomware and distributed denial of service attacks. They also host cybersecurity competitions and attend on-campus lectures by industry experts.
Along with being a high-demand field, cybersecurity gives students the opportunity to flex their creativity and pursue a variety of career goals, says Rasmus, who emphatically rejects the common stereotype of a basement-dwelling hacker in a hoodie. He recalls speaking with a young woman who was drawn to cyber defense after her friend’s sister was abducted. The student, he says, wanted to learn how to use cyber skills to stop the online abuse and exploitation of children.
“It wasn’t about, ‘Oh, I really like the idea of hacking into something,’” Rasmus says. “This was somebody who identified that cybersecurity was a way to make the world a safer, better place.”
Having a State-of-the-Art Cyber Range
Located in Virginia Beach, Va., Regent University launched a state-of-the-art cyber range at its Institute for Cybersecurity in the fall of 2017. Students at the small, private school have a chance to engage in hands-on cybersecurity training and simulation with real-time attack scenarios and security breaches.
“We’re starting from ground zero with a lot of our students,” says Cheryl Beauchamp, director of the institute. “They’re not coming with a lot of prior knowledge. We’re starting with packet tracing, learning about policies and rules, and then we put them in a simulated security operations center environment.”
Regent students practice with security tools from vendors including Palo Alto Networks and Fortinet. “I’ve made the case that we want to make sure our students go into the workforce with relevance,” Beauchamp says. “The attacks of four years ago are not necessarily relevant anymore. It’s important for them to have the underlying foundation. But it’s also important for students to be able to go out and say, ‘I’m familiar with that tool, we were just using that on the cyber range.’”
Surveys of Regent students show that many are motivated to study cybersecurity in part because of perceived job security, but many are also simply fascinated by fields such as digital forensics. Beauchamp acknowledges that a degree alone doesn’t necessarily prepare students to take on cybersecurity tasks in the field upon graduation, and so Regent also emphasizes industry certifications.
“When you work for an IT department, you won’t have seen every single scenario in your college textbook,” Beauchamp notes. “Having the opportunity to practice in a hypersimulated environment, where students can see real traffic and real logs, is really crucial.”