Cybersecurity Education and Practice: Never Stop Learning

By Ken Sigler, Dan Shoemaker, and Anne Kohnke

As the number of industries, organizations, and educational institutions continue to recognize the scope and impact of cybersecurity, the means in which the crisis is approached cannot be made haphazardly. For many years cyber professionals have been able to apply consistency within practices aimed toward minimizing the effects of cyber-attacks by using international and domestically adopted standards, guidelines, and frameworks. These standards, guidelines, and frameworks aim to put into context how some facet of cybersecurity should be accomplished. While well-intentioned, this wide array of sometimes overlapping standards can be quite overwhelming to the practitioners and organizations that need them the most.

Organizations tend to fit into one of two categories when considering their adherence to standards and guidelines. Many take the unsystematic (and sometimes chaotic) approach by either ignorantly or willfully neglecting the value of standards and guidelines or by ignoring them entirely and just doing their own thing. It is those organizations that find themselves strapped with the complexities and budgets of recovering from data breaches, much less understanding of how the breach happened in the first place.

The second group of organizations successfully adopt applicable standards and guidelines and make valiant efforts to abide by them. The problem resides in the interpretation of those resources.  These valuable resources are written by industry experts charged with providing detailed explanations of cybersecurity practices at a very concrete level. The organization is left to make their own interpretation that sometimes can lead them into a direction that will be more costly, compared to if they were not to have adopted the standard and guideline in the first place. Thankfully, recent books have been published that provide greater understanding into such cybersecurity areas as: understanding and applying the National Institute of Standards and Technologies (NIST) Cybersecurity Framework, standardized approaches for implementation of cybersecurity controls, understanding cybersecurity risk management and the implementation of risk practices using the NIST Risk Management Framework, implementing guidelines that support cybersecurity management throughout the entire supply chain, and how to make an organization truly cyber-resilient.

Similarly, educational institutions have struggled to find the right fit for how to prepare students for careers in cybersecurity. Since the turn of the century many Information Technology programs saw cybersecurity as solely the need to implement technology aimed at protecting information; hence the reason for the old way of referring to the field as “Information Security”. Programs taking on that understanding of the field prepare students with a narrow scope of simply presenting the technologies that protect information. And in many cases, those presentations are done through simulated approaches.

However, as the field of cybersecurity has evolved, educators cannot take as narrow of an approach to preparing students. Realistically, the field has become much more than just securing information. Rather it is becoming a discipline in and of itself, which encompasses a complete body of knowledge that requires standardized approaches (with well-defined outcomes) to introducing the expanded areas that make up the entire field of cybersecurity. No longer can someone be prepared for work within the field simply by understanding the difference between a router, switch, and firewall. Cybersecurity has expanded to the extent that data security, software security, component security, connection security, system security, human security, organizational security, and societal security should all necessarily be included (from an interdisciplinary approach) within cybersecurity curriculum in order to adequately prepare individuals for work within the field. And to that extent, organizations should endeavor to understand the interdisciplinary knowledge of the individuals that they hire.

To support the growing need for standardized and interdisciplinary approaches of educating future professionals in the entire cybersecurity body of knowledge, two standards have been developed to assist educational institutions in the development of their cybersecurity curriculum. NIST published the second version of the “National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework” in 2017. NICE breaks the field of cybersecurity down into specialty areas and specifies what each area of the workforce should be doing to ensure that security functions of identification, protection, defense, response, or recovery are being carried out properly.

Similarly, later that same year, the Joint Task Force on Cybersecurity Education in association with the Association for Computing Machinery (ACM), IEEE Computer Society (IEEE-CS), Association for Information Systems Special Interest Group on Information, Security and Privacy (AIS SIGSEC), and International Federation for Information Processing Technical Committee on Information Security Education (IFIP WG 11.8) was formed and published in December 2019 the Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity Education (more commonly known as CSEC2017). The purpose of CSEC2017 is to provide a summary of the underlying topics that encompass eight knowledge areas that define the boundaries of the discipline of cybersecurity. The premise of the guideline is to provide educators an understanding of what topics should be included in the cybersecurity curriculum, a common set of outcomes and provides adequate flexibility into how the topics are introduced and outcomes realized.

Much like the earlier discussion related to whether organizations adopt cybersecurity industry standards, the same is true of educational institutions. It is a growing imperative that all cybersecurity curriculum provide a greater scope of instruction into the entire body of knowledge while providing hands-on approaches to introduce and dive deeper into each topic. While standards and guidelines provide the detail of what needs to be included in cybersecurity curriculum, books on NICE, such as A Guide to the National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (2.0) and CSEC2017 The Cybersecurity Body of Knowledge The ACM/IEEE/AIS/IFIP Recommendations for a Complete Curriculum in Cybersecurity, have been published that provide specific examples into how they can be implemented successfully.

Cybersecurity is not a field that should be approached carelessly. Many organizations and educational institutions have taken that approach and failed to the extent of costing millions of dollars. In a time where many are being forced to rethink their cybersecurity strategies as a result of COVID-19, the use of standards and guidelines accompanied by numerous books that bring standardized topics into context, provide the capability of implementing cybersecurity instruction and practice in a manner that will circumvent the effect of attacks for years to come.

About the Authors

Ken Sigler, is a faculty member of the Computer Information Systems (CIS) program at the Auburn Hills campus of Oakland Community College in Michigan. His primary research is in the areas of software management, software assurance, cybersecurity risk management, and cybersecurity education. He Has spoken nationally on numerous topics related to cybersecurity and has served as the liaison for the college to the International Cybersecurity Education Coalition (ICSEC), of which he is one of three founding members. Ken is a member of the University of Detroit Mercy Center of Cybersecurity and Intelligence Studies Board of Advisors.

Daniel P Shoemaker, is a principal investigator and senior research scientist at the University of Detroit Mercy’s Center for Cyber Security and Intelligence Studies. Dan has served 30 years as a professor at UDM with 25 of those years as department chair. He served as a co-chair for both the Workforce Training and Education and the Software and Supply Chain Assurance Initiatives for the Department of Homeland Security and was a subject matter expert for the NICE Workforce Framework 2.0. Dan has coauthored six books in the field of cybersecurity and has authored over one hundred journal publications. Dan earned his PhD from the University of Michigan.

Anne Kohnke, is an Associate Professor of Cybersecurity and the PI for the Center of Academic Excellence in Cyber Defense at the University of Detroit Mercy.  After a 25-year career in IT, Anne transitioned from a Vice President of IT and Chief Information Security Officer (CISO) position into full-time academia in 2011. Dr. Kohnke was also a tenured Associate Professor at Lawrence Technological University where she taught technical IT and cybersecurity courses. Dr. Kohnke’s research is focused in the area of cybersecurity, risk management, threat modeling, and mitigating attack vectors.  Dr. Kohnke has recently coauthored six books and several peer-reviewed journal articles in this field of study.  Dr. Kohnke earned her PhD from Benedictine University, an MBA from Lawrence Technological University, and courses in the Master of Science in Information Systems and Technology at the University of Michigan Dearborn.