This post originally appeared in Forbes.

Security is fundamentally about risk mitigation – so why don’t we teach it like that?

We often see cybersecurity work portrayed as a shadowy game where good guys sit in front of giant screens showing esoteric technical data and match wits in real time with a lone wolf hunched over a laptop wearing the inevitable hoodie. While scenes like that occasionally play out, the far more realistic scenario in most enterprises is an asynchronous contest in which attackers use commonly available open source tools to look for well-known vulnerabilities and exploit them with packaged exploit kits. In the real world, success typically depends more on adopting good processes, getting business stakeholders to buy into the program, and being disciplined about executing on them. That’s not to say that deep technical skill isn’t valuable or necessary – it most certainly is – but a team of elite-level security tacticians can’t effectively protect an organization if the decision makers are unwilling to support their work through funding and tolerance of security hassle. The ability to “sell” executives on continuous investment in a security program is the most critical aspect of the outcomes most organizations see. As an industry, though, we’re largely failing on this because when we think about security education, we usually prioritize tactics over strategy.

If you spend a few minutes researching available cybersecurity educational options, one theme will immediately become apparent: the curriculums stress the tools students will work with above developing an understanding of business risk mitigation. This theme is apparent not just in the for-profit training and certification space, but extends even into the undergraduate and graduate levels. While having a strong understanding of the available arsenal is important, if you’re unable to articulate why it all matters to a business leader, you’ll never get the sponsorship required to really implement a proactive, strategic program and will always be trying to find more fingers for all the holes in the dike. The most successful security organizations I’ve seen in 20 years of this work are those that have leadership that can frame the problem as risk mitigation, clearly explain options and tradeoffs to non-technical executives, and rally their support for implementing ongoing security programs. That doesn’t mean they don’t have deep technical skill, but it does mean that those technical skills are in balance with the business savvy to leverage them effectively. Why then does our educational approach differ so greatly from this?

One approach to advancing this perspective is through internship programs whereby senior students can develop real-world perspectives on cyber roles. In doing so, they are able to develop a visceral understanding that cyber is about risk mitigation. As interns work in actual enterprise environments, they see that every organization struggles with threat overload and can’t fight every fire at once. At the same time, they can put technical cyber skills into practice on real systems while developing new skills in areas outside their formal curriculum. The threat landscape changes so rapidly that it’s impractical for the educational system to focus on the tactical nuances of specific tools. Providing an understanding of risk management concepts, a strong and wide technical base, and an internship or apprenticeship program are the three most critical aspects of a cybersecurity education.

This disconnect can be addressed with a few high-level changes to the way we deliver cybersecurity education:

1. Cyber isn’t a standalone discipline separate from IT itself. You can’t secure something you don’t understand, which means the most effective cyber practitioners often come from a background in IT infrastructure or development or even a non-IT business domain. They’ve developed a mastery of the target and can thus much more effectively identify its weaknesses and effective mitigations. We shouldn’t teach cyber as a standalone trade, but rather as a ‘capstone’ layer on top of understanding whatever it is you’re protecting in the end.

2. The very first concept in the very first cyber course a student takes should start with the fundamental truth that this is a problem without end. There is no such thing as perfect security and there are always constraints in money, staff, time, and hassle that prevent implementing the ideal technical solution. Every course should start with the foundational assumption that the most important skill is triaging and prioritizing risk such that you can wisely allocate scarce mitigation resources.

3. As important as technical mastery of security tools and technology is the ability to effectively describe complex, technical problems to the non-technical leaders whose support is critical to addressing them. Even the most brilliant cyber tacticians need support from business leaders to implement effective tools and technical strategies; equipping students with only half of this skillset leaves them unprepared for the reality of their future jobs. Equal weight should be given in cyber education to developing communication and presentation skills to enable security practitioners to credibly work with non-technical decision makers, using their vocabulary and from their perspective. Cyber professionals who possess both the technical depth and the ability to connect with these external audiences are both the most effective in their roles and have the highest long-term career ceilings.

Cybersecurity is a society-wide problem and one that will never be “solved,” but can be well managed. Arming aspiring security professionals with a more complete and balanced skill set enables them to be more effective in the fight and achieve greater long-term personal career impact.
