March 20, 2017

One field rife with job opportunities in our economy's recovery from the Great Recession is cybersecurity - some estimates have the demand in this sector surging to 1.5 million positions by 2020. The trouble, however, is that few applicants are qualified to take those jobs, according to a survey by the non-profit organization that works to establish standards in the information systems industry.

In recent years, colleges and universities have ramped up efforts to offer cybersecurity training to students in related fields, but providing the "right" set of skills to enter a career that involves warding off perpetually and rapidly evolving cyber threats is often a shot at a moving target.

To improve its ability to hit the mark, Drexel University's Isaac L. Auerbach Cybersecurity Institute has been working closely with industry professionals to keep its master's degree and online certificate curriculums fresh and provide hands-on experiences.

Early evidence of positive progress from this collaboration is the recent success of Drexel's intramural cybersecurity team. The group, comprised of 10 students and coached by information security professionals from Susquehanna International Group, became the first school from Philadelphia to qualify for the regional finals of the National Collegiate Cyber Defense Competition. This competition puts participants in a corporate cybersecurity simulation where they must keep a network running fending off a team of would-be hackers.

Three people who have been involved with the team and, by extension, Drexel's effort to prepare students for jobs in the field, recently gave us a look at maintaining a quality program and fielding a competitive cybersecurity team. The Professor:

Steven Weber, PhD, is a professor in the College of Engineering and director of the Isaac L. Auerbach Cybersecurity Institute at Drexel. Weber is heading up the school cross-disciplinary degree and certificate programs, as well as research efforts at the Institute and recruitment of industry partners.

Cybersecurity is one of the fields with rapidly growing demand in the job market. Some experts estimate that 1.5 million cybersecurity professionals will be needed by 2020, so how has this demand risen to the point where we are now scrambling to meet it?

Although public awareness of the cybersecurity personnel gap is more acute today, the existence of the gap has actually been noted by those in the cybersecurity community for many years.

Part of the reason so many jobs have been created in this field in the last decade is tied to the fact that the internet was not designed with security in mind. Its original creators were focused on just getting it to work - and not considering how bad actors might "break" it. Now that internet use is relatively ubiquitous and so many people use it for business transactions, there is a rapidly growing need for cybersecurity professionals to design ways to secure the system.

This is a concern that clearly spans public, private and government sectors, so there has been quite a bit of movement from different directions to meet the demand for people with this specific training.

The federal government has responded by working to categorize and standardize "cybersecurity" work. By doing this, it can raise awareness of the need for workforce planning and allow educational institutions to build a framework for education and training in the field. Via the National Science Foundation, the National Security Agency and the National Institute of Standards of Technology, the government is also funding research, educational opportunities and scholarships in cybersecurity.

In the private sector, there are numerous initiatives underway to address the skill gap, including outreach, private-public partnerships, certification and workforce training.

And in education, we're seeing a push to include more advanced computing skills - including coding - in K-12 curricula. Colleges and universities like Drexel are also offering degree and certificate programs in cybersecurity.

What are the challenges schools are facing when it comes to putting together a curriculum that will turn out industry-ready graduates in this area?

The challenge is twofold.
First, the technical landscape is constantly evolving, and this poses a real challenge for curriculum development. While it is true that most technology-focused disciplines are rapidly evolving, this problem is particularly acute for cybersecurity. One concrete challenge of this ever-changing landscape is in making sure faculty are constantly updating their knowledge in light of new threats.
What proves particularly effective is for universities to maintain a close alignment with industry, to facilitate the rapid exchange of information and ideas. For example, Drexel hosts the monthly meetings of the Philly Security Shell, a meetup group for Philadelphia-area cybersecurity professionals.
Second, the scope of relevant cybersecurity fields has grown to include a wide array of academic disciplines not historically associated with cybersecurity. The modern cybersecurity landscape includes topics such as machine learning, the Internet-of-Things, media forensics, hardware security and secure wireless communications, to name just a few.
Because expertise on these topics comes from a wide array of fields, approaching cybersecurity from an educational perspective means that coursework is not and cannot be contained in any one college.
In the case of our master's degree, students take courses both in the Department of Electrical and Computer Engineering (in the College of Engineering), as well as in the Department of Computer Science (in the College of Computing & Informatics) and work with faculty members from across the university with expertise covering all corners of the cybersecurity landscape.

What are some ways that Drexel and the Isaac L. Auerbach Cybersecurity Institute have worked to overcome these challenges and provide the resources necessary to recruit and prepare students who will become cybersecurity professionals?

As I mentioned, one way to provide students with the latest information about cybersecurity is to work closely with industry professionals. As part of the Cybersecurity Institute’s mission we actively engage with external partners, be they from industry, government, or the military, to draw on their expertise and give them the opportunity to work with our students and faculty.
Last December, we brought in more than 50 leaders from industry, government, academia and the military to discuss the challenges facing our soldiers in navigating careers in cybersecurity. Conversations that came from this have helped to guide the way we prepare our students. And this group will continue to meet to work toward improving solutions to these challenges.
Internally, the Institute also aims to connect with Drexel students through the CyberDragons student group. We founded it in the summer of 2016 in collaboration with professionals at the Susquehanna International Group (SIG) who were interested in working as mentors. Since then, dozens of students who are interested in cybersecurity have gotten involved. And some of them decided to put a team together to participate in the Collegiate Cyber Defense Competition.
After just six months of practice, working closely with mentors from SIG, the group has qualified for the regional finals. This is an enormous accomplishment and it shows just how much can be achieved by partnering with people who are working in the field. In addition to our work with industry, we have also tapped into national resources that are available for institutions of higher education that are interested in developing or updating their cybersecurity degree program and/or curriculum.
One is the National Security Agency's Centers of Academic Excellence (CAE) program. This is rigorous and thorough accreditation of academic programs for both two-year and four-year degree programs. Drexel has been an accredited NSA CAE institution for more than a decade.
Another is the National Cyberwatch Center, a consortium of higher education institutions that provides fantastic education and training resources. Drexel has been a member for more than a year.
There are excellent conferences and meetings on cybersecurity education, including the Colloquium for Information Systems Security Education and the NIST NICE Annual Conference and Expo. Drexel representatives attended both these meetings last year.

How is gaining expertise in this field different than becoming proficient in disciplines like computer science or computer engineering - which are all closely associated with cybersecurity?

In my opinion, cybersecurity is both similar and different from “traditional” computer science and computer engineering. One difference is perception. I find that even among engineering students, who are accustomed to technical work, there is a perception that cybersecurity is a "dark art,' akin to magic.
It is not magic.
It is a technical discipline, like any other, and it may be understood through diligent effort. I think it's important to dispel some of these perceptions - especially as more students are considering this as a career path.
Cybersecurity is different from traditional fields in its philosophy of design. Most computing and engineering fields identify design constraints, performance criteria, and seek to optimize performance within those parameters. Cybersecurity, on the other hand, seeks to either "break" an existing system, or design a new system that is resilient to being "broken." The goal is to build a system that is impervious to bad actors seeking to break the system.
But overall, cybersecurity is really quite similar to other fields within computer science and computer engineering. Moreover, I think all computer science and computer engineering students should do their best to take some cybersecurity courses before they graduate - cybersecurity technical literacy should be a standard requirement for all such students.

What are some ways that students and industry professionals can get involved with the Cybersecurity Institute?

The best way for Drexel students to get involved with the Institute is through the CyberDragons student group. It is open to all students - regardless of knowledge or degree program. Students can find out more about how to get involved with the club by visiting: https://drexel.collegiatelink.net/organization/cyberdragons.
We encourage industry professionals to connect with the Cybersecurity Institute via email at DUCyberPI@drexel.edu. We work extensively with government, military, and industry in many different ways including seminars, sponsored research, joint research proposals, and would entertain other ways to collaborate.

The Student:

Colbert Zhu, is an undergraduate computer science major in the College of Computing & Informatics. He is the founder of Drexel's the CyberDragons student group and one of the team leaders of Drexel's student cybersecurity team. The team, in its first year competing, recently qualified for the regional finals of the National Collegiate Cyber Defense Competition.

What aspects of the field of cybersecurity interested you/attracted you to it?
I've always been interested in how computer hardware and software worked and I feel that cybersecurity adds an additional layer to that. Not only do you have to understand how something works, but what vulnerabilities may lie beneath.

What were the most challenging aspects of preparation for the National Collegiate Cyber Defense Competition?
The most challenging part of preparing for the competition was prioritizing what material we needed to learn. We did not get to start practicing as a team until this past December, so we had to make sure we weren't wasting time on anything superfluous.

What was it like to compete? Was there anything that surprised you?
The virtual qualifier went by very quickly since every second was spent either completing tasks or finding vulnerabilities on the system. The one thing that surprised the team was that only one person could be logged on to a computer at a time. This required us to rethink our initial game plan to adjust to the limited access.

After getting a taste of what the actual job is like, would you consider going into cybersecurity after graduation?
Though the actual job is not as fast-paced as the competition, I do enjoy the challenge of keeping out the red team [the would-be hackers]. I currently have a co-op with Security Risk Advisors as a penetration tester, and I'm definitely considering continuing down the path of cybersecurity after graduation.

How will you adjust practices to prepare for the regional competition?
For the regional competition, we will need to train some of our team in network administration and incident response. On top of this, the rest of our team will continue to learn Windows/Linux administration, along with how to better secure these operating systems.

The Pro:

Chuck Ludwig, is the head of Susquehanna International Group's Information Security team. He has been in the cybersecurity industry for 19 years and is also an adjunct faculty member at Drexel and coach of the student cybersecurity team.

When we talk about jobs in "cybersecurity," that is actually a pretty broad category - what are some of the positions that fall into this field?
Cybersecurity is a field that is broader than many people realize, with many potential roles ranging from highly technical in nature to non-technical. Some of the activities associated with cybersecurity jobs include designing, building, implementing, and operating preventive or detective security controls; actively monitoring and responding to security attacks and threats. Cybersecurity professionals also investigate security incidents or crimes, and test the effectiveness of an organization's security defenses by attacking them (only after being granted permission to do so). They also conduct security assessments and audits and develop security policies, standards and guidelines.
Each organization is unique, having its own unique security requirements and way of approaching cybersecurity, so you'll find that roles can vary greatly from organization to organization. Generally, I tend to see that the larger the organization, the more specialized and diverse the positions tend to be, and vice versa as organizations get smaller in size.

As someone who has worked in corporate information security for a number of years, how have you seen the demands of the job change?
The demands of the job have changed drastically over the years in many ways, but there are two changes that come to mind for me when I think about this.
The first is the change in mindset and approach from thinking that an organization has a reasonable chance of preventing a cyber breach to presuming that they've already been breached and reacting accordingly. I believe that up until about 8-10 years ago, security professionals felt that they could prevent most, if not all, significant cyber attacks from having any substantial impact on an organization. But, because of the explosion of technology and the sharp increase of sophistication and accessibility of cyber attack tactics and tools, security professionals can no longer hope to prevent attacks from being successful - they can only try to detect and respond to them quickly and effectively enough to minimize their impact.
Secondly, I've witnessed that security has ascended from the back offices of the IT department to the boardroom, as security attacks have shown to have a profound impact on the success (or failure) of businesses. It used to be that, for most organizations, security was viewed and managed as an IT function that focused on anti-virus and firewall technologies. But because of the prevalence and lethality of today's cyber threats, many organizations have had to elevate the priority and focus of security and now view cyber attacks as a strategic risk. Security professionals now have to take a bigger picture view of what they do, and have had to become more aligned and integrated with the business than ever before.

What kinds of skills and training does a college graduate need to have in order to be able to enter a position as a cybersecurity professional?
For technical security positions, I believe a strong grasp of networking concepts, internet protocols, operating systems, common applications/services, computer architecture and programming are vital as a foundation. Having a grasp of security attack tactics and techniques, defense measures, basic cryptography and risk-management principles is also very helpful, but can be refined and developed on the job.
Since security has become a business issue for many organizations, good verbal and written communication skills and an understanding of business have become important as well. Security professionals need to be able to talk with the business side, in addition to handling IT. They need to have the ability to understand business models and goals and align what they do in security with those.

What type of student would be successful in a job in cybersecurity, what characteristics/traits are important for someone to be successful in this position?
I find that those students who are curious, passionate about technology, possess an adversarial mindset and like to solve problems/build solutions are most successful in security - particularly in the technical disciplines of security. I like to see students who like to tinker with technology to understand how it works and how it can be used in ways that it was not designed for - particularly from a perspective of an adversary who may look to do harm.
I feel it is important for students to know that these characteristics/traits can be learned over time with practice, and that they are not necessarily "natural" talents that they are born with. It would a mistake for people aspiring to get into security to disqualify themselves because they feel they do not currently possess these traits. If there is a true passion for security, then you can learn all the skills necessary to be successful.

In working with the student team, what were some of the most challenging areas/tasks during the preparation? How did that preparation pay-off during the competition?
When I first started working with the team, most of them were just coming out of their sophomore years and had limited education and hands-on experience in the areas of basic system administration and networking. Since the National Collegiate Cyber Defense Competition is such a hands-on competition and since a huge part of security is about building, configuring and administering systems, applications, and networks securely, it was vital that we took the time to build up the knowledge and experience in these areas.
I know this was probably somewhat disappointing for many of the students because they were eager to jump into learning about how hackers break into systems and the cool tools used to prevent and detect those attacks, but I knew that without this foundational knowledge and experience they would struggle to be competitive. I must say that I am very proud of the students for sticking with the plan, and I hope they have a better appreciation for what security is really about as a result.
I think this relates to a theme that Steve and I have talked about on several occasions: that there is no "dark art" to security. In the case of the competition, as in the real world, success in the security field is simply a matter of having a passion for the field coupled with diligence and effort to learn and master the concepts and skills required to be successful.

Click to see the original article