How can we keep infosec pros a step ahead of the bad guys?
Information security professionals have a tough time of it.
Consider what they have to cope with in today's IT environment: big data meeting BYOD, a combination that is almost an invitation to cyber-espionage. The traditional method of protecting corporate networks was to build a hardened outer shell that restricted access to internal data, the so-called M&M network: hard on the outside, soft in the middle. That outer shell is tough to crack, but attackers have found easier ways into the soft middle, such as using lost or stolen devices, or mining social networks for the details they need to guess or phish usernames and passwords. Once inside, they meet little resistance.
Meanwhile, attacks on individual and corporate digital assets are on the rise, and the black hats get more ingenious every day. Infosec professionals have to stay a step ahead, which means being as well educated and as thoroughly trained in attack techniques as the people they defend against. Going forward, IT security specialists will need to think analytically: not just how to set up security controls, but how to design them so that they protect the business's digital assets without getting in the way of what the business is trying to do.
Focused procedures such as penetration testing and "ethical" hacking are effective at hunting out specific vulnerabilities, but each engagement is a snapshot of one moment in time. A holistic approach to network security, one that covers the whole environment rather than just the perimeter and defends against a broad range of attacks, is better able to adapt as these assaults evolve.
To train for this kind of holistic approach, students in information security courses must practice a variety of defensive techniques, such as configuring access control and designing comprehensive security policies. They must also learn how to conduct an organizational security audit properly, so that they can identify weaknesses, policy violations and the signs of a breach that is already under way.
Universities and colleges are offering courses and projects that prepare and train cybersecurity professionals, and often these courses are specialized and not part of the core curriculum. Moreover, they often remain stuck on rigid, traditional security approaches that lack the flexibility users need in a mobile world. A new approach to cybersecurity protection and related education is needed, one that blends a focus on technology and security techniques with social psychology, risk management, collaboration and overall curriculum integration. An effective educational program is one that recognizes the need for security with flexibility, as part of the entire curriculum -- from entry-level to advanced, and in all classes, whether they are focused on some aspect of technology or on developing leadership skills.
Similarly, an effective curriculum is one that helps students think like professional hackers while guiding them to develop a risk-based approach to security, so that the protective measures applied to key data are proportionate to its value and to the likelihood of attack. The National Security Agency is promoting this new approach to cybersecurity education with its hacking competitions, a hands-on way to showcase potential threats and countermeasures. For their part, universities are moving toward hands-on virtual labs and introducing areas ranging from ethics to social psychology.
Just as vital, though, is the need for cybersecurity education for all students, and not just those studying information technologies. In the end, every user has a role in creating a dynamic mobile environment that offers flexibility while remaining secure.
Lynne Y. Williams is a faculty member in the MSIT program at Kaplan University who has been working with computers and networks since the days of VAX mini-mainframes. The views expressed in this article are solely those of the author and do not represent the views of Kaplan University.
Read more about security in Computerworld's Security Topic Center.