In my last post, I laid out the Yogi Berra theorem; to wit, “You aren’t secure, if you aren’t secure.” I also pointed out that cybersecurity is fragmented into a number of camps, all of whom claim that they have the answer, but none of whom address all of the problem.
It should be obvious from the initial statement (i.e., that we need to cover all of the bases in order to be rightfully secure) that the key step in that process is to get everybody rowing the boat in the same direction. That poses the crucial question: “How do we do that?”
The answer is education. Historically, we ensure correct societal behavior through commonly accepted norms. The historical role of education has been to convey those norms, which makes it the logical way to shape a true profession of cybersecurity. Still, there are a number of systemic and cultural challenges that have to be overcome before education can do that.
First, according to a report from the National Academies of Sciences, cybersecurity is an emerging field. So, until recently it hasn’t been clear what we ought to teach. Worse, all evidence points to the fact that whatever we should be teaching is cross-cutting. Basically, critical elements of the field reside in areas of academe as diverse as engineering, business, and law.
People who are not academics may not realize the implications of such divergence. But the people in each of those cultures have very different views about what is important, and those views tend to be encased in stovepipes. Perhaps more important, all of these disciplines compete for students. Thus, each program of study is likely to stress the importance and value of its own discipline’s thinking, to the exclusion of anybody else’s.
Cultural difference also raises the question of “to aggregate, or not to aggregate.” If we leave the teaching of cybersecurity in diverse places, we aren’t going to get a consistent message, let alone evolve the field into a mature discipline. However, if we pull all of cybersecurity education into a single place, that raises the question, “Where should we put it?”, since engineers won’t play well with lawyers and vice versa.
Finally, the term “holistic” has been used to describe what must happen in order for the solution to be correct. But the problem is that America’s business, governmental and academic leaders still have a 1990s view of the study of cybersecurity.
That view sees cybersecurity as a technical discipline founded in the mathematical domain of computer science. Yet over seventy percent of the current losses are due to human behavior, which is too volatile to be captured by linear methods. Hence, there is clearly something missing from our current understanding, and that missing ingredient has to be addressed before we have a true profession of cybersecurity.
Which returns us to the question of what to teach. Obviously, all of the players have to be on the same page if you want a holistic solution. So logically, the first requirement is to bring every potential contributor into the main tent. In essence, the key concepts for the discipline all have to be identified and amalgamated into a single unifying model of the field, one that has real-world currency.
Since the knowledge base is cross-cutting, we are also going to have to get agreement among all the relevant disciplines about precisely what those key concepts are. In academe, the learned societies are the accepted agents for obtaining common agreement. Computing has three such societies: the ACM (computer science), IEEE (software engineering), and AIS (information systems). In 2017, those three came together as a single entity to produce the first fully sanctioned, joint definition of the field.
That is CSEC2017 (http://cybered.acm.org/). The CSEC lays out the complete set of requirements for professional study in the same manner as the AMA does for doctors and the ABA does for lawyers. In the Societies’ view, cybersecurity has eight generic knowledge elements, and these elements constitute the profession. They are: 1) Data Security, 2) Software Security, 3) Component Security, 4) Connection Security, 5) System Security, 6) Human Security, 7) Organizational Security, and 8) Societal Security.
So, here’s the point. Although the first five knowledge elements are the usual suspects, the presence of Human, Organizational and Societal security requirements is revolutionary, in that it pulls behavioral principles into the solution.
That is not merely a small step in the right direction. It is a giant leap in ensuring a capable professional, in that it breaks up existing stovepipes. It should be obvious that the solution will never lie with self-interested factions competing to have the right answer. It lies in a unified vision of a new and separate field built on knowledge from a relevant range of sources. The CSEC is the first official attempt to create that common vision and that’s why it’s important to the profession.
Bio:
In addition to my own teaching, research and publication program, I am accountable for developing innovative research programs in cybersecurity. I am also responsible for leadership in all aspects of curriculum design and development for a National Center of Excellence in Information Assurance Education (CAE/IAE). Courses taught include:
Graduate Secure Software Management
Graduate Software Assurance
Graduate Information Assurance Principles