Cybersecurity in theCybersecurity in thePost Secondary EnvironmentPost Secondary Environment

with special emphasis onwith special emphasis onThe Role Of Community Colleges inThe Role Of Community Colleges in

Cyber Security EducationCyber Security Education

Peter SaflundPeter Saflund

Presentation copyright TSI 2003 All rights reserved. Material herein developed in part under a grant from NSF. Opinions expressed herein are those of the investigator and d not represent the opinions of NSF.

The need for “skilled” workers has The need for “skilled” workers has grown from 20% to 65%.grown from 20% to 65%.

20%

20%60%

20%

45%

35%20%

65%

15%

Source: Bureau of Labor Statistics

1950 1991 2000

Professional Unskilled Skilled

But, we are not preparing enough But, we are not preparing enough skilled workers.skilled workers.

No HS Diploma 19%

High School 35%Some College 17%

Associate 7%

Bachelors + 22%

Adults > 25 years

Cybersecurity ConferenceCybersecurity ConferenceWashington DC June 26-28, 2002Washington DC June 26-28, 2002

There There isis a valid role for community college a valid role for community college clientele in cyber security!clientele in cyber security!– Security is a many-front issueSecurity is a many-front issue– Important initial gains will come at the Important initial gains will come at the

adaptation and implementation leveladaptation and implementation level– Transport and application layer first line Transport and application layer first line

defenses are vitaldefenses are vital– ““Everyone” must be security consciousEveryone” must be security conscious

In A Nutshell:

The First Responders Are:

Technicians, Technologists, and Paraprofessionals :

Are on the front lines

Are often the first to know

Educate end users

Gather data and evidence

Advise upper management

Make critical decisions which affect security

And Therefore:

Need education, re-skilling, and certification

The 8 I. T. Career ClustersThe 8 I. T. Career Clusters

Database Database Development and Development and AdministrationAdministration

Digital MediaDigital Media

Enterprise Systems Enterprise Systems Analysis and Analysis and IntegrationIntegration

Network Design and Network Design and AdministrationAdministration

Programming and Programming and Software Software EngineeringEngineering

Technical Support Technical Support

Technical WritingTechnical Writing

Web Development Web Development and Administrationand Administration

Career ClustersCareer ClustersAre clusters of jobs roles characterized by closely Are clusters of jobs roles characterized by closely related Critical Work Functions and Technical Skillsrelated Critical Work Functions and Technical Skills..

Critical WorkFunctions

PerformanceCriteria

Technical Skills

Foundation Skills

Many individual job roles & titles may exist under each career cluster.

In general lateral and vertical mobility within a cluster is readily facilitated.

Before Sept. 11, 2001Before Sept. 11, 2001

Major vulnerabilities were laptopsMajor vulnerabilities were laptops– Theft, loss of dataTheft, loss of data

Desktop workstations vulnerable to virusesDesktop workstations vulnerable to viruses

Defenses primarilyDefenses primarily– Access control softwareAccess control software– Front door to applicationsFront door to applications– Emphasis on authorized usersEmphasis on authorized users

Early 2000s EnvironmentEarly 2000s EnvironmentDon’t inhibit growthDon’t inhibit growth

Don’t slow down accessDon’t slow down access

Don’t impede processesDon’t impede processes

It’s all aboutIt’s all about– Hooking upHooking up– Building outBuilding out– Gurus talking about value of networks Gurus talking about value of networks

increasing geometrically as the number of increasing geometrically as the number of nodes….every business would be web based nodes….every business would be web based or gone….”first movers” had advantage…..or gone….”first movers” had advantage…..

Early 2000sEarly 2000s

Business Growth and ContinuityBusiness Growth and Continuity– Problems seen as event drivenProblems seen as event driven

Attack simulation wasn’t performedAttack simulation wasn’t performed

Network admin proud of hacker’s lack of Network admin proud of hacker’s lack of success (hero after the fact).success (hero after the fact).

Posture primarily Posture primarily – ResponsiveResponsive– ReactiveReactive

Attacks Are RisingAttacks Are Rising

With Increasing Economic CostsWith Increasing Economic Costs

0

2

4

6

8

10

12

14

Melissa Code Red Love Bug W32 Worm

$Billions

1999 2000 2001

Dollars, Identity Theft, & I PDollars, Identity Theft, & I P

050

100150200250300350400450500

Iden. Theft I P Fin. Losses

$Millions

FBI Statistics 2000 - 2002

What’s ChangingWhat’s Changing

New Language EmergingNew Language Emerging– CYBERTERRORISMCYBERTERRORISM– CYBERSECURITYCYBERSECURITY– TRUSTWORTHTY COMPUTINGTRUSTWORTHTY COMPUTING

Government funding coming, but …….Government funding coming, but …….– Need more than rhetoric and ideology.Need more than rhetoric and ideology.– Need recognition that technicians are the “first Need recognition that technicians are the “first

responders” in a cyber attack.responders” in a cyber attack.– Direct $$ to applications as well as research.Direct $$ to applications as well as research.

The Field of Cyber SecurityThe Field of Cyber Security

Some Generalizations - more or less Some Generalizations - more or less validated……..validated……..– At the application level, security skills will be a part At the application level, security skills will be a part

of virtually all technical jobsof virtually all technical jobs– 2-year grads will not have sole responsibility for 2-year grads will not have sole responsibility for

security audits, policies, strategiessecurity audits, policies, strategies– Many incumbent workers will need or desire Many incumbent workers will need or desire

upgrading and / or certificationupgrading and / or certification– Preparatory programs will require infusion more Preparatory programs will require infusion more

than re-inventionthan re-invention– There will be “Demand Pull” for Cyber SecurityThere will be “Demand Pull” for Cyber Security

Because …Because …

MINDSET AND ACTIONS MUST:MINDSET AND ACTIONS MUST:

Become anticipatoryBecome anticipatory

Assume different scenariosAssume different scenarios

Include coordinated actionInclude coordinated action

Inform the greater cyber communityInform the greater cyber community

Labor Demand PictureLabor Demand Picture

89% of business feel a large scale cyber 89% of business feel a large scale cyber attack will be launched within 2 yearsattack will be launched within 2 years

Almost 60% feel their organization is Almost 60% feel their organization is unprepared to defend againstunprepared to defend against

80% feel the US as a whole is unprepared 80% feel the US as a whole is unprepared to defend againstto defend against

Many large scale attacks have occurred Many large scale attacks have occurred but gone unreported (confidence issues)but gone unreported (confidence issues)

Better mousetraps make better miceBetter mousetraps make better mice

Labor DemandLabor DemandRecent ITAA Workforce study:Recent ITAA Workforce study:– 300,000 new openings300,000 new openings

Robert Half Technology:Robert Half Technology:– Highest growth rates are in Network Design and Highest growth rates are in Network Design and

Administration and Web / Internet (40% of total)Administration and Web / Internet (40% of total)– Network security admin $61K - $85KNetwork security admin $61K - $85K– Systems security admin $62K - $86KSystems security admin $62K - $86K

$633 Billion e-business volume ($633 Billion e-business volume (W.O.W.W.O.W.):):– Behind all this is technicians and technologistsBehind all this is technicians and technologists

I T is now an indispensable partner in most I T is now an indispensable partner in most businessesbusinesses

2 Main Program Areas2 Main Program Areas

Preparatory Preparatory – Two year professional Two year professional

technical degreestechnical degrees– Two year computer Two year computer

science transfer science transfer degreesdegrees

– Institutional certificatesInstitutional certificates– ““I T Minor” for I T Minor” for

business or sciencesbusiness or sciences– CertificationCertification

Incumbent and re-Incumbent and re-careering workerscareering workers– UpgradingUpgrading– CertificationCertification– Clock hour certificatesClock hour certificates– ““Go-To” for “lifelong” Go-To” for “lifelong”

learninglearning– Career progressionCareer progression– Workforce Workforce

developmentdevelopment

Possible Content AreasPossible Content AreasSystems maintenance, patches, upgradeSystems maintenance, patches, upgrade

Content securityContent security

Data assuranceData assurance

Physical securityPhysical security

User educationUser education

Detection (hacks, probes, etc.)Detection (hacks, probes, etc.)

Deterrence (fire walls, honey pots, etc.)Deterrence (fire walls, honey pots, etc.)

Forensics (evidence gathering, preservation)Forensics (evidence gathering, preservation)

Policy developmentPolicy development

Forward planning and professional developmentForward planning and professional development

Preparation for certificationPreparation for certification

Critical Work Functions

Curriculum

IntegratedActivities

Assessments

Certifications

VendorVendorNeutral

Authentic

Involving

Specifications

Authentic Holistic

Articulation

What About Security What About Security Certification?Certification?

Tier 1 - Professional Mgmt. (CISSP, CSSA)

Tier 2 - Vendor Specific

(Oracle, Checkpoint) and Vendor Neutral (CIW- SCNP)

Tier 3 - Vendor Neutral

Entry Level & Recarering (S+)

Linear ModelLinear Model

Computer Science

TraditionalPre engineering

TechnicianPara-

professional TechnicalPrograms &

Con. Ed.

4-yearUniver-

sity

WorkPrior Work

Co. TrainingPrior edu.

Prior Certs.

Certificate

Degree

Certification

More RealisticMore Realistic(Messy Organic Process)(Messy Organic Process)

Work Exp

TechnicalEducation

“Some” College

Certification

Work Exp

CorporateClassroom

ContinuingEducation

TechnicalEducation

UpgradingRe-skilling

Promotion

The Good NewsThe Good News

Strategies for SuccessStrategies for SuccessUse skill standards to set agreed-upon Use skill standards to set agreed-upon expectations expectations Hold the courseHold the courseWork with local business / industry to develop / Work with local business / industry to develop / refine contentrefine contentMake appropriate use of certificationsMake appropriate use of certificationsDevelop methods to rapidly infuse the latest Develop methods to rapidly infuse the latest security topics and content into curricula, security topics and content into curricula, activities, and assessmentsactivities, and assessmentsDifferentiate between technical and transfer Differentiate between technical and transfer outcomes as appropriateoutcomes as appropriateImplement a comprehensive plan for faculty Implement a comprehensive plan for faculty professional developmentprofessional development

Doing Less With LessDoing Less With LessMore collaborationMore collaboration

InfusionInfusion

Maximize CRMMaximize CRM

Get “appropriated” $$ authorizedGet “appropriated” $$ authorized

Existing and new NSF centers can helpExisting and new NSF centers can help

Take advantage of advantagesTake advantage of advantages– Clear and present solutionsClear and present solutions– Business is “IT – dependent”Business is “IT – dependent”– Flexible cost – effective deliveryFlexible cost – effective delivery

Some Closing IssuesSome Closing Issues

““Parallel Universes” (Parallel Universes” (AdlemanAdleman))– Relative value of credentials?Relative value of credentials?

Qualify Market OpportunityQualify Market Opportunity– Remember “dot-com entrepreneurs?”Remember “dot-com entrepreneurs?”

Re-Skilling the incumbent workforceRe-Skilling the incumbent workforce– What part of this is really new?What part of this is really new?

Maintain perspectiveMaintain perspective– Perimeter defenses will not the sole answer. Perimeter defenses will not the sole answer. – It is “impossible” to secure a digital system from It is “impossible” to secure a digital system from

digital attack.digital attack.

More InformationMore Information

T S IT S I– http://www.saflund.orghttp://www.saflund.org– info@info@saflundsaflund.org.org– 253.630.5326253.630.5326