How can we keep infosec pros a step ahead of the bad guys?

Information security professionals have a tough time of it.

Consider what they have to cope with in today's IT environment. You have big data meeting BYOD, a combination that's almost an invitation to cyber-espionage. The traditional method for protecting corporate networks was to create a hardened outer shell that restricted access to internal data -- the so-called M&M network that's hard on the outside but soft in the middle. That external shell is tough to crack, but attackers have found a creative way to get to the soft middle by using lost or stolen devices or employing social networks to glean usernames and passwords.

Meanwhile, attacks on individual and corporate digital assets are on the rise, and the black hats get more ingenious every day. Infosec professionals have to stay one step ahead, and that requires that they be well educated and as thoroughly trained in the dark art of network security as the bad guys. Going forward, IT security gurus will need to think analytically -- understanding not just how to set up security, but also how to craft security solutions so that the business focus is supported while at the same time protecting the business's digital assets.

Focused procedures, such as penetration testing and "ethical" hacking, can be effective at hunting out specific vulnerabilities, but a holistic approach to network security that blankets the perimeter and protects against a broad range of attacks is better able to adapt to the constant evolution of assaults of this type.

To train for this type of holistic approach, students taking information security courses must practice a variety of defensive techniques, such as configuring access control and designing comprehensive security policies. They must also learn how to properly conduct an organizational security audit to identify security breaches and other alerts.

Universities and colleges are offering courses and projects that prepare and train cybersecurity professionals, and often these courses are specialized and not part of the core curriculum. Moreover, they often remain stuck on rigid, traditional security approaches that lack the flexibility users need in a mobile world. A new approach to cybersecurity protection and related education is needed, one that blends a focus on technology and security techniques with social psychology, risk management, collaboration and overall curriculum integration. An effective educational program is one that recognizes the need for security with flexibility, as part of the entire curriculum -- from entry-level to advanced, and in all classes, whether they are focused on some aspect of technology or on developing leadership skills.

Similarly, an effective curriculum is one that helps students think like professional hackers while guiding them to develop a risk-based approach to security -- which ensures that appropriate measures are applied to protect key data. The National Security Agency is promoting this new approach to cybersecurity education with its hacking competitions, a hands-on way to showcase potential threats and countermeasures. For their part, universities are moving toward hands-on virtual labs and introducing areas ranging from ethics to social psychology.

Just as vital, though, is the need for cybersecurity education for all students, and not just those studying information technologies. In the end, every user has a role in creating a dynamic mobile environment that offers flexibility while remaining secure.

Lynne Y. Williams is a faculty member in the MSIT program at Kaplan University who has been working with computers and networks since the days of VAX mini-mainframes. The views expressed in this article are solely those of the author and do not represent the views of Kaplan University.

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityeducationtrainingIT managementindustry verticalsEducation/Training

More about KaplanNational Security AgencyTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lynne Williams

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts