CyberSeek resource for cybersecurity career information

NIST, in partnership with burningglass and CompTIA recently introduced  the CyberSeek resource for cybersecurity career information.   Per the NIST press release:

The CyberSeek tool fills in knowledge gaps so policy makers, employers, security professionals and others will have greater visibility into the demand for cybersecurity professionals around the country. It will allow them to see the skills and types of workers that employers are looking for, as well as the true supply of professionals to fill those positions.

If you are looking for that initial job in cybersecurity, identify the skills you need to improve, or get ideas on how you can progress in your cybersecurity career I highly recommend spending a few minutes on CyberSeek.org

 

NIST publishes draft Cybersecurity Workforce Framework

It probably comes as no surprise to most that demand for cybersecurity professionals continues to rise.  The U.S. Department of labor projects an 18% growth in computer and mathematical occupations during the period 2012-2024. Unfortunately, 52% of IT professionals surveyed in a recent ISACA and RSA Conference survey stated that fewer than 25% of all job applicants were qualified.

One effort to address these shortfalls was recently updated with the publishing of the draft NIST Cybersecurity Workforce Framework (NCWF), NIST SP 800-181.  The NCWF provides information about cybersecurity work roles, the tasks performed by individuals filling those roles, and the knowledge, skills, and abilities needed to complete those tasks successfully.  The document is open for public comment through January 6, 2017.

*Additional cybersecurity workforce demand statistics  are available in this infographic published by the National Initiative for Cybersecurity Education here.

An Introduction

I wanted to take a quick moment to introduce myself.  I’m Professor Douglas Rausch and have recently taken over the role of the Cybersecurity Program Director from Professor Ron Woerner.  Ron has moved back to industry but don’t worry, he is still an adjunct Professor in the program at Bellevue and I’m sure will still be an active contributor to this blog.

I joined the full-time faculty at Bellevue about a year ago after serving in an adjunct position for about a year and a half.  Although I taught across both the undergraduate and graduate programs my focus was as director of the undergraduate cybersecurity program. That changed with Ron’s departure and I now oversee both programs.

Prior to joining the University, I spent 26 years in the Air Force as a communications and cyber operations officer.  It was great fun and an exciting time.  As with all of our instructors, I use those ‘on the job’ experiences to take the foundational concepts we teach in the classroom and provide thoughts on their application to the challenges you will meet each day as a cybersecurity professional.

rausch-web-hs-medWell, that’s a little bit about me.  I’m looking forward to using this forum to discuss the evolving world of cybersecurity as well as some of our activities here at the University.

Cheers
Doug

Accelerating cybersecurity education to meet industry demands

Seasoned information security professionals now have another flexible option to complete a Masters of Science in Cybersecurity, with the Bellevue University accelerated cohort format. The new online degree program enables students to complete their degree in about 14 months, alongside other professionals in their field. The cohort group will take all of the required courses together and finish at the same time, sharing experiences and expertise along the way.

There are twelve classes taken two classes at a time, each lasting nine weeks following a set agenda.  All of the classes are held online, which enables flexibility with student schedules. When students complete the program, they will have attributes, knowledge, and skills needed by industry as a master information security professional.

The faster pace of these classes requires students to enter the program with a set of knowledge, skills and abilities in information security. Students accepted into the accelerated cohort format must be seasoned professionals with a Bachelor’s Degree in Computer Science, Computer Information Systems, or Information Assurance/Cybersecurity, at least ten years of directly applicable information security experience, a major security certification (CISSP, CISA, CISM), and notable communications skills (published or spoken at conferences).  This allows a common frame of reference and skill level among all students.  In other words, students are learning with their peers and are able to share common problems and collaborate on solutions.

This program will be led by Ron Woerner, who has extensive academic and industry experience.  [See his bio here at http://academic2.bellevue.edu/rwoerner/.]  Ron is looking to work with students as professionals rather than the traditional teacher-student relationship.  Participants are encouraged to leverage their experiences and knowledge in completing the course work.  “I love joining people in their educational journey and learn alongside them.  I see my job as coaching them to that next level of their career rather than professing what I know down to them,” says Ron.

Students lacking the certifications and experience are encouraged to enter the traditional Masters of Cybersecurity program. This format allows students to take 1 or 2 classes per quarter term.  Twelve courses are required for graduation, however the traditional program allows students to pick their class schedule and concentration classes based on their preference.  This is more suited for people transitioning into the cybersecurity career field or looking for a more flexible program.

For more information on the Bellevue University Masters of Science in Cybersecurity programs, go to http://www.bellevue.edu/degrees/master/cybersecurity-ms/.

RWoerner-Class

Breaking into Security – 2015

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity.  Traits to be successful in cybersecurity include:

  • Curiosity – A wonder on how and why things work
  • Critical Thinking – goes with #1. You need to go beyond the obvious
  • Communications skills – you can find the coolest things, but if you can’t effectively let others know, it’s like a tree falling in the forest
  • Technical Skills – You need to know your way around a computer
  • Maturity – Stuff happens. You need to be able to keep your head when all h311 is breaking lose.

The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

The best of times and worst of times in security education

[Note: This article was originally posted on the ‘Educating Next-Gen Cybersecurity Leaders‘ blog on CSOOnline.com.]

“It was the best of times. It was the worst of times.” No, I’m not talking about Dickens’ A Tale of Two Cities. I’m talking about the Internet Age where we have powers beyond our ancestor’s imagination literally at our fingertips. We can work, play, and communicate from almost anywhere and anytime. The flip side is the dangers where people, systems, and data are breached on an all-too-frequent basis. Since you’re reading this, none of it is new to you. What may be new is how Education Technology is rapidly evolving to meet the needs of both students and industry, which epitomizes the best of times and the worst of times.

As a security professional, you may not be aware of all that’s happening in the world of Education Technology (#EdTech) and how it affects the security community. Teachers are using a wide variety of tech tools from smartphones and tablets to Internet applications like Google Docs, Twitter, Edmodo, Udemy, etc. Classrooms are being flipped to be student-focused rather than the traditional ‘sage on the stage’ lecture. The cloud has reached the classroom to where students learn from almost anywhere, anytime from any computing platform. Academic institutions at all levels (K-12, colleges, and universities) are scrambling to keep up with the rapid pace of technology.

Study after study shows we’re lacking combatants on the cyber battlefield to take up both offensive and defensive roles. Steve Morgan’s Cybersecurity Business Report validates this need in the posts Cybersecurity job market to suffer severe workforce shortage and Worldwide cybersecurity market continues its upward trend. He offers some solutions such as, “parents sending their kids to cybersecurity school,” and “getting a Master’s Degree in Cybersecurity.” However, there are underlying issues preventing these from being complete solutions.

One is the disconnection between what’s required by the security industry and what’s currently provided in academia. The body of knowledge for cybersecurity professionals requires such a wide berth that covering all of those areas at any depth is nearly impossible in the traditional classroom. Educators are forced to focus on some areas, while dropping others. They usually pick what’s easiest to teach in the classroom or their interest area or specialty, rather than what’s most needed in the ‘real-world.’

Then there’s the issue of developing essential professional skills such as hands-on technical know-how, real-world problem solving, and fundamental collaboration / communications abilities. Standardized, multiple choice (guess) tests only go so far. Creating and then grading assignments to meet these needs is much easier said than done. Educators at all levels need to be connected with industry professionals to understand and meet the burgeoning needs of not only what’s being taught, but also how.

There are many great activities promoting the next generation of security leaders. Conferences are getting kids involved in safe arenas to learn cybersecurity and practice their skills. Examples include the RSA Conference’s Cyber Safety Village, R00tz held in conjunction with BlackHat/DefCon, and the Hak4kidz conferences.

Cyber competitions promoting both offensive and defensive skills are also available to students from elementary school up through graduate studies. Examples of this area include US CyberPatriot, the ISC2/MITRE Cyber Challenge 2015, and National Collegiate Cyber Defense Competition (CCDC).  Dr. Dan Manson from California State Polytechnic University, Pomona, is consolidating information on the Cybersecurity Competition Federation website.

If you have a cybersecurity competition or kids’ event you’d like promoted in this blog, please let me know.  More information on all of these resources will be coming in future posts.

We have many opportunities to work together to solve this problem of developing more and better students with cyber savvy skills. We need you to join us in educating, training, and preparing the next generation of security leaders.

Hacker High at the 2015 RSA Conference

On Tuesday, April 21, I am leading a Peer-to-Peer (P2P) session at the RSA Conference in San Francisco. The title is “Hacking High: Teaching Our Kids Vital Cyber Skills.” The premise is that we need more kids with cyber smart skills, but they aren’t educated enough on the underlying technologies. This discussion explains those issues and brainstorms ideas for solving them. As the US CyberPatriot mentor of the year, Ron Woerner will talk about his experiences and show you how you can get involved in your community. See more at: https://www.rsaconference.com/events/us15/agenda/sessions/1879/hacking-high-teaching-our-kids-vital-cyber-skills#sthash.NxeQRUQm.dpuf

I was interviewed by Fahmida Y. Rashid, the Editor-in-Chief of the RSA Conference about the session. Her questions along with my answers are below.

1. Who are the attendees who will most benefit from—and contribute to—this peer2peer session? Do you have a specific role or job title in mind? Or even the kind of skills and mindset you are looking for?

The Peer-to-Peer session, “Hacking High: Teaching Our Kids Vital Cyber Skills” is for anyone who sees the great need in our industry for developing skilled cybersecurity professionals. This could be hiring managers, security trainers and educators, or anyone with the passion for building the next generation. This session will explain the issues and brainstorm solutions for meeting that need. There are many great opportunities for existing security professionals to work with the new generation. This goal of this session is to show them easy ways to be part of the solution.

2. Why do you believe that your topic is important for the information security industry—and your attendees—to be thinking about?

We’re in a national crisis. There is a continued need for more skilled cybersecurity professionals, yet we don’t have a consolidated plan for building people with those skills. Additionally, many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources and personal knowledge to teach technology to teenagers.

The articles below demonstrate the need:

•  “Demand to fill cybersecurity jobs booming” – http://peninsulapress.com/2015/03/31/cybersecurity-jobs-growth/
•  Cybersecurity’s hiring crisis: A troubling trajectory –http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
•  Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf

There are solutions available, but we need to work together as an industry to implement them. My simple solution is to teach hacking in schools. Kids will do it anyway, so we might as well guide them to keep them out of trouble and develop those critical skills. Everyone I talk with agrees that we need to start teaching IT and cybersecurity skills earlier in schools, but we don’t have a plan to do it. One of the solutions I will discuss is the role of cybersecurity and hacking competitions for 7-12 grade students. As the 2013-2014 Air Force Association CyberPatriot Mentor of the Year, I will be sharing my experiences with participants to show how easy it is to get involved and the many rewards in doing so.

3. Can you describe one or two things you would like the attendees to think about prior to the session, as a way to prepare themselves for the discussion?

Two things I’d like attendees of my session to consider is:

1.  How is your community or school system educating the younger generation to prepare them for the multitude of IT and Cybersecurity careers? Is a cybersecurity curriculum in place? If so, what does it contain?
2.  What are solutions for filling that gap? How can we work together to implement those solutions for our school aged kids.

This allows attendees to understand the problems and then be able to generate and implement solutions for addressing the needs.

4. What kind of outcome are you hoping for at the end of the session? What will attendees walk away with afterwards?

We need more security professionals to lead the education of our next generation. We can’t just leave it to the teachers. Attendees of the “Hacking High” session will fully understand the issues and come away with actionable ideas to be part of the solution. They will hear from other industry experts who are doing successfully doing it in their community to everyone’s benefit. They will see the bright star of hope to meet the critical needs of our industry in a fun and safe way, by teaching hacking in high school.
For more information on these topics, please see my blog entries:

• Why Aim for the Ground? Teaching our kids the right computer skills
• Hacker High – Why we *need* to teach hacking in school
• Lock IT Down @ CYBER++

We all need to work together to solve this international issue. In doing so, we not only build up a new generation, but build ourselves as well.

Loose Lips Might Sink Ships

Are you watching what you are telling your neighbors?  Do you guard information in your care to make sure only those people with a need to know can see it? Hopefully, you’re not accidentally letting any secrets slip.  It could be disastrous if confidential information got out to your competitors.  It could hurt your sales, your stock price and your reputation.

It happens in a variety of ways: accidental disclosure, carelessness in storage and protection, and corporate espionage.  Many times, it happens because people are not always conscious about how they handle sensitive information.  Employees are often the greatest threat in the compromise of sensitive information.

Following the simple steps below will help assure your ship is not sunk by loose lips:

1. Know your information.  Is the information you handle sensitive or confidential?  What would be the damage if it gets out to the public or one of our competitors?

2. Label sensitive, proprietary or confidential information.  You may know that the information is sensitive, but do your co-workers?  This is solved by labeling the document or data source as confidential.

3.Stop and think before doing anything with the information.  You should be conscious on how you use the information and where you store it. Don’t share it with someone who doesn’t need to know.

4. Protect sensitive, proprietary or confidential information.  This is a separate article by itself. In general here are some things you can do:

  • Place it in a secure location (not the public folder or even your laptop hard drive).
  • Better yet, don’t store a copy outside of a protected area.  Your PCs hard drives are neither secure nor protected.  If you don’t need a copy of a document, then don’t keep it on your computer.
  • Don’t send it to an outside email address unless absolutely necessary.
  • Encrypt it (using a tool like Microsoft Bitlocker)
  • Remove any extra copies of sensitive documents.  Maintain originals in a secure location and get rid of all other copies.

5. Ask for help.  Work with your security department.  If you are the security department, ask for help from others.

6. Be on the lookout.  Inform security if you find sensitive information that you shouldn’t be able to see.  It’s not to get someone else in trouble, but to protect your company.  Security should collaborate with the originator to ensure its proper protection.

These may seem like simple ideas, but they are still overlooked. A little time in security now can save many headaches later.