Transcript PowerPoint Presentation - Cybersecurity in the Community

Cybersecurity in the
Post Secondary Environment
with special emphasis on
The Role Of Community Colleges in
Cyber Security Education
Peter Saflund
Presentation copyright TSI 2003 All rights reserved. Material herein developed in
part under a grant from NSF. Opinions expressed herein are those of the
investigator and d not represent the opinions of NSF.
The need for “skilled” workers has
grown from 20% to 65%.
20%
20%
15%
20%
35%
60%
20%
45%
1950
1991
Professional
Unskilled
65%
2000
Skilled
Source: Bureau of Labor Statistics
But, we are not preparing enough
skilled workers.
No HS Diploma
19%
Bachelors + 22%
Associate 7%
High School 35%
Some College
17%
Adults > 25 years
Cybersecurity Conference
Washington DC June 26-28, 2002
There is a valid role for community college
clientele in cyber security!
– Security is a many-front issue
– Important initial gains will come at the
adaptation and implementation level
– Transport and application layer first line
defenses are vital
– “Everyone” must be security conscious
In A Nutshell:
The First Responders Are:
Technicians, Technologists, and Paraprofessionals :
Are on the front lines
Are often the first to know
Educate end users
Gather data and evidence
Advise upper management
Make critical decisions which affect security
And Therefore:
Need education, re-skilling, and certification
The 8 I. T. Career Clusters
Database
Development and
Administration
Digital Media
Enterprise Systems
Analysis and
Integration
Network Design and
Administration
Programming and
Software
Engineering
Technical Support
Technical Writing
Web Development
and Administration
Career Clusters
Are clusters of jobs roles characterized by closely
related Critical Work Functions and Technical Skills.
Many individual
job roles & titles
may exist under
each career
cluster.
Foundation
Skills
Critical Work
Functions
Technical
Skills
Performance
Criteria
In general lateral
and vertical
mobility within a
cluster is readily
facilitated.
Before Sept. 11, 2001
Major vulnerabilities were laptops
– Theft, loss of data
Desktop workstations vulnerable to viruses
Defenses primarily
– Access control software
– Front door to applications
– Emphasis on authorized users
Early 2000s Environment
Don’t inhibit growth
Don’t slow down access
Don’t impede processes
It’s all about
– Hooking up
– Building out
– Gurus talking about value of networks
increasing geometrically as the number of
nodes….every business would be web based
or gone….”first movers” had advantage…..
Early 2000s
Business Growth and Continuity
– Problems seen as event driven
Attack simulation wasn’t performed
Network admin proud of hacker’s lack of
success (hero after the fact).
Posture primarily
– Responsive
– Reactive
Attacks Are Rising
With Increasing Economic Costs
14
12
10
$
Billions
8
6
4
2
0
Melissa
1999
Code Red
Love Bug W32 Worm
2000
2001
Dollars, Identity Theft, & I P
$
Millions
500
450
400
350
300
250
200
150
100
50
0
Iden. Theft
IP
Fin. Losses
FBI Statistics 2000 - 2002
What’s Changing
New Language Emerging
– CYBERTERRORISM
– CYBERSECURITY
– TRUSTWORTHTY COMPUTING
Government funding coming, but …….
– Need more than rhetoric and ideology.
– Need recognition that technicians are the “first
responders” in a cyber attack.
– Direct $$ to applications as well as research.
The Field of Cyber Security
Some Generalizations - more or less
validated……..
– At the application level, security skills will be a part
of virtually all technical jobs
– 2-year grads will not have sole responsibility for
security audits, policies, strategies
– Many incumbent workers will need or desire
upgrading and / or certification
– Preparatory programs will require infusion more
than re-invention
– There will be “Demand Pull” for Cyber Security
Because …
MINDSET AND ACTIONS MUST:
Become anticipatory
Assume different scenarios
Include coordinated action
Inform the greater cyber community
Labor Demand Picture
89% of business feel a large scale cyber
attack will be launched within 2 years
Almost 60% feel their organization is
unprepared to defend against
80% feel the US as a whole is unprepared
to defend against
Many large scale attacks have occurred
but gone unreported (confidence issues)
Better mousetraps make better mice
Labor Demand
Recent ITAA Workforce study:
– 300,000 new openings
Robert Half Technology:
– Highest growth rates are in Network Design and
Administration and Web / Internet (40% of total)
– Network security admin $61K - $85K
– Systems security admin $62K - $86K
$633 Billion e-business volume (W.O.W.):
– Behind all this is technicians and technologists
I T is now an indispensable partner in most
businesses
2 Main Program Areas
Preparatory
– Two year professional
technical degrees
– Two year computer
science transfer
degrees
– Institutional certificates
– “I T Minor” for
business or sciences
– Certification
Incumbent and recareering workers
–
–
–
–
Upgrading
Certification
Clock hour certificates
“Go-To” for “lifelong”
learning
– Career progression
– Workforce
development
Possible Content Areas
Systems maintenance, patches, upgrade
Content security
Data assurance
Physical security
User education
Detection (hacks, probes, etc.)
Deterrence (fire walls, honey pots, etc.)
Forensics (evidence gathering, preservation)
Policy development
Forward planning and professional development
Preparation for certification
Authentic
Specifications
Articulation
Integrated
Activities
Curriculum
Involving
Critical Work
Functions
Assessments
Certifications
Authentic
Holistic
Vendor
Vendor
Neutral
What About Security
Certification?
Tier 1 - Professional
Mgmt. (CISSP, CSSA)
Tier 2 - Vendor Specific
(Oracle, Checkpoint) and
Vendor Neutral (CIW- SCNP)
Tier 3 - Vendor Neutral
Entry Level & Recarering (S+)
Linear Model
Computer
Science
Technician
Paraprofessional
Traditional
Pre engineering
Prior Work
Co. Training
Prior edu.
Prior Certs.
4-year
University
Work
Technical
Programs &
Con. Ed.
Certificate
Degree
Certification
More Realistic
(Messy Organic Process)
“Some”
College
Work Exp
Technical
Education
Work Exp
Technical
Education
Certification
Re-skilling
Corporate
Classroom
Continuing
Education
Promotion
Upgrading
The Good News
Strategies for Success
Use skill standards to set agreed-upon
expectations
Hold the course
Work with local business / industry to develop /
refine content
Make appropriate use of certifications
Develop methods to rapidly infuse the latest
security topics and content into curricula,
activities, and assessments
Differentiate between technical and transfer
outcomes as appropriate
Implement a comprehensive plan for faculty
professional development
Doing Less With Less
More collaboration
Infusion
Maximize CRM
Get “appropriated” $$ authorized
Existing and new NSF centers can help
Take advantage of advantages
– Clear and present solutions
– Business is “IT – dependent”
– Flexible cost – effective delivery
Some Closing Issues
“Parallel Universes” (Adleman)
– Relative value of credentials?
Qualify Market Opportunity
– Remember “dot-com entrepreneurs?”
Re-Skilling the incumbent workforce
– What part of this is really new?
Maintain perspective
– Perimeter defenses will not the sole answer.
– It is “impossible” to secure a digital system from
digital attack.
More Information
TSI
– http://www.saflund.org
– [email protected]
– 253.630.5326