© 2015 IBM Corporation
Shaping security problem solvers: Academic insights to fortify for the future
May 2015
Cybersecurity is growing in all directions:
As a field, it continues to expand with the endless march of technology.
As a concern, it weighs heavier on business leaders in light of recent breaches.
And in universities, demand for security programs is on the rise.
The IBM Center for Applied Insights, as a follow-up to its recent CISO Assessment, Fortifying for the future, interviewed a group of cybersecurity academics to examine how business and academia converge in this matter.
Do professors have a unique perspective on the problems facing today’s security leaders?
The interviews demonstrated that academics are addressing key security challenges by adapting their educational approach.
Business problem: Security teams often playing catch-up with attackers
Academic solution: Produce versatile experts who use predictive and behavioral analysis
Business problem: Lack of communication all the way up to executive level
Academic solution: Train students to be facilitators between technology and business
Business problem: Mobile and Internet of Things are growing security hurdles
Academic solution: Create holistic curriculum that examines these technologies
Business problem: Enterprises need to share more information
Academic solution: Provide a platform for business leaders to converse
Today’s security posture feels untenable. It’s near impossible to keep up with the ceaseless evolution of hacking technology while also plugging every hole in a system.
The attacker always has an advantage because the defender has to understand and patch every single potential vulnerability in the organization.
Organizations need to move up the attack chain and see when we're being reconnoitered and surveilled from the very beginning, when the door is being knocked on before they even get in and cause a mess.
Business Problem: Security teams often playing catch-up with attackers
Associate Professor of Managed Information Security, United States
Faculty Director, Financial Services Analytics PhD Program, United States
Professor, Computer engineering, Switzerland
Academic Director, Infrastructure Planning and Management, United States
The creativity of the attackers is incredible. They are always a step ahead, and that’s what makes the problem difficult.
If you only rely on the technology, it's always a catching game, it's always a reactive game. You're never going to win this way.
Universities are training students to stay ahead of attacks by practicing proactive and aggressive skills, while also understanding the mindset of their enemies.
Academic Solution: Produce versatile experts who use predictive and behavioral analysis
You have to first regard the incentive issues. Why do they want to attack? I mean you have to know the psychology, the incentives.
The key is the ability to develop a new skill set where people can adapt to changing environments versus teaching state-of-the-art routines in cybersecurity.
We’ve added a significant amount of offensive content to our curriculum. We’re doing some big data research to try to characterize attack flows based on network signatures.
Faculty Director, Financial Services Analytics PhD Program, United States
Associate Professor of Managed Information Security, United States
Professor of Computer Science and Electrical Engineering, United States
Finding a security solution is only half the problem—you also need to be able to convey it in a manner that non-technical colleagues understand. Communication challenges can persist even at the C-level.
I've seen the glazed look on CEOs’ faces because the people that understand cybersecurity can't speak in the language that they get.
It’s much easier to find a technologist that specializes within a particular domain than it is someone who can be a generalist and work effectively in areas like management, governance and budgeting.
Business Problem: Lack of communication all the way up to executive level
Department Chair, Mathematics and Computer Science, United States
Chair of Computer Information and Network Security, United States
University CISO, United States
It's extremely in demand and rare to find people with good business background who also understand the technology, and vice versa.
The CIO and the CISO—there is no collaboration between them, because the IT department thinks somebody's interfering in their work.
Academic Director, Infrastructure Planning and Management, United States
By integrating business components into technical programs—and vice versa—universities hope to create employees with an interdisciplinary skill set who can not only build solutions, but explain them too.
Academic Solution: Train students to be facilitators between technology and business
I spend one-tenth of the course on heavy technical controls. The other nine-tenths of the course cover things that aren’t technical. It’s much more process oriented, people oriented, governance oriented.
Cybersecurity has evolved, and the education has evolved correspondingly. It's moved from being primarily technical and hands-on to incorporating more management, leadership and policy.
The goal of our program is for students to become that translator between senior executives and the technology people.
University CISO, United States
Director, Managed Security Information Program, United States
Academic Director, Infrastructure Planning and Management, United States
The proliferation of devices and sensors pleases users, but every new connection to the Internet also creates a possible vulnerability that must be secured.
The more things you have connected, the more potential entry points you have. Security becomes more and more complex in that sense.
People are starting to now figure out that their cell phone could be a piece of evidence in a crime.
Business Problem: Mobile and the Internet of Things are growing security hurdles
Director, Center for the Application of Information Technology, United States
Department Chair, Mathematics and Computer Science, United States
Many individuals use these mobile applications, these gadgets, but they have very little idea what is really going on. So the first thing should be awareness.
Your toaster is going to have a device on it, your thermostat in your house is going to have a device on it. A lot of those kinds of things are being developed without a tremendous amount of thought given to security.
Chair of Computer Information and Network Security, United States
Director, Center for the Application of Information Technology, United States
To mimic real-world conditions, universities are shifting the classroom balance toward device and sensor security, with an emphasis on new research into these areas.
Academic Solution: Create holistic curriculum that examines these technologies
We’re staying current in the technology fields. Many more universities now have mobile security elements than they did in perhaps 2010 or 2011.
We have to change the definition of cybersecurity to reflect the new technology that we have today, with the advances of smart devices and the Internet of Things.
It's going to be an evolution. We're doing more on mobile device security, BYOD. All that stuff is huge. And we're doing it.
Director, Center for Autonomic Computing, United States
Chair of Computer Information and Network Security, United States
Director, Managed Security Information Program, United States
In an age when safeguarding data is an ultimate priority, sharing information might seem counterintuitive. But companies need to keep each other apprised to aid the collective effort.
The antivirus industry is well-established. They do a lot of analysis and detection of malware, and they do it well. But only a few of the companies actually are open with their findings.
I understand the leaders' viewpoint: nobody wants to say that their organization was hacked, because it doesn't look good. But if they can share information, it will help another organization.
Business Problem: Enterprises need to share more information
Associate Professor of Managed Information Security, United States
Department Chair, Mathematics and Computer Science, United States
Academia values the communication of new discoveries, while the industrial community values privacy. There are certainly companies out there that don’t want to share things that they’ve understood.
If somebody asks me, “Could we use your material?” then I would of course say yes. On the level of the institution, I’m not aware of such cooperation.
Professor, Computer engineering, Switzerland
Professor, Computer engineering, Switzerland
Universities are hosting security conferences so that business executives can share information with each other while also influencing the curriculum.
Academic Solution: Provide a platform for business leaders to converse
We bring in industrial advisory board partners every year to get an understanding of how our curriculum fits into industry and whether or not we’re doing the right things.
We were one of the main institutions organizing a conference on enterprise security. We had over 300 people from 49 countries. Thanks to such cooperation, the cybersecurity situation is improving.
Former executives make the best kind of professor. They bring not only a wealth of experience, but also knowledge of what's actually needed in the market.
Professor, Business Informatics Institute, Poland
Professor of Computer Science and Electrical Engineering, United States
Associate Professor of Managed Information Security, United States
This is an everybody problem. The universities aren’t going to figure this out on their own. Industry is not going to figure it out on their own. It’s something that we have to work together on.
Director, Center for the Application of Information Technology, United States
Read more about the state of cybersecurity on ibmcai.com, or download the latest CISO Assessment, Fortifying for the future.
© Copyright IBM Corporation 2015
IBM Corporation
New Orchard Road
Armonk, NY 10504
Produced in the United States of America
May 2015
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corporation in the United States, other countries or both. If these and other IBM
trademarked terms are marked on their first occurrence in this information with a trademark
symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned
by IBM at the time this information was published. Such trademarks may also be registered
or common law trademarks in other countries. Other product, company or service names
may be trademarks or service marks of others. A current list of IBM trademarks is available
on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml
This document is current as of the initial date of publication and may be changed by IBM at
any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY
OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the
terms and conditions of the agreements under which they are provided.