shaping security problem solvers: academic insights to fortify for the future

© 2015 IBM Corporation

Shaping security problem solvers: Academic insights to fortify for the future

May 2015


Cybersecurity is growing in all directions:

2 © 2015 IBM Corporation

Fortifying

for the future

As a field, it continues to expand with the endless march of technology.

The IBM Center for Applied Insights, as a follow-up to its recent CISO Assessment, Fortifying for the future, interviewed a group of cybersecurity academics to examine how business and academia converge in this matter.

Do professors have a unique perspective on the problems facing today’s security leaders?

As a concern, it weighs heavier on business leaders in light of recent breaches.

And in universities, demand for security programs is on the rise.


The interviews demonstrated that academics are addressing key security challenges by adapting their educational approach.

3

Security teams often playing

catch-up with attackers

Produce versatile experts who use

predictive and behavioral analysis

Lack of communication all the

way up to executive level

Train students to be facilitators

between technology and business

Mobile and Internet of Things

are growing security hurdles

Create holistic curriculum that

examines these technologies

Enterprises need to share more

information

Provide a platform for business

leaders to converse


Business problem Academic solution


Today’s security posture feels untenable. It’s near impossible to keep up with the ceaseless evolution of hacking technology while also plugging every hole in a system.


The attacker always has an advantage

because the defender has to understand

and patch every single potential

vulnerability in the organization.

Organizations need to move up the

attack chain and see when we're

being reconnoitered and surveilled

from the very beginning, when the

door is being knocked on before they

even get in and cause a mess.

Business Problem: Security teams often playing catch-up with attackers

Associate Professor of Managed Information Security,United States

Faculty Director, Financial Services Analytics PhD Program

United States

Professor,Computer engineering,

Switzerland

Academic Director, Infrastructure Planning and Management,United States

The creativity of the attackers is

incredible. They are always a step

ahead, and that’s what makes the

problem difficult.

If you only rely on the technology, it's

always a catching game, it's always a

reactive game. You're never going to

win this way.


Universities are training students to stay ahead of attacks by practicing proactive and aggressive skills, while also understanding the mindset of their enemies.


Academic Solution: Produce versatile experts who use predictive and behavioral analysis

You have to first regard the incentive issues. Why do they want to attack? I mean you have to know

the psychology, the incentives.

The key is the ability to develop a new skill set

where people can adapt to changing environments versus teaching state-of-

the-art routines in cybersecurity.

We’ve added a significant amount of offensive content

to our curriculum. We’re doing some big data research to try to characterize attack

flows based on network signatures.

Faculty Director, Financial Services Analytics PhD Program United States

Associate Professor of Managed Information Security,

United States

Professor of Computer Science and Electrical Engineering,

United States


Finding a security solution is only half the problem—you also need to be able to convey it in a manner that non-technical colleagues understand. Communication challenges can persist even at the C-level.


I've seen the glazed look on CEOs’

faces because the people that

understand cybersecurity can't speak in

the language that they get.

It’s much easier to find a technologist

that specializes within a particular

domain than it is someone who can

be a generalist and work effectively

in areas like management,

governance and budgeting.

Business Problem: Lack of communication all the way up to executive level

Department Chair, Mathematics and Computer Science,

United States

Chair of Computer Information

and Network Security,

United States

University CISO,United States

It's extremely in demand and rare to

find people with good business

background who also understand the

technology, and vice versa.

The CIO and the CISO—there is no

collaboration between them, because

the IT department thinks somebody's

interfering in their work.

Academic Director, Infrastructure Planning and Management,United States


By integrating business components into technical programs—and vice versa—universities hope to create employees with an interdisciplinary skill set who can not only build solutions, but explain them too.


Academic Solution: Train students to be facilitators between technology and business

I spend one-tenth of the course on heavy technical controls. The other nine-tenths of the course cover

things that aren’t technical. It’s much more process

oriented, people oriented, governance oriented. Cybersecurity has evolved,

and the education has evolved correspondingly.

It's moved from being primarily technical and

hands-on to incorporating more management,

leadership and policy.

The goal of our program is for students to become that translator between

senior executives and the technology people.

University CISO,United States

Director, Managed Security Information Program,

United States

Academic Director, Infrastructure Planning and Management,

United States


The proliferation of devices and sensors pleases users, but every new connection to the Internet also creates a possible vulnerability that must be secured.


The more things you have connected,

the more potential entry points you

have. Security becomes more and more

complex in that sense.

People are starting to now figure out

that their cell phone could be a piece

of evidence in a crime.

Business Problem: Mobile and the Internet of Things are growing security hurdles

Director, Center for the Application of Information Technology,United States

Department Chair, Mathematics and Computer Science,

United States

Many individuals use these mobile

applications, these gadgets, but they

have very little idea what is really

going on. So the first thing should be

awareness.

Your toaster is going to have a device

on it, your thermostat in your house is

going to have a device on it. A lot of

those kinds of things are being

developed without a tremendous

amount of thought given to security. Chair of Computer Information

and Network Security,

United States Director, Center for the Application of Information Technology,

United States


To mimic the real-world conditions, universities are shifting the classroom balance toward device and sensor security, with an emphasis on new research into these areas.


Academic Solution: Create holistic curriculum that examines these technologies

We’re staying current in the technology fields.

Many more universities now have mobile

security elements than they did in perhaps

2010 or 2011. We have to change the definition of

cybersecurity to reflect the new technology that we have today, with the

advances of smart devices and the Internet

of Things.

It's going to be an evolution. We're doing more on mobile device security, BYOD. All that stuff is huge. And we're

doing it.

Director, Center forAutonomic Computing,

United States

Chair of Computer Information and Network Security,

United States

Director, Managed Security Information Program,United States


In an age when safeguarding data is an ultimate priority, sharing information might seem counterintuitive. But companies need to keep each other apprised to aid the collective effort.


The antivirus industry is well-

established. They do a lot of analysis

and detection of malware, and they do

it well. But only a few of the

companies actually are open with their

findings.

I understand the leaders' viewpoint:

nobody wants to say that their

organization was hacked, because it

doesn't look good. But if they can

share information, it will help another

organization.

Business Problem: Enterprises need to share more information

Associate Professor of Managed Information Security,

United States

Department Chair, Mathematics and Computer Science,United States

Academia values the communication

of new discoveries, while the

industrial community values privacy.

There are certainly companies out

there that don’t want to share things

that they’ve understood.

If somebody asks me, “Could we use

your material?” then I would of

course say yes. On the level of the

institution, I’m not aware of such

cooperation.

Professor,Computer engineering,Switzerland

Professor,Computer engineering,

Switzerland


Universities are hosting security conferences so that business executives can share information with each other while also influencing the curriculum.


Academic Solution: Provide a platform for business leaders to converse

We bring in industrial advisory board partners

every year to get an understanding of how our

curriculum fits into industry and whether or not we’re doing the right

things. We were one of the main institutions organizing a

conference on enterprise security. We had over 300 people from 49 countries.

Thanks to such cooperation, the cybersecurity situation is

improving.

Former executives make the best kind of professor.

They bring not only a wealth of experience, but also knowledge of what's

actually needed in the market.

Professor, Business Informatics Institute Poland

Professor of Computer Science and Electrical Engineering,

United States

Associate Professor of Managed Information Security,United States

© 2015 IBM Corporation12 © 2015 IBM Corporation

This is an everybody problem. The

universities aren’t going to figure this out

on their own. Industry is not going to

figure it out on their own. It’s something

that we have to work together on.

Read more about the state of cybersecurity on ibmcai.com,

or download the latest CISO Assessment, Fortifying for the future.

Director, Center for the Application of Information Technology,United States

http://ibm.com/ibmcai/ciso

© 2015 IBM Corporation13

© Copyright IBM Corporation 2015

IBM Corporation

New Orchard Road

Armonk, NY 10504

Produced in the United States of America

May 2015

IBM, the IBM logo and ibm.com are trademarks of International Business Machines

Corporation in the United States, other countries or both. If these and other IBM

trademarked terms are marked on their first occurrence in this information with a trademark

symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned

by IBM at the time this information was published. Such trademarks may also be registered

or common law trademarks in other countries. Other product, company or service names

may be trademarks or service marks of others. A current list of IBM trademarks is available

on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at

any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY

WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF

MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY

OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the

terms and conditions of the agreements under which they are provided.

shaping security problem solvers: academic insights to fortify for the future

Technology

security solution

security teams

ibm center

security programs

ibm corporationfinding

ibm corporation1cybersecurity

ibm corporationuniversities

security problem solvers