Higher Education's Lesson from the EUPursue a Global Approach to Cybersecurity Education Sep 11, 2018 | By GTPE Communications
Written by Milton L. Mueller
Just a couple months ago, one of the most profound regulations in two decades transformed how international businesses process customer data gathered from the Internet — and also underscored the need for universities to rethink how they are educating the cyber workforce.
On May 25th, the General Data Protection Regulation (GDPR) took effect. It's a detailed set of rules promulgated by the European Union and is designed to safeguard the privacy and security of anyone in the EU by establishing strict procedures under which their personal data can be collected and managed. In effect, GDPR establishes that personal data is the property of the individual and not the organization that collects it.
The regulations apply to all for-profit and non-profit organizations doing business in the European market and imposes hefty fines for non-compliance.
Although GDPR is technically applicable only within the EU, it's a testament to the planet's ubiquitous digital interdependence that just about every major corporation in the U.S. and around the world will be affected in one way or another by the new rules, making the point that issues involving cyberspace — including education — must adopt a comprehensive, global posture.
While organizations have had two years to prepare, many still aren't compliant, particularly U.S. multinationals, even as states start to enact their own sweeping consumer privacy laws like California's Consumer Privacy Act passed in June. Global domain name regulator ICANN (the Internet Corporation for Assigned Names and Numbers), which collects and publishes domain registrant data, is also behind the curve. One of the reasons for this lack of readiness is the limited supply of policy-savvy cybersecurity professionals, already strained by the normal growth of Internet-dependent business operations, and the recent uptick in headline-generating episodes of computer network hacking and cyber threats.
The demand for cybersecurity professionals worldwide is projected to exceed the supply by 1.8 million by 2022, according to a 2017 Global Information Security Workforce study. In the U.S., the shortfall could reach about 265,000 by that year, says the ISC Center for Cyber Education and Safety. Industries with the greatest need for cybersecurity talent are healthcare, education and retail.
Most computer professionals are educated only in the technical aspects of data security and not the broader context of policies and procedures, which are at the heart of GDPR compliance. Thus, the necessary kinds of skills are in short supply as well.
Colleges and universities can and must do a better job filling these gaps in cyber job-applicant numbers and skills, recognizing that just as cybersecurity is an international problem, the solutions offered by higher education should likewise be global in scope.
We can begin to address the talent pool shortage by reaching beyond the confines of the traditional on-campus learning environment and make advanced cybersecurity degrees more accessible to a wider range of potential students, thereby bringing more future cyber professionals into the pipeline. One way this can be accomplished is by inaugurating and promoting online degree programs in cybersecurity, which would allow students located anywhere in the world to earn a degree.
Online learning is an attractive alternative for professionals who wish to earn a graduate degree part time while remaining employed in their current full-time positions. And since online students do not need the campus infrastructure that traditional on-campus students do, instruction can be delivered at a lower cost to the university, which is reflected in a lower cost to the student.
It's also essential that the curriculum follow an interdisciplinary path because cybersecurity isn't exclusively about coding and technology and digging through computer entrails, as it has been taught traditionally. As we are seeing with the GDPR, cybersecurity also includes understanding the organization and economics of global cyberspace, and developing the appropriate policies and procedures.
The information security industry agrees. At a recent focus group of chief information security officers organized by the Georgia Institute of Technology and the National Technology Security Coalition, participants said that essential knowledge for cybersecurity graduates includes basic business skills, the ability to communicate technology strategy, and a deep understanding of computer science and public policy.
In much the way international agreements are negotiated among nations to address concerns such as pollution, trade, arms control and a host of other cross-boundary issues, the emerging class of cybersecurity professionals must recognize the value of developing cooperative practices, agreements and enforcement mechanisms that promote the economic and social benefits of a networked planet while mitigating the worst impulses of some of its participants.
For example: "Cyber diplomacy" is a new area where we need tech-savvy diplomats who can talk to the Russians and the Chinese about their practices and try to find common agreements about curbing cyber espionage or the disinformation campaigns conducted by one country against another.
When students gain a level of interdisciplinary understanding about the ways technology, law and policy interact, they'll be better prepared for working in the cyberspace environment as it evolves.
An example of this is the Master of Science in Cybersecurity degree offered by Georgia Tech that is now also being offered online to address the global workforce skill gap. An interdisciplinary foundation exposes students to the fundamental technical, organizational and public policy aspects of cybersecurity; information security and traditional computer science, including applied cryptography, network security and secure computer systems; the "cyber physical" — that is, systems managed and controlled through cyberspace such as the power grid or water infrastructure; and public and corporate policy as applied to cybersecurity and addresses the challenges of terrorism, privacy and the law.
Students who graduate from this program enter the workforce with an understanding of the intersecting factors that must be addressed to achieve security in the cyberspace. At a cost that is less than half of the on-campus program, the online masters dramatically scales our ability to address the workforce shortages and skill gaps facing business, government and other organizations battling for cybersecurity, both domestically and globally.
Cybersecurity will always be a struggle between people who want to do bad things and people who want to protect themselves against them. Anything can be hacked, so we have to constantly respond to new kinds of threats by updating our technology, policies, practices — and our approach to education.
Milton L. Mueller, Ph.D., is a professor in the School of Public Policy at the Georgia Institute of Technology in Atlanta.