An ancient proverb tells us, "The best time to plant a tree was 20 years ago. The second best time is now." In many ways this saying captures the essence of our work in cybersecurity at Southern Methodist University (SMU). Let me comment briefly on our two most important priorities -- research and education -- and how we are investing in the future.
At SMU we've recently formed the Darwin Deason Institute for Cyber Security and in our research at the Institute, we're working to advance the development of the science of cybersecurity. After decades of computer security research, in practice too many companies still find themselves in a "penetrate and patch" predicament -- a situation that is far too ad hoc and after-the-fact.
Whether it's through increased systematic experimentation, more powerful empirical models, theories with greater explanatory power or other means, there's a growing recognition that we need better answers to cybersecurity-related questions: What can we measure? What can we predict? What can we replicate? What can we prove?
In the battle against human disease and injury, physicians and health care professionals benefit from the deeper understanding made available from medical science. Similarly, system designers and information technology professionals could more effectively combat security‐related challenges with better laws, principles and fundamentals that would result from cybersecurity science. It is becoming increasingly urgent that security be built into our cybersystems with the scientific understanding and engineering discipline that's required in building bridges, skyscrapers, rail lines, water systems and other critical physical infrastructure.
Research is needed that will produce insights and generalizations that are independent of any particular software, system, network, vulnerability or attack. The existing research base has certainly produced important findings and many of these findings have been put into practice, but a coherent science of security does not yet exist -- and it will take a long time to create it. With the help of many outstanding students, we're working at SMU to contribute to that science, and we think it is important to take a broad, interdisciplinary approach in doing so.
On top of the many technical, business, policy and process issues that information security professionals must address today, over the past several years there has been a widening skills-gap problem: There simply aren't enough trained and educated cybersecurity people to fill today's need. The shortage of trained staff is inhibiting our ability to defend enterprise networks and systems adequately. Some estimates indicate that there may be as many as 1 million job openings globally for information security professionals. Job postings increased 74% from 2007 to 2013 -- a growth rate two times faster than for all information technology jobs, according to one report. In 2013 there were over 200,000 information security job openings in the U.S. alone. A cybersecurity report issued by the U.K.'s National Audit Office in 2013 noted that the skills gap there could take up to 20 years to address.
At SMU we take seriously our responsibility to help train today's millennials so that they can contribute immediately upon graduation. One key advance we've implemented in the current academic year is that we now require our bachelor of science students in computer science and computer engineering to take a foundational cybersecurity education course as part of the core curriculum. At a minimum these students will gain a much deeper appreciation for the field and will be better able to protect themselves in cyberspace. More importantly, this required course may inspire some students to take more advanced courses and pursue a career in cybersecurity upon graduation or continue their education with graduate training in the field.
Enrollment of new computer science majors has gone up across the country over the past several years, and that -- combined with an increasing number of information security classes -- should help to whittle away at the skills-gap problem. That said, I believe we need to reach out beyond computer science majors. Going forward, it will be important to offer a broader survey course that will appeal to a much wider audience of students on our campus. In an effort to increase the size of the population that might eventually pursue a career in cybersecurity, I also have begun making plans to reach out to a K-12 student audience in Dallas this year.
Despite the challenging cybersecurity landscape that we face today, I remain optimistic about the future. That optimism is based in large part on my interaction with the students on our campus, and knowing that a good number of them will become cyber defenders in the years ahead. Creating a science of cybersecurity and closing the skills gap will take some time, but we must be patient and invest in the future. It's time to plant a few seeds.
About the author:
Frederick R. Chang is at SMU (Southern Methodist University, Dallas) where he is Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security, director of the Darwin Deason Institute for Cyber Security, professor in the Lyle School of Engineering and a senior fellow in the Tower Center for Political Studies. He spent many years in the private sector and is the former director of research at the National Security Agency. Dr. Chang has been awarded the National Security Agency Director's Distinguished Service Medal. He has served as a member of the Commission on Cyber Security for the 44th Presidency, and as a member of the Computer Science and Telecommunications Board of the National Academies.