At Iowa State University we have one of the oldest security education programs in the country. This has given us insight into the needs of both the students we educate, and the companies that hire them. Not a week goes by without potential employers asking, how do we find more students and how do we recruit them? Our answer is that companies need to get involved in the education process at the university. I know what you're thinking, this is code speak for asking for donations.
We have created a multilevel approach to security education at Iowa State. This accomplishes the goal of not only producing more security literate students, but also provides avenues for companies to become involved in a meaningful way.
Several companies have indicated that participation in the Cyberdefense Competition is a prerequisite for employment.
At Iowa State, we have developed a three-level framework for security education that provides (1) formal literacy-based training for students of all backgrounds, (2) inquiry-based learning through security and technically-focused student groups and activities and (3) classical technical-based initiatives.
Corporate presentations in the classroom
The focus of course-based learning is to provide students with the educational foundation and security skill-set with which to enter the cybersecurity workforce and continue learning through advanced degrees. This is the traditional method of delivering security education throughout the United States. Industry involvement is typically through presentations in the classroom setting.
Many faculty members are leery of bringing outside speakers into the classroom. They have had speakers come into class with slides that are nothing more than a recruiting pitch or sales attempt. When that happens we hear nothing but complaints from the students. The best speakers are those that present a thought-provoking security problem and explain how the organization is addressing it. Companies need to let students know that their IT security teams are working on interesting problems.
Inquiry-based learning allows students to explore cybersecurity issues and resolve problems by reviewing learning materials about cybersecurity, evaluating what they know, seeking out additional information about specific problems and coming to a conclusion or resolution based upon evidence they have gathered. This type of learning offers a unique set of opportunities for students by providing a way to engage in practical and hands-on experience that is either augmented by students' current coursework or in lieu of any computer security coursework. The open-ended nature of inquiry-based activities enables students of all backgrounds and knowledge levels to explore and learn at their own pace, as well as in teams.
Cyberdefense competitions work
At Iowa State University our implementation of inquiry-based learning in cybersecurity comes primarily from two activities. The five annual cyberdefense competitions (CDCs) that we host each year are the most popular. Two of the CDCs are for ISU students only; one is a regional competition with ISU students and teams from other schools and the other two are for community college and high school students.
In the Iowa model for a CDC, students design, configure, and maintain a set of servers and a network in a secure manner prior to the competition. This allows students to be creative in their solutions. (This is a different approach than the National Collegiate CDC, where teams of students are provided identical networks and then must secure and defend them.)
The student preparation for the CDCs is performed through inquiry-based learning, not formal security courses. The culmination of this learning is a day-long competition in which students work to prevent security breaches and to remediate any exploits that occur at the hands of hackers (the red team) while maintaining a fully-functional network for their end users.
Participation in a CDC provides valuable hands-on experience with cybersecurity that goes beyond anything a student could learn in a classroom. For both the high school students, and the college undergraduates that do not have access to formal cybersecurity education, these events give them experience in an area which they have little or no previous knowledge. For students with previous coursework in cybersecurity, a CDC allows them to move beyond what they have learned in the classroom by putting theoretical concepts into practice.
Industry participates in the CDC by providing red team members and monetary support. Several companies have indicated that participation in the CDC is a prerequisite for employment. Starting this year, we have created a one credit course for students that participate in the CDC and write an additional report. This course will appear on the transcript which gives employers an easy way to see which students have participated.
Interaction with information assurance student groups
In addition to the CDCs, Iowa State University has an Information Assurance Student Group (IASG) for students in any major who are interested in cybersecurity. The need for such a group was spurred by the lack of security courses offered for lower-division undergraduate students. The creation of IASG was an answer to keeping students who desire to pursue careers in cybersecurity engaged during their undergraduate coursework. IASG now has a membership of more than 130 students who attend weekly meetings in which upper-division undergraduate and graduate students deliver content and provide hands-on activities in an inquiry-based learning environment. Students can explore cybersecurity and create their own solutions to problems or "enigmas" for a given weekly topic.
IASG provides an excellent avenue for companies to interact with students. Organizations typically provide food for the meetings in which their representatives give a presentation. Depending on the topic, we can have more than 100 students in attendance. The IASG also organizes and runs the various cyber-defense competitions.
Practical security knowledge for non-majors
Finally, students desiring to pursue literacy-based learning options are in search of practical computer security knowledge. Whether these students have technical or non-technical backgrounds, their goal is to gain a firm understanding of security concepts; the identification of security threats; the purpose, strengths and weaknesses of security mechanisms and to develop confidence in the execution of security best practices.
At Iowa State University, we offer a one-credit half-semester course entitled "Introduction to Computer Security Literacy." External involvement in this effort is often part of the inquiry-based learning efforts; we invite students in the class to attend industrial presentations at the IASG club meetings.
Security education is a complex problem that requires not only multiple methods of delivery, but a partnership between educational organizations, business and industry, and the government. It is our hope you will reach out to the universities you have targeted for hiring and explore ways to develop partnerships that will help expand the number of students entering the workforce in security.
About the authors:
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.