Best practices for ethically teaching cybersecurity skills

Avoid rabbit holes and focus on foundational building blocks

For those just starting a career in cybersecurity, the industry might seem a bit overwhelming. The sheer number of insecure systems, endless list of skills to learn and vast number of potential sources from which to consume them can make it easy to get lost in the weeds. Plus, the industry is evolving on a daily basis, making it challenging to stay up to speed on the latest trends. Therefore, teachers must prioritize fewer pieces of high-level content for students to get their feet wet before jumping into the deep end. Once students are able to fully grasp the foundational knowledge, the skills they learn become transferable to many other avenues across the industry.

So, what are a few examples of these foundational materials and how long does it take to learn them? It's best to start with the broad strokes of how computers work, what IT actually is and an overview of the variety of topics within the space. Many beginners think they understand the core principles of computers and IT because they've used them for so long, but, more often than not, they hold many misconceptions.

Getting over the initial learning curve takes time, and a lot of it. Author Malcolm Gladwell's book Outliers: The Story of Success claims that it takes 10,000 hours of practice at something to master it. This couldn't be more true for the early and middle stages of cybersecurity career development. However, creativity and an understanding of how to circumvent the status quo tends to separate experts in this field from the rest of the pack. It's very similar to sports: the best of the best often have an X-factor that can't be taught or learned.

Focus on personalization and individualization

All teachers, especially those involved in security and IT, have to realize that no two students are alike and that everyone has different ways of problem solving. As such, enforcing strict guidelines or processes should almost always be avoided. Not only can this traditional way of thinking be easily replaced by cyber "call centers" and something that automation software is able to do at a fraction of the cost, it's also a reactive process. Hackers and cyberattacks move at lightning speed, which calls for a much more proactive approach. So, in order to cultivate outside-the-box thinking and encourage constant tinkering, teaching needs to be more individualized for each student. By providing this personalized guidance, teachers can encourage their students to grow and carve their own path forward.

Steering away from the Dark Side: Cybersecurity ethics

Another important item unique to teaching cybersecurity, rather than a traditional subject like history or math, is that the skills taught can be directly tied to illegal activity. Curiosity is human nature, and in this case, students often want to test out their newly crafted cyberskills to see what they can accomplish. So, how can teachers prevent their students from using the cyberskills they learn maliciously?

Teachers should understand this from the beginning and also acknowledge that it's difficult to tell somebody "no." This can be resolved by either slowing the pace of instruction or by teaching 99 percent of the story and letting the students figure out the rest on their own. There are also "test dummy" sites specifically designed to allow students to test what they've learned by legally attacking a site. Plus, the skills learned early on tend to be just the basics and attacks leveraging these skills can be easily prevented. We've seen examples of this at my company, where cross-site scripting attacks try to hit our website, sometimes five or six times a day. Thankfully, these low-level attacks can easily be blocked.

This also brings up the topic of ethics in the cyber community. Although ethical hacker training has started within the last decade, it's often overlooked and not prioritized as a pillar of cybersecurity, despite its importance. This can be partially attributed to professionals not working within a team structure and having a sounding board to bounce their ideas off, leading them to follow their own moral standards rather than the cybersecurity code of ethics. The online cybersecurity community has traditionally been accepting of legitimate debates, so leveraging their insights is crucial. In addition to technical skills, ethics should be one of the first topics addressed when covering the foundational aspects of cybersecurity. By putting a greater emphasis on ethics, teachers can empower their students to think critically about their actions and potential repercussions, rather than dealing with potential regret and legal consequences after it's too late.

If money is a main incentive for using cyberskills maliciously, the odds an individual will consistently make more money by using these skills for ethical purposes are infinitely higher. Just like Frank Abagnale Jr. eventually learned in Catch Me if You Can, government agencies, such as the FBI, and private companies will not only pay security and IT professionals to hack into their networks, but also offer a healthy paycheck and benefits. Not to mention the barrier to entry for hackers is extremely high in terms of time, resources and likelihood of success. Major hacks, such as the recent Garmin ransomware attack, often take multiple years to accomplish and a large majority of cybersecurity professionals have almost no shot at success.

Cybersecurity requires life-long learning to stay up to date

While teachers may worry about becoming irrelevant once they pass along all of their knowledge to their students, there are a few things they can do to seek their own continuous learning opportunities. It can't be overstated how much information and how many skills fall within the realm of cybersecurity, making it impossible to learn everything. Teachers should be students themselves, frequently reading news headlines, research reports and talking with their peers about the latest trends. Additionally, as cybersecurity professionals become more senior, they tend to specialize in certain areas, such as Javascript, DNS exploits or even ransomware. Once this specialization advances to a certain point, professionals can then claim their "street cred" as a trusted expert.

By considering and implementing the recommendations of focusing on foundational building blocks, personalization, ethics, and lifelong learning, both teachers and students can enhance the ways in which they teach, and learn about, the vast and ever-changing world of cybersecurity. Although the initial learning curve and the industry's constant state of evolution might be overwhelming to outsiders or newcomers to the security community, the feeling of being able to share extremely valuable information to others, while watching them learn and strengthen the security of individuals and organizations across the globe, is well worth the investment. The art of teaching may be difficult to master, but once perfected, its gratification is unrivaled.

About the author
Jonathan Meyers is the head of IT and a principal infrastructure engineer at Cybrary. He is responsible for designing, maintaining and securing all corporate infrastructure including a security enablement platform supporting over 200 companies and 2.5 million users worldwide. He previously worked as a senior DevOps and senior operations engineer at Forcepoint (formerly RedOwl Analytics) where he oversaw the operations and deployment of its hosted and on-premises UEBA e-surveillance product. Jonathan holds an information technology degree from The U.S. Military Academy at West Point.