As promised yesterday on my LinkedIn post, I will share a few of my experiences from my first foray into teaching cyber at the collegiate level.
As a foundation, consider that in this instance, the course is only five weeks in length, and so you really must get down to business – quickly. This is fine if all the students have a foundation in IT, and particularly networking…if they don’t, however, things get interesting.
As you all know, security (to be synonymous with ‘information security’) is an intricate song and dance of networking, systems administration, and this nebulous cloud we call “cyber security” – all rolled together to form a discipline that looks a lot like a jigsaw puzzle. Each puzzle piece plays its own part in creating the ‘whole’ – in most cases, a defensible, highly responsive security program commensurate with business objectives.
HOWEVER – understanding this interrelationship takes EXPOSURE, and what I found in my first pass at this, is that exposure was a fleeting reality amongst my students. Many of them had no IT background at all, and to confound the problem further, had no real concept of the interrelationships between IT, Security and the business…which is really the ‘glue’ that holds cybersecurity together as a viable discipline.
How does this manifest itself within the teaching experience, you might ask? Well…when teaching cyber, or anything for that matter, one must establish a common denominator among all students – lest you alienate your students (and they go hide in a corner and refuse to come out and play).
I spent a lot of time coaxing and baiting and luring students to engage in security topics that they really didn’t understand, and further spent a lot of time attempting to build the IT foundation that they needed, in addition to the cyber content…all at the same time.
I refuse to use the old cliché “building a plane while flying it”…initially, this was more like “fueling the engines while the plane is crashing”. The more I interacted with the content, however, it hit me: I needed to make these scenarios “real” for them if I had any hope of finding that common denominator. Examples of professions that were represented in my class:
- Security Guard
- Shipping Clerk
- Customer Service Representative
- Retail Clerk @ JCPennys
- Donut Maker at Shipleys
- Stay at home mom (Cyber was probably a breeze in comparison)
- And, and, and…
But wait – where are the IT people, or people with IT experience? I knew you would ask. Of the twenty-two students that I had, only four had actual practical IT experience, and only one had any networking experience/exposure. Just sigh…where then is my common denominator???
As it turned out, and I learned over the course of five weeks – the more I could relate the content areas to jobs that they do today, the easier I could reach them.
I will be the first to admit that this is no simple task, and it requires a LOT of effort on the part of the professor to do, BUT hey, I wanted to teach cyber right? So I took one for the team, and the buds started to blossom.
Many of my students knew more than they thought they knew, and by relating what they already knew from their careers to the content areas, I could make the course far more interesting and intriguing to them, and challenging (but satisfying) for me in the process. Many of the domains within cyber can be correlated to (with some magic and pixie dust) to just about any industry…the key is being creative and innovative with how you deliver the content to the students.
They were quite appreciative of my efforts, and their grades (save three casualties) were highly reflective of my teaching approach. Not bad for a first dive into teaching pool…now heading to the deep end.
So what does this mean for us as practitioners??? For those of us that have taken the plunge into teaching at the collegiate level, we must be diligent in working within our programs to add practical instruction – academic theory and “ought to” is great, but rarely does the world of cyber play out as planned. Leveraging stories, profiling current roles and how a cyber topic is relevant, guiding students on what they really need to know – all contribute to what I am referring to as practical immersion.
As practitioners, we are on the front lines of cyber-innovation…we see all the rust under the glitter that many believe cyber to be, and it is my firm belief that we have a responsibility to pay those experiences forward in a way that will arm the next generation with what they need faster (I want to retire at some point). There will be hand holding and coaxing and prodding – but in the end, they will thank us for it.
About the Author:
Paul Brager, Jr has been a contributing member of the cyber security community for over 20 years, covering the spectrum of the discipline from security architecture and defensive design to security operations and incident response. He has extensive cyber experience in oil and gas, manufacturing, chemical, and telecommunications sectors, having held various leadership, up to and including CSO of an emergency management and incident response organization. In his current capacity as a Cyber Security Architect, ICS/SCADA/EA SME for Energy and Manufacturing with a major defense firm, Mr. Brager works closely with energy, chemical and manufacturing clients to transform and mature their critical manufacturing and operating infrastructure against cyber-attack, and provide actionable and timely telemetry to assist in incident response and postmortem forensics, against some of the world’s most complex adversaries.
Paul holds a Bachelor of Science degree from Texas A&M University in Political Science, with a minor in Business, a Master’s of Science in Administration of Justice and Security (Criminal Justice/Cyber fusion) from the University of Phoenix, and is an Alpha Phi Sigma inductee since 2009. Additionally, Mr. Brager is CISSP, GICSP and CISM certified, and is currently pursuing his TOGAF and OSCP certifications, in addition to serving as an adjunct professor with the University of Phoenix, teaching cyber security courses within the IS&T program. He is currently involved as a non-voting board member of ISSA (South Houston Chapter), ISA-99 Working Committee member, ICSJWG committee member and contributor, InfraGard, OWASP, ISACA, ISC2, NSBE and various other focus groups and cyber-focused organizations, and regularly has speaking engagements with industry groups and peer collaborations. He is passionate about the security profession and looks forward to moving the needle in cyber, and helping others do the same.