Opinion

A Built-In Education

If we could make our organizations' infrastructures more secure in the center, imagine what this would mean to our ability to mitigate threats and reduce risk

By Bob Bragdon, Publisher, CSO

September 01, 2006 (CSO) — You probably have heard the adage that businesses are like candy bars: hard and crunchy on the outside, soft and chewy in the center. This refers to the reality of security in most organizations. We defend our perimeters but, once past those defenses, it's easy to get around and find what you want on the inside. If we could make our organizations' infrastructures more secure in the center, imagine what this would mean to our ability to mitigate threats and reduce risk.

Educating an organization's employees on good security practices is arguably one of the most effective ways to secure our enterprises and our nation's critical infrastructure. While this has always been one of the most effective ways to prevent workers from doing "bad" things, even inadvertently, our recent research (CSO SecuritySensor 10, February 2006) suggests that CSOs are beginning to rely more on technology to counter the bad actions of trusted users. But even as technology to combat these threats improves, one has to wonder just how much more successful our efforts would be if we paired such tools with a workforce schooled in good security practices.

For too long this area has been ignored. It wasn't long ago that we received a textbook about application development in the offices of CSO. A quick search found not only that security was not a major tenet of the book, it was not even mentioned. At the time, I recall us asking ourselves, "If we aren't educating the troops on the front lines, what are we doing with students of business and engineering?" I'm afraid that the answer then was, and remains today: "Not very much."

The good news is that there are some initiatives out there to address this problem, and they are looking beyond the walls of the office and focusing on educating tomorrow's workforce at the university level. One such initiative is being carried out by the Team for Research in Ubiquitous Secure Technology, or Trust, one of two science and technology centers the National Science Foundation established in 2005. Trust, comprising University of California at Berkeley, Carnegie Mellon University, Cornell University, Mills College, San Jose State University, Smith College, Stanford University and Vanderbilt University, is partnering with IT security leaders from McAfee, Greater Bay Bank, Silicon Valley Bank, Xilinx, Sun Microsystems, Visa USA, General Electric and Oracle to develop a computer security curriculum that can be used at colleges and universities across the country. The goal is to teach this curriculum to university business and technology students preparing to enter the workplace.
