Two experts in the field debate whether it is a waste of time or it prepares you for the job force.

There is a philosophical divide between academics and those in the workforce as to the value of taking security classes in college.

As the pace and scale of information security breaches accelerate and the threat landscape becomes ever more sophisticated, cybersecurity leaders must better prepare their organizations and security personnel to withstand the unknown. Today’s leaders must strengthen corporate capacity to mount comprehensive responses to high-impact security events by incorporating economic, human, legal, organizational, technological and socio-political factors into their plans.

You hear a lot about the skills gap in technology, and nowhere is that gap wider, many say, than in security. Some companies are taking matters into their own hands. For example, Facebook is trying to teach middle schoolers how to hack so it might raise a generation savvy in security.

To gain the security skills most needed at many companies, students and graduates will have to take a counterintuitive approach to their education and career, said Shawn Burke, Global CSO, Sungard AS. To counter that argument, Alan Usas, director of Brown University’s Executive Master in Cybersecurity program, believes these skills and knowledge can be best learned on a college campus.

Stay in school

Usas discusses why it is beneficial to learn about security in a controlled setting like college.

1. Building resilient IT systems that limit cyber risk

Leaders need practical skills to meet the challenges of building and managing agile, resilient information technology systems and combatting cyber risks. This means juggling the costs and risks that are part of every security and privacy decision, and effectively competing for the internal corporate resources essential for security.
The best leaders must deepen their understanding of global security best practices and heuristics, apply their security and business knowledge and expertise to strategic planning as well as on-the-ground decision-making, and hone their leadership and operational skills.

2. Factoring in that troublesome human element

Security is not solely, or even primarily, a technical problem. Major security concerns stem from the ways people interact with technology, so the human factor is central in the risk and response equation. Proactive cybersecurity leaders consider the strengths and weaknesses of human agents by learning how human behavior exposes the organization to cyber risks; how to deploy nimble, knowledgeable teams to address them; and how to increase security awareness in all users. Leaders and their teams must consider workflows, tradeoffs between usability and security in how systems are designed and how corporate policies are established, ways to deter and detect intentional and accidental insider threats, and other human factors.

3. Leveraging law, policy and governance structures

Cybersecurity leaders leverage law, policy and governance practices related to information sharing within and across the private and public sectors, the protection of critical infrastructure, the defense against cybercrime, Internet governance, and the complexity of international law as it relates to privacy, security and cyber conflict. Accomplished cyber leaders address the challenges of network and computer insecurity across organizational, national and international boundaries while upholding civil liberties and other fundamental values.

4. Securing privacy and data protection globally

With the world going digital and humans surpassing machines as the preferred target of cybercriminals, protecting personal data and privacy has become a critical security issue.
Cybersecurity leaders can no longer rely solely on familiarity with HIPAA and other US consumer protection laws – today they need to understand privacy protection and legislation around the world. The privacy and autonomy of the individual in relation to the state as well as the corporation, the concept of privacy by design, and the emerging privacy and data protection challenges that arise from technological advances such as drones, driverless cars and the Internet of Things are just the tip of the iceberg as cybersecurity leaders seek to ensure privacy and data protection.

5. Getting results by influencing others with effective communication

Cybersecurity no longer operates in the IT silo but is an organizational drama in which every employee has a role in protecting critical assets, managing risk and achieving business goals. Cybersecurity leaders have to translate the impact of cyber attacks into compelling business terms such as lost revenue, productivity or profitability to ensure that all stakeholders, including employees, board members and shareholders, understand the risks and potential impact of security vulnerability. Being a persuasive communicator, change manager, negotiator, conflict resolver and champion of ethical action are the soft skills that today’s cybersecurity leaders need at their fingertips.

6. Anticipating the future of technology and its security challenges

Important technological and societal security challenges are coming in the next three to five years as new cyber threats emerge, network-connected devices form the ‘Internet of Everything’, and legal frameworks and social norms about cybersecurity evolve. Cybersecurity leaders must anticipate and plan for the legal, policy, economic and human challenges of emerging technologies and be ready to implement socially acceptable, defensive strategies that guarantee business success.

A waste of time

Burke counters that studying security in school is not the best use of your time.
He gives these reasons why.

1. Don’t study security

You can be more valuable to an organization if you’re well versed in networking or development or some other discipline and are able to apply security logic to that. It’ll help you better understand and anticipate vulnerabilities than simply chasing the latest threats with “best practices.”

2. Don’t over-specialize

When you look for your primary discipline, avoid getting too specific. Let’s say you’re a Check Point expert – that’s great, but what if your future employer uses Cisco firewalls? Instead, be a firewall expert and know all the different technologies that might apply.

3. Know your discipline inside and out

Perhaps this goes without saying, but the better you know your field, the better you’ll grasp its security issues. If you’re studying firewalls, for example, understand packet flow, where to place equipment, how to analyze raw data, and how to better prevent threats.

4. Find the security path in your field

If you’re great at coding, you can go to the application side of the house and figure out how to make apps secure – a valuable service to many organizations. If you’re in network engineering, you can help figure out how to orchestrate solutions to denial-of-service attacks. For every discipline, there’s a security need.

5. Pick up leadership skills

Years ago Burke was looking for someone to run a vulnerability management program, and during interviews, he asked different candidates how they’d position the team, organize and delegate the work, and manage the employees. From some of the answers it was clear that the person had no idea what they were doing. And that’s for a pretty fundamental position. Hone your leadership skills for the higher-level positions later in your career.

6. Gain experience at the right company

In general, you’re better off at a service provider helping multiple, different organizations than working in-house at one company.
Security policies are easier to apply for company employees by simply preventing users from engaging in a certain behavior. Those rules don’t always work when you need to accommodate complex solution requirements from various clients that stretch the boundaries of security policy. Instead of saying “no,” you are challenged to become more creative in figuring out ways to implement different infrastructures that keep a company running and secure.

7. Keep your skills fresh

Technology evolves too fast to focus on the same technologies for an entire career. The best employees keep their skills sharp, get involved with peer groups, and continue learning new technologies and practices relevant to their area of specialization. You know you’re working for a good company if it incents you to expand your knowledge base.