In an exclusive interview, Lawrence Rogers, chief architect of the SIA program, discusses:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is cybersecurity training and we are speaking with Larry Rogers, Senior Member of the Technical Staff on the CERT Program. He is also a member of the cyber forensics team. Larry, thanks so much for joining me today.
LARRY ROGERS: Oh, you're welcome.
FIELD: Why don't you just take a minute and tell us just a little bit about yourself and your role at CERT?
ROGERS: My role presently at CERT is, as you indicated, working on the cyber forensics team. We work with law enforcement in providing skills and talents and techniques that they need in dealing with cyber crimes. Before that, I developed a curriculum on survivability and information assurance, and I have done a lot of training in the computer security incident response and technical training for system administrators.
FIELD: Very good. Now Larry, I know that cybersecurity is a key topic with the Obama administration, so what I would like to talk with you about is the need for cybersecurity education. Maybe you can give sort of a benchmark of where we are starting and then where we need to go.
ROGERS: Okay. First, when we talk about cybersecurity education we are really meaning education and not training. While both areas are really important, the more successful cybersecurity practitioner will have had instruction in both areas. Education is more thinking-oriented and has more emphasis on fundamental principles and associated processes. In contrast, training is more doing-oriented and has more emphasis on technology and its operation.
Now the field of cybersecurity is dominated by technology. That is mostly what you read about in the paper and what people are taught, for example, firewall and antivirus patches and encryption. The first element that is really missing in cybersecurity education is a firm educational foundation. This foundation helps the cybersecurity practitioner understand the issues that they are dealing with and the technological solution candidates that they can apply to those issues. For example, what problems are firewalls the solution? If a person evaluating a firewall technology doesn't know what problem they are solving, how will they know if the product that they are selecting is the right one? Also, when a new piece of firewall technology is available in the marketplace, will those evaluating that type of technology know how to do the evaluation? Will they be able to access its capabilities in both the initial and recurring cost to the organization?
What is also missing in education, and this is a really important point, is the ability to connect the technology with the business where that technology resides. The computer systems and network infrastructure components scattered throughout the enterprise are there to enable the business to succeed. They contain information assets that are crucial to business operations and conformance to legal requirements. They are not just toys that have been purchased for the amusement of a system administrator.
So then the first key is to have a firm education foundation upon which a good command of technology can be layered; both are important. The second is to be able to connect the technology to the overarching business where that technology resides. The successful cybersecurity practitioner will have both.
FIELD: Now I know you do an awful lot of work in both the public and the private sectors. Where do you see now the greatest cybersecurity need?
ROGERS: In my opinion, the greatest need is for the practitioner to be educated in the fundamentals of cybersecurity in conjunction with their immediate managers providing them the time and the incentives to become educated.
A business has to evaluate the educational achievements of their staff because of the foundation it builds for the continued success of the business. Now the world of cybersecurity is rapidly changing, and those who can successfully surf the waves of change and stay afloat will be among the most successful in the business. This requires education and the time for that education must be made available by the business.
FIELD: Now tell us about your cybersecurity training and the program focus at CERT, Larry.
ROGERS: Okay. Because CERT is part of the Software Engineering Institute at Carnegie-Mellon University, we are very focused on both education and the concept of a process. Throughout our training we emphasize understanding the root causes of cybersecurity issues and then applying technology as part of the solution, all of which is contained within one or more processes. Students are challenged to think and to understand and to take action in the cybersecurity areas they will likely encounter in their regular jobs.
FIELD: Now give me a sense of what the skill sets are that are necessary for a student entering the program and what types of competencies are they going to gain along the way.
ROGERS: The more successful cybersecurity students will be the ones who can dig deeply into a problem and understand the root causes so that they can match the correct technology to that problem. That means that thinking was a very necessary and critical skill. Students will also have to identify, install and operate the technology they have chosen. That involves an amount of experimentation, configuration, deployment and maintenance and the necessary skills here are inventiveness, a resolve to complete a task, and obviously a significant interest in technology. From our classes, students will have a chance to experiment with technology and to learn and understand the fundamental issues of the cybersecurity issues we present to them.
FIELD: Larry, is there such a thing as sort of a traditional student? Do you get a sense of where they are coming from most immediately before they enter this program?
ROGERS: Most of the students that we get into the program have very much a technology perspective. They know how to operate some technology, and they have probably been system administrators in the past, and we challenge them to go beyond that and really to think about the issues and understand the root causes of the problems that we are placing before them.
FIELD: That makes sense. What are the types of career paths that people are going to have when they leave the program and go into their cybersecurity careers?
ROGERS: Well, because the more successful cybersecurity professionals should also have a business sense, one potential career path that they can go beyond the cybersecurity realm is into upper management. You need to think of cybersecurity as an enabler of the business much as a highway is an enabler of interstate commerce. We don't think every day of a highway as an enabler, and eventually will come to think of cybersecurity in the same way. It is a foundation upon which other business activities are layered.
Now the technology component of cybersecurity also drives future development in that technology as well as policy and governance. Both are potential career paths for cybersecurity professionals.
FIELD: Now what do you see in the government, Larry, with the new emphasis on cybersecurity there? Do you think that is an area there that there will be some immediate prospect for students?
ROGERS: Yeah, I believe so. Both business and government need to recognize and value a workforce that is trained and educated. Right now training is highly valued, as it should be, but education, that is the ability to think and to reason, is not so highly valued. A combination of the two is the key to success.
So whatever business and government organizations can do to put their employees in an educational setting, be that providing time or taking education-oriented courses or conducting seminars to challenge participants to think that would begin to address the need.
FIELD: Now one thing I always hear when I talk to people in education is that they don't get good input from business and from government for what they really need for real skills right now, so they have time being able to match the exact needs. What do you need now from business and government so you can make sure that you are turning out the people that can fill their most immediate needs?
ROGERS: Business and government need to let us know that they are going to value the training and educational perspective that we give to students and that is the most important thing, and not simply that they are looking for people with skills training who are essentially putting out one fire after another fire after another fire. That has never been the scale. It hasn't been scaled yet, but people need to have the time to think about what they are doing to put their thinking into practice so that they can avoid the constant putting out of fires. So business and government need to recognize that they need to give people time to think and not simply enough time to react.
FIELD: That makes sense. We all operate in such a sense of triage these days that that becomes the job, doesn't it?
Larry, I want to ask you for a couple of words of advice. First of all, for someone that might just be starting their career in cybersecurity, what is the one bit of advice that you would give to them?
ROGERS: What I think is most important either for people who are new or seasoned is to learn how to think. I was talking to a high school teacher a while ago, and I discussed this issue of education with him and he said 'What I do with my students is I ask them questions to have them draw conclusions and not just to spit back the facts that we talked about in class.'
So either a new student or a seasoned professional needs to put themselves in the position where they can learn, where they are forced to think and be challenged to think, whether that is in a class (and it doesn't have to be in the cybersecurity arena) any class where you are given a set of facts and you have to draw out a conclusion and extend beyond that I think benefits both the person who is new and the seasoned professional.
FIELD: Well, that is interesting because I wanted to ask you the same thing for a seasoned professional, and it makes me wonder if someone is coming in and they have had some maturity in their career, is there a degree of unlearning they have to do to be successful in this program?
ROGERS: I'm not so sure that it is unlearning as much as it is finally being able to stand back and look at what they have learned over the course of their years and see processes and see procedures and see more of a method to what they are doing. That is what I underwent when I put together the survivability and information assurance curriculum that is on the CERT web page. I had the opportunity five or six years ago to look back over 20 years of technology and say this is how I see the tasks of being a system administrator and a cybersecurity engineer and of doing this in an orderly way where I built it upon fundamental principles in doing that. I think the benefit, the wisdom of age and experience gives you the chance to look back and see those principles and see the processes that tie those processes together, and I think that is what the experienced person can do.
FIELD: Now that makes sense. Larry, where is the best resource to go for people to get more information about the cybersecurity program?
ROGERS: The information that we have provided by CERT is on the CERT web page, which is http://www.cert.org. There is a training bar in the upper right hand corner. They can also do a search for the survivability and information assurance curriculum, which is a full three-semester course of which the public version is freely available for download. It is around 3,000 - 3,500 pages of materials that they can read that talks about fundamentals of security and also some applications of that through various technology.
FIELD: Very good. Larry, I appreciate your time and your insight today. Thank you very much.
ROGERS: Thank you.
FIELD: We've been talking with Larry Rogers, Senior Member of the Technical Staff with the CERT Program at the Software Engineering Institute at Carnegie-Mellon University. For Information Security Media Group, I'm Tom Field. Thank you very much.