Creating a Science of SecurityTraining Professionals to Take a Proactive Approach
Frederick Chang, the new head of the cybersecurity program at Southern Methodist University, says the time has come to create a "science of security."
"The field of cybersecurity today is very reactive and after the fact," Chang says in an interview with Information Security Media Group (transcript below). "Something bad has to happen, and then actions are taken. The field needs to get to a point where it can become proactive, where we can get ahead of the problem. In science, we talk about prediction, models and repeatability. The idea of taking the longer-term approach and creating a foundational science and engineering of cybersecurity is a key part of our mission."
Chang, the former director of research at the National Security Agency, also stresses the need to take an interdisciplinary approach.
"When it comes to cybersecurity, it's easy to think that it's only about computers, computer science, protocols and firewalls," he notes. "But we now know that there are issues that really go beyond just the technology. Certainly all those technical pieces are critically important; [there's] no question about that. But we also know that there are a host of issues surrounding users, policies and processes, issues that go beyond just simply a technical approach. One of our key objectives is to take this interdisciplinary approach at SMU."
Training InfoSec Pros
In his new role, Chang also hopes to help train more information security professionals. "As many folks know, there just aren't enough trained professionals in the field, and we're going to do our very best to help make a difference to close the skills gap."
The university has been recognized by the National Security Agency and Department of Homeland Security as a Center of Academic Excellence in Information Assurance Education. The school also participates in the Department of Defense's Information Assurance Scholarship Program.
In an interview about his mission at SMU, Chang discusses:
- The cybersecurity program's key objectives;
- How SMU will address the information security skills gap;
- Career advice for people now entering the security profession.
Chang is the Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security and a professor in the Department of Computer Science and Engineering in SMU's Lyle School of Engineering. He also is a senior fellow in the John Goodwin Tower Center for Political Studies in SMU's Dedman College of Humanities and Sciences. Chang is the former director of research at the National Security Agency. In the private sector, he was most recently the president and chief operating officer of 21CT, Inc., an advanced intelligence analytics solutions company. Earlier, he was with SBC Communications where he held a variety of executive positions. He began his professional career at Bell Laboratories.
TOM FIELD: Tell us a little bit about yourself and your unique background please?
FREDERICK CHANG: In terms of unique background, I'm not a traditional academic. I spent most of my career in the private sector. I spent several years in academia and have also spent time in government. Regarding my government service, most people will find it of interest to know that I'm the former director of research at the National Security Agency.
SMU's Cybersecurity Priorities
FIELD: You've got a new role at SMU - the Bobby B. Lyle Endowed Centennial Distinguished Chair in Cyber Security at the SMU Lyle School of Engineering. ... Tell us a little bit about this new mission you have at SMU.
CHANG: I would break it up into three parts. The first is really the idea of helping to create a science of security. The field of cybersecurity today is very reactive and after the fact. Something bad has to happen and then actions are taken. The field needs to get to a point where it can become proactive, where we can get ahead of the problem. In science, we talk about prediction, models and repeatability. The idea of taking the longer-term approach and creating a foundational science and engineering of cybersecurity is a key part of our mission.
A second component I'll mention is the idea of taking an interdisciplinary approach. When it comes to cybersecurity, it's easy to think that it's only about computers, computer science, protocols and firewalls. But we now know that there are issues that really go beyond just the technology. Certainly all those technical pieces are critically important; [there's] no question about that. But we also know that there are a host of issues surrounding users, policies and processes, issues that go beyond just simply a technical approach. One of our key objectives is to take this interdisciplinary approach at SMU.
Finally, I'd mention the area of working to help close the skills gap. As many folks know, there just aren't enough trained professionals in the field, and we're going to do our very best to help make a difference in helping to close the skills gap.
Top Cybersecurity Issues
FIELD: In announcing your appointment, SMU said that you're charged with helping the university to tackle "the most pressing cyber-issues." What do you see as the most pressing issues?
CHANG: We'll address some of the hard technical problems facing the industry today in areas like cloud security, disaster tolerance, high-confidence software in systems, etc. There are a number of hard, enduring problems that we'll participate in. We'll also be addressing some hard problems of a more social-science nature, such as the economics of cybersecurity; psychology and security cognition insecurity; issues about why do social-engineering attacks continue to work - and can we come up with ways to counter those things. There will be a collection of more technical information assurance sorts of issues, cyberdefense issues, but we'll also pursue a collection of more social-science issues that are emerging hard problems.
FIELD: I note that in your appointment that not only do you have one foot in cybersecurity, but you also have a foot in business. What can you tell us about this other role that you're going to be playing at the school?
CHANG: It gets to this interdisciplinary approach that we've been talking about a little bit. The cyber-initiative at SMU is anchored in the Lyle School of Engineering. I am appointed in the computer science department, but I also have an appointment in the Tower Center on campus that deals with issues of national policy. ...
Initially, I would like to get folks from various disciplines across campus to engage in a robust dialogue on the topic of cybersecurity. I think it would be extremely valuable to have folks gather in a room. We might have, let's say, a biologist, an economist, a psychologist, maybe somebody with legal training, a computer scientist, mathematician, chemist - a collection of disciplines - and have a robust conversation about some issues. I have no doubt that some really interesting new ideas would flow out of the dialogue with folks in these different perspectives.
Longer term, I would like to select a small set of projects that may emanate from these kinds of discussions that could really benefit from an interdisciplinary approach, along the lines that I've talked about, and make some real progress.
Filling the Skills Gap
FIELD: Earlier in our conversation you talked about the skills gap. How do you hope to help the school address the skills gap that we all certainly recognize but not many people have been able to do much about?
CHANG: That's a good question. I mentioned that SMU is one of the NSA and DHS's Centers of Academic Excellence in Information Assurance Education, so we have that as a base. We also offer an MS degree in security engineering, and we also participate in those DoD IASPs [Information Assurance Scholarship Programs] for students. We have this great foundation. By the way, in terms of undergraduates, we have about 250. We have about 50 students in the masters of security engineering program. We have a host of doctoral students as well. We've got a robust student base, but I would also like to extend beyond that.
It turns out next month I'll be doing a pep talk for kids, and in the audience will be a large collection of middle-schoolers. I would love to be able to create exposure to the importance of cyber-defense to some younger students. Then, perhaps in the future, we'd be interested in becoming involved in various cyber competitions as a way to create excitement and engage among potential students of all kinds.
Making Cybersecurity an Attractive Profession
FIELD: What is it that you think is going to make the cybersecurity profession more attractive to students, whether they be students you have in the school now or some of these younger people you want to reach out to? How do we get them into the field?
CHANG: ... For ... younger students, [I would maybe] appeal to their interest in gaming. In computer gaming, you're basically pitting your mind against another human being and they happen to be online somewhere else. Well, in many ways, the cybersecurity problem has that nature where your mind is being pitted against some cyber-adversary's mind. It's really a person-on-person engagement. The person just happens to be using a computer. If there's this natural sense of competition in the student along the lines that they engage when they're playing video games, then maybe that sense of competition can ... pull them into an interest in cybersecurity where they pit their human mind against another human mind in cyberspace.
Addressing the Private, Public Sectors
FIELD: One of the things I find unique is you've got private- and public-sector experience. What do you believe SMU can offer those two sectors, whether it be business or the government? The flip side of that is: What does SMU need to have from the public and private sectors in return in order to be successful in your mission?
CHANG: Research universities offer a couple of traditional sources of value to both the private and public sectors - certainly access to cutting-edge research and access to well-trained students. This field changes so quickly. To have access to the latest research on what has changed, what's changing, and access to these well-trained students is hopefully extremely appealing to the private sector. Then, the idea that they could potentially hire some of our students into good jobs I [believe] would be quite appealing.
I'd also mention the industry need for continuing education. Imagine if you got your degree five or 10 years ago and you're looking to advance your position in your company. Imagine how quickly the field has changed in five or 10 years. The requirement to replenish your knowledge is quite valuable. On the flipside of your question ... we're certainly extremely interested in active industry engagement with us. SMU has a track record of developing very innovative cybersecurity solutions over the years, and I believe we're poised to build on that success in a rather substantial way going forward.
FIELD: Drawing from your own experience, where do you see potential challenges or hurdles when you're looking to forge this relationship among private sector, public sector and academia?
CHANG: ... Some people talk about that there are really two kinds of companies. There are companies that have been hacked and they know it, and companies that are hacked and don't know it. You'd hate to get to a point where a company begins engaging only after they've been hacked, and unfortunately that happens sometimes. I talked about the notion of being proactive. I'm really hoping we can get to the point where companies are proactive about understanding the nature of the threat and engaging with programs like the one we're developing. I hope it will give them some visibility into that.
Being Successful in Cybersecurity
FIELD: You've been in the profession for a long time. For someone who's joining the profession today or thinking that it might be one they want to join, what advice would you give to them to help ensure that they have some success?
CHANG: The first thing I would say would be to keep your skills current. This landscape changes much too quickly. Technology changes much too quickly to feel like you've reached a plateau and you can sort of stay there for a while. There just has to be this constant understanding and commitment to keep current and keep your skills fresh.
Another thing I would say is to stay technical. The need for technically elite cyberdefenders will continue to grow. We've talked about the skills gap. That kind of position will be required ... across the board. I would encourage people to really keep a focus on staying technical over time.
Finally - and this relates a little bit to this interdisciplinary idea - remember that in the field of cybersecurity you really are dealing with a human adversary and they just happen to be using a computer. It's easy to get narrow and think that it's only about technology. I said a minute ago that a person needs to stay technical, but in doing that they also have to remember that they're ultimately dealing with a human adversary and that provides a perspective that I hope is valuable.