Organizers of a new workforce training program at Georgia State University hope not only to place their students with companies seeking fresh cybersecurity talent, but to export an evidence-based research methodology they claim is sorely absent from today’s industry.
The program, led by the university’s Evidence-Based Cybersecurity Research Group, will train and match 60 university students, who need not be existing GSU students, with private companies and other organizations over the next two summers, where they can intern for chief information security officers.
“Right now, many students who graduate with their cybersecurity degrees do not have practical experience,” said David Maimon, the director of the research group who is also leading the academic side of the mentorship program. “So what we’re trying to do is bridge this gap by teaching the students practical skills.”
Many universities have in recent years created programs attempting to ameliorate the oft-cited shortage of cybersecurity workers, but Maimon, who teaches in GSU’s criminology and computer science departments, said the evidence-based approach that has been adopted by many disciplines in recent years has yet to leap into the field of cybersecurity.
“What’s missing right now is ways to check the effectiveness of policies and tools in the context of cybersecurity,” Maimon told EdScoop. “You have all those companies out there, cybersecurity companies that sell all these products to large corporations and their security teams, but at the end of the day we’re not really sure how effective these tools are in achieving their goals. If you purchase a tool, if you deploy a policy, you want to make sure you’re getting what you are paying for.”
In addition to the private businesses joining the program, which so far include Lexis Nexis Risk Solutions, Maimon said his group has received interest from several law enforcement agencies eager to introduce greater scientific rigor into their cybersecurity disciplines. He pointed to the introduction of evidence-based practices that transformed policing in the 1990s, as criminologists were increasingly embedded within police departments and scientists began calling into question the efficacy of longstanding law enforcement practices.
A more scientific approach, particularly through consilience with criminal justice, could do the same for cybersecurity, he said.
“Technology is just in the background. It’s all about the human,” Maimon said. “What we do in our group is spend a lot of time understanding how the tools and the policies work in the context of the cybercrime ecosystem and the four key actors — [hackers, targets, guardians, enablers]. Because cybersecurity is all about protecting security infrastructure from criminals, there’s got to be a lot of knowledge about the humans who are launching an attack as well as getting impacted by the attack, as well as trying to defend the attack, and generating better understanding of what works and what doesn’t.”
Determining whether GSU’s mentorship program has succeeded in bolstering the workforce or transforming how organizations approach cybersecurity will take at least a few years. The pilot program will operate under a $300,000 grant from the National Science Foundation, guided by an advisory board of CISOs from government, academia and business. For Maimon, the benchmark for success is clear.
“We would love the companies that work with us to eventually hire our students, as well as implement the approach in the context of their operations,” he said. “I think it’s really important for companies, especially in this time, to understand what is it that they’re getting for the tools they purchase, as well as the policies that they deploy.”