CSSIA – Closing the Gap in Cybersecurity Education for Nearly 30 Years

To provide insight into the positive strides the (ISC)² Global Academic Program (GAP) and its member schools are making in filling the pipeline for qualified professionals, we’re going to highlight a different GAP school every other month.

The National Center for Systems Security and Information Assurance (CSSIA), one of the country’s first comprehensive Centers for Advanced Technology Education, became a GAP member school in 2014. CSSIA has four goals focused on innovation in cybersecurity education:

• Expanding and enhancing cybersecurity curriculum labs, skills events and competitions
• Building a national infrastructure of qualified cybersecurity educators
• Developing national infrastructure remote virtualization lab environment and content
• Enhancing programs for historically minority and underrepresented academic institutions

According to Dr. John Sands, GAP instructor, department chair for Computer Integrated Technologies for Moraine Valley Community College and co-founder for CSSIA, who has taught cybersecurity for 28 years, CSSIA recognized the need for trained cybersecurity pros years ago. “Early on, we saw the scary things that were out there, and we knew there was going to be a future in this area. We established the first National Science Foundation (NSF) Advanced Technology Education (ATE) National Resource Center for cybersecurity in 2002 through an investment by the federal government in fields that have shortages.”

Back then, there weren’t many cyber programs available in the two-year colleges, and even the four-year schools were focused more on management than on preparing practitioners. CSSIA conducted national surveys to understand better the workforce gaps and to identify the barriers that were preventing schools from teaching cybersecurity. They identified three core areas and tried to engineer their programs to overcome those obstacles.

Obstacles Preventing Schools from Teaching Cybersecurity

1)      Experiential learning for students. The first area they discovered was that many schools were tentative about teaching students on their production network. So, CSSIA designed a virtual teaching environment and created a series of over 200 labs in which students can recreate attack systems. They serve as a clearinghouse for courses and content that can be taught virtually. Today, 260 schools now either use CSSIA’s system or have replicated it. Overcoming that barrier was huge, because it allows CSSIA to provide students critical hands-on learning.

Sands elaborates, “We are big believers in experiential learning. Students need to learn more than just how to isolate the tools. They need to have a target with vulnerabilities and tools that exploit those, and our lab allows them to do that. The beauty of our system is that by putting in a remotely accessible virtual lab, students can work on it 24×7 and work on it over and over again until they master that skill. This has made a big difference in students’ skill level and in readying them for cybersecurity jobs.

2)      Faculty professional development. CSSIA created the Professional Development Academy after identifying a deep need for continuing education and professional development for faculty. Since 2004, CSSIA has instructed more than 4,000 teachers and college faculty in cybersecurity-related areas. Surveys show that 73% of these teachers are already using or plan to use curricula and instructional materials provided at the professional development programs. They work closely with NSA and DHS on the Centers of Academic Excellence (CAE) program. To qualify for the CAE, you have to prove that your faculty has the credentials to teach the program. Sands adds, “It’s a nice blend that students benefit from – we are able to offer them access to qualified faculty AND offer them hands-on experience.

3)      Community outreach to underrepresented groups. The final core area CSSIA identified as needing development was outreach to communities that traditionally haven’t pursued a cybersecurity education, such as females, minorities, and veterans. As a result, they began casting a broader net to improve the types of training they offered, as well as their instructor pool and the number of students from those groups. CSSIA’s commitment of its vast resources, including an outreach toolkit, faculty training, state-of-the-art virtual learning environments, real-world learning experiences such as cyber competitions and subject matter knowledge and support, will help educators fulfill the increased student and industry demands for effective cyber security curricula.

To engage students in creative ways and make the learning fun, they hold several competitions, such as an annual Collegiate Cyber Security Competition, with heavy participation from student volunteers. One graduate who consistently volunteers his time at this event is now one of the top pen testers in the area. They also run Cyber Camps, which are on-line competitions that test students’ abilities to identify vulnerabilities in a virtual network and answer questions related to their findings.

According to Sands, the most rewarding part of his job is watching CSSIA graduates make a difference. “One of our graduates who started his own company actually came back to thank us after a few years and even invited a couple of us out for a show and dinner,” recalls Sands. “He now works for Cisco as a Tier 1 engineer. To see the type of work he’s doing and how he’s making a contribution to defending our nation’s infrastructure gives you such a sense of accomplishment. He works on some of the largest accounts Cisco has – Dish Networks, Fed Reserve, and he’s one of the top engineers in the country right now. It was very rewarding to hear about his success and know that CSSIA has played a part in that.”

CSSIA joined the GAP because they were looking for more ways to certify their faculty that they train in the Professional Development Academy. They’re offering an (ISC)² certification course this month, and it filled up in five days. They do a needs assessment every year, and certification training is always one of the top three requests faculty express.

To track graduates’ success, CSSIA did a three-year survey post-graduation, and the key to students’ success seems to be the number of certifications and amount of hands-on experience they leave the program with.

Sands reflects, “We’ve built this mantra into our program, but it’s extremely important to fill the gap. The vulnerability we have as a nation is tremendous. Anything the professional community can do to encourage the brightest minds to come into this field to protect our country is essential. We’re always chasing our tail, but in modern life, we’re so dependent on these systems. It’s critical that we have the best of the best to protect them.”

Part of CSSIA’s future efforts are to reach students earlier in school (even as early as elementary students) and let them know about the opportunity this field offers. Over the next four years, CSSIA’s efforts are going to focus on targeting this age group by giving them the opportunity to talk to people in the field and to introduce them to what it’s really like. More and more occupations require some knowledge of cybersecurity. CSSIA sees it as their mission to proliferate their knowledge combined with experiential approach into all schools at all levels. As part of that mission, they are actively helping other schools to meet the CAE requirements.

Sands reflected, “We believe our relationships with the government and all the professional associations are critical. The work (ISC)² is doing in this area through the GAP is really important, and it’s critical that we all work together to shore up the cybersecurity workforce.”

(ISC)² Management

[(ISC)² Blog]