Page 30 - Cyber Defense eMagazine June 2020 Edition
The second group of organizations successfully adopt applicable standards and guidelines and make
valiant efforts to abide by them. The problem resides in the interpretation of those resources. These
valuable resources are written by industry experts charged with providing detailed explanations of
cybersecurity practices at a very concrete level. The organization is left to make its own
interpretation, which can sometimes lead it in a direction that is more costly than if it had
not adopted the standard and guideline in the first place. Thankfully, recent books
have been published that provide greater understanding into such cybersecurity areas as:
understanding and applying the National Institute of Standards and Technology (NIST)
Cybersecurity Framework, standardized approaches for implementation of cybersecurity controls,
understanding cybersecurity risk management and the implementation of risk practices using the
NIST Risk Management Framework, implementing guidelines that support cybersecurity
management throughout the entire supply chain, and how to make an organization truly cyber-
resilient.
Similarly, educational institutions have struggled to find the right fit for how to prepare students for
careers in cybersecurity. Since the turn of the century, many Information Technology programs saw
cybersecurity as solely the need to implement technology aimed at protecting information; hence the
reason for the old way of referring to the field as “Information Security”. Programs taking on that
understanding of the field prepare students with a narrow scope of simply presenting the technologies
that protect information. And in many cases those presentations are done through simulated
approaches.
However, as the field of cybersecurity has evolved, educators cannot take as narrow an approach
to preparing students. Realistically, the field has become much more than just securing information.
Rather it is becoming a discipline in and of itself, which encompasses a complete body of knowledge
that requires standardized approaches (with well-defined outcomes) to introducing the expanded
areas that make up the entire field of cybersecurity. No longer can someone be prepared for work
within the field simply by understanding the difference between a router, switch, and firewall.
Cybersecurity has expanded to the extent that data security, software security, component security,
connection security, system security, human security, organizational security, and societal security
should all necessarily be included (from an interdisciplinary approach) within the cybersecurity curriculum
in order to adequately prepare individuals for work within the field. And to that extent, organizations
should endeavor to understand the interdisciplinary knowledge of the individuals that they hire.
To support the growing need for standardized and interdisciplinary approaches of educating future
professionals in the entire cybersecurity body of knowledge, two standards have been developed to
assist educational institutions in the development of their cybersecurity curriculum. NIST published
the second version of the “National Initiative for Cybersecurity Education (NICE) Cybersecurity
Workforce Framework” in 2017. NICE breaks the field of cybersecurity down into specialty areas and
specifies what each area of the workforce should be doing to ensure that security functions of
identification, protection, defense, response, or recovery are being carried out properly.
Similarly, later that same year, the Joint Task Force on Cybersecurity Education in association with the
Association for Computing Machinery (ACM), IEEE Computer Society (IEEE-CS), Association for
Information Systems Special Interest Group on Information Security and Privacy (AIS SIGSEC), and