Fragmented cybersecurity regulation threatens organizations

Fragmented cybersecurity regulation threatens organizations

Organizations across the United States have a number of cybersecurity regulations to comply with, and need to show that they take protection of sensitive data seriously.

Consumer data in the US is currently protected by a patchwork of industry-specific, federal, and state laws, the scope and jurisdiction of which vary. The challenge of compliance for organizations that conduct business across all 50 states is considerable.

Forbes summarizes the issue:

“Increased regulatory fragmentation unduly diverts focus and resources, and ultimately threatens to make us more vulnerable to cyber attacks. Instead of a fractured approach by state, we need a coordinated national strategy for regulating cybersecurity.”

For example, NY financial institutions will be required to implement security measures in order to protect themselves against cyber attacks from March 1, 2017. They will need to not only maintain a cybersecurity policy and program, appoint a CISO, and implement risk assessment controls and an incident response plan, they will also have to provide regular cybersecurity awareness training, conduct penetration testing, and identify vulnerabilities.

Organizations also have the National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST SP 800-53) for guidance on helping reduce cybersecurity risks, and many organizations are required by contract or by law to implement the framework.

Complying with multiple cybersecurity regulations

ISO 27001 Cybersecurity Documentation Toolkit

Fulfil multiple cybersecurity obligations and benefit from international information security best practice to produce a solid framework with the ISO 27001 Cybersecurity Documentation Toolkit.

Covering state, national, and international cybersecurity frameworks, this toolkit will enable you to produce a robust management system that complies with:

  • NIST SP 800-53
  • New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies
  • Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth
  • ISO 27001, the internationally-recognized cybersecurity framework

Comply with multiple cybersecurity regulations

Pre-order now >>

Leave a Comment

Top 5 excellent Antivirus Protection of 2017

Excellence is achievable but perfection is not. Find an excellent anti-virus product based on your requirements.

 

Malware are evolving faster than ever, so it’s encourging to discover that the latest generation of antivirus (AV) are better equipped to handle this evolving pace of change. Information security best practice recommends that every PC should run at least antivirus (antimalware), antispyware, and a firewall, and you keep it up to date. So if you’re not running an anti-virus, or may feel your anti-virus could do a bit more, take a look at the list below  and find an anti virus solution which fulfill your current needs based on the modern day threats.

 

All five antivirus solutions below includes On-Demand Malware Scan, On-Access Malware Scan, Website Rating, Malicious URL Blocking, Phishing Protection and Behavior-Based Detection.

 

1) McAfee Antivirus plus

Unlimited protection for Windows, Android, macOS, and iOS devices. New behavior-centric antivirus engine. Essential antivirus protection for PCs, Macs, smartphones, and tablets.

 

 

2) Webroot Secure Anywhere Antivirus

For Cloud Security it will analyze files, phishing sites, malicious web pages, IP addresses, and mobile apps providing a real time view of current threats and enabling protection from zero day attacks.Can recover files encrypted by ransomware. Uses tiny amount of disk space. Very fast scan. Handles unknown malware. Includes firewall.

 

 

3) Bitdefender Antivirus Plus

Effective ransomware protection. Many bonus features including password manager, secure browser, and file shredder. Wi-Fi Security Advisor. Always secure on the go.

 

4) Symantec Norton Antivirus Basic

Protection is always up-to-date to defend against spyware, malware, and unsafe websites, while safeguarding your identity and online transactions. Powerful intrusion prevention. Norton Power Eraser blasts persistent malware. Password management.

 

5) Kaspersky Antivirus

Kaspersky Anti-Virus helps protect against viruses, spyware & more. Great for antiphishing and speedy full-system scan.

 

Our recommendation is based on The best Antivirus protection of 2017

Leave a Comment

5 Surprising Signs Your Employee is fibbing on their resume

Your resume is often the first impression employers get of you prior to the initial meeting. First impression is often considered the deciding factor in whether you may receive an interview call for the position.

To make a best first impression, it is tempting for the candidate sometime to fib with their experience, skills and qualifications and hope they will the one to get a call for that interview.

However, this may have serious consequences on your career in the long run. With social media word can spread quickly about applicants who aren’t being honest, and have their hard earned reputation ruined.

If you are unsure about something, if it doesn’t belong on your resume, please don’t use alternative facts.

Here are 5 common lies in resume.

If you’re convinced that your prospective employee is lying, you may be right! After all, your intuition is not often wrong. But if you’re going to accuse your prospective employee of lying, you definitely need proof. So, how can you find out for sure? What are the most accurate warning signs that your employee is lying? Lastly, and possibly most importantly, what can you do to catch your employee red-handed without breaking the bank?

By now, you’re probably convinced that he or she’s lying. But you need proof, Here’s your chance to get it.

1. Educational background Check

Competing with a educated workforce in US can be sometime frustrating, especially when you don’t have college degree. Perhaps for this reason some job seekers may opt to add false statements to the qualification area of their resume.

Checking qualification has become relatively easy these days, and perhaps the first thing most human resources departments will check. If someone is caught fibbing on their resume, the result can include termination after background check is complete and you will be automatically denied a possible position.

2. Technical skills 

Having certain relevant technical skills may make you a very desirable candidate for a job, but it will be hard to backup your lie once you get the the job.

Your interview based on skills set you mentioned in your resume, and if you can not answer relevant questions regarding that specific skill may raise a red flag, which may prevent you from landing or keeping the job.

At end of the day honesty is the best policy and you may be able to learn some specific technical skills while at the job

3. False employment dates

After a while, It can be difficult to remember when you started or left an employment.

Employment dates are very important to include on your resume, but if you can’t recall the exact month you started job, you may be better off listing just the year.

4. Salary history

It’s best to leave information about your previous salaries off your resume. Perhaps it is best if you do not include the salary history in your resume. However, some employers may ask for it.

Just like employment dates, this information can be confirmed with a phone call, and imprecision may be taken as sign of falsehood.

5. No need to over impress

If you claim to have worked with a famous name or big name company in your previous position, you should be ready to have that claim verified. You never know whom you may interview with and they may happen to know them.

Interviewer may trust you but will verify the inaccuracies of your resume through (Android) background check.

Reverse Lookup & Trace Any Phone Number – Include Phone Numbers, Addresses & Background check including sex offender

Automated background check service 🙂

 

Leave a Comment

The new CISO role: The softer side

 

English: Risk mitigation action points

English: Risk mitigation action points (Photo credit: Wikipedia)

By Tracy Shumaker

In order for CISOs to stay relevant in their field today, they must add communication and soft skills to their list of capabilities. Traditionally, their role has been to take charge of IT security. Now CISOs oversee cybersecurity and risk management systems. They must manage teams and get leadership approval in order to successfully implement a system that aligns with overall business goals.

Speak in a common business language

The CISO will need to appoint both technical and non-technical individuals to support a risk management system, which requires communication in a language that everyone can relate to. Additionally, senior executives’ approval is required and this will involve presenting proposals in non-technical terms.
Being able to communicate and having the soft skills to manage people is a challenge CISOs face. For CISOs to reach a larger audience, they need to clearly explain technical terms and acronyms that are second nature and translate the cybersecurity risks to the organization into simple business vocabulary.

Get the tools to gain the skills

IT Governance Publishing books are written in a business language that is easy to understand even for the non-technical person. Our books and guides can help you develop the softer skills needed to communicate in order to successfully execute any cybersecurity or risk management system.

Develop your soft skills with these books >>

Discover the best-practice cyber risk management system, ISO 27001

This international standard sets out a best-practice approach to cyber risk management that can be adopted by all organizations. Encompassing people, processes, and technology, ISO 27001’s enterprise-wide approach to cybersecurity is tailored to the outcomes of regular risk assessments so that organizations can mitigate the cyber risks they face in the most cost-effective and efficient way.

Find more information about ISO 27001 here >>


Leave a Comment

Cyber Insurance – an essential part of risk mitigation strategy?

CyberInsurancepng

By Foundstone Services

Advancement of technology is deriving proliferation of threat landscape rapidly which extend attack vectors. With proliferation of automated tools available for cyber criminals; it’s not a matter of “if” but “when” there will be a security breach. There are two types of organizations in this category, those who’ve been hacked, and those who don’t know they have been hacked. The likelihood that your organization is next is not very unlikely. Is your organization prepared for a target of information security breach?

That will depend on if you have an operational Security Program which is functional enough to manage risk of a potential security breach. Now, the million-dollar question may be, is your Security Program resilient enough to sustain the risk and can it afford to absorb losses for future security breach. The security threats are evolving on daily basis and there are unknown threats like zero day threats where you need to add cyber insurance (which provides coverage from losses resulting from data breach or loss of confidential information) as a part of risk management strategy to tackle unnecessary disruptions to your business. As a part of risk management program, organizations regularly determine which risks to avoid, accept, control or transfer. This where transferring risk to cyber insurance take place and it can compensate for some residual risk.

Some may argue that they got liability insurance, which should cover security breach. Those days are behind us when organizations thought liability insurance were enough to cover the security breaches. Sony thought their general liability insurance covered them, but the court confirmed that policy did not have specific clauses to cover the security breach which was estimated $170M. Another highly publicized security breach of Target cost the retailer about $348M but the retailer had only $100M in cyber insurance coverage from multiple underwriters.

To read the remaining article…


Leave a Comment

Encryption keeps you safe from malware

 

Cryptographically secure pseudorandom number g...

Cryptographically secure pseudorandom number generator (Photo credit: Wikipedia)

The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS. Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address. Encryption is important, and not only for Web surfing. If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won’t be able to steal your identity, or takeover your bank account, or perhaps steal your credit card information. To help you select an encryption product that’s right for your situation, we’ve rounded up a collection of current products.

 

Available Encryption Software to protect your information assets:

 

Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface. Read the full review ››

 

Cypherix PC creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, though it lacks secure deletion. Read the full review ››

 

Cypherix SecureIT  handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition.  Read the full review ››

 


Leave a Comment

Implementing an ISMS: where should you start?

ISO27ktoolkit

With the number of ISO 27001 certifications rising fast in the US, organizations will be looking to implement an ISO 27001-compliant information security management system (ISMS) quickly, before any of their competitors.

However, the hardest part of achieving ISO 27001 certification is providing the documentation for the ISMS. Often – particularly in more complex and larger businesses – the documentation can be up to a thousand pages. Needless to say, this task can be lengthy, stressful and complicated.

IT Governance Publishing’s (ITGP) ISO 27001 toolkits offer this documentation in pre-written templates, along with a selection of other tools to:

  • Help save you months of work as all the toolkits contain pre-written templates created by industry experts that meet ISO 27001:2013 compliance requirements.
  • Reduce costs and expenses as you tackle the project alone.
  • Save the hassle of creating and maintaining the documents yourself.
  • Accelerate your management system implementation by having all of the tools and resources you need at your disposal.
  • Ensure nothing is left out of your ISMS documentation.

When an organization’s need help with their ISMS projects, they’re normally at a loss.

The two major challenges they face are creating supporting documentation and performing a risk assessment.

With wide range of fixed-price toolkits, these toolkits can provide you with the official ISO 27000 standards, implementation guidance, documentation templates, and risk assessment software to aid your project.

  • Do you know how to implement an ISMS?
  • What steps should you take?
  • How long will it take?


Leave a Comment

Six steps to reboot your cyber security strategy

Cyber Security Strategy

By Marika Samarati

SecurityStrategy

The High Performance Security Report 2016 published by Accenture Security unearthed a clear disconnection between how companies perceive cyber threats and the reality of the situation. According to the report, 75% of security executives surveyed said they were confident in their cyber security strategies, and 70% reported that their organisations have successfully adopted a culture of cyber security fully supported by their top executives – yet one in three targeted attacks succeeded, resulting in a breach.

It’s time to face reality rethink-cyber-security-strategy

To close the gap between perception and reality, the report invited companies to “reboot their approaches to cybersecurity”. Here is the report’s six-steps to help you rethink your cyber security strategy:

1. Define cyber security success

One reason perceptions don’t match reality comes from the misalignment of cyber security strategies and business imperatives. Identify the best cyber security strategy for your company based on your assets and capabilities, which cyber threats it should secure your company from, and how you can measure its success or its failure in business terms.

2. Pressure-test security capabilities the way adversaries do

Get into the criminals’ shoes: engage ethical hackers to run attack simulations and realistically assess your ability to defend your company from external threats. IT Governance is a CREST member and its suite of penetration tests have been verified as meeting the high standards mandated by CREST. Moreover, all of our penetration testers hold the Certified Ethical Hacker (CEH) qualification.

3. Protect from the inside out

The only difference between internal and external attackers is that the first know where key assets are located. Prioritize securing your key assets from insider threats, which usually have the greatest impact. If you want to know more about insider threat, read the bestselling Insider Threat – A Guide to Understanding, Detecting, and Defending Against the Enemy from Within.

4. Invest to innovate and outmaneuver

The wider and more diversified your strategy is, the easier it is to stay ahead of cyber criminals. Instead of spending money in existing programs, widen your suite of programs by investing in seven key cyber security domains: business alignment, strategic threat context, extended ecosystem, governance and leadership, cyber resilience, cyber response readiness, and investment efficiency.

5. Make security everyone’s job

According to the report, “Fully 98 percent of survey respondents said that for breaches not detected by the security team, the company learned about them most frequently from employees.”. Consequently, a staff that is up to date with the latest cyber threats and cyber security best practices improves your threat detection capabilities and reduces the chances of staff-related security incidents. Implement a staff awareness program based on e-learning courses to empower your staff and make it part of your cyber security strategy.

6. Lead from the top

Cyber security should be discussed in the C-suite on a daily basis, not confined to the IT room. The CISO needs to proactively engage with enterprise leadership and make cyber security a top priority.


Leave a Comment

Cyber security is not enough

CyberresilienceSuite

Cyber security is not enough – you need to become cyber resilient

Cyber Resilience Implementation Suite

It’s no longer sufficient to suppose that you can defend against any potential attack; you must accept that an attack will inevitably succeed. An organisation’s resilience in identifying and responding to security breaches will become a critical survival trait in the future. The Cyber Resilience Implementation Suite has been designed to help organisations create an integrated management system that will help defend against cyber threats and minimise the damage of any successful attack. This suite of products will help you to deploy the cyber security Standard
ISO27001 and the business continuity Standard
ISO22301 to create an integrated cyber resilience management system. The books in this suite will provide you with the knowledge to plan and start your project, identify your organisation’s own requirements and apply these international standards. Management systems can require hundreds of documents and policies. Created by experienced cyber security and business continuity professionals, the toolkits in the Cyber Resilience Implementation Suite provide documentation templates to save you weeks of researching and writing and the supporting guidance to ensure you’re applying the necessary polices for your business. Administration and updating of the documentation is made easy with the toolkits’ integrated dashboard, easy customization of templates and one-click formatting.

Cyber Resilience Implementation Suite

Contents

This suite includes:

Start building cyber resilience into your organisation today.


Leave a Comment

5 Must Read Books to Jumpstart Your Career in Risk Management

FAIR Institute blog by Isaiah McGowan

Read Books to Jumpstart Your Career in Risk Management

What are the must have resources for people new to operational and cyber risk? This list outlines what books I would recommend to new analyst or manager.

They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.

hubbard_failure_of_risk_management_cover.jpg#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)

In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.

fair-book-cover.jpg#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)
In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.

With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.

This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.

Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.

Superforecasting_cover.jpg#3 – Superforecasting: The Art and Science of Prediction (Phillip Tetlock & Dan Gardner)

We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.

If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.

Tetlock_expert_judgement_cover.jpg#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Phillip Tetlock)

Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.

Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.

Thinking_fast_and_slow_cover.jpg#5 – Thinking, Fast and Slow (Daniel Kahneman)

Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.

There it is…

This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?

 


Leave a Comment

Why you should care about ISO 22301?

bcms

Business Continuity is the term now given to mean the strategies and planning by which an organization prepares to respond to catastrophic events such as fires, floods, cyber-attacks, or more common human errors and accidents

Business Continuity Management System (BCMS) puts such a program in the context of an ISO Management Systems, and ISO 22301:2012 sets a certifiable standard for a BCMS. It is the first and most recognized international standard for business continuity.

Several other standards, particularly BS 25999 have had wide international acceptance, however, they are now largely supplanted by ISO 22301.
The obvious benefits to an organization having a robust, mature business continuity program have been outlined in this Newsletter previously (April, 2015). They center on being able to respond to disruptions so an organization stays in business and meets its obligations and commitments to all stakeholders.
However, there are additional ways that an organization can benefit from adhering to a business continuity standard, particularly ISO 22301. These benefits can accrue from obtaining certification to the Standard, and also from formally aligning to the Standard without actual certification.
For more on additional benefits: So, why should you care about 22301?

Steps in ISO 22301 implementation are the following:
1. Obtain management support
2. Identify all applicable requirements
3. Develop top-level Business Continuity Policy and objectives
4. Write documents that support the management system
5. Perform risk assessment and treatment
6. Perform business impact analysis
7. Develop business continuity strategy
8. Write the business continuity plan(s)
9. Implement training and awareness programs
10. Maintain the documentation
11. Perform exercising and testing
12. Perform post-incident reviews
13. Communicate continuously with the interested parties
14. Measure and evaluate the BCMS
15. Perform internal audit
16. Implement all the necessary corrective and preventive actions, and
17. Perform the management review


Leave a Comment

Information Security Expertise Bundle

InfoSecBundle

If you’re just starting a new job in information security, you’ve just finished your university degree, or you’re looking for the next step in your career but not sure which direction to take, try this…

Information Security Expertise Bundle

Designed to help you develop your knowledge and understanding of key information security topics, this collection of best-selling titles will help you learn more about open source intelligence techniques, penetration testing, information security best practices, and how to succeed in the industry.

The bundle includes:

• Information Security – A Practical Guide
• The Tao of Open Source Intelligence
• The Security Consultant’s Handbook
• Penetration Testing: Protecting Networks and Systems

»» Buy now Information Security Expertise Bundle



Leave a Comment

Fundamentals of Information Risk Management Auditing

FIRMA

An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.

For any modern business to thrive, it must assess, control, and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise’s risk management strategy, not in isolation. They must be identified, documented, assessed, and managed, and assigned to risk owners so that they can be mitigated and audited.

Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.

 Book overview

Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:

  • What is risk and why is it important? An introduction to general risk management and information risk.
  • Introduction to general IS and management risks An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity, and availability of information.
  • Introduction to application controls An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
  • Life as an information risk management specialist/auditor A guide for those considering, or undergoing, a career in information risk management.

 

Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.

Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.

The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.

Topics covered

Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defense; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL®, and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301, and ISO 38500; the UK Government’s Cyber Essentials scheme; IT security controls; and application controls.

Download your copy of Fundamentals of Information Risk Management Auditing



Leave a Comment

Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

By Kelly Jackson Higgins

New study reveals that none of the top 10 US university computer science and engineering program degrees requires students take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. The higher-education gap in cybersecurity comes amid the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency for organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World ReportBusiness Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students take a cybersecurity course, CloudPassage’s study found. Among the top 10, there are three universities that don’t offer cybersecurity courses as electives, either.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 in that rankings list), and Colorado State (#49), are the only top comp sci programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked in either the US News & World Report nor Business Insider as a top comp sci program, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to lack of awareness of just what security careers entail. Half of women ages 18- to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.

AFIS BILLBOARD POSTERS. WEB SECURITY. DEFENSE ...

AFIS BILLBOARD POSTERS. WEB SECURITY. DEFENSE BILLBOARD #132 (Photo credit: Wikipedia)

Awareness Gap

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.




Leave a Comment

25 Years of Information Security

Opening theme video from RSA Conference 2016 – #RSA2016

Observations from the 2016 RSA Conference



Leave a Comment