Dr. Mark A. Harris, Integrated Information Technology Department, The University of South Carolina
In the past five years, enterprises have seen some astounding new technologies emerge that have created major security concerns for businesses as well as cyber security professionals. The proliferation of mobile devices and applications, cloud services, virtualization, social media, and the emergence of big data pose both opportunities and challenges for enterprises and their customers. The enterprise IT infrastructure is no longer constrained to a brick and mortar building, it has expanded globally.
The first major way enterprise data has left the building is through mobile devices and applications. Enterprise employees carry personal devices and/or corporate issued mobile devices almost everywhere they go. A recent Mobile Consumer Habits study demonstrated that three out of four people keep their smartphones within five feet of themselves a majority of the time. Though many positives can be drawn from employees having access to enterprise data from mobile devices, the use of mobile devices creates a major security concern for cyber security professionals. The most popular mobile device operating system, Google’s Android, is the biggest target for mobile device malware with 92 percent of all known threats written for the platform. Across all mobile device platforms, there has been over a 600 percent increase in malware from 2012 to 2013. An employee simply checking their enterprise email on an infected mobile device is enough to cause enormous damage. Beyond security concerns for mobile device applications from primary and 3rd party markets, enterprise developed applications also raise concerns. Enterprise developed mobile applications that allow access to enterprise recourses and data need to be carefully developed and managed with security as much of a priority as functionality. Cyber security professionals need to have the necessary skills to protect mobile devices that access corporate networks and data across all platforms and applications.
Another way enterprise data has left the building is in the utilization of cloud services. Cloud services can offer an enterprise many benefits, including cost savings, scalability, elasticity, and improved accessibility. However, enterprise data on the cloud pose additional security risks. Cyber security professionals need to understand the pros and cons of public clouds versus private clouds. They need to understand the potential security threats, such as data breaches, data loss, traffic hijacking, denial of service attacks, cloud server virtualization, among others.
While virtualization is found throughout the enterprise, it can also threaten cloud services. Server virtualization has many benefits, such as hardware consolidation costs savings, energy savings, smaller datacenter footprint and increased uptime. There are several server virtualization implementations, including the hypervisor running directly on base hardware without a host operating system, the hypervisor running within a host operating system, and virtualization taking place within the operating system without the need for a hypervisor. Server virtualization poses several security concerns, including the need to maintain, monitor, and patch each of the virtual machines as independent operating systems, monitoring traffic between VMs, and more. In addition to server virtualization security concerns, cyber security professionals must also be able to address desktop virtualization, network virtualization, and even virtualization on mobile devices.
Next, social media is a major concern for cyber security professionals due to the potential cost to the enterprise’s reputation as well as the proliferation of malware. For example, The Associated Press’ Twitter account was hacked with a false tweet that affected the stock market by billions of dollars. This underscores the trust the general public has in social media. Other recent large scale social media hacking incidents include Reuter’s Twitter account, the New York Post’s Facebook page and Twitter accounts of some of its reporters, the Onion’s Twitter account, Burger King’s Twitter account, and Jeep’s Twitter account. In addition to the enterprise’s social media sites, employees also need to be aware of their own personal social media activities. Hacking social media sites with a large number of followers is still popular because malware links can be sent to all of the followers that are made to look as if it came from the trusted source. Another concern with social media is malware infected social media add-on applications. Cyber security professionals need to be aware of all the different types of social media security concerns and how they could potentially impact the enterprise.
Big data is another major security concern for today’s cyber security professionals. With 2.5 quintillion bytes of data generated daily, it is an enormous task to manage the sheer volume of data that is out there. The data can be structured or unstructured and come in a variety of formats. The data can also come from a variety of sources to be aggregated for analysis. Big data analytics has enormous potential, however, the conclusions drawn are only as good as the security of the data. Cyber security professionals need to have the skills to manage big data sources, storage, conversion and analytics. With 1 in 3 business leaders already not trusting the information they use to make decisions, it is of the utmost importance to secure all aspects of big data to establish that trust. Proper analytics on secure data can yield information that business leaders can trust to make proper business decisions.
Enterprises are currently seeking cyber security professionals that have a comprehension of current cyber security risks, including the concerns associated with these emerging and growing technologies referenced above. However, there is currently a major shortage of cyber security professionals to fill this growing enterprise demand. One report states it will take at least 20 years to fill the gap. Another says schools are just not graduating enough students to fill the gap. Without adequate security, organizations are left with the decision to either forgo the use of new technology or adopt the new technology with added security risks. The latter can be a very risky decision considering a potential data breach can cost millions of dollars per incident.
With the proliferation of new technologies comes the need for a new type of cyber security professional. This new breed of cyber security professional has more to consider than ever before. It has become essential to integrate cyber security into every aspect of enterprise computing. Cyber security professionals not only need to fully understand the new technologies, they need to understand the business strategies behind the technologies and the business implications of failing to secure said technologies. The next generation cyber security professional will have the business skills and knowledge necessary to sit at the table with CEOs and CFOs to explain the need for cyber security resources in a way that business managers will understand. They will also have the skills necessary to secure current and emerging technologies and communicate effectively with other IT professionals. The new age cyber security professional understands how business decisions affect technology and how technology affects business decisions. This integration of business and technology skills is a distinguishing characteristic of the next generation cyber security professional.
To help create the next generation of cyber security professionals and to increase the number of cyber security skilled workers graduating from colleges and universities, IBM created and expanded the IBM Academic Initiative to include cyber security. Educators that become members get no-charge access to hardware, full-version software, professionally developed courseware, tools, training, books, as well as discounts. Resources are divided into ten teaching topic areas, such as security and information assurance, information management, cloud computing, and business analytics. Within each teaching topic, educators can access the resources pertaining to that topic, such as courseware and software. Courseware includes professionally developed resources to help teach classes. Software includes full download versions of software from hundreds of top choices and members can request virtual access for themselves and students to an IBM mainframe or Power System.
The University of South Carolina’s Integrated Information Department is one of the latest members of the IBM Academic Initiative and is currently seeking ABET (Accreditation Board for Engineering and Technology) accreditation. ABET is tied to the Association for Computing Machinery (ACM) and IEEE Computer Society guidelines for information technology, which describe thirteen primary knowledge areas, such as programming, information management, networking, information assurance and security. The guidelines also describe pervasive themes, which are concepts regularly woven into the curriculum in order to become an integral part of it, such as professionalism, problem solving capabilities, and information assurance and security. It should be noted that information assurance and security is the only topic that is a knowledge area and a pervasive theme. The ACM believes the topic is important enough to stand alone as a knowledge area and to be woven into other knowledge areas throughout the curriculum. This is important for any university seeking or maintaining information technology ABET accreditation.
To satisfy ABET, students in the Integrated Information Technology Department get a mix of business courses and information technology courses. To integrate security as a pervasive theme in the curriculum, security is taught not only as a standalone course, but as a part of multiple other courses. For example, network security, mobile device security, cloud services, and virtualization are taught in a series of networking courses. Secure application development is taught in a series of programming courses. Big data is addressed in an information management class. Managerial security topics like security policies, contingency planning, risk analysis, disaster recovery, and law and ethics are taught in the security course, along with encryption, forensics, and social media security. With the recent IBM Academic Initiative membership, the IT Department is now working to integrate IBM technologies into the classroom. There are plans to introduce products like Endpoint Manager into the networking classes for protecting mobile devices, laptops, desktops and servers. There are also plans to introduce AppScan in the programming courses and InfoSphere Gardium in the information management course. It is the department’s belief that hands-on experience with leading security products combined with classroom instruction, will better prepare students to enter the job market and will help foster the next generation of cyber security professionals. If other university members of the IBM Academic Initiative take advantage of the benefits, we will be well on the way of closing the cyber security skills gap.
# # #
Dr. Mark A. Harris is an assistant professor in the Integrated Information Technology program at the University of South Carolina, Columbia, SC. He has a Ph.D. in Information Systems from Virginia Commonwealth University, a MS in E-commerce and a B.S. in Information Technology from Old Dominion University. His research interests include security policy management, awareness training, human factors of security, health IT security, and mobile device security. He has authored multiple papers in well-respected refereed information systems journals and conferences. Before academia, Mark was a senior network engineer for a large university, where he oversaw an expansive computer network.