Future of Cybersecurity Education in Europe
Recently I was listening to a recording of Sir Ken Robinson, a professor, advisor, author, and speaker on education theory. He is famous for the talk “Do Schools Kill Creativity?” and for his critique of the education system’s singular focus on preparing and processing students as if they were prefabricated factory products, with the objective of providing a steady output of predictable, compliant labor units. The degree, in his opinion, serves the same purpose as a certification of a satisfactorily conforming product. Students are immersed in an anti-creative environment which pressures them to be compliant and to compete.
This is likely to resonate with many students who remember how they were asked to memorize answers, without a chance to engage with the context, go beyond it, or even challenge the current state of knowledge.
In Europe there is now a lot of attention given to the future of the professional workforce, and one such case is the cybersecurity workforce. Memorizing does not help in cybersecurity education, no matter how many certificates you have obtained for courses that are based on the “traditional” question-answer paradigm. Problem solving, where the cybersecurity professional must search for information on the internet or elsewhere, is closer to reality. This is similar to applying theories or patterns in math problem solving, except that you do not need to memorize anything. However, time constraints are important here, so the critical ability for the future cybersecurity professional should be linked to rapidly recognizing relevant information and rapidly processing it. Then we have experimentation. In classical education it could take place in the science lab (e.g. physics, chemistry, biology), but in cybersecurity we have hands-on exercises, cyber-ranges, capture the flag or hackathon events.
What about creativity? What about recognizing the innovative solution that accidentally springs up while trying to solve a problem through internet search, or during experimentation?
The inward focus of traditional problem solving creates boundaries or “in the box” thinking. The problem is even bigger with “PowerPoint”-based education, which might be good for lawyers (no offense to lawyers) or policy makers, but not for cybersecurity practitioners. Since there isn’t a “one-size-fits-all” solution to cybersecurity, related education and certifications should always consider creative and divergent thinking.
Related, though different, is the problem of the cybersecurity team, or the workforce in general.
To maintain a cybersecurity workforce at a high level, we need to create a common framework where academia, industry, law enforcement and the public sector all fit, and which they can all refer to and understand. The National Institute of Standards and Technology (NIST), for example, published the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework, in which it defines 7 categories, 33 specialty areas and 52 work roles, and then maps these to 1,007 tasks, 374 skills, 630 knowledge areas and 176 abilities. It looks to me like “in the box” thinking, but I guess there is a need to start somehow, and Europe might need to adapt this framework to its own context.
The professional workforce must consider not only the EU member state context, but also organizational and scenario-specific situations. A cybersecurity expert in the police will likely have a different profile from a cybersecurity specialist or practitioner in a hospital. Personality traits should fit the organizational cybersecurity context, although this is still a sensitive issue, often neglected or avoided. Cyber threats, for example, might be ambiguous, which results in different categorization, labeling or structuring, depending on the cognitive or cultural bias of an individual. A well-balanced cybersecurity team must take this into account and should take care to level out individual differences in these bias-driven situations.
A Europe-wide cybersecurity workforce development plan must confront, sooner or later, this diversity and complexity, as well as the cultural or technological legacy in some EU member states. The same applies to the future European Cybersecurity Competence Centre, Network and Community. This framework should acknowledge regional differences, organizational or sector-specific fitness, and social capabilities. Assessing individual or team performance in a constantly changing cybersecurity landscape is very difficult, but this is where CONCORDIA and other EU-funded projects have an opportunity to contribute. We should also not forget workforce diversity and how an inclusive culture can positively influence the cybersecurity team and workforce. Studies have found, for example, that gender-diverse cybersecurity teams make better business decisions 73 percent of the time[1].
In summary, we should move away from “repeat what you see” education and cybersecurity courses, towards auto-didactic schemes (e.g. cyber-ranges or hands-on activities where you need to search Google for the solution) and then even further, towards creative problem solving for cybersecurity (e.g. finding multiple ways to solve a single problem).
An appetite for education and curiosity are essential to remain up to date, regardless of whether the student is a leader, team player, good communicator, or technical guru. Strong situational awareness and analytical abilities, handling complexity, positive attitudes, and stability are obvious abilities for a cybersecurity practitioner, but understanding human behavior is increasingly important as well.
To finish, we go back once again to Sir Ken Robinson, who said: “As artificial intelligence begins to accelerate, we should focus on those things which are distinctively human, such as the powers of creativity, of curiosity, of compassion, and of collaboration.”
[1] https://www.microsoft.com/security/blog/2020/08/31/microsoft-security-cultivate-diverse-cybersecurity-team/
Today there is an event focused on effective #cybersecurity #training by CYBERWISER.eu