A Call for Cybersecurity EducationSchools Must Put New Focus on Training Youngsters
Computer hacking has always been somewhat of a hobby for the independent-minded high school and college kids, and the self-learning that goes with it can be a positive thing, provided they do not use with ill intentions. However, as technology becomes increasingly available to kids at a much earlier age, it is time to ask some basic questions. Where do kids learn about the dangers of the Web? Where do they learn to be responsible digital citizens and to practice ethical use of the Internet? In addition, how is that knowledge being vetted or tested?
A middle school student in virtually any country today has the expectation to have at least a baseline understanding of certain critical subjects, namely math, language, science. The student is probably tested regularly on this understanding, always with an emphasis on the key lessons that every student is expected to know. Proficiency in these subjects is not only essential, but is also required for any advancement toward higher learning. These are the basic "building blocks" of human education.
Security education should not just be an elective, but a requirement for any student.
But in a world where there are more smartphones and computers than there are people, shouldn't IT - and particularly IT security - be considered to be one of these basic building blocks? A basic knowledge of IT is not just a nice-to-have or an industry-specific technical skill, but an understanding of computers and communications is essential to real-world survival, and it is important that schools undertake teaching of such skills.
At a very young age, children gain introduction to computers, but seldom have we taught them the consequences of misusing a computer, or even the dangers of giving out personal information online. The most common method of learning about "hacking" is from friends or acquaintances who may or may not have a working knowledge of computer security - or the responsibilities that come with it. This is like buying children a car without teaching them the rules of the road or the potential effects of a wrong turn.
As a community, we should be taking this message to our schools and playgrounds: Cybersecurity is an essential element of modern education. Every day, people who use computers and smartphones face important decisions on what data to share or how to handle a message received from a stranger. All Internet users should be able to make the right decisions to protect themselves and their data. This is not an elective - it is a survival skill.
Just as importantly, today's economy is dependent on a growing group of security professionals who need a working knowledge not only of threats and exploits, but also of rights and privileges. An estimate is that there will be 4.2 million security professionals working by the year 2015, and even this number will not meet the requirement for skilled workers, of which there is already a well-documented global shortage. I want to understand whether all of these workers will go through training via the "wild west" of the Internet. Or, on the other hand, will we step forward and say that all humans need to learn such skills at a young age, and that these skills should be taught and maintained in our schools?
With the help of our members, (ISC)Â² runs a number of programs dedicated to giving young students the background they need in order to function properly and safely on the Web. We are recommending the implementation of basic security awareness programs in schools, as well as early adoption of a basic code of ethics for online behavior. Parents may even want to sign an Internet contract with their kids so everyone knows what is expected and to reinforce what they have learned at school. We are backing these initiatives with cybersecurity competitions, scholarships, career events and other awareness campaigns. All of these efforts aim at helping students understand that security knowledge is to update and verify constantly, rather than be learned once and forgotten. Just as doctors and medical students must keep up on the latest diseases and medicines to practice responsibly, security professionals who are not proficient in current, threats and defenses may be doing more harm than good.
Security education should not just be an elective, but a requirement for any student - elementary school, middle school, high school or college - who plans to turn on a computer or mobile device. Such learning should begin as early as possible in the student's education - at least as early as their introduction to computers. Without such education programs, we are giving students a Ferrari with no driver's education.
Hord Tipton is the executive director for (ISC)2, the largest not-for-profit membership body of certified information security professionals worldwide, with more than 80,000 members in more than 135 countries.