The Talent Shortage Epidemic in Cybersecurity

by Terry Vahey
The shortfall in the cybersecurity workforce remains a critical vulnerability for companies and nations, according to Intel Security. In a report called Hacking The Skills Shortage, 82 percent of IT professionals confirm a shortfall in the cybersecurity workforce.

The FBI has predicted that cybercrime will be a massive crime wave and a national security problem unlike anything the world has ever seen. Today, the IT security skills shortage is occurring right as the volume and sophistication of cyber attacks continue to rise. This battle means that companies might be in danger of losing simply because they lack the manpower to deal with it.

There are several reasons for this problem. One is the changing nature of cyber attacks. The sophistication of the technology and tactics used by online criminals has outstripped the ability of IT and security professionals to address threats. Another phenomenon is the expanding attack surface. More things are connecting to the internet than people. Last year, there were 5 billion cell phones, 2 billion broadband connections and 1 billion people who are on Facebook and Twitter. By 2020, there will be 50 billion devices connected to the network.

The skills gap is so large it can’t be closed in a year or two. Some experts estimate we are already 1 million security professionals short just this year. In the U.S. alone, 209,000 cybersecurity jobs went unfilled in 2015. By 2020, we expect the global cybersecurity talent shortage to reach 2 million. Closing the gap requires a multi-year effort, innovative approaches, and collaborative efforts across industry and academia. Higher education plays a critical role in solving this difficult challenge.

CyberGirlz Silicon Valley
Only 10% of information security professionals are women, and that needs to change. Offered by SJSU’s Jay Pinson STEM Education program, in collaboration with Facebook and local schools and afterschool programs, CyberGirlz Silicon Valley is a project that encourages girls in grades five through eight to participate in cybersecurity and computer programming activities during their afterschool programs. The project culminates with the CyberGirlz Silicon Valley Summit – an exciting event held at SJSU where girls from local schools showcase their cyber skills, engage in panel discussions with STEM professionals from local industry such as Facebook, Anomali, and Cisco, and test their cybersecurity, hacking, and teamwork skills in a Capture the Flag competition.

Virginia Lehmkuhl-Dakhwe PhD is director of the Jay Pinson STEM Education Program in the College of Science and leads the CyberGirlz program.  According to Lehmkuhl-Dakhwe, “We listen to the girls and adapt our methods based on what we’re hearing.  The girls come prepared as contributors, not attendees.”

Collaboration, ongoing funding, and partnership are key to the success of programs like CyberGirlz.  In addition to funding the program, partners like Facebook put skin in the game and provide bus transportation, chaperones and hands-on assistance with applications.  But sustaining a program for the long-term requires that cybersecurity becomes core in the educational curriculum in schools, afterschool programs, and at SJSU.  “We need more advocates and champions and a career path now for people who pioneer innovation in cybersecurity education,” said Lehmkuhl-Dakhwe.

The Silicon Valley Center for Big Data and Cybersecurity
Part of the College of International and Extended Studies, the Silicon Valley Center for Big Data and Cybersecurity was established in 2014 to provide interdisciplinary training to our students in the emerging fields of big data and cybersecurity, and to provide exciting and sustainable career paths into these fields to students with a wide variety of skill sets and interests.  According to Dean Michael Parrish of the College of Science, “SJSU has received a clear message from many of our corporate and government partners that the biggest unmet need in the coming decades will be in the areas of cybersecurity and big data science.”

Currently, a number of certificate and degree programs at SJSU are in various stages of development, most notably in Software Engineering, Computer Science, Computer Engineering, Management Information Systems, and the School of Information.

The global search for a skilled cybersecurity workforce requires unique strategies as organizations face shortages, and encounter stumbling blocks ranging from performance issues to the political climate.  Innovation and collaboration will be key to creating a new generation of cybersecurity professionals.

Powering Silicon Valley Through Technology in Higher Education

by Terry Vahey, Associate Vice President for IT Services, Chief Information Officer

At San José State University, we seek to become and be known as innovation leaders in using technology to enhance teaching and learning in support of student success.  We promote “unbounded learning” through the innovative use of technology in the classroom and across campus. We do this by providing technology services to maximize user collaboration, integration, mobility, and security while protecting and securing university information resources.

Over the past three years, significant upgrades have been made to SJSU’s IT infrastructure to support new collaboration initiatives across the campus.  This has allowed our faculty to test and evaluate innovative pedagogical approaches, from virtual and flipped classrooms to distance learning, asynchronous learning, and hybrid combinations of these strategies.

Collaboration
As Silicon Valley’s number one source of graduates in education, engineering, computer science and business, it is essential for our students to understand how to harness the power of collaboration to be successful in today’s global environment. The earlier we can get students to understand how to work in collaborative, interdisciplinary environments, the more successful they will be when they enter the workplace. Collaboration technologies currently in the classroom and on campus include the following:

  • The TelePresence Experience allows us to expand the learning environment for everyone by conducting live, lifelike meetings beyond the confines of the classroom walls.  With TelePresence, you can provide access to content and experts anywhere, anytime; bring together multicultural students; and integrate course lectures and live content with learning management systems.
  • SJSU WebEx provides flexible instruction with extended reach online.  Interactive features include recorded class sessions, real-time testing and grading, instant feedback, assessment tracking, breakout sessions, and hands-on labs to deliver a variety of dynamic e-learning opportunities.  Students, Faculty and Staff can access WebEx from the MySJSU homepage, and use their SJSUOne ID & password to sign in.
  • Lecture Capture is a webcasting and video sharing solution that enables schools to create video libraries with simple tagging, archiving, commenting, and retrieval of stored video assets.  Faculty can make recorded class events and activities available to students for review after class. This provides a great alternative when students miss class or when they want to review materials prior to tests.
  • Google Drive is a free Web-based application where documents can be created, edited and stored online. Files can be accessed from any computer with an internet connection.
  • Canvas uses Google Docs technology to allow up to 50 collaborators to work together on the same document at the same time. Documents are saved in real-time, meaning a change made by any of its users will be immediately visible to everyone.

Other software tools free to employees and students are located on the IT Services Software Website.

Integration
Effective technology integration supports the achievement of student learning outcomes. It must support four key components of learning: active engagement, participation in groups, frequent interaction and feedback, and connection to real-world experts. Using technology in combination with novel approaches to education enables a more personalized style of learning. A recent article in CIO Review features Julia Curry-Rodriguez, an SJSU associate professor of Mexican American Studies in the College of Social Sciences, who has discovered an innovative use of technology in the classroom.

Mobility
Mobility provides the ability for SJSU campus users to access materials, resources and tools they need anytime, from any place, on any device – creating a dynamic learning environment.

Information Security
Maintaining the safety of information assets is vital to the educational, research and operational mission of SJSU.  The campus Information Security Program helps ensure the confidentiality, integrity and availability of SJSU’s Information through a number of programs designed to:

  1. Build a culture of Information Security.
  2. Promote quality and integrity throughout the University.
  3. Protect information assets and comply with laws, regulations and policies.

For more information, visit the Information Security Website.

These four foundational components provide agility through technology to improve organizational responsiveness through an advanced technology infrastructure.  We continue to provide technologies, services and resources that support an innovative, engaged learning community and enhance student success at SJSU.  We believe that technology enriches the educational process. It transcends geographical and cultural boundaries to provide greater learning and teamwork experiences.

Cybersecurity Safeguards: How to Keep Your Identity and Your Information Safe Online

by Terry Vahey, Associate Vice President for IT Services, Chief Information Officer

While data breaches are a hot topic these days, most articles and statistics focus on “infiltration” – getting into a company’s network.  You may have heard about Target, Home Depot and other breaches in the past year.  There is very little information on how data is taken out – exfiltration. Just under 60% of data breaches are initiated by external actors – primarily hackers and malware authors. 40% of breaches are initiated by internal actors or are attributed to 3rd party suppliers and vendors.  Nearly half of those initiated by employees are reported to be intentional.

Common file formats are used to steal your information or identity: MS Office (Word, Excel, PowerPoint), CSV, and PDF, the formats we use most at San Jose State, are the most common data exfiltration formats. Stolen information and identities could also come from general web surfing to malicious websites, social media, and phishing. About 40% of all data breach incidents involve the use of physical media, with laptops/tablets and USB flash drives being the most prevalent. Apple’s iCloud, a technology that offers the convenience of accessing photos from any device anywhere in the world, can also be used by malicious third parties to expose your most private moments.

How does it happen? There are several ways. Attackers use a mix of legitimate and malicious tools and techniques to extract specific data from the target’s perimeter. “Back doors,” intentional or otherwise, are mechanisms attackers can use to circumvent security controls. File transfer protocol (FTP) is a standard (insecure) network protocol used to transfer files and can be used to exfiltrate data. Attackers open their own browsers and can directly access information. Cybercriminals use these methods to gather and transfer data to which they don’t have legitimate access rights.

What can we do to protect ourselves?  There is no way to completely win the war on cybersecurity.  The bad guys and people with bad intentions are creative and will constantly find new ways to attack.  They generally have more time on their hands to poke at vulnerabilities most people don’t think about.  Sometimes the bad guys have full-time jobs trying to break into other systems.  Vigilance and precautionary steps are key to keeping you, your identity, and your information safe online:

  • Set strong passwords that use numbers, letters, and mixed case, are more than 8 characters long, and don’t contain words found in a dictionary, and don’t share them with anyone. http://its.sjsu.edu/docs/security/SJSU_%20Password_Standard.pdf
  • Don’t use the same password for all web sites. Make your bank password different from your work password, your email password different from your credit cards.  Be creative!
  • Use a password safe to keep your passwords secure so you don’t have to write them down. Here is a review of some of the best password managers: http://www.pcmag.com/article2/0,2817,2407168,00.asp
  • Keep your operating system, browser, and other critical software optimized by installing updates regularly. You can set this in the settings so it happens automatically for you…but you still have the ability to confirm when it starts so it doesn’t disrupt what you’re doing.
  • Install anti-virus software: https://anivirus.sjsu.edu  Along with computers, smart phones, gaming systems, and other web‐enabled devices also need protection from viruses and malware.
  • Maintain an open dialogue with your family, friends, and community about internet safety.
  • Protect your valuable work, music, photos, and other digital information by making an electronic copy and storing it safely.
  • Limit the amount of personal information you share online, and use privacy settings to avoid sharing information.
  • When banking and shopping, check to be sure the site has security enabled. Look for the lock icon in your address bar. Look for web addresses that begin with “https://”, which means the site takes extra measures to help secure your information. “Http://” is not secure!
  • Be cautious about what you receive or read online—if it sounds too good to be true, then it probably is. If you are not expecting an attachment or a link from someone, don’t open it, don’t click on it!  Links in email, tweets, posts, and online advertising are often the way cybercriminals compromise your computer. If it looks suspicious, even if you know the source, it’s best to delete or if appropriate, mark as junk email.
  • Report stolen finances or identities and other cybercrime to Internet Crime Complaint Center and/or the Federal Trade Commission.
  • Take a few minutes to take the phishing training and awareness quiz: https://phishingquiz.mcafee.com/
  • Visit http://cyberaware.securingthehuman.org/ to access dozens of tools, videos and articles all related to security awareness and National Cyber Security Awareness Month. Five of the most popular resources include:
  1. Securing Your Kids Handout –
    https://cyberaware.securingthehuman.org/securing-your-kids/
  2. Top 3 Takeaways from 2015 Security Awareness Report –
    https://cyberaware.securingthehuman.org/2015-security-awareness-report-takeaways/
  3. Phishing Planning Kit –
    https://cyberaware.securingthehuman.org/phishing-planning-kit/
  4. How to Use Mobile Apps Securely –
    https://cyberaware.securingthehuman.org/use-mobile-apps-securely/
  5. How to Use Social Media Securely –
    https://cyberaware.securingthehuman.org/use-social-media-securely/