In an era when cybercrime has become a significant global threat, cybersecurity has evolved from a strictly technological challenge to a vital problem that people from diverse sectors must tackle.
This week’s passing of the controversial Cybersecurity Information Sharing Act is an attempt to create partnerships in the fight against cyber threats but—as many see it—comes at a price to the privacy of our online activities.
To better understand today’s cybersecurity issues and delve into why the problem will take more than a technical solution, we connected with two Harvard Extension School faculty members, Scott Bradner and Benoit Gaucherin. Bradner is a senior technology consultant at Harvard, and Gaucherin is the University deputy chief information officer. Together they teach the two foundational courses for the Extension School’s new Professional Graduate Certificate in Cybersecurity.
Q: What are some of the greatest challenges in cybersecurity today?
Gaucherin: The time we spend interacting with technology has grown exponentially over the past few decades. More and more of our lives are in digital form, and we need to be better equipped and better prepared. Security is everyone’s responsibility because the decisions we make may put ourselves or others at risk.
Bradner: The environment is always changing. Cyber criminals and espionage folks adapt and learn quickly. So what protected you yesterday will not protect you tomorrow.
You have to be right 100 percent of the time, while they only have to succeed a fraction of the time. Once they’re in, they’re in.
When we teach about cybersecurity, we’re focused on building understanding of cybersecurity concepts and techniques rather than developing specific technical skills: how does one continue to protect information assets as technology changes or improves, and how do you apply those concepts and techniques to emerging threats?
Gaucherin: Cybersecurity and cyber threats have become an enormous business. Some countries now describe their cyber-threat sector as an industry sector, to the point that in some places in the world, you can see the cyber-threat activity pick up at 9 am and drop off at 5 pm. It’s turned into a 9 to 5 job.
So it’s not if you come under attack, it’s when. And of course that “when” refers to when you realize it has happened, not when it has actually happened. Often people don’t know when their information is compromised and when they’re under attack.
Q: You teach two required courses – The Cyber World: Hardware, Software, Networks, Security, and Management and The Cyber World: Governance, Threats, Conflict, Privacy, Identity, and Commerce – for Harvard’s cybersecurity certificate. What is the goal of these courses?
Gaucherin: We aim to pull back the curtain so that people understand more about how technology works. So we cover what every good computer user should know.
When you’re online and data leaves your computer and goes to the Internet, how many hands does it go through? How many people get to look at that? How bad can things get if your computer or computers in your organization get compromised? What does the law say about your computer getting compromised, taps on your conversations, and so on?
Q: What professional fields would benefit from a stronger grasp of cybersecurity?
Bradner: We focus on developing what we call a “security mindset,” which is one of looking at a situation and being able to tell if there are security issues. We want people who are going to be policymakers to understand enough about technology that they make sensible rules that can be implemented.
Some people seem to be unable to internalize that cybersecurity is important, particularly those working in the area of critical infrastructure, such as nuclear power stations and home automation. We really need corporate decision-makers to be capable of talking to security people in their organization.
In our foundational courses we take the broader view, exploring how networks work and how to make environments secure. We’re not focusing just on one type of person. People in almost every field will find this a useful review and a helpful way to think about the issues.
Gaucherin: It’s also relevant for people in the legal services space, who are likely to deal with technology-related issues in their practice. More and more, police and law enforcement are called upon to deal with cases where technology is part of the mix, and many of them don’t have this background.
For that matter, anyone in a nontechnical role in a company that has a great deal of dependency on technology as its main products or services, or people who work with or for online businesses, would also benefit, as well as people in marketing or web publishing.
Q: Is an information technology background necessary for these courses?
Gaucherin: Not at all. A lot of what’s in the cybersecurity certificate courses we teach gives people a breadth of understanding of technical and nontechnical issues, not to turn them into experts, but to give them a framework to work with the experts.
Security is not a technical thing. Security is a multi-faceted thing that includes technology, design, law, privacy, and much more. It’s everybody’s business. We like to cover all sorts of issues because cybersecurity requires such an array of skills and calls upon diverse roles.
Many people tend to view cybersecurity as solely the realm of technical wizards. In reality, there is a level of cybersecurity that is not deeply technical. It’s a way of thinking about policy and other nontechnical issues.
Through our foundational courses for the certificate, we aim to demystify cybersecurity. You don’t need to go too deep.
You merely need to have a solid foundation in the concepts, trends, ideas, and history. We want to help our students to get there, to be able to adopt a cybersecurity mindset, so that they can have informed, purposeful conversations with the experts and together tackle the security challenges.