Cybersecurity Business Education: It's Time for Academia to Take the Lead

Kevin R. Powers, J.D., Founder and Director, M.S. in Cybersecurity Policy & Governance Programs, Boston College, Assistant Professor of the Practice, Boston College Law School, and Dr. Caroline McGroary, FCA, Fulbright Scholar, Boston College, Assistant Professor of Accounting, Dublin City University

Each day we are faced with media reports about large-scale cyber-attacks and the devastating impact such attacks have on various stakeholders ranging from governments to individual citizens. Cyber-crime has also seen unprecedented growth as a result of the pandemic. This growth is both in scale and sophistication and has at times been referred to as our next pandemic. It is for this reason that cybersecurity has become one of the most significant risk assessment and management challenges facing senior executives and Boards of Directors for all industries and every type of organization, both large and small, public and private. Despite the widespread understanding of these cyber-threats, whether from cyber-criminals, hacktivists, nation states, or insiders (e.g., negligent or malicious employees), and the need to be better protected, many organizations continue to suffer cybersecurity and data breaches. Consequently, an important role is attributed to education and training in ensuring that organizations and individuals understand the risks they face and their responsibilities when navigating the cybersecurity landscape. To that end, we are at the dawn of an era when education, risk assessment, security and data protection go hand in hand, and become regularized and professionalized. For this reason, cybersecurity must be seen less as the realm of IT and more as the responsibility of everyone in the organization, with academia, in collaboration with governments and private industry, taking the lead in educating and training today’s business professionals.

Today’s cyber-threats not only impact an organization’s business operations, intellectual property, customers’ sensitive personal data, and supply chain, but also threaten its very existence. Indeed, statistics report that more than 80 per cent of U.S. companies have been successfully hacked in the last year. Executive leaders commonly report that, while they understand that cyber-risk is one of the top business risks facing their organization and are encouraged to see it receiving more attention in the Boardroom, they find that, given the complexity of the concept, they lack the expertise and understanding to adequately deal with the issue. In addition, they report having limited time to invest in developing expertise in this new domain of business risks, and thus rely heavily on the IT specialist/Chief Information Security Officer (CISO) to brief them on all issues related to cybersecurity. However, cybersecurity should not be viewed as, or limited to, a computing-based discipline involving technology; rather, cybersecurity is a business risk management issue that needs to be addressed holistically, including people, information, and processes, as well as being an interdisciplinary course of study, with aspects of law, policy, business, human factors, ethics, and risk management. Cybersecurity should not be a siloed specialty within the sole remit of ‘IT’; it needs to draw on the expertise of many different business functions, both internal and external, requiring all members of the organization, from the top down, to be educated and trained in this field. As such, education, training, and an understanding of cybersecurity risks and vulnerabilities, as well as setting the appropriate tone at the top, are a critical first step in creating an organizational culture that is equipped to adequately recognize and address cybersecurity as a business risk.

In order to achieve these objectives, cybersecurity education and training at all levels in the organization is critical. First, at the Board level, especially with looming regulatory requirements mandating as much, there needs to be education and training that creates a shared understanding about the linkages between cybersecurity, business strategy, and compliance risks to allow informed and transformative decision making. In turn, this facilitates investment in cybersecurity that is focused on value creation. This is important as recent trends have shown that, while investment in cybersecurity is increasing, it often tends to be defensive and reactive. Therefore, treating cybersecurity investment as a key part of the organizational strategy will expedite the digital transformation of the business in a way that better protects against cyber-threats while building trust across the enterprise.

Second, through strategic and increased investment, security leaders will be better placed to develop a holistic risk management system which combines people, technology, process, and data to enable efficient integration of operational processes. This holistic approach to cybersecurity is essential, as it focuses on both value protection and value creation. Additionally, it encourages a dialogue between cybersecurity and business leaders to ensure cybersecurity investments are aligned with business outcomes and strategic priorities.

Third, organizations need to build a culture of cybersecurity across the entire enterprise, which requires a formalized approach to education and training. Statistics commonly report that 80-90 per cent of cyber-breaches are caused by human error. Accordingly, organizations, when developing their training programs, should analyze the current cybersecurity education and training that is available and determine whether it is fit for purpose. There have been many reports recently highlighting that general cybersecurity training, for example in the form of online “check the box” training, is not enough to develop the required culture. Instead, organizations need to focus on understanding actions, habits, and behaviours, and then identify the gaps and proactively engage employees with tailored training to address their needs. By having a workforce that is well versed in cybersecurity issues, an organization’s cybersecurity program will better protect its business operations, as well as build trust both internally and externally between the security teams and business units.

In conclusion, it is clear that tailored and substantive cybersecurity education and training is essential to combating today’s cyber-threats and must be implemented across all organizational functions. Not only does it improve communication between the IT functions and business units (e.g., management, C-Suite, and Board), enabling the coordination of cyber strategy with business strategy, it also allows security leaders to approach their role in a holistic manner and to align their work with key business goals. In addition, cybersecurity education and training facilitates the building of knowledge, skills, and resilience across all members in an organization, as well as building trust. Together, this helps instil a culture of cybersecurity, shapes the organization’s growth potential, and builds a competitive edge. Thus, it is time for academia to collaborate with governments and private industry to develop and implement education and training programs, tailored for business and government leaders and executives, so they can effectively address the varying cyber-threats and better protect their organizations.
