Security education has always been a passion of mine – I hosted my first security conference nearly 30 years ago and built my first employee security awareness program nearly 20 years ago.
That passion is more focused than ever on passing the baton – on encouraging the next generation to follow the same career path that I’ve enjoyed for the last three decades but perhaps with a little more planning and support.
That’s why I’m so proud of a new school-based security initiative I’m working on called Schooled In Security.
By encouraging students at middle and high schools to perform Security and Privacy Assessments amongst their fellow students, teachers, and parents, we think we might have found a formula to achieve a number of very important security wins:
Security and Privacy Assessments for schools is a program of interview-based exercises to encourage teams of middle and high school students to ask questions and share ideas about cybersecurity and privacy - what it means to them, how it impacts them, what they understand and think about these topics, etc.
- All classes and students are encouraged to participate, so we're not just targeting the obvious 1% of students who have an inclination towards this topic or a tech career. There's no talk of coding or cyber games or capture the flag, so no one's turned off or excluded before we even start.
- Students are given a work program to interview each other, other classes, their teachers, their parents, grandparents, siblings, neighbors, on a variety of security and privacy topics, then generate a report of their findings along with suggestions and recommendations.
- Team reports could include common themes they find, like the most often expressed worries or concerns, generational differences (attitude differences between students, parents, and grandparents), opinions about online privacy, social media, online safety, and any other related topics, and then present their collective recommendations on how security and privacy could be improved.
- Schools would also have the option to turn the exercises into competitions, between classes and between schools and districts - for the best report generated.
- Beyond security, the program also teaches the students about teamwork, leadership, communications, project management, presentation skills, etc.
We're hoping for a number of important outcomes:
- Get students to start thinking about these critical social and cultural issues and how they're impacted by them.
- Get a better understanding (great survey data) of what upcoming generations really think and worry about around security, safety, and privacy.
- Use that curiosity to get students thinking about careers in cybersecurity and privacy.
Here’s why it’s so important to approach this challenge differently - at a national level, we're simply failing to raise these issues directly with students, and at the same time we're not building enough of a national pipeline of qualified security professionals.
So what we're trying to do is something more radical, a program that can attract and involve 99% of students in a school instead of the 1% typically targeted by cybersecurity programs in schools.
We're starting with a small group of schools in the greater Cincinnati area, and already have great support and encouragement from organizations like the Attorney General's Cyber Ohio initiative, the Governor's Ohio Cyber Collaboration Committee (OC3), and the Northeast Ohio Cybersecurity Consortium.