Tomorrow’s security professionalsTeaching the next generation of cybersecurity professionals

By Nasir Memon

Published 19 September 2016

In 2003, I founded Cyber Security Awareness Week (CSAW) with a group of students, with the simple goal of attracting more engineering students to our cybersecurity lab at NYU. Today, with as many as 20,000 students from around the globe participating, CSAW is the largest student-run cybersecurity event in the world. The ability quickly to adapt as new threats are perceived is a top priority for security personnel. That’s a key element of all CSAW competitions – the idea that successful cybersecurity is not limited to mastering what’s known. Rather, students and professionals alike must constantly push their abilities to intercept future threats in an ever-evolving field. The competitors in the CSAW-sponsored games and competitions, which take place in educational settings in the United States and around the world, will — not long from now — be the protectors of our most sensitive personal and national data. We need them to be prepared.

Each morning seems to bring new reports of hacks, privacy breaches, threats to national defense or our critical infrastructure and even shutdowns of hospitals. As the attacks become more sophisticated and more frequently perpetrated by nation-states and criminal syndicates, the shortage of defenders only grows more serious: By 2020, the cybersecurity industry will need 1.5 million more workers than will be qualified for jobs.

In 2003, I founded Cyber Security Awareness Week (CSAW) with a group of students, with the simple goal of attracting more engineering students to our cybersecurity lab. We designed competitions allowing students to participate in real-world situations that tested both their knowledge and their ability to improvise and design new solutions for security problems. In the past decade-plus, our effort has enjoyed growing interest from educators, students, companies and governments, and shows a way to closing the coming cybersecurity workforce shortage.

Today, with as many as 20,000 students from around the globe participating, CSAW is the largest student-run cybersecurity event in the world. Recruiters from the U.S. Department of Homeland Security and many large corporations observe and judge each competition. (Registration for this year’s competition is still open for a little while.)

But the pipeline for cybersecurity talent cannot begin in universities. High school students and teachers also participate in CSAW events to teach young people the computer science and mathematics skills that will allow them to succeed at the university level.

Teaching students to be adversarial
The main draw of CSAW is our Capture the Flag event, a contest in which the team members must pool their skills to learn new hacking methods in a series of real-world scenarios. Named after the outdoor game where two teams play to find and steal the enemy’s hidden flag, it includes multiple games that cover a broad range of information security skills, such as cryptography (code-making and breaking), steganography (hiding messages in innocent-looking images or videos), and mobile security.

Teams start by being assigned systems that have security flaws, and are given a certain amount of time to identify and fix them. Then each team is set against an opponent, and must protect its own system while attacking the other team’s. The hidden “flags” are data files stored on the opposing system. In the real world, these would contain critical information – such as credit card numbers or codes for