Educating the cybersecurity professionals the world needs
Historians sometimes point to 1834 – when two brothers, François and Joseph Blanc, hacked into the then-new French Telegraph System to steal financial information – as the date of the world’s first cyberattack. Since then, technologies have grown exponentially more sophisticated, and so have the hackers seeking to exploit them for their own gain. And with digital platforms now integral to everything from banking to healthcare, cybersecurity is a major everyday concern.
As a result, the World Economic Forum asserts that as of 2024, some four million skilled professionals are urgently required to keep up with the ever-evolving threat landscape, with that number only expected to grow. NYU Tandon was among the first schools in the world to champion the idea of cybersecurity as a field for academic study, and for a quarter-century, the cyber-experts the Digital Age demands have been training here for their vital roles.
Home to a cyber-pioneer
When computer scientist Nasir Memon arrived at NYU in 1998, he was tasked with teaching a graduate-level course called Information Security and Privacy, thanks to his knowledge of cryptography.
It was an unusual academic offering at that time: Internet threats were still being thought of as the purview of bored teens coding viruses for fun, rather than for any truly nefarious purpose, and cybercrime was not yet considered a major problem. So while students in an operating systems or networking course might hear rudimentary mention of security issues, there was little attempt to systematically cover the topic.
Understanding the need to engage students in hands-on activities that demonstrate methods for building strong systems, Memon — who has since held a variety of posts at Tandon, including chair of the Department of Computer Science and Engineering; vice dean of academic and student affairs; associate dean for online learning; and interim dean of computer science, data science and engineering at NYU Shanghai — began creating innovative new labs, and he soon hit upon the idea of using virtualization — the process of creating computer-generated versions of hardware, operating systems, and storage devices — since many of the exercises could not be conducted on the campus network and had to be isolated. This was well before the cloud or virtual technologies became ubiquitous.
The true genesis of Tandon’s Cyber Security program can be traced to 1999. That year Memon won an NSF Course, Curriculum, and Laboratory Improvement (CCLI) grant and used it to launch the Offensive Security, Incident Response, and Internet Security (OSIRIS) Lab, a student-run group that has proven to be a training ground for generations of cyber professionals, and to develop a sequence of undergraduate courses in computer and network security.
Aspirations
In 2000, as part of President Bill Clinton’s National Plan for Information Systems Protection, the CyberCorps® Scholarship for Service (SFS) Program was created, and soon after that, Tandon became a host school. Dubbing the initiative ASPIRE (A Scholarship for Service Partnership for Interdisciplinary Research and Education), Memon and his colleagues focused on creating vibrant cybersecurity offerings guided by the core belief that securing a system requires a marriage of good science and engineering, and that engineering concepts are best taught in the classroom and then reinforced with hands-on experiences in the laboratory.
ASPIRE scholars got a variety of benefits, including tuition, a stipend, an allowance to attend professional development events and classes, mentoring, and career planning support; in return, they agreed to work after graduation for the federa, state, or local government in a position related to cybersecurity for a period equal to the length of their scholarship.
Since then, dozens of ASPIRE scholars have gone on to forge careers at such organizations as the National Security Agency, Nuclear Regulatory Commission, Sandia National Labs, and a host of others.
CSAW — Let the games begin
In 2003 Memon launched Cyber Security Awareness Week (CSAW), a competition that drew a few hundred local students who pitted their skills against one another in an embedded systems challenge, a capture-the-flag exercise, a team security quiz, and a handful of other security-related events. Within a few years, CSAW was attracting thousands of students from around the globe, gaining the attention of major sponsors, and developing into one of the school’s most eagerly anticipated annual events.
Now known as CSAW: Cybersecurity Games and Conference and held under the auspices of the NYU Center for Cybersecurity (CCS), it has since expanded to competitions hosted by five global academic centers, including NYU Shanghai and NYU Abu Dhabi, and the games have evolved to encompass new topics like additive manufacturing, machine learning, and cloud-based AI — all of which are changing the cyber threat landscape.
CSAW is now considered to be the most comprehensive student-run cybersecurity event in the world, and many of its competitors have gone on to become leaders in the field.
Getting more women involved
One day, while surveying the crowd at CSAW, Memon had a troubling epiphany: there were almost no young women among the competitors. That mirrored the equally troubling lack of gender diversity in cyber security jobs: at the time, only about one in 10 cyber jobs was held by a woman. That underrepresentation was due to many challenges, including girls’ limited experience with computers, negative stereotypes about girls in computing, and limited access to female role models in the field.
Determined to help change the situation, Memon and his colleagues launched outreach programs for high school students and teachers aimed at introducing them to computer science, in general, and to cyber security in particular. Thanks to funding from the NSF, NSA, and Sloan Foundation, they had great success with an early initiative: a summer camp called Computer Science for Cyber Security (CS4CS) that offers an introduction to a spectrum of topics such as “white-hat” hacking, cryptography, steganography, digital forensics, privacy, and data usage.
They also launched an after-school camp for girls in Brooklyn high schools, teacher training programs that allowed them to reach exponentially more students, and an annual Women Leaders in Cybersecurity Conference, which takes an interdisciplinary approach to exploring the many cybersecurity challenges posed by today’s emerging technologies and which draws hundreds of attendees each year.
By 2017, journalists were reporting that the School of Engineering was close to reaching total gender parity in its overall student body, and, according to recent reports, the number of women employed in cybersecurity jobs has leapt from one in 10 to one in four.
“This issue was on our radar well before it came to the attention of the rest of the country,” Memon says. “And as the steps we took to mitigate the situation prove effective, it’s something I’m very proud of.”
NYU Center for Cybersecurity (CCS)
An interdisciplinary center cements NYU’s position as a hub of cyber-education
Although engineers and computer scientists play major roles in creating secure cybersystems, psychologists, law-enforcement personnel, economists, policy makers, and others also have vital parts to play.
Acknowledging the multidisciplinary teamwork involved, in 2009 Memon and Professor Ramesh Karri spearheaded the creation of the NYU Center for Cybersecurity (CCS), a collaboration between Tandon; NYU School of Law; Steinhardt School of Culture, Education, and Human Development; and other NYU schools and departments.
The Center is now 50+ members strong, all identifying and developing solutions for a wide range of cybersecurity challenges, including ways to protect personal data, deter disinformation and deepfakes, strengthen manufacturing and hardware security, protect cyber-physical and communication infrastructures, bolster software security, fortify supply chains, and enhance the trustworthiness of Internet-of-Things systems.
“Cyberspace has no geographic boundaries and it hosts a mix of ideologies and beliefs,” Memon has explained. “The laws and institutions on which we traditionally count don’t exist there, so mechanical solutions alone are not going to suffice.”
Master’s degree in cybersecurity
In 2009 Tandon became one of the first schools ever to offer a specific master’s degree in cybersecurity, and its doctoral programs in computer science and electrical engineering each includes a strong focus on secure systems.
Additionally, since 2017 CCS has offered a unique one-year master’s program in Cybersecurity Risk and Strategy, which is built around interdisciplinary training and perspectives and which falls under the joint aegis of Tandon and the School of Law.
The highly selective program was conceived in the face of a trend that shows no sign of abating: the lines between technology companies and other enterprises are rapidly diminishing, with sectors from healthcare to automotive to entertainment making increased use of digital data and high-tech solutions like cloud computing.
This has resulted in a great need for businesspeople with a deep understanding of cybersecurity risk and strategy. Because cybersecurity — both prevention and response — requires coordination between public- and private-sector organizations and expertise in technology, law, and policy, that’s an admittedly tall order.
The highly selective master’s program was launched to help meet that need. Students admitted to the program touch upon such areas as AI, National Security, Critical Infrastructure, Information Privacy Law, Cybercrime, Network Security, and Cybersecurity Regulation taught by professors from both schools. The end goal: to graduate cyber professionals with technical knowledge, a grounding in law and policy, and the ability to determine how best to balance organizational security and individual freedom.
Upskilling and reskilling
Recognizing that cybersecurity can no longer be pigeonholed as an IT function or specialist role, the school recently began offering an intensive, online chief information security officer program that guides aspiring CISOs in communicating the need for security to others in their organization, using effective assessment methods and tools, and leveraging threat intelligence, among other vital tasks.
Additionally, students can opt to earn cybersecurity skills badges and certificates for completing online learning opportunities in such areas as Cross-site Scripting (XSS), SQL Injections, Cloud Security, Third-Party Risk, and Operational Technology Security.
Bridging the cybersecurity workforce gap
In 2017, when a pilot initiative dubbed the Bridge Program designed to attract people without traditional STEM backgrounds launched, it drew a wide variety of participants: a Princeton psychology major who always loved computers but was sidelined by dreams of Olympic pole vaulting; an economics and anthropology student who saw the chance to create online education opportunities in underdeveloped nations; and a music technologist who understood that deep computer science knowledge would open a wide variety of career options.
For various reasons, none of them had earned a bachelor’s degree in computer science. Some were introduced to the field late in their undergraduate careers; others mistakenly believed that computer science was only for geeky loners who did not enjoy working with other people. A few female participants, warned of a field then rife with gender bias, were dissuaded from even trying.
NYU Tandon was presenting exciting new possibilities: Bridge was developed to build foundational skills in those with little to no technical background, in order to prepare them for applying to select STEM graduate programs, including cybersecurity. The online program covers topics that include discrete math, data structures and algorithms, and principles of operating systems, and students who successfully complete the rigorous 21- or 28-week asynchronous coursework are as prepared as those who spent years and thousands of dollars studying those topics as undergraduates.
Support the Creating Bridges Campaign
In 2018, with then-mayor Bill de Blasio calling for the creation of 10,000 cybersecurity jobs within the next decade, Tandon launched Cyber Fellows, an affordable online master’s program designed in collaboration with New York City Cyber Command and industry partners like Morgan Stanley and IBM Security. One of the critical elements of success for the Cyber Fellows program is maintaining an active, ongoing connection with an impressive group of advisors who hail from major companies and agencies in New York City and beyond who are encountering threats every day. Their input ensures that the Cyber Fellows curriculum fully prepares graduates to meet the real-world challenges facing industry and government leaders. Fully online and with a 75% tuition subsidy, the program is popular with graduates of the Tandon Bridge program and others seeking a foothold in an in-demand field.
NSA recognition
In the 2000s, the National Security Agency (NSA) began designating noteworthy schools as Centers of Excellence. Schools could be recognized for Information Assurance Education, Information Assurance Research, or Cyber Operations (for those with a deeply technical, interdisciplinary, higher education program firmly grounded in the computer science, computer engineering, and/or electrical engineering disciplines, with extensive opportunities for hands-on applications via labs and exercises).
In 2014, NYU Tandon became one of just a handful of schools in the country to have earned all three of those designations.
Evolving education faster than threats
Memon, describing why Tandon has long taken such a multidisciplinary, multipronged approach to cybersecurity education, sums up: “You need credentials that can be obtained quickly and get you up to speed to becoming a useful member in the cybersecurity workforce. You need people who are operational, who understand the basic tools and techniques. But you also want people who understand the processes and are able to audit and then check for compliance and implement processes and people who understand the technology very deeply, who know what’s going on under the hood. That’s what it takes to create tomorrow’s protection mechanisms when technology and the threat landscape change so rapidly.”