What can students expect from studying cyber security today? How do you make it interesting and relevant? And what are the biggest challenges lecturers face?
As cyber threats increase worldwide, training new cyber security professionals becomes ever more important. Estonia’s Tallin University of Technology (TalTech) and Belgium’s Howest University of Applied Sciences offer some of the longest-running cyber security courses, since 2009 and 2010 respectively. Both are known for their strong focus on applied research and incorporating practical, hands-on experience into their teaching.
Here, we take a peek inside these two eminent cyber security academic programmes. Kurt Callewaert (Howest) and Rain Ottis (TalTech) share their experiences, challenges and lessons learned.
How do you make studying cyber security interesting and relevant for students?
Rain: Most of our master’s students will go into industry or government. So we need to teach them about how things work in real life, and how to apply cyber security in real life. Many of our courses have a practical aspect.
“We include a lot of industry experts in our lectures, to make sure we don’t just talk about theory. And we tell students all the ways cyber security normally goes wrong, and what to do when it goes wrong.”
Most of the people teaching practical aspects of cyber security have first-hand experience of actually doing it, which is useful for the students. The instructor for our monitoring systems course, for example, runs the university’s SOC monitoring systems.
Our multi-disciplinary research group can give various perspectives to our students. Because cyber security isn’t just about information technology. You also need to know a bit about law, how humans behave, and the organisational side of security.
TalTech’s cyber security research group and the master’s programme have grown up together over the last 15 years or so, supporting each other. Everything we learn during research gets fed into the teaching.
Kurt: We have a similar approach. We transfer the deliverables of our research projects into our study programme as soon as possible. That’s how we make sure the curriculum and all modules stay up to date. So getting funding for research projects is very important to us.
We give students a lot of practical exercises, rather than leading with theory. Students also spend the last six months of their studies on an internship with a cyber security or software company.
What kinds of real-life experience can students get from your courses?
Kurt: We have a contract project with the Ministry of Internal Affairs. Belgian municipalities and cities have older IT infrastructure and software platforms. And our third-year students try to hack them using just their laptops and network or internet access. Then the students write reports, which the local governments use to improve their cyber security.
So far, our students have ethically hacked more than 120 municipalities and cities across Flanders [the Dutch-speaking part of Belgium]. It’s working very well, and we get excellent feedback.
It’s a unique project, because many people are afraid of letting students hack real IT infrastructure. But it means students learn the job. They can put into practice all the things they’ve studied, and they do it without any outside help.
Rain: I teach a course on cyber incident handling. As part of this, students do tabletop exercises on how to respond to various cyber incidents, based on real life examples.
We see how students react in situations where they have the fog of war [uncertainty about what’s happening because you have incomplete information]. And they’re under time pressure to come up with an answer, whether it’s in their incident response plan or not.
Nothing bad will happen if students fail in these exercises. But they will understand what’s involved in incident response. And that helps them decide if they would like to work in that role or not.
“During cyber incident tabletop exercises, we see some scenarios getting out of control. Panic isn’t the correct word, but we allow students to experience mass confusion. So they don’t just read a bullet point on a slide saying, ‘You will have information overload’. They get to actually experience it in a safe environment.”
Demand for cyber security professionals is greater than supply right now. How can we reduce this gap?
Rain: There’s absolutely a need for programmes to teach dedicated cyber security professionals, like mine and Kurt’s. However, what we also need is cyber security integrated into all other IT programmes. Because security should be baked in everywhere in the IT sector, not just a niche responsibility.
So when you learn programming, you discuss the security aspects. When you learn networking, you discuss the security aspects. Whatever IT topic you’re learning about, security should always be part of it.
Kurt: I agree. Security and privacy by design is the solution. But we are still far away from this situation.
Five years ago we started offering post-graduate distance learning and weekend courses, for people working in IT who didn’t have cyber security modules during their first degree. So this is another solution to upgrade IT professionals’ skills and fill that knowledge gap.
What are the biggest challenges you face as lecturers?
Explaining the importance of non-technical knowledge and skills
Kurt: Our cyber security bachelor’s programme has three pillars: offensive cybersecurity, defensive security, and then governance, law and policies. Teaching this third pillar is a challenge, because students just want to do the technical topics. They don’t realise they also need to understand the conceptual side, and how to organise cyber security in a company. But if you can teach them the right way and explain why they need it, they will listen.
“Students have to learn about risk management, the legal side, all kinds of policies and procedures. They don’t expect it and they don’t like it. But once they start working, after graduating, they say, ‘Ok, now we understand why those boring classes were necessary to give us a full 360° view of cyber security’.”
Rain: Yes, this is the number one roadblock we get when students start – they assume cyber security is just an IT thing. But to work in cyber security, there are many things outside of pure technology you have to at least understand, if not master.
Even though you want to work in a specific technical niche, you will still have to interact with other departments, other organisations, maybe the law enforcement authorities.
Building human interoperability in the cyber security community is a foundation of our programme. So that in future when our graduates are working, they can have a meaningful conversation with any other cyber security specialist regardless of which aspect of cybersecurity they focus on.
Keeping students motivated through heavy workloads
Kurt: We only have three years to teach bachelor’s students all the fundamentals of IT and cyber security – in fact, two and a half years, because they do a six-month internship.
So students have a very heavy workload. They have to work hard each day from 8am to 5pm. And it’s a real challenge to keep them motivated throughout the weeks and years.
At least they can relax in the evenings, because our programmes are practical, not theoretical. We don’t give them lots of maths or reading to do.
Making study feasible around a full-time job
Rain: In Estonia, most IT students get hired during the first year of their bachelor’s degree. This is quite different from most western European countries I’ve spoken to.
This means a significant additional challenge we face is that almost all of my master’s students work full-time while studying full-time. Obviously, this puts an enormous burden on them individually. And also on me as the programme manager, because I need to make sure the schedule is doable for a working student.
Because if I sabotage the working student, I might not have many applicants in the first place.
What are your biggest lessons learned?
Kurt: Normally in education, we first teach theory and then move on to practice. But if you turn that around, and start with practical use cases before giving theoretical background, students are much more engaged.
“Give students a challenge each lesson, give them practical examples to work through. They will want to work for eight hours a day, no problem. I started my studies in mathematics, and maths is very boring! But if we teach students cryptography, then they like maths.”
Rain: Firstly, don’t assume you’re the most experienced and most knowledgeable person in the room, especially in a master’s programme. Every year I get students who already have good cyber experience. Getting them to share what they know is always useful, both for the other students and for me as an instructor.
My second lesson learned is from the COVID experience. The tabletop exercises I mentioned earlier used to take place with students all together in one big room. But we couldn’t do this during the COVID lockdowns. And I was very worried the exercise wouldn’t work in a remote learning setting.
However, it turns out the exercise is actually more realistic when conducted online. Because in a real major cyber incident, you probably won’t be able to get everybody in the same room.
So even though we are now back to normal classroom teaching, I’ve chosen to keep the tabletop exercises as an online experience, because of the teaching benefits.
To wrap up, what’s the strangest thing that’s happened during your teaching career?
Rain: The strangest experience has been the COVID years. They forced us to rethink a lot of things, and to experiment at an accelerated pace. It’s been a difficult experience but also very beneficial in terms of evolving how we do certain things, as teachers or as a university.”
Kurt: Ten years ago, I couldn’t get companies to take our students as cyber security interns. They thought it was too risky.
Nowadays, when I go to the same job fair, companies try to ply me with champagne because they’re so keen to take our students as interns! That’s a strange situation to be in. But it’s fantastic that the mindset has totally changed.
About the interviewees
Kurt Callewaert is Valorisation Manager Digital Transformation at Howest University of Applied Sciences, Belgium. He was previously Howest’s Head of Research Applied Computer Science for 17 years. Kurt heads a team of 85 researchers working on topics including industrial cyber security, artificial intelligence, blockchain, game technology and more.
Rain Ottis is a professor at Tallin University of Technology, Estonia, where he leads both the cyber security research group and cyber security master’s programme. TalTech has a strong focus on practical, hands-on research and collaboration within the cyber security industry. A trained signal officer, Rain was previously a senior cyber security analyst at NATO CCDCOE.
Also this year GÉANT joins the European Cyber Security Month, with the campaign 'A Community of Cyber Heroes'. Read articles from cyber security experts within our community and download resources from our awareness package on dev.connect.geant.org/csm2022