Welcome to CyBOK with Awais Rashid Podcast

Dave Bittner: [00:00:03] This is CyBOK, the Cybersecurity Body of Knowledge, distilling the knowledge from internationally recognized experts and providing foundational education and training for the cybersecurity sector.

Dave Bittner: [00:00:21] Hello, and welcome to CyBOK. I'm Dave Bittner from the CyberWire. Joining us today is Professor Awais Rashid, director of the EPSRC Centre for Doctoral Training in Trust, Identity, Privacy and Security at Bristol University. He shares his thoughts on the need for a cybersecurity body of knowledge.

Awais Rashid: [00:00:42] This is a project that is funded by the National Cyber Security Programme in the U.K., but it is an international effort. And the fundamental motivation behind the project is that more mature disciplines such as physics, chemistry, computer science, software engineering even have bodies of knowledge which people can refer to, to understand what the next generation of experts should be learning about at all different levels of education, all the way from schools and undergraduate programs through to postgraduate programs and continuing professional development. Cybersecurity as an emerging discipline currently does not have a body of knowledge like that, so the primary motivation was to provide a strong foundational body of work which - to which people can refer as they are designing education and training programs and, very importantly, to ask the question, what should cybersecurity knowledge workers be learning about?

Dave Bittner: [00:01:43] And so what is the process that you all are following here to assemble this body of knowledge?

Awais Rashid: [00:01:49] Though the project is based and is funded by the National Cyber Security Programme in the U.K., this is an international effort. So we started just under two years ago with a scoping exercise where we did a range of consultations within the U.K., which were in-person workshops as well as online calls for input and evidence, some interviews with some key experts and - as well as an online survey to gather input from international colleagues. And all of that was used to define the scope of what currently is known as CyBOK. And from that, what came were 19 knowledge areas, which we could derive from clustering together all the input that we received. And then we subsequently divided them into - again, based on community feedback because we put out that scope document for review, again, by the community.

Awais Rashid: [00:02:38] We divided them up into five broad categories, and those categories were something that we as a project team developed. They are the systems security, infrastructure security, software and platform security, attacks and defenses, and human, organizational and regulatory aspects. But other than that, all of that has come through as an input from the community. Subsequent to that, the way the process works is that the project management team, which is myself, the SPI (ph), and four of my colleagues - as co-investigators, we identify an international expert to author each of the 19 knowledge areas. This is then reviewed by our independent academic advisory board as well as a professional advisory board of industry and government experts. And we then approach that author, who then develops a description of that knowledge area, which is reviewed by a panel of international experts from both academia and industry.

Awais Rashid: [00:03:33] And once that has all been done, then it is sent out for a public review by the whole community, who can all comment on it. And then those comments are then taken on board, and if they're relevant, they're addressed. And then we lead - that leads to version one of each knowledge area. So we are expecting to complete all the knowledge areas within the next six to eight weeks. And that would really lead to the release one of the Cyber Security Body of Knowledge.

Dave Bittner: [00:04:00] And then will this continue to be sort of a living document? Will we expect updates to come along the way and expansion into other areas?

Awais Rashid: [00:04:09] Yes. So it is - a body of knowledge, particularly in a fast-changing discipline as cybersecurity, is unlikely to be ever fully finished. And of course, you know, there are some areas that are more established. So, you know, we know a lot about sort of software security and cryptography, as well as, you know, network security and so on. But then there are other areas, such as hardware security or cyber physical systems security, that are still, you know, developing further and further. So there will naturally be updates. There will be - we - once this phase of the project finishes, we are moving into what's called phase three, where there will be an international steering group that would look after the CyBOK for the next few years and decide, based on input from the community, as to where updates are needed, where, perhaps, we need new knowledge areas, which may - we may have missed in the first scoping exercise.

Dave Bittner: [00:05:01] Now, in terms of outreach, how will you be spreading the word about this? And how do you expect people to engage with it?

Awais Rashid: [00:05:08] So we already have had wonderful engagement from a lot of different stakeholders - academia, industry, government, as well. And there are various ways in which this would be used. We would hope that this would be the basis of a certification program for all the undergraduate and master's-level courses within the U.K., and itself which is a national program. We would also hope that this would be used by other organizations that, for example, have professional certifications to provide a solid basis. One of the pieces of work that we have already done is to look at, what is the focus of different master's and undergraduate programs as well as various professional certification programs?

Awais Rashid: [00:05:49] There is this notion that there is a single cybersecurity expert, so one of the things that I often do when I speak about the project is that my first slide often says, I am a cybersecurity expert, and I ask the audience, what is their response to that? And they go, well, but what kind? The point is that, yes, I am a cybersecurity expert, but my expertise is specifically around cyber physical systems, and software security and human factors. And even within that, there are specific topics that I know a lot more about than other topics. And we have this kind of almost misconception that there is a single cybersecurity expert. And there are professional certifications and academic degrees that will provide you much better understanding of, for example, risk management and law and regulation, those kind of things, while there are others that may teach you a lot more about software security, or system security, networks, and operating systems and those kind of things. And what we have done is, we've actually looked at a number of these programs, and all the programs are not alike.

Awais Rashid: [00:06:51] And at the moment, it's not possible for programs to quite easily portray where their center of gravity lies. And if you are a student, it's not very easy for you to identify, what is the knowledge that you will get from a program, and does it actually meet the needs and the ambitions that you are going to aim for? And what this provides is a common basis for both programs to be very clear as to where their center of gravity lies, but also for students to be able to see as to the knowledge that the program will provide - would it actually meet the knowledge gaps that they feel that they have? The other thing that we have had sort of some quite good interest - particularly from industry in this area - is, to use it as a basis to define the job descriptions for when they are looking to hire new people to be clear as to what is the knowledge they expect their new employees to have, but also use it as a way to actually really distill whether the people that they are getting have the knowledge that they require in the first instance. So the users are quite diverse from design of programs.

Awais Rashid: [00:07:55] So if you are designing a new program and you want to go and see what are authoritative sources, you go to CyBOK. If you want to see what the focus of your program is to portray it to the world, you provide a mapping onto CyBOK. If you are a student, you can then see whether it actually meets your needs. And if you're an employer, you can decide what other knowledge you want to have from your future workers. And you can make that very, very clear.

Dave Bittner: [00:08:20] That's Professor Awais Rashid from Bristol University. To learn more about the CyBOK project and the knowledge area we spoke about today, visit cybok.org.

Dave Bittner: [00:08:32] This podcast is a product of the University of Bristol. CyBOK is funded by the U.K. National Cyber Security Programme and led by the University of Bristol's Professor Awais Rashid, along with Professor Andrew Martin, Professor George Danezis, Professor Emil Lupu, Professor Steve Schneider and Dr. Howard Chivers.

Dave Bittner: [00:08:53] The CyBOK podcast is produced by the CyberWire with coordinating producers Jennifer Eiben, Kelsea Bond and Bristol University's Yvonne Rigby. The executive producer is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.