Photo by James F Clay. From Flickr. Licensed under Creative Commons.
(Disclaimer: although I do not work for government, I will use the term cyber security when I speak about general computer security, network security, information security, or application security topics. Cyber security is as good a term as any, and since most people at least have some form of gut reaction to the term, I'll use it. When I talk about specific sub-disciplines in the field, I will use more focused verbiage.)
Lately, I have been thinking quite a bit about teaching cyber security to college students (graduate and undergraduate) as well as to people who are active in the cyber security field and who are looking for professional development and/or training.

The discussion more-or-less started last year, at SOURCE Boston 2011, where a panel discussed questions like:
- Is there a role for higher education in information security research?
- Is information security mature enough to be teachable?
- What skill set should information security faculty possess?
One of the topics that came up over and over is that people do not see much need for textbook knowledge, but do place a lot of value on hands-on skill development.
Although I spent a lot of time in school, and I have been exposed to countless hours of classroom-style teaching, the courses that stand out the most are the ones in which I was made to work hard, address realistic problems, and put relevant skills to the test. Now that I am on the other side, I have to admit that I find myself teaching lecture-style all too often.
Although I do not enjoy lecture-style learning all that much, all too often, I end up teaching that way. Sometimes that is because the topic doesn't really lend itself to hands-on learning, and sometimes it is simply a matter of logistics. However, the teaching style that I prefer most is very light on talk-and-listen and high on hands-on content. When I am able to teach in that style, student evaluations are consistently higher than in lecture setups.
The concept of teaching through experience is nothing new; we have seen it for centuries in master-apprentice relationships. These days, we call it 'experiential learning' and many colleges are now exploring the benefits of such 'high-impact' teaching methods.
In our field, experiential learning can take many forms, and I feel confident enough to state that many of the most successful and well-known security professionals who are active in the field presently are self-taught, and have developed their skills through experience and hard work.
So, if, judging by my own experience and by listening to others, many people feel that the most effective way of learning is through this experiential learning thing, the questions become:
- What topics should students be exposed to in school if they are looking for a career in cyber security?
- Of these topics, which are well-suited for experiential learning?
- Of these experiential learning topics, what kind of experience would be useful to acquire the relevant skills?
Note that not all topics are suitable for such hands-on learning. Some topics may not translate directly into actionable skills, but are necessary to build the proper conceptual framework and establish terms-of-reference. As with any topic, basic, foundational skills are needed before practical skills can be developed. The trick is to find the right balance.
In future posts, I will discuss what topics I think students should learn, how well they can be developed into experiential programs, and what techniques we can use to do so.