We recently interviewed a Virginia government Chief Information Security and Privacy Officer, David Jordan, who shared some ideas about the role of education in creating a safer cyber landscape, as well as the role of cybersecurity in educational institutions. David has worked for Arlington County for almost 15 years, and participates in the Virginia Governor’s recently-formed cybersecurity commission, which focuses on both infrastructure and education (general and within the K-12 and academic systems), bringing public and private sector experts together to make recommendations on how to make Virginia a leader in cyber security.
Technology is pervasive in almost all aspects of our lives, but many people are still unaware of some of the dangers and scams that have developed in this evolving technological landscape. What’s more, our children are being exposed to these technologies younger than ever before. Many parents are downloading child-focused apps to their phones and tablets, and then handing them over to their children. David states emphatically that cybersecurity education can, and should, start as early as kindergarten. He believes we need to start educating young people about cyber safety at an early age and use age-appropriate media to teach everyone about basic computing and privacy.
In addition to education in schools, Jordan advocates for public service announcements and workplace education, which would also help advance the goal of making the Internet a safer place. As we talked, Jordan shared how public education about technology and security should be broadened to include the media. For example, with respect to the technical support phone call scams, in which a caller purports to be from Microsoft or a similar company, we agreed that the media could do a better job of educating the public.
When discussing academia and the security of school networks, David supports legislation to have public schools use government enterprise networks in their jurisdictions. He says that such a solution would eliminate expensive duplication and would also get rid of less secure environments where botnets thrive and often take months to clean up.
In terms of specific examples from which we can learn, Jordan is quick to commend the University of Virginia (UVA) for what he sees as a common sense approach to protecting personal information. He recalled how years ago UVA did away with Social Security Numbers as student and employee identification numbers, and he would like to see state governments do the same. “Stop, or if you can’t stop, at least encrypt,” he advises.
During our lively discussion with Jordan, three themes were clear: educate, invest, and develop products with native security integrated from inception to production. We discussed how often testing, training, and security get squeezed out of the software development life cycle. “Everyone wants security until they learn what it’s going to cost. This problem is 40 years old,” Jordan reminds us.
Remember the adage, “Neglect costs; prevention pays.” Investing in educating children, employees, and in security solutions that work pays long-term dividends.