Today marks a special day; the first post in our new series "Application Security Education Spotlight". In this series we will highlight the exciting world of application security education and hear the perspectives of University faculty across the nation. For our first interview we caught up with Oklahoma State University professor Jim Burkman. At the OSU Spears School of Business, Jim's main area of research is Information Assurance and Security. Dr. Burkman has his PhD from Indiana University, years of experience in the field, and recently advised the OSU Information Security and Assurance Club to the National Collegiate Cyber Defense Competition.
1. Tell us a little about your experience prior to joining the Spears School:
Jim: Academically I got my start at Western State College in Gunnison, CO, then passed through Boise State on my way to Indiana University, where I earned my Ph.D. in MIS. Professionally I've run the gamut from short-order cook to Army vet, with the bulk of my button-down career in the insurance industry (personal and crop/agriculture). My MIS areas of specialty are in IA and database design.
2. How did you get involved with the Institute for Research in Information Systems?
Jim: Dr. Ramesh Sharda kindly offered me a position with IRIS when I arrived at OSU. I was involved for a couple of years documenting an ammunition encyclopedia project that we did for the US military.
3. What do you find most rewarding about teaching information security and assurance?
Jim: The field is alive! Every single day the media is full of stories that directly involve IA. And I get to share these stories with our students and show them how this area of study is directly relevant to their everyday lives. IA is also a fast-moving, constantly evolving target surrounded by tons of rhetoric. I can't think of a better environment for fostering critical thinking.
4. According to Rate My Professor you're considered a pretty great teacher: "Hands down, the best professor I've EVER had. Knows Information Security and Computers (not programming) like nobody I've met and I know serious geeks! Can explain EVERY situation with ease, clarity and humor. Class FEEDS off his energy. Actually determined the focus of my major because of his class. Wish he taught ALL my classes". What do you do to keep students engaged in a subject that can sometimes be very dry?
Jim: I'm a story-teller. I love using analogies and telling stories to make my point. I'm also very much in agreement with Hegel in his quote "Nothing great in the world has been accomplished without passion." I'm very passionate about my responsibility to teach these awesome young adults who trust me to help them learn, and I'm very passionate about the subjects that I teach. The intersection of those two passions yields a remarkable amount of fun energy and opportunity. I'm all about seeing the light bulb go on. Ultimately, though, I think it comes down to being emotionally and intellectually accessible to my students and treating them with respect.
5. What is the goal of the Information Security and Assurance Club at OSU?
Jim: That’s an evolving target. The club is only four years old and was initially started simply for like-minded students to come together and share/learn offensive and defensive security tools. The club currently spends about half its time preparing for, and competing in, the CCDC competition. Bi-weekly meetings are also held where club members demonstrate one or two security tools to 80+ students. We also occasionally have guest speakers come in from our employers. Looking forward, ISAC is looking at getting involved with the local schools to help the younger kids understand the field.
6. What was it like seeing your team compete at the national level in the "National Collegiate Cyber Defense Competition"?
Jim: I was so proud of our students! They got to nationals in just four years and they are 100 percent self-driven. They decided on their own to reserve Wednesday nights for CCDC training during the school year and they run that entirely on their own.
Outside of their technical skills, though, I was really pleased when the NCCDC director complimented our team on their fantastic attitude and professional behavior. They also received high praises from Raphael Mudge (creator of Armitage and Cobalt Strike), who was one of the two professionals attacking them at NCCDC.
7. What do you see as the biggest challenges facing information security education?
Jim: Infosec is inherently technical, so we find ourselves (as a four-year college) constantly walking the fine line between technical education and theory education. We seek to produce students who can become managers and leaders while at the same time having true technical chops. That's a tall order for a B-school department. I think our MSIS department is doing a fantastic job, though, as reflected by the fact that all of our degree programs (undergrad and graduate) in the department are classified as STEM programs.
I think we also have to be careful not to get caught up in the security theater, fear-mongering and rhetoric surrounding information security right now. So much of the media equates hackers with terrorists and suggests that hackers uniformly have amazing powers, etc. The reality is a lot more sobering. Check out the 2011 CWE/SANS Top 25 Most Dangerous Software Errors or the OWASP Top 10 and you’ll see that common vulnerabilities should be our educational focus. It’s sexy to imagine the magical unicorn hackers shutting down the US power grid with three lines of VB code but that doesn't translate well to solid classroom instruction. I much prefer pointing out to my students the fallacy of automatically assuming that major power SCADA control systems are directly connected to some PHP page on the Internet. If that case exists, it’s a managerial fault and somebody needs to find a new job. If someone is bringing infected USB drives in, or downloading trojans, that’s also a managerial problem that we can analyze for teachable points.
I also firmly believe that most companies could see their best security spending value in employee training and culturally-embedded security best practices. See Question 4: I’m available for employee training too!
Thanks to Jim for participating in our interview; he's a credit to appsec education and the industry as a whole. Are you trying to build an information security program? Feel free to ask Jim further questions in the comments!
Do you run a similar information security awareness program? If so let us know, we'd love to hear what you're up to (and perhaps feature you too!).