Security | Feature

Security Pros on a Mission To Teach Cyber Safety

Dan Waddell is just the kind of security expert you want on your side. He's been doing IT work for 18 years and began focusing on cyber security 10 years ago. Currently, he works for Arlington, VA-based consulting firm eGlobalTech as a senior director of IT security, advising federal agencies on security strategies. Along the way he's earned his CISSP, the Certified Information Systems Security Professional credential, from (ISC)2 (pronounced, "I-S-C-squared"), an organization that educates and certifies security professionals.

So what's a guy like that doing in a classroom teaching kids as young as seven years old about cyber safety and security? "It's a civic responsibility for me," he said. "I have three kids. This cause hits home for me. I wanted to get involved."

Waddell is one of 550 CISSPs who make up a corps of (ISC)2 volunteers who go into schools to educate students about how to do safe and secure computing. While topics evolve depending on what the current threat landscape looks like, the primary areas of focus right now are cyberbullying, mobile security, safe social networking, identity theft, and overall safe computing practices, such as keeping anti-virus software up to date.

The Safe and Secure Online program started in 2009 as part of Cyber Security Awareness Month, a Department of Homeland Security initiative to raise awareness of the problems caused by lax computer security practices. But more recently its popularity among school district staff, teachers, and parents has given it a life of its own. Now, according to (ISC)2 Foundation Manager Julie Peeler, the program runs year-round and has reached 80,000 children in schools. It's funded by a combination of sources, including the main (ISC)2 organization, corporate partners such as Booz Allen Hamilton, grants, and donations.

Dan Waddell Teaches a Safe and Secure Online class.

Reaching Students
Waddell's participation started when he met with one of the high schools he supported through Junior Achievement to go over some of the materials he'd be using for a presentation. His stock ideas generated yawns among school staff. He'd just heard about the Safe and Secure Online program and suggested that they consider letting him offer that instead.

As he recalls, their response was wildly enthusiastic: "This is great! It fills some gaps for our teachers. They don't have anything in their lesson plans, and they're not comfortable talking about this kind of stuff, because they're not experts. Can you come in next week?" In other words, his proposal was "fast-tracked."

Soon he found himself in front of a group of about 50 high school kids. The presentation he made included PowerPoint slides and video clips supplied by (ISC)2--as well as a lot of interactivity that he inserted himself. To engage the students, he asked questions and threw out rubber wrist bands that said, "Safe and Secure."

On a subsequent visit to that same high school, two students approached Waddell to let him know that they found a video he'd shown on cyberbullying "very moving." In response, they set up a student organization around cyberbullying with a teacher as a sponsor. The idea, he explained, was that if kids weren't comfortable enough going to a parent or authority figure, "they could go to a peer." If there was an issue, the teacher would get involved. "It gave the kids another avenue and another communication channel to talk about cyberbullying and get it out in the open."

Waddell, like his fellow volunteers, customizes the presentation for the audience. For the youngest kids--the ones in grade school--the session focuses on gaming, cyberbullying, not sharing passwords with friends, and not sharing personal information with strangers. For the older kids--the "tweeners" and teenagers, he'll introduce more sensitive topics, such as sexting and social networking do's and don'ts.

With the oldest students he'll also add career advice into the mix. "That seems to get some interest," he noted. He shares examples from his work as a security professional and techniques he uses that might relate to stories they may hear in the news, such as popular social networking sites being hacked. "I say, 'If this is a career you're interested in, start thinking about these things. The tools and techniques you use now to protect yourself and your family's computers you can use moving forward into a career."

He estimates that he and fellow volunteers have been back to that school for repeat performances "probably five or six times." By now he estimates that his own talks have reached about a thousand students and just as many parents and teachers.

Becoming a Security Presenter
Becoming a volunteer in the program isn't easy. First, participants need to be a CISSP. Then they fill out an application and attend training, either online or at one of the major security conferences where (ISC)2 has a presence. Next, they need to sign a volunteer waiver and undergo a criminal background check. Once those steps are done, the volunteer downloads and studies teaching materials from a Safe and Secure Online Web site, which also has a chat area where volunteers can share questions and ideas.

Waddell, who has become a lead volunteer by virtue of his dedication to the program, also recommends to "newbies" that they tag along with an experienced volunteer before going into the classroom to make their first presentation.

Then they're on their own. Many of them approach the schools their own children attend to make those initial presentations. From there it can grow by word of mouth or by stepping up when (ISC)2 sends out a call for a volunteer to make a presentation at a specific school. Schools and districts can fill out a brief form on the program's home page to request a free presentation.

Latest Addition: Parent and Teacher Presentations
Most recently, (ISC)2 has identified a new audience for its security and safety training: parents and teachers, many of whom rely on the kids to be IT experts. The organization is currently beta-testing materials its volunteers can use to make presentations to those group too.

"What we were finding was that sometimes we'd run into administrators or parents who were skeptical about what we were teaching, so they wanted to see the presentation first," explained Peeler. The volunteers would give a preview of the program to the local parent-teacher organization the day or week before meeting with the kids. "Based on the kinds of questions that parents and teachers were asking, we realized that they needed to be educated with a separate set of teaching materials that are far more iterative than what we do with the kids."

For instance, Peeler said, the parent and teacher presentation will talk a lot about geotagging, the process of automatically adding geographical metadata to media, such as photographs or SMS messages. "We'll say, 'When you take a picture with your cell phone, unless you have your geotags turned off, it's providing the geographic longitude and latitude of where you were when you took that picture of your kids half-naked in the pool in your backyard, which you've now posted on Facebook with no security. Anybody can now download that geotag. They now know where you live with your kids.' The eyes pop open. There's a gasp in the room. Then we all pull out our cell phones, and we say, 'Press here. Press here. Press here. Press here. You have now all successfully shut off your geotags.' We will walk them through that."

The problem, she noted, is that so many passive resources on cyber security say things like, "'You should set the parental controls on your laptop.' Unless you know where they are and what good settings are or what the variables are in the settings, that doesn't help."

International Concerns
Because the Safe and Secure Online teaching materials are modular, an individual volunteer is allowed to "illuminate to a greater or lesser degree whichever module they prefer," Peeler said. "We want them to cover everything. But they can spend more or less time on the varying modules, depending on what is more or less important in any given society."

That includes addressing regional differences. For example, while cyberbullying is extremely important in the United States and the United Kingdom, it's not an issue in Asian countries. There, the bigger issue is keeping a child's identity a secret so no one has access to them physically. In South America, cyber crime, phishing, and identity theft dominate the focus.

Along with the United States, the United Kingdom, Hong Kong, and Canada, the four countries where the program currently exists, 10 additional countries are working through an 11-step (ISC)2 process to set up their own programs.

Major Impact for a Little Investment
While a lone 60- or 90-minute session may not sound like it would have much impact, it's still an improvement on where cyber security and safety training was only a few years ago. In one of his early visits to a school, Waddell recalls, he found that the campus' entire lesson plan was 30 minutes long and consisted of showing a video that was "probably 10 years old--a videotape on VHS."

Now he's seeing much more attention paid to the topic at all levels in a school district, from the school board on down. His preference would be to see the subject built more fully into lesson plans by teachers rather than the reactive steps schools take now.

"This is such a dynamic field," Waddell stated. "The threats that we face are constantly changing. There is something new out there every month, sometimes every week or every day. So schools need to build in some type of continual improvement process to make sure that whatever they're teaching today is continuously updated and looked at and refreshed to keep up with the times."

The CISSPs who volunteer for this educational work say they wouldn't mind being part of that planning. As Peeler observed, "You can see the passion and the burn in their eyes for this program. They're truly mission-driven people."

She recounts a story shared by a volunteer. He'd gone into a classroom and done a decent job of engaging with every student there--with the exception of one little girl, whose head continued dropping the more he talked. The volunteer got the attention of the teacher and pointed her out. "The teacher swung around to the back of the classroom and kneeled down next to this girl. It turned out she was being cyber-bullied," Peeler said. "When the teacher asked the little girl what was wrong, the girl said, 'If I tell, will it stop?'"