Cybersecurity in education: What’s missing?

In this week’s newsletter, Dr. Erdal Ozkaya (Group CISO at MAVeCap) tells us how he became a lecturer in cybersecurity. And here on the blog, we wanted to find out more about his perspective on cybersecurity in education – and the wisdom he’s gained over 25 years working in the sector. 

Recognised as a global cybersecurity leader, Ozkaya leads security for MAVeCap – a VC firm focused on the incubation of groundbreaking ideas, including novel cybersecurity solutions. With a doctorate degree in information technology and involvement across a range of cybersecurity organisations (from Binalyze and ThreatMon to the Global CISO Forum), Ozkaya has a wealth of knowledge to share. 

Here’s what he told us.

Broadly speaking, what's your perspective on cybersecurity in education right now? Are there gaps that need to be filled in order to enable new generations of talent in the industry? 

“Absolutely! The current landscape looks like this: 

• Awareness is growing: thankfully, the importance of cybersecurity in educational settings is no longer a niche concern. Schools, universities, and governing bodies are taking it more seriously.
  
  
• Resources are...uneven: unfortunately, funding and access to expertise are highly inconsistent. Some institutions have strong programs, while others struggle with the basics due to limited budgets and difficulty attracting cybersecurity talent.
  
  
• Focus is often reactive: too many schools only prioritise cybersecurity after a breach happens. This needs to shift towards proactive security measures and education.

“And there are a number of gaps needing urgent attention:

• Beyond the IT department: cybersecurity shouldn't just be the IT team's problem. We need basic cybersecurity literacy integrated into curriculums across all subjects, from teachers using strong passwords to students being aware of online scams.
  
  
• Early pipeline development: high school and even middle school is where we need to start sparking interest in cybersecurity careers. This means gamification, hands-on workshops, and highlighting diverse role models in the field.
  
  
• Accessibility and inclusion: cybersecurity needs to break out of the stereotype of the lone-wolf hacker.  We need programs that encourage girls, minorities, and individuals from nontraditional backgrounds to see this as a path for them.
  
  
• Teacher training: educators are on the frontlines. We can't expect them to teach cybersecurity without proper training and tools themselves. Upskilling existing teachers is as important as attracting new cybersecurity professionals.
  
  
• Partnerships: schools can't do this alone. Collaboration with cybersecurity companies, local tech communities, and government programs can provide resources, mentorship, and real-world experience for students.” 

How can we fill in the gaps?

“We can fill in the gaps with: 

• Advocacy: we need louder voices championing cybersecurity education funding and policy changes.
  
  
• Innovative curricula: developing exciting, age-appropriate ways to teach cybersecurity concepts is vital.
  
  
• Celebrating success stories: highlight students excelling in cybersecurity, particularly those from underrepresented groups, to create visible role models.
  
  
• Accessible resources: free or low-cost tools, online training platforms, and mentorship programs can democratise access to cybersecurity knowledge.” 

If you could go back to the beginning of your career and tell yourself one thing you wish you'd known then, what would it be? 

“If I could give my younger, more anxious cybersecurity-self one piece of advice, it would be this: focus on the human element as much as the technical one.

“Early in my career, I was obsessed with mastering the tools, the vulnerabilities, and the latest attack techniques. And while those are crucial, I hadn't yet grasped how much cybersecurity is dependent on the human factor.

“That includes the psychology of threats: understanding how attackers manipulate people, why employees make risky decisions, and how to change behaviour. That's just as powerful as any firewall. 

“And communication is key; the ability to explain complex threats to non-technical stakeholders, get buy-in for security initiatives, and train people effectively would have made my life much easier (and our systems much safer!).

“Cybersecurity isn't about being the smartest person in the room. It's about fostering a collective sense of responsibility – from the mailroom to the CEO's office.

“Don't get me wrong, technical skills are the backbone. But knowing what I know now, I'd have invested time earlier in understanding psychology, communication, and the art of building a security-conscious culture. It might have saved me a few late-night incident response sessions!”

Finally, why are events like Black Hat MEA valuable to you? 

“Events like Black Hat MEA are incredibly valuable to me as a cybersecurity professional for several key reasons. 

“All global Black Hat events attract top-tier speakers and researchers who are at the forefront of the cybersecurity field. The presentations and research unveiled at the event provide a glimpse into the latest threats, attack methods, and emerging defensive techniques. This helps me stay ahead of the curve in a constantly evolving landscape.

“The events provide an opportunity to connect with a global community of cybersecurity practitioners, from fellow field experts to CISOs and security leaders. These interactions spark new ideas, enable collaboration, and provide valuable insights into challenges faced by different sectors.

“And attending workshops and briefings allows me to hone existing skills and delve into new areas of interest within cybersecurity. It's a focused time for targeted learning, often in a hands-on environment, that I might not easily access in my day-to-day work.

“Stepping outside of my daily work environment and immersing myself in the broader cybersecurity landscape renews my energy and motivation. Seeing the passion, innovation, and challenges faced by others helps me gain perspective on my own work.

“Black Hat MEA specifically helps me understand the unique cybersecurity threats and considerations in the Middle East and Africa region. This knowledge is invaluable as cyber threats become increasingly borderless. The opportunity to connect with professionals from different backgrounds and cultures broadens my understanding of cybersecurity challenges and approaches on a global scale.

“Ultimately, attending events like Black Hat MEA makes me a more well-rounded and effective cybersecurity professional and allows me to better serve my organisation and the wider community.”

Thanks to Dr. Erdal Ozkaya. Do you want to learn more from the world’s leading cybersecurity experts? Join us in Riyadh for Black Hat MEA 2024.