Pennsylvania Security Center: Educating Staff to Protect Data from Cyberattacks

The Security Center of Excellence, set to open in spring, is targeting to educate security staff about protecting data at the state and local levels, and in public schools -- and may eventually spread outside Pennsylvania's borders.

by Jessica Hughes / January 29, 2015
Inside the Pennsylvania state capitol in Harrisburg. e.Republic/David Kidd

In the face of ever-present and increasingly sophisticated cybersecurity threats, a new entity in central Pennsylvania is a public-private partnership effort to tackle such threats head-on.

The Harrisburg University Security Center of Excellence opened in November, and is developing security curriculum aimed at boosting the skills of security specialists in the area's government sector. 

"What this is going to really allow us to do is to educate staff in their professional career development but, more importantly, help us combat the ever-changing landscape of cybersecurity," said Pennsylvania CIO Tony Encinias. 

Encinias and Erik Avakian, the state's chief information security officer (CISO), are involved in helping the center to develop and deliver its curriculum and shape security best practices. The state is a leader in cybersecurity and has received awards for the management of its network security.

In addition to the state, the center, which is housed at the Government Technology Institute (GTI) at Harrisburg University of Science and Technology, is partnering with Cisco, Deloitte Consulting, IBM, Symantec and Unisys -- all leading cybersecurity companies. While Unisys is a founding member, the other companies quickly followed in offering to sponsor the center's efforts, according to Charlie Gerhards, executive co-director at the center and former CIO of Pennsylvania.

Before the center's launch late last year, experts from the university and partner organizations gathered to provide input for the center's security courses and seminars, which are set to open in spring; there are other facets of the center in the works too, including internships, collaboration sessions bringing together all levels of government, and test beds for new technology.    

Recent major breaches in the news affecting Utah, South Carolina and the Department of Defense, to name a few, have made the need for the security center clear, said Gerhards, who pointed to the 2014 NASCIO and Deloitte Cybersecurity Study -- the third in a series -- for more evidence to spur such a security center. According to the study, which surveyed leaders in 49 states, about 60 percent of CISOs cited an increase in the sophistication of threats, and nearly that same amount said there's a shortage of cybersecurity professionals -- up from 46 percent in 2012.  

"One of the biggest challenges we see consistently is the availability of the talent -- cybersecurity talent and the ability of the states to attract and retain cybersecurity talent," said Srini Subramanian, principal at Deloitte, and co-author of the study. 

Hiring and training cybersecurity staff is especially important for states and other governments, he said, which deal with personal information on countless dimensions, making the possibility of compromised data great.

The study also spotlighted the disconnect regarding the comfort levels on security of IT leaders versus government officials. While about 60 percent of government officials, according to the study, are very confident that their current security is robust enough to face cyberthreats, nearly 25 percent of CISOs have that same confidence. 

And this over-confidence by government officials is reflected in the funding -- in the study, nearly 50 percent of states spend 1 to 2 percent of their technology budget on cybersecurity. 

"One of the messaging, based on the survey ... is that perhaps there is room for improvement in how you communicate the risks and impacts of cybersecurity to your business leaders," said Subramanian, who lives near the center and will be involved in its courses.

Regarding the questions that the study raises, Gerhards said those are the stimulation for doing this. "There's a tremendous need [for security]," he said, "and a tremendous consequence for not taking action."  

Indeed, the center has been targeting the disconnect reflected in the study; upon opening, it hosted an awareness program for government officials -- security and otherwise. To a full auditorium audience, Avakian presented the challenges that government security specialists face in keeping data and systems safe, and a panel of industry experts discussed global security threats and the importance of a robust security program to combat them, according to Gerhards. 

"One of the objectives, Gerhards said, "is to actively have awareness programs that touch senior officials in government to give them that sobering assessment in the hopes that they then will make this a priority."

Education is also a key focus of the center -- it will include a 100-hour security certification, as well as specific training on malware, security applications and new toolsets and approaches being developed. Some of the courses will prepare security professionals to take on leadership roles, and to communicate security information to those unfamiliar with the technical processes. All offerings, though, will evolve with the changing cybersecurity landscape, Gerhards said. 

"Security is a journey and not a destination," he said, "so this has to be a continuing effort."

The university itself is situated across the street from state government, but the center is also targeting security staff at the city, county and public school levels; this is important, Gerhards said, since local systems are connected with, and thus affect, state systems.

Although the center is committed to providing its resources within the state and will begin offering courses in the classroom, Encinias noted that it could grow to serve others like neighboring states and nearby communities. 

"We need to focus on Pennsylvania first," Gerhards added, "but that doesn't mean that we will focus on Pennsylvania exclusively." And any collaboration between the center and others regarding its work will only make it better, he said. 

Given mounting cybersecurity threats and the increased demand for trained professionals, other states and universities have also pursued security programs. One example is the Michigan Cyber Initiative, a public-private partnership formed in 2011 that ultimately led to the Michigan Cyber Range that launched in 2012 to create real-life exercises and more than a dozen security classes. Others are offering undergraduate and graduate courses in cybersecurity and homeland security, including the University of Maryland. 

Originally the idea for the center sprouted from security concerns voiced from graduates of GTI's other programs; the GTI is now using those programs and the collaboration within them as a jumping off point for creating the center. 

The institute has four years' experience training government IT managers and leaders within several certification programs, such as its key initiative the Certified Government CIO program. Nearly 140 IT managers and leaders have graduated from GTI's programs, Gerhards said. 

Encinias, who has also been involved with GTI's other programs, said he wants the center's curriculum to focus on real-life experiences so that his staff can get the practical training they need. 

"I'm a true believer in education," he said. "I think it's our responsibility as leaders to make sure staff is adequately prepared not only with the right tools, but also knowledge."

Platforms & Programs