107. The rise of micro cyber credentials with Naveen Chilamkurti
Claire is joined by La Trobe scholar Naveen Chilamkurti as they cover some of the amazing work La Trobe is doing to welcome people into the cyber industry through great micro credentialing programmes. They discuss what micro credentials are, the value of this way of study, and how employers are valuing University qualifications such as micro credentials. He also shared what academia are currently working on, including crypto and 6G.
Naveen is currently the Associate Dean (International Partnerships), SCEMS Professor and Head of the Cybersecurity discipline, previously the Director of International Programs since 2017. He serves as the Technical Editor of the highly ranked IEEE Wireless Communications Magazine and IEEE Transactions on Vehicular Technology. Naveen has published more than 330 journal and conference papers, including IEEE and ACM Transactions and is active in editing and authoring 9 books with Elsevier, Springer, IGI-Global and NOVA publishers. Naveen has successfully attracted 20 research grants since 2000 to support PhD Scholarships, fellowships, and travel grants for research collaboration and in 2012 and 2018, he was awarded a research fellowship to work with IIT Kanpur and IIT Hyderabad.
Links:
The Security Collective podcast is proudly brought to you in partnership with LastPass, the leading password manager.
Transcript
CP: Hello, and welcome to The Security Collective podcast. I'm Claire Pales and today's guest is Naveen Chilamkurti. Naveen is currently the Associate Dean of International Partnerships, the SCEMS professor and Head of Cybersecurity Discipline at La Trobe University. Naveen has also been the Director of International Programmes since 2017. He served as the Technical Editor for the highly ranked IEEE Wireless Communications Magazine and the IEEE Transactions on Vehicular Technology. And in 2012, and again in 2018, Naveen was awarded a research fellowship. Naveen and I covered some of the great work La Trobe is doing to welcome people into the cyber industry through great micro credentialing programmes. We discussed what micro credentials are, the value of this way of study, and how employers are valuing University qualifications such as micro credentials. He also shared what academia are currently working on, including crypto and 6G. I'm really pleased to share with you my chat with Naveen Chilamkurti.
So Naveen, thank you so much for joining us on The Security Collective podcast today.
NC: Thank you.
CP: So our audience has heard a little bit about you in your bio that you head up cyber at La Trobe and there's a great new micro credential programme for cyber at La Trobe. Now, can you explain a little bit about what a micro credential is and how this programme came about?
NC: Sure. Let's go back to let's say five years ago, see all the courses generally are at least a year and two years, but generation has changed. Everything is faster these days, internet has given a lot of resources, people are thinking lot more people are actually thinking, changing their career directions, going into different fields, basically. And cyber is one of them where a lot of people want to know about this. But unfortunately, they can't afford a long time basically, sitting there in the classes and doing all the assessments, it's a long way to go, two years is really a long way for them. Even if it is a part time it takes four years. So here micro credentials are nothing but the same subjects we use in this Masters or Bachelor courses are divided into two, you know. Basically each one is called one micro credential. And the good thing about them is basically it's like a stepping stone, you do the first one, and you go to the second one, combine these together, it will become like a one subject. And these are called stackable credits. So if you do two credits of one subject, you will actually then finish the one subject basically. And if you pile up like that, about eight micro credentials, it could be long, but actually you can do it on your own time, take it six months or eight months, you can do it. All the resources are available online, which means you can actually get a certificate in cybersecurity.
CP: I guess the idea is that if you do a couple and you really like it, then you can do more and then in a short time you would have a qualification.
NC: Exactly. And the good thing is they are stackable, so take one by one, there are a lot of options you can take, there are a lot of specialisations you can go into, so there is a lot of pathways you can go once you do some micro credentials.
CP: And I you saying any particular subjects that are more popular than others, in terms of the micro credential subject completion?
NC: Absolutely. There is one subject every student wants to take it basically, not only cybersecurity students actually, we get students from humanities, business, law and so on so forth. The subject is called 'inside the mind of a hacker', very long subject, a very long title. And a lot of people ask, what is this subject about? So basically, the outline is in cybersecurity there are a lot of old sayings that you need to know who's the enemy is to win the war, a war in the sense of the cyber war. And here in this subject we will tell you who are these hackers, what type of hackers are they, and hackers come in different size, shape and age. So how to deal with them. There are different ways to attack, there are different psychologies behind them. There are different reasons to attack. So what we're trying to do is to estimate what are these type of attacks. Who's this hacker coming into the system? What is their motive behind this attack, and then try to different them.
CP: I'm not surprised that that is the most popular subject. And you mentioned that people are coming from all across the university, from different faculties to do this particular subject, are these courses are these micro credentials are they good for people who are coming from a low tech or cyber literacy.
NC: Absolutely. While designing these courses, in the back of our mind, basically, that's the main reason. We want to attract people who actually are not from IT background or not from technical background. That's where we found the foundation is basically absolutely no prerequisite required, means no knowledge, even networking knowledge, nothing. I mean, as I said, people come from arts, science, business, where they have, they don't know anything about internet. Of course, they can use applications, they can use the web, they can browse everything, but they don't know anything about how it works. So we start with this subject is completely non technical. That's what a lot of people ask us, you know, where is the technical part? This subject has no technical part. It's all about psychology of the hacker. And really, it'll tell you the backgrounds of this sort of cyber attack, see why people attack others. Why or what is the reason? What is the motivation and things like that? So absolutely no technical background required.
CP: So I can understand some people doing this subject or a couple of subjects out of maybe curiosity, but people hiring, are they recognising these smaller micro credentials during the hiring process? Or are you seeing people doing these courses just because they're curious? Are they actually doing it so they can leverage these credentials when they are applying for cyber related roles?
VC: Initially, you're right, initially, they are a bit curious saying that what is this cyber, you know, what is this all things going around the world? What are these attacks and things like that? There are subjects specifically to introduce the cybersecurity fundamentals, as I said before the inside the mind of a hacker. So people start with curiosity, like saying, let's see. I mean it's hardly four weeks, they can, you know, do these micro credentials. What happens is, these are the foundations laying for the bigger cyber subjects. So once they do these foundation subjects, they want to go in inside the fibre. That's why they choose the three different pathways they can go in. They can go in the technical pathway, if they're really background is a technical background. They can go in business organisation risk management, if they are in the sort of business background. They can also do AI, artificial intelligence in there. So what I'm saying is, they start with curiosity, but they generally do a little bit more further. And they're trying at least to get some certification or diploma, or some end up with a Masters.
CP: Which I guess is helpful for organisations who might hire someone who's maybe done their certificate, and then if they continue to go on with their studies, and get deeper into the content in any one of those chosen paths, then they become even more of an asset to the organisation.
NC: See, industry actually looks for the skills not just for a particular, you know, sort of particular set of skills. So having some cyber background, having done some sort of introduction to the cyber will definitely help for your position. That's where I'm coming in the next questions you may ask me, you know, what are the skills required for cyber or who the employers prefer? They look for something like a broader skills, and cyber one part of that skills spectrum.
CP: Do you think organisations are equipped to face the cyber threats that are on the horizon? Have they got the right people in the organisation? Have they got the right approach?
NC: Look, we are doing our best and even the businesses are really doing well. But you know, there is no fixed goalpost. All the attacks will happen and hackers are really becoming sophisticated, there are a lot of tools available. So what they can do is they can really do things like you know, mitigating the threat, which means there are known attacks already and quickly catch up with this sort of particular attack, know how they can protect from this attack. And doing a lot of updates is really important. Industry has to do updates because most of the industries use some standard operating system like you know, Microsoft or any other standard operating system, and they may find some bugs in that particular one. So whenever there is a update worldwide, they need to do the real quick update, make sure their systems are up to date. Make sure their employees and everyone knows you know how attacks can happen.
CP: I think we have seen maybe in the last two or three weeks, the Australian Cyber Security Centre put out a piece about the fact that we're still seeing issues now or viruses or malicious software now that we've been seeing for a decade. And you know, your point around, making sure you're patched and making sure you're up to date, it just seems that some organisations are still not getting to that baseline of even patching. And keeping up with what the software companies are pushing out to help organisations protect themselves and be proactive.
NC: Yeah, look, I'll tell you an example without naming them. I think it's one country where a very big ransomware attack where simply they didn't update the system. And the hacker, it's a well known bug, basically, we call bug, it's a loophole. Everyone knows this loophole, a hacker actually exploited this bug, went into the system, locked all the files, medical files, and the whole system had been locked for three days, and they had to pay the ransom the hacker was asking. So it's a very simple, it probably will take couple of days for them to update, you know, stage by stage. But unfortunately, they didn't. And eventually, they had to stop the whole system for three days. Small things can, you know, can explode basically. And not only this, that's five years ago, I'm talking about 2017. And a recent one there was a big oil, critical infrastructure attacked, again, very simple things they could have done. See, the population, you know, is now using the internet a lot more than we used it 10 years ago, and everything is connected now. So a small thing will cause a rippling effect around the world, not just in Australia, but other countries around the world. So I agree, I think people have to be aware of, you know, things going on. And one point I want to really make it clear is cyber is not something one person will, if there is a cyber person in your industry, it's not his job. It's everyone's duties, basically. So make sure that you have cyber awareness, your antivirus is on up to date, your computer is not, you know, sort of acting very funny because that's how you detect there is a virus. So anything you detect early, is really beneficial.
CP: Yes, it's instilling that healthy paranoia into the employees in an organisation to be looking out for something that might look suspicious as well. So you've mentioned patching, but where do you think organisations should be focusing their investment and resources in relation to cyber? Where do you see this risk going and how can they be proactively investing now?
NC: So a very good question, because we are doing a lot of work with businesses, you know, we have a government funding to upskill basically, we call upskill. Where, you know, employees actually, we assume no background again, for this one, we are trying to help them, as you said, with cyber hygiene. Very simple things, like how to detect something, how you report, that's very important. The reporting is maybe not very clear in your organisation, but it is helpful for the whole community. Because when you report something others can be alerted, and that's where things can happen. Coming to the business, what they can do is they have to make sure there is a clear communication line, especially with cyber from the top executives to the frontline team. This is where they lack that community sort of communication. The cyber person will be telling something and the senior executives because of their budgeting, or some sort of different focus or it maybe complex, you know, organisation, sometimes they may not listen to this sort of as a high priority. They're not putting the cyber as a high priority. Upgrading equipment, upskilling the workforce, I think, really, it's very important that the executives, the top line people has to be involved with cyber, and they have to make sure they are listening to the people who are in the front line, and then there is a clear communication between them. Upskilling is really important and regular upskilling. It's not just do it once in five years, because cyber is very dynamically very fast moving, you know, dynamic space.
CP: Yeah, I think you know, your point about education and really just getting the basics right. We should always be investing in that. And yes, there are new threats coming over the horizon all the time, but making sure that our staff know their role. You know, our board knows their role in managing cybersecurity threats and managing cyber risk. Investing in that all the time and it's not always money or financial investment, sometimes it's time and resources and helping the business. Just having those conversations about cybersecurity is the best investment you can make.
NC: Correct. And also remember, the cyber risk management is a big thing in any organisation. And you have to update every time. This is not a tick the box exercise, because it's a very dynamic risk. For example, if you have a car, the risk is very clear. But unfortunately, there is no defined risk management for cyber, it's changing every sort of, often, you know, months and months. Because the threats can be from anywhere, human threats, technical threats, and now we are dealing with many devices. That's one thing I want to add is, it's not like, everyone has a computer these days, everyone has more than one computer these days, more than one device these days. So that adds the complexity. And instead of protecting one, you have to protect five devices per employee, because he will be remotely working. So he may take his laptop outside. So that needs to be connected to the network of you know, the business network, and how safe it is. There is some VPNs and other things. So there is a lot of complexity added, especially because of our remote working, you know, from the last few years.
CP: Yeah, I mean, you make a good point that a board or executive might think, well, we've given you several million dollars to invest in cyber, and then the security leader or the CIO might come back and say, well, as you said, now we need VPN, or now we need to put protections on mobile devices, or like it's constant. The board probably feels like their hand is constantly in their pocket giving out money for this, but because of the evolving nature of the risk, and because organisations, some haven't spent a lot of money in the past, now they're really having to invest further and further. It's not just something that you have one project and you're done. It's sort of this constant stream of investment to make sure that you're always protected.
NC: And just imagine, I mean, if you're in their shoes, their focus can be different. I mean, they're, for example, telling, there is a coffee shop, and a large chain, and they have computers, they have network, but their focus is on selling coffee and other things, not the IT or cybersecurity. So generally they outsource their IT to a large organisation or something. So this is where things will go wrong. Your organisation where it's not focused on IT or not IT organised business and you outsource your data, you collect data, you know, the frequent flyer cards or anything that data will be send to a third party. And sometimes these third parties are not trusting entities. So that's where things will go wrong.
CP: I want to finish up asking you given that you're at La Trobe, I'd really be interested to know what the academic community is focused on at the moment in terms of research into cyber and maybe what new discoveries that you can talk about that are being focused on?
NC: Sure. Look, we have a big team working on various cyber intelligence, cyber threats, anomaly detections, and so on so forth. Actually, what we are short in supply of I would say is trust. Previously, I mean, as I said before, each person used to have one computer and it is named with your ID and things like that. Now, each person is having more than five or six devices. Trust is really hard. Who is actually using, who is the owner of this particular asset, and things like that, it's becoming very complex, because people are carrying so many devices. So in technology you must have heard or people must have heard a thing called Blockchain. Don't confuse it with Bitcoins, Bitcoins are one of the applications of Blockchain, but not the other way around. And Blockchain is a very big, trusting mechanism. This mechanism can give you almost like 99% trusting, you can trust an entity or asset using Blockchain. It's a very big concept used in Bitcoin, basically, that is one of the areas where we're looking at. And don't forget, in coming years, the Internet of Things will become very large. We're talking about billions of devices connected, and we have to secure them. We call this attack surface. Attack surface means where there is a very possible way of attacking will increase 25 billion times. Just imagine the scale and magnitude of that and every device. Remember, in cyber, nothing is small, nothing is big. Everything has the same threat, small to large. That's why we have to make sure threats are actually contained, trust is, you know, enabled using the Blockchain. And last but not least, we are actually moving into different technology. Now, I'm not sure many people must have heard we are in 5G networks now. But soon we'll be moving into 6G, where security is part and parcel of that network. And we'll see 100 times more faster internet, security and things like that. And we are talking about the research communities are talking about 2030, another eight years. So we are working on in this area where we can integrate all this new technologies into one network called the 6G network.
CP: Well, I think the opportunity for La Trobe to do that research and the funding that you've received is so incredibly helpful, because we have to be thinking forward as you said, you know, if we're talking about 2030, that's going to be here before we know it. And I'm also very grateful for the micro credentialing that we've talked about today, that allows many more people to start to get their head around cybersecurity and come at this from a very low technology or technical literacy and build that through their curiosity. So I think you're doing great work. And I really want to thank you for joining us on the podcast today and sharing some of your wisdom. Thanks, Naveen.
NC: Thank you very much.