In my new role, I regularly speak with business leaders and senior cyber professionals about the next generation of cyber warriors and what skills they will need to succeed. Ironically, most forward-looking professionals are not focusing on the technical prowess and skills of the future workforce; instead, their emphasis invariably settles around the concept of Critical Thinking.
The concept of critical thinking and what is required to cultivate this habit can be hard to define. At its most basic, critical thinking is the ability to analyze, synthesize, and evaluate information in an objective fashion in order to reach a conclusion. Via critical thinking, we can conceptualize solutions to vexing problems and circumstances. In a world where data and/or information is at one’s fingertips, the need for critical thinkers is at a premium; we need to sort through mounds of chaff as we try to ascertain where the relevant golden kernels are…and in most cases, the kernels and chaff look almost identical.
As educators, we cannot create critical thinkers by merely delivering lectures in classrooms. We must embrace problem-based learning in order to stimulate analytical processes in our students. This isn’t news, and most learning environments are adopting this approach. That said, we also cannot forget that enhancing critical thinking abilities requires exposure to concepts and ideas outside of one’s primary area of expertise. This is particularly true of technology and security professionals. While technology and security trade-offs may seem black and white when confined to technological considerations, factoring in relevant intangibles may lead to more appropriate and more effective solutions.
One example of the challenges of thinking only from a technological basis concerns the implementation of email encryption software such as PGP. In the seminal paper, “Why Johnny Can’t Encrypt,” the authors showed that great technology failed to be effective because its creators did not adequately factor in usability issues. Specifically:
· Only 33% of users were able to properly sign and encrypt an email…in 90 minutes
· 25% of users accidentally sent their secret email in the clear
In a follow-up study done 8 years later, these problems persisted despite upgrades to the software.
It would be a fallacy to believe that the designers of PGP were inept; rather, the problem was their frame of reference as pertains to usability. Specifically, how do you make your tool intuitive enough so that a non-technologist – whose priorities are not security-based – can use this tool properly every time? This at its most fundamental is a critical thinking problem; had the software designers been able to objectively account for their environment and their customer base, we might have seen more broad-based adoption of PGP as an email encryption standard.
What should be particularly disturbing to cyber professionals about this example is that many of today’s cybersecurity degree programs are so myopically focused on technical skills that they actually limit a student’s critical thinking ability. Sure, these programs use problem-based learning; but what about the study of other factors such as risk management, organizational culture, human-computer interaction, business priorities, and leadership/management? Many cyber degrees have sacrificed even a basic focus on topics such as history and social studies – topics for which there are defined no algorithms, and to which students must therefore employ critical thinking skills in their analysis – in favor of the immediacy of certifications. Further, many technical programs are not just reemphasizing reality-based learning over theory but eschewing theory altogether. If we don’t understand the hows and whys of how things work, we may be hamstrung in our ability to look at a new situation and properly diagnose the root cause. Remember: the security problems we are trying to solve rarely have answers on Google.
Despite the importance of technical skills, critical thinking skills remains of preeminent importance to business leaders. As the CEO of a security services firm once said to me, “Give me people who can think critically and solve problems, and I can teach them the technologies.” In today’s cyber environment, it’s crucial that we foster critical thinking skills as much if not more than technical skills. By definition, this means taking students out of their technologically-only comfort zones and continuing to expose them to fields and topics for which there are not clear right answers.
My two cents...