When most of us think about what it means to teach cybersecurity, we tend to think of long lectures and dense textbooks, stuffed to breaking point with information about various tools and techniques.
That’s a fair assumption; cybersecurity is, by its nature, a technical business, with an ever-growing list of tools.
However, my conversation with Danny Dresner, Professor of Cybersecurity at the University of Manchester (among many other things), taught me that teaching cybersecurity is about building a mindset, not just technology. That’s an important distinction.
In this interview, Danny provides a panoramic view of cybersecurity teaching, exploring his journey into his current role, the importance of hands-on experience, the difficulties and joys of keeping course materials up to date, and how to manage student expectations.
Let’s start with an easy one. How did you get into teaching cybersecurity?
It all goes back to about 1994 (possibly the year before, it’s hard to remember these things after all those years). As far as I can remember, I edited the very first Information Security Breaches Survey at the National Computer Centre – if I didn’t, then I definitely worked on the second one.
I’d just moved on from my first job as a technical author at Ferranti – one of the great British engineering companies – where I had developed an interest in standards. The Information Security Breaches Survey was a DTI project (I wonder how many readers are old enough to remember DTI), carried out by International Computers Limited – the last bastion of British computing, acquired by Fujitsu in 2002.
ICL was the bees’ knees for major mainframes at the time, and I learned how to program on punch cards (I appreciate I’m really showing my age – and my hairline – here) on an ICL mainframe.
Anyway, the NCC asked me to edit the report from the Information Security Breaches Survey to make it readable. Somehow, as a result of that, I ended up talking a lot about security. And then, off the back of that, I started running, I suppose, what you’d call commercial courses on information security and risk management.
Paul Vlissidis – a friend and colleague – came along and said he was teaching on this industrial liaison panel at the university, and that he thought it would be my kind of thing. So, I went along (they didn’t have any kosher biscuits, much to my disappointment, but I got a free cup of tea) and gave advice on what to teach students so they were as prepared as they could be when they graduated.
The MSc course at the time included about one hour on security – I think it was on a Tuesday afternoon in October. So, I’d go in, bang on the table, and implore them to teach more about security.
Eventually, a lovely lady called Alex Walker (sadly no longer with us) told me the university had the budget to second me to develop and deliver some extra security teaching. Over time, I did more and more teaching, and when the NCC eventually folded, I asked the university for a job. They wanted a Nobel Prize winner (apparently, they attract more funding), but I managed to land a job as a lecturer.
Do you need to have hands-on experience to teach cybersecurity?
I imagine there are few topics that, if one is clever enough, one can’t read a book and be able to teach it. But there is nothing to compare with having gone through the mill.
You’ve got to have a genuine belief in what you’re saying to students. You’ve got to be entertaining; you’ve got to be authentic. I think you have to have done the actual job – security management in an organization – to teach how to deal with security problems, to share your war stories. That kind of thing keeps people engaged.
I also think you need that experience to manage student expectations. Oscar Wilde once said, “I wish I was young enough to know everything.” As a lecturer, that really rings true.
Students have said some bizarre things to me over the years. One highlight (or lowlight, depending on how you view it): “You’re not teaching computer science the way it’s been taught for centuries.” Others have said what I teach isn’t relevant in the real world. A lot of them think cybersecurity is just finding vulnerabilities and pentesting, but it isn’t. If I hadn’t had my experience, I wouldn’t have been able to push back. I might have just curled up in a ball and cried.
The other advantage is my network of fabulous people I’ve met over the years. I knew I couldn’t talk with conviction about the broad spectrum of what we’re now calling cybersecurity. There’s a wonderful altruism in cybersecurity, and the people I know are genuinely happy to come in and talk about what they do.
How do you keep cybersecurity course materials up to date?
One of the reasons I love this job is that I’m paid to learn.
I think my job title is teaching and scholarship, although actually I don't think anybody really knows what scholarship means. But to me, it's about keeping up to date with new developments, and how you might communicate what you learn and what you experience.
I’m really immersed in this. I have more keyboards than Rick Wakeman and more screens than the Odeon. I have continuing hands-on experience. I see my responsibility as balancing the basics – and boy do I know the basics; I helped develop Cyber Essentials – and the more advanced stuff.
I mean, everything comes from the basics. We’re all panicking about AI security, but it just adds another layer over the basics.
Ultimately, it’s my responsibility to stay up to date. But a good student accepts that you can’t know anything. Fortunately, I know enough people to point students in the right direction – to people who know more than me.
How do you manage expectations? Do students come in wanting to be Mr. Robot?
Fortunately, I haven’t had to bring any students down to earth. The University of Manchester is pretty selective; it would be a bit odd if people with those kinds of ideas made it onto the course.
That said, a few years ago, when class sizes started to grow, some of my colleagues were a bit miffed – they wanted us to be more selective, so we were really only getting the best of the best.
My thing was that although I didn’t want to fail anyone, I’d rather someone come on the course, even if they don’t do well, but they leave with a little bit of a grounding in cyber. In 10 years, they think, “I better not do that, I better do it this way,” even though they don’t actually go into a cyber career.
I think that’s an area where we really fail in cyber. We’re obsessed with creating pure cybersecurity people, where actually we need more people across the workforce who have an appreciation of – not awareness, I hate that word – cybersecurity.
Another big part of the job is calming students down about career decisions. A lot of them think their first job is a life sentence, or that if they mess up their first job, that’s the end of everything. And sometimes it’s advising them on making the right decisions – one student asked me if it was normal to pay for their own training. I steered them away from that job.
And then there are some students who are better suited to graduate schemes, while others are better suited to startups. I see it as my job to help them figure that out.
Another thing students sometimes get wrong is approaching projects purely to get the best marks. That’s really not what I’m looking for. Obviously, I want them to get good marks, but the objective of these projects is to get students solving cybersecurity problems. It’s about nursing their talent and their interest and helping them grow.
And God, I wish I’d had someone do that for me.