Fall 2020 brought a new option for SPA students interested in cybersecurity. The practicum JLC-695-003, Applied Cybersecurity in Nonprofit Organizations, pairs students with nonprofit organizations to identify and ward against cyber vulnerabilities. This option adds to the Department of Justice, Law and Criminology’s growing hub of cyber curriculum, which began to support its MS in Terrorism and Homeland Security Policy but has expanded through additional classes, research initiatives and reporting, and special events.
“Nonprofit organizations face many similar as well as different challenges when it comes to information and cybersecurity,” reads the course description. This practicum addressed these challenges through a mutually beneficial arrangement, providing eight SPA students with hands-on experience and their two nonprofit partners with valuable consulting services.
Over the 16-week course, students first assessed the organization externally using social media and web searches. They developed assessment questions tied to the NIST (National Institute of Standards & Technology) Cybersecurity Framework, completed a controlled assessment of the nonprofit, analyzed the results, and prepared and presented their findings to the organization’s executive leadership.
The practicum was taught by Dr. Kelley Misata, founder & CEO of Sightline Security and executive director of the Open Information Security Foundation.
Her own experience as a victim of cyber stalking led Misata to the security field, where she earned her PhD in information security and communications from Purdue University in 2016. Inspired by results revealed during her dissertation, Misata formed the nonprofit Sightline Security, which provides nonprofits a holistic approach to embracing cyber and information security with confidence. Sightline’s focus, as with this course, is to deconstruct cybersecurity jargon into common language while aligning with best practices in cyber and information security to help nonprofits assess, analyze, and improve.
“I wanted students to understand the complexities of bringing cyber and information security practices into any organization not familiar with it,” said Misata. “At times, in the security field, we make things too complicated - but it still leaves the responsibility for us to help people ‘get it.’”
Misata designed her section of JLC 695 with this same vision in mind. The unique partnering of students and nonprofit organizations teaches students to perform an assessment and collaborate with the agency to develop and build recommendations. To identify partner nonprofits, she worked with the United Way, which searched its affiliates to identify organizations that need the services and would be interested in connecting with students.
This free cybersecurity service can be invaluable to under-resourced nonprofits, said Misata. Partnering nonprofits receive an external and internal assessment, threat evaluation, valuable training on the difference between information security and cybersecurity, and a customized report including mutually agreed next steps.
Meanwhile, SPA students get first-hand experience of the complexity of cybersecurity. Misata’s class found that their assumptions about the state of cyber and information security at the start of the semester did not match the actual state of their nonprofit partner. They dispelled their own assumptions about security in these organizations while providing invaluable new perspectives on the importance of cyber and information security.
Student Elizabeth (Betsy) Joslyn agreed. “The entire experience was rewarding, not only in my own education regarding nonprofit capabilities and operations, but also in the working relationship that was established between us,” she said. “During this practicum, I honed my skills in leadership, client relationships, and professional presentations. These will serve me well moving forward in my career.”
Misata looks forward to ongoing partnerships with Sightline, SPA students, and the nonprofit sector.
“The course only scratches the NIST Cybersecurity Framework, and with security being a constantly moving target, there is always work to be done,” she said.
More information on SPA’s cyber offerings and events can be found at SPA's Policy Studies in Cybersecurity page, or look for #SPACyber.