The Learning and Innovation Hub at the Canadian Centre for Cyber Security recently issued a draft Cyber Security Curriculum Guide for Post Secondary Training and Education Providers “for public dissemination and open use.” The Guide provides a role-based perspective on post-secondary cyber security curricula in two domains: security and business.
Setting aside the fact that the “public” is tightly restricted to subscribers of an internal Government of Canada website, it is important to note that the Guide is intended to “provide a catalogue of curriculum elements that establish a national benchmark against which post-secondary institutions, including private sector providers, can assess their programs, courses, and micro learning programs.”
As part of the development process, the Centre conducted an environmental scan that addressed cyber security specific programs, largely technical in nature, and business-related programs, largely non-technical in nature. Researchers also collected anecdotal information from subject matter experts, business councils, professional associations, community groups and others that have reinforced the results.
Among the most important findings from the scan and subsequent analysis, researchers determined that “Programs that focused on generating graduates for the workforce, predominated. Relevant, yet underrepresented topics were: the Canadian legal and policy context including personal information protection and privacy; ethical considerations including workplace and investigatory practices in organizational contexts; integrated risk management; business communications; and emerging issues.”
Despite the glaring underrepresentation of topics related to “the Canadian legal and policy context including personal information protection and privacy,” however, the draft Curriculum Guide does not include privacy among any of the role-specific basic, intermediate, or advanced key education or training topics listed in the Guide.
The Guide notes that strategic planners and policy analysts might be required to be able to identify “other related federal, national or provincial imperatives and compliance requirements (e.g. Privacy, etc.).”
Similarly, financial analysts must be able to forecast cyber security incident/privacy breach costs. How they might do that without a good understanding of the harms and unintended consequences that can arise from privacy breaches is anyone’s guess.
Training topics for advanced-level communications specialists include “Managing crisis communications arising from a cyber security incident or privacy breach” — but that does not require any particular knowledge about how breaches are caused or skill in preventing breaches; it only requires skill in communicating about breaches.
The draft curriculum for entry-level Cyber Defence Operators is equally sanguine, noting a training requirement for “Legal and ethical responsibilities associated with cyber security operations including conduct of investigations, privacy, and preservation of evidence.” Once again, though, there is no mention of knowledge or training about privacy law or generally accepted privacy practices.
The draft Cyber Security Curriculum Guide for Post Secondary Training and Education Providers is a valuable opportunity to ensure that privacy and access to information are included and well addressed in cyber security curricula. In its current iteration, the Guide is a missed opportunity that helps to further entrench the current state of siloed domains, with security practitioners continuing to suffer from an inadequate understanding of (and often incorrect perceptions about) the requirements, nuances, laws and practices relating to information privacy and access to information and how those interrelate with cybersecurity.
Note to Reader: PACC members can view the draft CYBER SECURITY CURRICULUM GUIDE and submit comments to registrar_at_PACC-CCAP.ca. Comments will be anonymized and submitted to the Canadian Centre for Cyber Security.