Q&A: Charles Cayot, a Founder of the Cybersecurity Program's Predecessor
October 28, 2020
Charles Cayot, Associate and Adjunct Professor at Capitol Technology University and Lead Faculty for Risk Management (IAE 674) and Principles of Cybersecurity (IAE 685), spoke with us about his experience building the Information Assurance program, now known as the Cybersecurity program at Capitol Tech.
Question: When you arrived at Capitol Tech in 2002, what was your title and role at the university?
Answer: I held a number of positions since starting at Capitol. These have included: Professor of Practice, Subject Matter Expert, Adjunct Professor, Lead Professor for IAE-611; IAE-674; IAE-682 and IAE-685, and Program Manager and Lead Developer for Professional Development Programs in the Critical Infrastructure and Cyber Protection Center (CICPC). I worked on mapping the MS in Information Assurance curriculums with Dr. David Ward and Dr. Bill Butler to the National Security Agency's (NSA) National Training Standards in Information Assurance Education winning our first designations as NSA Centers in Academic Excellence. Later when Ken Crockett and then Helen Barker were Deans I was placed on Professor of Practice contracts to de-conflict the many redundancies in the BS in Information Assurance curriculum and redesign the MS in Information Assurance program.
Q: What is IA? Could you provide a technical and nontechnical definition with examples?
A: IA, or Information Assurance, is a holistic approach to securing an information system. It is the trustworthiness of the system and how the defense in depth controls work together to provide for the trusted operation of the information system. IA includes the technical cyber controls and countermeasures as well as administrative, policy, disaster recovery, business continuity, and physical security controls. The non-technical IA controls become the glue that binds and supports the technical or cyber controls to form the defensive shield around the system.
We moved from information security, or InfoSec, a number of years ago in recognition of the many vulnerabilities to any information system. This is why Capitol Tech changed the degrees from MS and BS in “Network Security” to the MS and BS in Information Assurance, recognizing the significance of information assurance vs. simple network security.
In light of the many and varied threats systems face, the technical or cyber controls may be the most significant protection strategies a system has. They are simply not enough on their own to provide for the trustworthiness of the system. For example, what good is it to have the best and strongest suite of technical or cyber controls around a system, but have a lacking physical security system where someone can walk into a location or server room and steal or destroy a server? Likewise with policy: if you neglect configuration management and allow users to inject software or applications that have not been tested and approved into the environment, there is no way of attesting to the trustworthiness of that application or software, and those elements could defeat the entire defense in depth by becoming the weakest link in the defense-in-depth architecture.
Cybersecurity is the technical controls used to protect a system or enterprise while IA is the more inclusive/holistic defense which includes the technical controls (firewalls, identity management systems, IDS, IPS, etc.) together with the non-technical controls (administrative, policy, physical security, disaster recovery).
Q: Could you please list and describe common IA applications?
A: I believe you are asking how we use IA here, and the answer is any and every information system where we have assets (hardware, software, or data) that require protection either by law, classification, or privacy needs.
Q: You are a founder of the IA program. What steps did you take to establish this program and advertise it to prospective students?
A: I believe Dr. Butler and myself (along with several other military and professionals in the information security field) were recruited by Dr. Ward (deceased) to help institute a network security program which included traditional information security, legal, network architecture, voice and data communications network engineering, malware, cryptography, and wireless for undergraduate and graduate students. To increase the student population at Capitol Tech, in 2005 Dr. Ward and I won approval from the executive committee to establish the Critical Infrastructures and Cyber Protection Center (CICPC). Here we moved to target the IA workforce market in the security professional, consulting, and DOD workplace. We initiated professional development programs for those that did not want to partake in a formal academic degree program but needed workplace credentials for the IA workforce. Today we offer various certificate programs. We developed a CISSP review program and one for certifying various NSA Standards in IA for system certifiers.
The move from information security to information assurance started in the late 1970s when the Department of Defense moved from the Trusted Computer Standards to Information Assurance. This was a real cultural change for those of us that came up in the Infosec world, like what cyber security is today, into the more holistic approach to trust vs. security.
Q: In your opinion, why was it important to found the IA program?
A: As you can see from the above, information systems became more integrated and complex. Basic security techniques needed to be enhanced / supported by those non-technical components of policy, administration, physical security and disaster recovery to protect the increasingly diverse sets of hardware, software and data that required protection.
Q: How did the IA program transition into becoming the cybersecurity program? Why did this transition occur?
A: Things change, and there were those in the community, Federal and Defense, that wanted to have a sharp new term to adopt. Personally, and this is just from experience and working in the field since the early 1970s, I believe IA was becoming too complicated for many working in the field and they needed to revert back to the technical aspects.
The depth and breadth of experience required to succeed extended into functional areas many had no experience in. For example, it is uncommon for a network or data security professional to have any experience in physical security. Now, to ensure a trusted environment, you must ensure that the physical plant and even the surrounding neighborhood risk are mitigated. Likewise, most technically oriented people and engineers never gained experience with policy or business continuity. Configuration management (CM) was looked at as documentation writers, while in fact CM is probably one of, if not the, most important component of IA. This gives you your baseline of hardware and software; if these are not controlled and validated, there can be no way of trusting how well the system can be protected.
Q: Why is IA important in today’s society? How are everyday people affected by IA and problems associated with the industry?
A: Look around, there is very little that can be done today without the support of some form of information system, in government and business where data sets grow exponentially in size and complexity. Privacy and compliance regulations and laws continue to be published requiring businesses small and large to protect data. Financial data for the organization and personal data from customers or associates, along with medical data, all require protection.
Whether it is next year’s product designs, stock projections, or family finances, information system security affects everyone. An emerging area that will be an ever increasing threat to individuals and organizations alike is the Information of Things or IoT. We are entering a world where homes, automobiles, and everything used by consumers are being integrated with some form of internet connectivity or computer reliance. Where there is any underlying connectivity or software code there will be a potential vulnerability for thieves or bad guys to steal, injure, or deny whatever the supporting processes are. We already have documented occasions where an Alexa device has been listening to a household and that recorded voice data has been used in legal actions.
George Orwell was only off by a couple of years, but we are here. 99% of the population has no understanding or appreciation for the potential adverse actions that can come from the evolution of IoT.
Q: What role do you think IA and cybersecurity will play in the future of businesses and everyday online users?
A: Threats continue to grow in scope and complexity. Everyone and every business will be increasingly at risk. The real problem is spreading that word. There is nowhere John and Jane Q hear about the risks out there, or how they can first be affected and second how to lessen their exposure to risks.
Q: Do you think there are unique aspects of Capitol Tech’s cybersecurity programs? If so, could you please describe the unique benefits students gain by completing a cybersecurity degree from Capitol Tech?
A: The various assignments and involvements with most every course in the BS and MS programs have provided a perhaps unique vision of the overall programs and their potential.
For over 15 years I have been an evangelist that Capitol Tech owned or should own IA. We have one of the first academic undergraduate and graduate information security oriented programs. The programs were developed and presented by subject matter experts from defense and business sectors. Capitol was unique in that our programs were live online, or synchronous. That created a unique symbiosis between student and professor that people migrated from other, asynchronous institutions to benefit from. We enjoyed proximity to NSA that provided exposure and word of mouth advertising. Capitol was one of the original 4 institutions gaining certification by NSA in all of the NSA-CAE certifications at the advanced level, where there was an advanced level. We opened the CICPC, attracting non-academic “customers” to our programs.
So how did we own IA? Undergraduate, graduate, and doctoral programs in IA. Professional development offerings for the IA workforce. Expanding curriculum including new areas on the supply side of security and identity management. Our programs were only limited by the organization culture in Laurel. I fought for several years to expand our synchronous programs into other than Eastern Time evening classes. We have students and potential students around the globe. Asynchronous offerings offer availability to this larger potential audience. BUT our synchronous classes could be available to this increased audience while holding the additional benefits of live interactions between students and instructors.
As an instructor I also have a unique view of the IA population. I have the first and last course in the MS program, so I see enrollment trends. When we had live classes I would talk to the students about much of the subject matter here, so it’s not just conjecture, and the old recordings are still, or should still be, archived to verify what I am saying.
Q: Please describe the CICPC professional development programs.
A: We participated with the United States Department of Agriculture (USDA) offering our academic courses to their workers with the option of taking our exams to gain academic credit at Capitol Tech should they enroll. I held several programs for Department of Defense (DoD) consulting companies for their workers requiring Navy System Certifier certifications on Saturdays and even ran a “lunch box” series where the same materials were presented over a 90 minute lunch window for about 15 sessions. I believe that Dr. Butler has expanded some offerings with other organizations in the CICPC. We were prepared to offer 6 courses covering all 6 of the NSA National Training Standards in Information Assurance Education.
Q: How do CICPC professional development programs prepare students for future career responsibilities?
A: The programs were tailored and targeted to workforce needs, not academic requirements. That expanded the potential student population, where some people did not care about a formal academic degree or certification. Our reputation in Information Assurance (IA) allowed us to begin to operate in the professional development space. That had great potential.
Q: Would you like to share any other information about IA or about Capitol Tech's former IA program?
A: Our strengths were:
- Subject matter content.
- Mapping to established and recognized NSA IA training standards.
- The original courses were also mapped to the International Information System Security Certification Consortium, or (ISC)² Certified Information Systems Security Professional (CISSP) common body of knowledge.
- Our synchronous live online platform.
- A seasoned, experienced professional adjunct instructor cadre. The cadre did not simply teach from a textbook but from years of hands-on experience. That depth and breadth of knowledge made it a rewarding and meaningful experience for our students.
- Expansion into the professional development space with the above all amalgamated together making Capitol the institution that could have owned IA education.
- The potential to offer our live courses in any time zone supporting student availabilities around the world.
- A point most do not know any longer: Capitol College (a former name of Capitol Technology University) wrote some of the original synchronous learning platform before I began teaching here. We were pioneers in synchronous education, which is why it was a strong point of our IA and business programs. We offered what only a few institutions did.