Stanford CIS

Zoom Inside: The Case for Cybersecurity Clinics and What They Can Teach Your Firm

By Scott Shackelford on

Indiana is known for several things—the Indy 500, Hoosiers basketball, Notre Dame football, and corn. Cybersecurity does not typically make that shortlist, but perhaps it should. Owing to a vibrant cybersecurity startup scene, the cutting edge supply chain cybersecurity work being done at the Naval Surface Warfare Center Crane Division (the third largest naval installation in the world), and innovations at Indiana University (IU), to name a few, Indiana institutions are beginning to make some important progress on thorny cybersecurity risk management topics with practical relevance.

Recently IU has embarked on a series of interdisciplinary cybersecurity initiatives. These include an array of cybersecurity certificate programs, and a new MS in Cybersecurity Risk Management, which features required coursework from Secure Computing, Enterprise Risk Management, and Law, as well as an applied capstone consulting project (or cybersecurity clinic) for a real world client.

How a Cybersecurity Clinic Works

There are many varieties of cybersecurity clinics being tried around the world—Malaysia, for example, is already experimenting with this notion at the national level—but here a cybersecurity clinic may be defined as an interprofessional team of computer science, law, and business students that conduct a supervised cybersecurity consulting project for a client focused on instilling technical, legal, and managerial cybersecurity best practices. These clinics are principally concerned with enhancing the cybersecurity preparedness of underserved clients, including local governments, small businesses, K-12 school corporations, and critical infrastructure providers. This approach stands in contrast to existing stand-alone legal clinics focused on particular issues such as privacy or cyber law. Instead, the type of interdisciplinary cybersecurity clinic on which IU is focusing recognizes that effective cybersecurity risk management requires considering cybersecurity from a more holistic perspective.

In 2015, IU, in partnership with the Indiana Office of Technology, launched a pilot program with the town of Speedway, Indiana (home of the Indy 500). In Speedway, an interdisciplinary team of IU graduate Law, Business, and Informatics students assessed our client’s supervisory control and data acquisition (SCADA) vulnerabilities, generated a more comprehensive incident response plan, analyzed Speedway’s potential liability exposure in the event of a data breach, and revised their employee handbook’s privacy policies. In particular, the students:

Read the full piece at Security Roundtable.