News / May 2022

Citizen Clinic Leaders in Lawfare: “How to Start a Cybersecurity Clinic”

Cybersecurity clinics, like clinics in law and medicine, train university students to provide digital security assistance to outside organizations with limited resources. Cybersecurity clinics provide the students with valuable real-world experience while providing vital support to their public interest clients. Yet the process of starting and operating a cybersecurity clinic can be daunting.

In an article on Lawfare, “How to Start a Cybersecurity Clinic,” four founding members of the Consortium of Cybersecurity Clinics — including the leaders of UC Berkeley’s Citizen Clinic, a pioneer in the cybersecurity clinic field — provide an overview of key steps to guide other universities in launching their own cybersecurity clinics.

The article was co-authored by Ann Cleaveland, Executive Director of the UC Berkeley Center for Long-Term Cybersecurity, Gregory J. Bott, the Marilyn Hewson Chair Professor of Cyber Security in the Department of Information Systems, Statistics, and Management Science at the University of Alabama, Lisa Ho, Academic Director of the UC Berkeley School of Information’s Master of Information and Cybersecurity (MICS) program and Director of the Citizen Clinic Public Interest Cybersecurity Practicum, and Matthew Hudnall, Deputy Director for the Institute of Data & Analytics (IDA) in the Culverhouse College of Business at the University of Alabama and Assistant Professor in Management Information Systems.

“We are among the founding members of a growing and international Consortium of Cybersecurity Clinics committed to expanding the number of cybersecurity clinics that serve the public good and to sharing resources among clinic practitioners,” the authors wrote. “This post describes key considerations for new cybersecurity clinics, drawing on the combined expertise of clinics operating at Indiana University, Massachusetts Institute of Technology, University of Alabama, and University of California, Berkeley, among others.”

The full article can be found on Lawfare. Among the key points highlighted in the piece:

There is no one-size-fits-all approach to cybersecurity clinics: “Some of the clinics in the consortium teach undergraduates, and others offer graduate-level courses,” the authors explained. “Some clinics have their roots in computer science departments, and others draw students from urban planning, law, public policy, business and other disciplines. Clinics also have different specialties and areas of expertise.”

Strategic planning is key: Before launching a clinic, faculty should invest time to define the clinic’s target clients and services. “Faculty interested in launching a clinic should factor in at least one academic term to plan and/or prototype a clinic before it will be up and running,” the authors wrote. “Central to strategic planning is the determination of which services to provide to clients and the scope of those services…. Decision criteria include the risk tolerance of the client and clinic, the needs of the clients, the skill level of clinic practitioners—both faculty and students, and available tools.”

Invest time to develop an appropriate course structure and curriculum: Clinics will have smaller class sizes (ranging from 15 to 40 students per academic term), usually with one or two faculty and staff advisers or mentors,” the authors wrote. “Successful clinics also implement mechanisms for prequalifying the students who will participate in client engagements. Clients need to be confident that the students conducting cybersecurity assistance have a standard of knowledge, skills and motivation before the engagement begins. Strong clinic curricula include coaching in relationship management skills that prepare students for client interactions and for the reality of future cybersecurity roles.”

Focus on forming effective client relationships: “Clinic leaders should put in place mechanisms to create shared expectations between clinic and client, ensuring sustainability for client organizations,” the article explains. “At the end of the day, cybersecurity clinics make an impact on cyber resilience only if they have effective relationships with their clients. Onboarding and offboarding of clients are critical components of effectiveness.”

Measure effectiveness to improve outcomes: “Clinics would ideally have mechanisms for evaluating the effectiveness of their cybersecurity assistance as a component of offboarding and follow-up,” the authors wrote. “Many clinics use post-engagement surveys and exit interviews to better understand how effective they have been at helping clients reduce cyber vulnerabilities.”

Replicating the model to expand impact: University-based cybersecurity clinics are valuable because they are filling the pipeline for cybersecurity talent while providing assistance to public interest clients, the authors explained, but “any one clinic can make only a finite contribution. To generate the impact to which we aspire, university-based cybersecurity clinics need to be replicated in every U.S. state, serve every region and provide specialized technical assistance to many kinds of underserved clients. We hope the resources and ‘how-to’ advice we offer here reduce the start-up barriers for others.”

Read the full article on Lawfare.