What is it going to take to address current and future IT security staffing needs? One answer: Attracting young, bright minds that are up for the challenges ahead, says Winnie Callahan of the University of Southern California.
By 2015, the United States will require 700,000 new cybersecurity professionals, according to the National Institute of Standards and Technology. This is just one of the many reasons why USC's Viterbi School recently announced its new master's degree in cybersecurity, which debuts this fall.
Callahan, director for business, education, government and health innovations at USC Viterbi's Information Sciences Institute, recognizes the need to attract the next generation of cybersecurity professionals.
"The need is huge," she says in an interview with Information Security Media Group [transcript below]. "The way in which we will meet that need is to reach out and recruit the best and brightest in terms of students."
Callahan says the ideal candidates are those who recognize the importance of the challenges presented by information security, and are ready to tackle them and contribute.
"We're looking for those types of people that would like to be able to contribute and know what they're doing is important," she says.
Job salaries may be an influencer in drawing people to information security. But there's more to it, Callahan says. "People are looking for a place where they can make a difference."
Those who have a desire and curiosity to work with technology and be creative are prime candidates, Callahan says, but growing future generations comes with reaching down and educating younger students, in elementary, junior and high school levels.
If the younger generation isn't taught about the opportunities early on, they may dismiss it. "If a young person doesn't see something exciting that they can do in some of these harder courses, they kind of self-eliminate," Callahan says.
In an interview about USC's new master's program, Callahan discusses:
- The genesis of this new degree program and what makes it unique;
- How this program will help address IT security staffing needs;
- Metrics to gauge the program's success.
Callahan joined the University of Southern California's Information Sciences Institute in January 2009 as director for business, education, government and health innovation, with the responsibility for building partnerships, spearheading initiatives and identifying opportunities for growth that will enhance economic expansion and promote the nation's future. In her role, she seeks to augment ISI's accomplishments and reputation for computer-based communication, artificial intelligence and dynamic complex systems by collaborating with entities whose missions rely on taking impactful applied research solutions and technological adaptation directly into the market. Previously, Callahan served as executive director of the University of Nebraska's Peter Kiewit Institute.
USC's Master's in Cybersecurity
TOM FIELD: The big news is that the Viterbi School has recently announced its master's in cybersecurity. Tell me: Why is the time right now for this program?
WINNIE CALLAHAN: One need only listen to the news or pick up a paper to understand that the nation is having tremendous challenges as it relates to cybersecurity issues. As a result of that, being able to help provide new cyber professionals that can go into the workforce, into business, industry or into governmental agencies, is critical because, quite frankly, theoretical background is only a part of the equation. More significant is having an operational side and being able to understand the intricacies of cybersecurity both from a foundational level, but the day-to-day operation, and need to be able to secure assets and be able to address the types of threats that the nation is faced with.
FIELD: What can you tell about the genesis of specifically the master's program?
CALLAHAN: This master's program has come from being extremely well-informed by a variety of professionals over the last 15 years. In working with groups like U.S. Strategic Command and the National Security Agency, in talking with people that are involved in critical infrastructure, industries like power, transportation etc., there's a real need to have professionals coming online that understand the playing field and have a real strong foundation in being able to address sophisticated adversaries and advanced persistent threats that we're facing as a nation.
Courses, Subject Matter
FIELD: What can you tell me about the courses and the subject matter that are going to be a part of this master's program? The master's program debuts in the fall, is that correct?
CALLAHAN: It does. The type of program and the courses that we've put together I think are pretty unique as we look across the nation. We chose to go to a master's of cybersecurity rather than a master of science in cybersecurity, and by doing it this way we're able to set the requirements for people entering this program to come to us with a background in computer science, computer engineering, software engineering, mathematical analytics, and those courses that would put them in good stead to be cyber professionals at the highest level. By doing that, we could make all of our classes directly cyber-focused rather than starting with four to six courses in comp-sci and then finishing a master's with maybe only four classes that are focused directly on cyber. This way, the master's program addresses cyber specifically. That makes it very, very strong.
In addition to having the focus in that area, we're able to have hands-on experience, balance the theory with the operational side, and allow the people to participate in directed research and in internships that prepare them to go into their new position the first day and be able to compete.
Next-Gen Pros: The Greatest Need
FIELD: You spoke up front about the need for cybersecurity professionals. It's certainly something we all recognized. But from USC's perspective, what do you see as the greatest need for this next generation of pros and how are you going to help meet that need?
CALLAHAN: I'll just regress a half second and indicate that even the National Institute of Standards and Technology has come out and said that, by 2015, we have to have 700,000 cyber professionals just in the United States. The need is huge. The way in which we will meet that need is to reach out and recruit the best and brightest in terms of students. We want them to be obviously patriotic. The grand challenges of engineering set at the national level and globally addresses cyber as one of the main grand challenges, and bright young minds and professionals that have been in the game for a while recognize the importance of the challenges that they're being faced with and, quite frankly, they like challenge and like to be contributing.
We're looking for those types of people that would like to be able to contribute and know what they're doing is important. Dare I say, there's quite a bit of money to be made in these careers, and it tends to be one of those fields that has job security because the need is not ending. It's growing and so it's a great career field for people to get into.
Attracting Cybersecurity Pros
FIELD: How are we going to attract the right people to the field to fill these open positions? Is it going to be simply a matter of money?
CALLAHAN: Money may be a part of it. But I think really bright minds like challenges and they're looking for a place where they can contribute and make a difference. The newest generations obviously have been raised with technology being just an extension of their hand literally. Consequently, people that come in with curiosity, those that enjoy the gaming side of things, the ones that enjoy the technology itself and have a desire to come up with something just a little different or a little more creative - that's where we need to begin to attract.
But I don't have to tell you: If we address only today's problems without reaching down and looking at young people in elementary, junior and senior high school, showing them the opportunities the fields of engineering and IT would allow them to play in, then we're not going to solve the problem going forward. Unfortunately, if a young person doesn't kind of see something exciting that they can do in some of these harder courses, they kind of self-eliminate as they go into junior and senior high by saying, "I'm never going to need Calculus. I'm not going to need advanced algebra or other courses. I'm just going to take the easy route; those are kind of hard." If we're able to show them at a younger age what they could do with degrees and how they could participate, and, yes, how much money they could make, then they aren't as prone to take the easy route and then find out in senior high school, "I would love to go into this field but I would almost have to go take high school over again because I didn't take the classes I needed to enter engineering or technology fields."
Women in Information Security
FIELD: Traditionally, we've had a hard time attracting women to engineering, technology and information security. What can we do differently there?
CALLAHAN: I think that the tide could turn there by reaching into the organizations and schools that are beginning to educate at a younger age women and minorities. I will tell you that one of the strengths at USC - I was blown away by it, because nationally about 15 percent of the engineers today are female - in terms of the schools, USC is approaching 40 percent in that category and they really work at it. We know for example that the really bright minds and the females, as an example, really like role models and they react well to that. They like to be put in internships where they can try a career opportunity on for size. I think we have to do that in a more concerted way and put young women in touch with those that are already in fields so they can see, "Yes, I can do this." The fact that the president and the nation is addressing science, technology and engineering as areas of focus is certainly a very timely collision if you will with some of the things that we're trying to do and certainly it's no accident.
Private Sector Assistance
FIELD: We recognize that no educational institution can get by without assistance from the private sector. What can you tell me about USC and your unique needs from the private sector to make sure that your new master's program really is successful? What do you need most?
CALLAHAN: We need their participation with us. ... I was recruited to USC to build a cyber program from some of the work that I had done at the University of Nebraska. To be very honest, the secret to success with our cyber program there and with our cyber program here will clearly be the partners from private industry that we're working with. That gives us not only places for internships to take place, but it gives us resources to bring into work with the students and with the professors that are delivering the courses.
But almost more importantly, it keeps our instruction relevant. We can't do what we did five years or ten years back. We have to be relevant to the industry and to the needs today. In fact, yesterday on a trip in Boston, I talked with a CIO of a major corporation and he indicated that he was so awestruck by the courses that we have laid out for this program and the fact that we've listened to the needs expressed by leaders in this area across the nation. He said, "You really listened and you're designing what we actually need." He sat there and gave me two more needs that he has for his corporation and he said, "So you're telling me you would put that into your program and you would build us classes to meet those particular needs?" I said, "Yes, sir." He said, "This is really refreshing. I'm really excited about this."
I'll give you a case in point. A couple of years back I spent some time working with the CIO of the Air Force. At that time, General Bill Lord sent a team out to USC and they spent a day or two with us out here. They came from all over the country. They sat around a table and rolled their sleeves up and we talked about the needs for cyber professionals and what should be in those classes. We do that with companies as well.
In another example, we've worked with Union Pacific Railroad for a long time. They said at one point, "We'll hire every student you graduate." Why? Because we were working with them in an iterative way to be sure what we were delivering would meet the needs that they expressed. That's the way this program has been built.
There's another key element to this program. Who's going to teach the classes? Who do you bring in? I'm so excited to share with you a couple of the people that we brought to USC to work with the people that are here. One is Dr. Blaine Burnham. Burnham came out of more than a decade at the NSA. In his capacity there, he worked with schools around the country from NSA helping to fund the build-up of some of the first cyber programs - one being Naval Postgraduate School - and then helping to plan what went into those courses. He also helped Georgia Tech get its program in place. He has been on both sides - the academic side and the operational side. He's a perfect person to bring in. He's a legend. Think of students that can come in and learn from someone that understands the balance between the theory and the operational side.
A second person that we brought in is Dr. Roger Schell. Schell, a retired Air Force colonel who went into technology - actually taught at Naval Postgraduate School - has been renowned and was taken this past year into the National Cyber Security Hall of Fame as one of the first 11 indoctrinated. He came here because he said, "Winnie, we're going to build it right. I want to be a part of it." So there's another person.
We brought in Lyndon Pierson, lead scientist from Sandia National Labs, [who's] very strong in network operation-centric challenges as it relates both to hardware and to software.
Then you combine that with the strong breadth of research capabilities that USC ISI has. They were one of the original universities that stood up ARPANET. They've worked extensively with the community and with government, and actually have secure capabilities right at ISI. It provides a very unique setting and cutting-edge research. We have a cyber range here where people can emulate systems and actually watch what happens in a system when an attack occurs and how you can mitigate it. We've got a lot of the right pieces and right expertise. To be able to build this program from the ground up based on the requirements that the experts have shared with us, I feel very confident about what we're putting out there.
Measuring Program's Success
FIELD: Ultimately, how will the new program's success be measured?
CALLAHAN: There are a couple of ways, not the least of which is where our graduates are employed. In previous efforts that I've been a part of, we had a tremendous track record of placing students where they competed with the very best in the nation for job opportunities. When those customers come back and want more and more of your graduates, you know you're doing something right.
Another piece is obviously the attractiveness of the program to professionals that are already working in the field, but want to get more education so that they can go up in the corporations where they're currently employed. They'll recognize this program as providing what they need, not just theory, and so we will know quite handily the success of the program.
Another thing I would point out to you is we have built this around the best-of-breed model. By that I mean that we as a university - and you can pick any company or any university - no one owns all the cyber assets that they need, but around the nation there are some recognized experts. I've mentioned a few that we've been able to acquire to work directly with us, but we've also built up a consortium around the nation that we can reach back to where we have experts in certain areas related to cyber that we can tap that have agreed to work with us. They will come teach, serve as resource and help develop course work. That enables us to be able to respond very quickly to a request from a company to be able to meet their needs and to provide the instruction that they need short term. We're pretty excited about that. It's a very unique approach.
Entering the Information Security Profession
FIELD: For those who might be interested in entering the information security field now, what one piece of advice would you offer to them?
CALLAHAN: I would say quickly apply. Get yourself into a program. When you're looking to decide where you're going to go, be very cautious to make sure that the program that you enter isn't just theoretically based, that the courses that you take, be it undergraduate or graduate level, you're getting enough real cybersecurity types of courses and information assurance focus so that when you leave your program you really are hirable and you can go in and begin to make a difference.
Cybersecurity today is not a spectator's sport. You're either all in or you're marginal. With people coming into a program, you want to be sure that you have had a program that gives you tremendous hands-on opportunity and a chance to go through everything, from policy assurance to distributed systems and secure systems, engineering to forensics, applied cryptology, etc. But you can't get enough, and so you want a program that's offering the most for the time that you're going to spend and the money you're going to invest. I kind of think USC is one of the places where you just cannot go wrong.