Career Q&A: Expert Advice on Certification, Job Opportunities and More
Q: What is the role of certification in information security?
Northcutt: Certification means that someone meets a minimum standard. That is all certification is able to do. So, the important thing to do is establish where we want those standards to be and at what level in the job. Obviously, an entry-level person would meet a lesser minimum standard than a senior person, responsible for the architecture, or the incident response, forensic response in an organization. One of the problems that the industry has had is we are jumping all over the least common denominator. For instance, the military is requiring certification for everyone with hands-on IT responsibilities. That is good. But, the military is primarily choosing the Security Plus, which was designed for entry-level, but they are using it for people who have greater responsibilities than entry-level, and that's bad.
Q: What is your opinion of the state of the education offered by colleges and universities these days in information security?
Northcutt: Well, academia has historically taught theory. They teach you how to think. This is wonderful. The problem is, again, it doesn't, in general, produce the folks that people like Steve Katz are looking for at Citicorp. I really am amazed, because one of the frontrunners in information security, years ago, when I was cutting my teeth, was Purdue, of course, under Gene Spafford, and he was just adamant that these people left with hardcore technical skills. And during that whole period of time, the late 80s and very early 90s, if you could get a Purdue grad with a master's in information security, you rocked. I mean, it was a good thing. And I'm amazed more colleges have not copied off their paper. And so, you have a lot of relatively weak programs. In fact, I've been looking at a number of the programs, where they are just essentially certificates. You still get a degree, but you take a course out of computer science, artificial intelligence, this, that, and the other thing. But none of that prepares you to deal with Eastern European or Russian hackers, Brazilian hackers, who are doing it for the money. They are very serious, they are very disciplined, and absolutely none of it prepares you for the Chinese military operative who knows exactly what they are doing, and they are mining for information. So, I think the colleges and universities have a bit of work ahead of them if they are going to produce people that can actually do the job. On the other hand, let's be honest, technical skills perish very quickly. And so if colleges totally focus on technical skills, and not the critical thinking, not the research, they will produce people that can't grow. They will be good for a year or two.
Dr. Eugene Spafford, Professor of Computer Science and Electrical Engineering at Purdue University and Director of the Center for Education and Research and Security, shares his thoughts here with us on the focus of CISOs, the shortage of trained professionals in information security, and career advice for candidates wanting to venture into the field.
Q: What, in your view, should chief information security officers and the CEOs of companies focus their time and energy on within information security?
Dr. Eugene Spafford: I have spoken with several, and their concerns clearly are how to know that they're spending the right amount, and what is it really going to do for the business if they do or don't spend on certain things? I think the first thing that needs to get across to many of these people is that security is not a return-on-investment kind of expenditure. It isn't an investment that produces returns. It is an infrastructure cost. It is a cost of doing business, the same as providing heat and lights and the guard at the front lobby are all part of infrastructure expenses. And you have to invest in appropriate amounts of security not only to maintain the viability of the organization, but also to promote public trust and employee comfort, both of which are important for the bottom line. If the public doesn't believe that you're going to protect their information appropriately, or that you are behaving in an ethical manner, then they are likely to eventually take their business elsewhere no matter how immediate the crises are. Government is likely to penalize you as an organization if you haven't kept appropriate records, and we've seen over the last decade the increase of legislation in this arena. And certainly employees, given the choice in today's market, where we have far more opportunities than candidates, are going to take their business where they feel more comfortable, where they feel that they're doing something more ethical, or where they just feel better about the protection of their own information. So when I talk to people at the C level, I stress that the investment isn't expected to produce a tangible return, but it's to create an environment where customers and employees and other entities are more comfortable doing business with a company because they realize it takes care of privacy and security and values quality.
Q: How severe is the shortage of trained professionals in information security?
Spafford: Right now the shortage is such that maybe two or three potential positions exist for each person with appropriate training, if they're willing to relocate and if they're willing to learn some new systems. The problem probably is going to get worse, though, because we don't have the defenses in place, and as more businesses come online, as we do more government work online, and as fewer students go into computing than are really needed, the shortage is going to increase.
Q: What advice would you give somebody thinking of starting this career? Where would they want to go for school or what type of major should they look at? Will a business or computer science student also be interested in this major?
Spafford: There are a number of different ways to approach this. Certainly computer science, computer engineering and business are three potential approaches, depending on the aspects that one is interested in. But we're also seeing some programs coming through criminology for the whole area of cyber forensics and cyber law enforcement as one arena. I've seen some people coming through education schools and information technology programs who also have very good grounding. It really depends on whether you're interested in applications in a particular area, or in management, or in research, and that really should be the guide.