Richard Swart on Information Security Education Programs
RICHARD SWART: Yes. I did this research in cooperation with the Center for Systems Security and Information Assurance, which is a consortium of about 120 universities mostly on the East Coast. And what we realized was a gap between the expectations of industry in terms of the skill levels that recent graduates should have and the type of training that universities were providing. So we did a parallel set of surveys where we were able to ask specific questions to both industry leaders and to professors to gauge how they were preparing students to enter the information security field and to try to identify where there was a mismatch between what the professors were doing and what the industry needed.
ALAN ZAPANTA (ISMG): So in doing this survey, can you explain further your findings and offer some suggestions on how to bridge the gap for both universities and students?
RICHARD SWART: Yes. Thereâ€™s several compelling findings. The first one is that despite a significant increase in the number of information security programs over past five years -- it went from maybe a handful to about 75 programs that are currently certified by the NSA -- the majority of those programs are dominated by computer science and computer engineering faculty. And theyâ€™re dealing with very technical issues such as encryption, cryptography, PKI systems, algorithms, coding issues; but thereâ€™s minimal to no participation in most of these programs by business faculty. So issues like business impact analysis, security management, risk analysis, those sort of issues are not being addressed in these curriculums at all in the majority of cases.
Thereâ€™s also, I would say, a five- to six-year gap between the needs of most organizations and what some programs are doing. Thereâ€™s a couple of leading edge programs like Purdue University and Carnegie Mellon are exceptional, but the majority of programs are still teaching fundamentals of computer security as it would have been taught in the 1990â€™s, not recognizing todayâ€™s regulatory environment or the incredible pressure that companies are under.
In terms of specific suggestions, I would say that it would be helpful for the universities to recognize that the major concerns of companies are not the things that theyâ€™re teaching. Companies are asking -- and this is a top five list -- for security management as their number one priority, and then advanced network administration mostly dealing with active directory issues, vulnerability assessments, advanced network and enterprise security architecture training, and then training and instant response and disaster recovery. Those are the skills that corporations are asking for, but, unfortunately, the majority of those topics are being taught at a minimal to nonexistent level in most programs with the exception of some of the network administration classes.
ALAN ZAPANTA (ISMG): What can business do to help bridge that gap between whatâ€™s taught and whatâ€™s expected? Would you say that internships would help bring forward the management compliance and business expectations that you just described?
RICHARD SWART: Thatâ€™s an interesting question, Alan. Thereâ€™s actually two interesting finds that we found. First was that many companies perceive there actually is an adequate supply of entry-level security professionals, people just finishing their bachelorâ€™s degrees; but they said that only 3 percent of universities are doing a minimal or any job at all preparing mid-level practitioners, such as people with their MBAs or graduate degrees. And so it seems like the greatest gap is not the young student just starting out in their career because these companies are providing in-house training and vendor training. What the gap seems to be is in the advanced training that youâ€™d expect for an MBA student. And specifically, what we found is that smaller schools located in communities of less than 250,000 people seem to be more nimble and they are responding to industry needs. In fact, they say the primary driver for their security programs is trying to meet industry needs. Larger schools in metropolitan areas donâ€™t seem to be effected by industry demands.
So if youâ€™re a company owner or an executive in a community or you have a branch office near one of these college towns or smaller schools, I would approach the administration of that school, the senior faculty, and talk about what your companyâ€™s needs are. Many times, the academicians simply are not aware of what the companies need. Internships are useful for providing basic skill training, but itâ€™s very unusual to find an internship in an MBA or a Ph.D. program or in advanced programs. So, unfortunately, I think the businesses are going to have to be more proactive in reaching out to the campuses and educating the faculty and not relying upon student internships; although, that certainly has an important role, especially in the undergraduate level.
ALAN ZAPANTA (ISMG): So what would you say are the key factors that you identified that shape a universityâ€™s curriculumâ€™s effectiveness?
RICHARD SWART: Iâ€™d say the primary driver of effectiveness is whether the university is preparing students to meet the current security threat environment that involves an entity access and management concerns; it involves regulatory compliance; it involves dealing with bot nets and the rise of very sophisticated distributed denial of service attacks. Companies are saying that we need people to help us re-architect our security solutions, but primarily, theyâ€™re concerned with alignment between business objectives and business needs and security needs.
Security used to exist in a silo. They were the network engineers or they were the security specialists, and they would worry about intrusion detection and installing your PKI systems, but now businesses are clamoring for people that are articulate and able to explain the need for security to business executives and the top management. They also need to be able to show or rely on security investments and have a good understanding of security metrics. And the whole issue around privacy, security, and customer safety certainly has emerged in the last few years. And with almost, Iâ€™d say, maybe two or three exceptions, the vast majority of schools are not directly teaching those skills.
So an effective curriculum would be one which, while providing the fundamentals of network security and network administration and the fundamentals of cryptography and the key skills that everyone needs to understand, it has to focus on the new issues; it has to have security management; it has to have how do you initiate and proactively manage effective security programs that receives the support of the top management of the organization. You also, as a security manager, must be able to talk to your developers. The old model used to be build, deploy, and secure. Howard Schmidt talks about this in all of his speeches. What needs to be now is you build, secure, and then deploy. And that mindset needs to be pervasive. And so whether youâ€™re in software engineering or an MBA program, MIS, an effective curriculum will be one that drills that into their students from the very beginning. You cannot ethically or responsibly release a product that has not been secured into the marketplace anymore.
ALAN ZAPANTA (ISMG): What were other key findings you were able to draw there the surveyâ€™s results?
RICHARD SWART: Well, we found that the majority of programs are still teaching security as it existed several years ago. The primary things that they are teaching are network administration, intrusion detection, some Linux and Unix administration, network architecture; some are still teaching mainframe. What they are not teaching are these other sets of skills. Theyâ€™re not teaching the management, the governance, the compliance initiatives, the risk analysis, the risk management. We are also finding that the vast majority of these programs do not have professors that themselves were trained in security. Only, I think, 14 percent of the schools had faculty who were trained -- who had received security certifications such as a CISSP or a CISM. And thatâ€™s a huge concern because many of these faculty are essentially retraining themselves or retooling themselves to become security faculty, but they lack the industry experience and they lack the certification. So what they are essentially teaching is within their comfort zone.
So one significant need is for industry to reach out to these professors and to faculty members and to offer them some training and some boot camps and job shadowing or even an opportunity to come work for a company for the summer and observe how security is managed and what the function actually looks like within a corporation. Without that opportunity for faculty to observe and interact, unfortunately, itâ€™s going to take several years for the curriculum to sort of drift into a more appropriate method of teaching. Academia turns very slowly, but the smaller schools would be responsive if business is willing to not just explain the need, but also provide some support to train their faculty members. Vendors, of course, should reach out to faculty and offer to provide some that same training.
ALAN ZAPANTA (ISMG): Well, weâ€™re running out of time. So Iâ€™d like to wrap this up. But before I do, real quick: Are there any parting words youâ€™d like to share for the student aspiring to break into the information security industry given the findings that youâ€™ve had through your research?
RICHARD SWART: Yes. I would say that if you are considering getting into this field, itâ€™s an excellent time to do so. Our survey also asked companies about their anticipated hiring. And it seems like the trend over the last several years has been to provide additional training to existing staff. So a network engineer or a network administrator would be send to it a boot camp or to a vendor training, and they would add security roles and responsibilities onto that job. What the employers are telling us now is that theyâ€™re going to go hiring dedicated security professionals, people that thatâ€™s their sole focus in the organization. And they say thereâ€™s going to be a two and a half fold increase between the openings in 2006 when this survey was done and the expected openings in 2007 -- whatever a two and a half fold increase would be. So the key skills that you need to focus on are a solid technology foundation, whether thatâ€™s computer science, information technology, information systems. But if you are a student outside of business, such as an information technology student, I would strongly encourage that student to consider getting a management training. An ideal combination would probably be a technology-focused undergraduate degree followed by an MBA -- something that provides the business skills and the business acumen, which would allow the person to then sell and manage security within an organization. I would not expect to be able to have a long-term career in security just with the technical education anymore.
ALAN ZAPANTA (ISMG): Thank you for your parting words, Richard; for taking the time to speak with us on these issues. Once again, this is ALAN ZAPANTA and Richard Swart and an Information Security Media Group podcast.