Archive for December, 2008

The Current State of Information Security Education

Saturday, December 13th, 2008

There is a lot of debate in the field about the best path for Information Security education beyond a Bachelor’s degree. What is the best way to distinguish yourself in the field and advance your capabilities? Until recently, certifications were the only viable option, and the CISSP has certainly set itself apart as the front-runner. Whether you agree with the value of the CISSP or not, you can’t deny that employers and clients expect this certification as proof of a basic level of knowledge. The lack of a certification says more than having one these days.

So what about all the emerging graduate programs that focus on information security? In my case, both my undergraduate (Georgia Tech) and graduate (Northeastern University) programs have been recognized by the NSA as National Centers of Academic Excellence in Information Assurance, and Northeastern has even been recognized for its excellence in IA research. So are this government standard and the associated programs really filling the industry’s need for qualified security professionals?

Gene Spafford at Purdue University recently wrote a blog entry on the CERIAS site questioning the value of the NSA certification of IA programs. The IA program at Purdue is well recognized in the field for its excellence in advanced security education including its PhD program. I never thought I would hear so many of my colleagues considering Masters degrees in IA let alone PhD programs, and many of the best are looking at Purdue. I used to think you only pursued a PhD program if you wanted to be a researcher or a college professor, but the bar is being raised with the recent flood of Masters level security professionals.

Given Purdue’s well established excellence in the field, it is concerning that they have chosen to drop out of the NSA program that many of their staff helped to develop. The issues Gene Spafford points out are absolutely a concern. Especially when you are relying on a government agency to define a curriculum guide for educators, you are always going to be behind the times. I also agree, that the distinction had a lot more merit when there were only a handful of institutions on the list, versus now when they are over 90. There needs to be distinction for the best of the best that is driven by current industry demands. Program objectives and the focus of the curriculum need to be strongly influenced by established executives and professionals who can’t find qualified candidates to fill critical positions in their organizations.

One example I saw in my graduate program was the battle between the administration and the students over what to include in the Systems and Networking Security course. The professor assigned to the course had a very traditional Computer Science focus. The way I describe it is that the professor was teaching out of the ACM magazine and the students were expecting topics out of the Information Security magazine. Theories of computer science and in-depth analysis of algorithms have their place, but just aren’t practical for these types of programs given the breadth of the security field. They are so many topics like Risk Management and Security Governance that only get addressed in passing while students are expected to spend an entire semester studying Cryptography. The balance is just off!

Even with an “Applied” Cryptography course, it seems like a poor balance to have this be a required class. If we are trying to groom the executives and professionals of the future, why would we spend 14 weeks studying cryptography when the industry mantra is “don’t develop your own crypto”? Does it really take an entire semester to teach the basics of applying crypto? I think it should be an elective or part of a fundamentals class at most. When do students learn how to build a security program, how to promote security objectives in a corporate environment, how to present valuable metrics, and how to integrate security into the SDLC? We need to include the skills I use everyday to build and mature a corporate security program. One of the more cutting edge courses I took at Northeastern was an elective on Critical Infrastructure Protection that the students updated throughout the course with more topical articles and a better balance of focus on infrastructure sectors.

As these programs evolve, I look forward to a greater focus on engaging advisory boards representing industry leaders, and diverging from the traditional theoretical Computer Science curriculum.