Security Education vs. Security Training

Sunday, February 1st, 2009

Programs like the one I attended for grad school pride themselves on filling the industry’s need for security professionals who can communicate at a C-level, but also have the technical exposure to understand the latest threats and solutions. However, in my experience these programs get so lost in academia that they lose sight of the relevant skills the industry is demanding. They put so much emphasis on metrics like the number of PhDs they have on their staff, and ignore the insights of active professionals who are living and breathing security governance in real organizations on a daily basis. With the shortage of worthwhile PhD programs and even fewer doctorate level security folks with any experience outside the theoretical, how can these academics hope to possibly educate the next generation of security professionals and executives?

In my experience a PhD in this field is only useful if you want to be a security researcher or professor. Getting a PhD in Computer Science, or more specifically Information Security, only signifies to me that you have successfully completed one major research project on a very narrow topic. What does this really prove?

For me, the focus on security research is meaningless to my own career goals. I would much rather attend a program whose instructors work full-time in the field and are recruited for their capability as educators. A great example of this actually comes from outside the traditional academic world: the SANS Institute. SANS is recognized as the leader in security skills training because they take the best professionals, practitioners, and sometimes researchers who have a passion for teaching. SANS builds the curriculum around technical skills that are essential in today’s environment. On the downside, I am actually not a big fan of SANS trying to offer a Masters degree program. I am a huge proponent of how they recruit and vet their instructors, but SANS provides security training, not education. They are going to flood the market with “Masters” level security practitioners just like University of Phoenix has done for Information Technology. In my opinion this is going to dilute the achievements of those of us who have gotten Masters degrees from brick and mortar universities in addition to technical certifications from SANS and others.

It’s hard to find a balance between the overly academic programs that are usually just a spin-off of the Computer Science program, and the skills-based training programs like SANS classes. You can find many of the best mixes in the Continuing Education Masters programs at universities. Whichever program you choose, make sure that you are learning not just security technology, but also how to build and run a security program. Otherwise you will never rise above a security engineering position.