Information Security News mailing list archives

Wanted: More Schools for Security Pros


From: William Knowles <wk () C4I ORG>
Date: Wed, 29 Nov 2000 01:58:06 -0600

http://www.businessweek.com/bwdaily/dnflash/nov2000/nf20001128_281.htm

By Alex Salkever
NOVEMBER 28, 2000

Not nearly enough is being done to train information-security experts,
and U.S. companies face a staffing shortfall that will likely grow
ever larger.

Hetal Patel is a hacker headhunter. An associate at PPS Information
Systems Staffing in Baltimore, Patel caters to the booming trade in
information-security specialists. Trouble is, these days there aren't
enough hackers out there interested in honest work. So the frantic
campaign is on at companies large and small to try to shore up their
information-security defenses.

That means lots of business for everyone from the firewall engineers
and intrusion-detection specialists who man the perimeters to
programmers with expertise in cryptography algorithms. "It's very
tough to find the engineers because there is so much competition,"
Patel says.

TALENT SHORTFALL.  How shallow is the labor pool? According to Al
Decker, CEO of information-security consultancy Fiderus, the U.S.
alone will face a shortfall of between 50,000 and 75,000 security
professionals in the next few years. And that talent deficit could
well grow even larger as millions of new devices from desktop PCs to
wired PDAs come online in the next few years.

"There is generally a lack of good talent and skill across all
technological specialties. It's especially acute in information
security," says Mike Rothman, CEO of SHYM Technology, a maker of
secure-digital-certificate software. Small wonder computer-security
salaries have leaped 50% in the past 12 months.

Unfortunately, very little is being done to educate and train
information-security experts. Too bad, because a government-business
partnership could reap big benefits in a hurry by providing more money
to educational institutions for information-security curriculums. "We
have seen some money targeted for research. We have seen very little
money targeted specifically for education," says Matt Bishop, a
computer-science professor and information-security specialist at the
University of California at Davis.

QUIRKS AND PITFALLS.  Bishop's lament is well-founded. Although
precise figures for spending on information-security education are
hard to come by, the handful of U.S. academic programs with an
information-security emphasis turn out fewer than 200 graduates each
year, and at the current rate, demand for security experts will vastly
outstrip supply. Only 14 universities have been recognized for
information-security expertise by the National Security Agency. But
some of those schools don't even offer an official curriculum in
information security. And while big companies have often funded
research in chip design or biotechnology, they've stayed away from
information security, even though some of the biggest research
companies, such as IBM, have active information-security practices.

One top program, the International Information Systems Security
Certifications Consortium Inc., has issued only 3,000 of its Certified
Information System Security Professional certificates over the past
four years. Furthermore, most certification programs don't attack the
problem at its root: They "teach you to work well with one particular
type of equipment, but move someone trained in Microsoft to a Unix
system, and they can fumble," says Bishop. "In a university, you don't
study how to do it on a specific system. You study what are the
principles underlying everything."

An understanding of those principles has become more important for
security execs, particularly because of the increasingly complex
technologies that mix multiple protocols and devices, each with their
own quirks and pitfalls. "Twenty-five years ago, it was easy for me to
comprehend security," says Fiderus' Decker. "I had one operating
system, I had one security product. As long as I could make those two
mesh, I had it all covered. As we move into new technologies such as
wireless, the security gets more complex," Decker says.

"LEARNING UNDER FIRE."  Of course, some information-security
practitioners question whether enough expertise can be garnered in a
classroom environment. Bishop himself agrees that to achieve true
mastery, book learning and lab time must be combined with real-world
experience shoring up networks. "There is a big difference between
academic learning and learning under fire. The point is, you have to
do both. If you learn simply under fire, you learn a set of tricks and
tools that work under a certain environment," Bishop says.

Already companies are taking matters into their own hands. Rothman
says SHYM Technology now grabs smart people and then just trains them
in the necessary programming skills, rather than holding out for the
perfect skill set to appear on a resume. Decker and Fiderus have
announced the formation of the Fiderus Institute, whose intensive
information-security program the company will offer to outsiders and
also use as a recruiting tool as Fiderus tries to double its size to
150 employees over the next few months.

But these are stopgap measures. To end the information-security-talent
drought, the field has to gain its place at the academic table, just
as computer science did in the 1960s and 1970s. That acceptance will
come only with money for academic programs. Until then,
information-security training will continue to be a patchwork of the
relative few with formal training and the self-taught.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
