Gene Spafford on IT Security Education
While the infosec profession has grown dramatically, the formal curriculum in college education still needs improvement. (Part of the What Happens Next security predictions series.)
By Dr. Gene Spafford
November 17, 2008 — CSO — The majority of programs at colleges and universities around the country are certainly doing a good job of training people to go into positions in IT. In fact, we have a greater demand among employers for students than we have students to fill positions. That said, there are some areas where we lack students who graduate with the right amount of expertise and focus. IT security and cyber forensics are areas where we have a critical need for workers in the field.
Computer science has been undergoing a transition over the last few years in academia. We've gone from teaching fundamentals for construction and systems to focusing more on all the places where computing can make a difference. The transition has been more to concepts at higher levels, with languages and graphics and network computation, than we saw five years ago. Before, computer science was focused more on program solutions around individual host computers and only some distributed computation. Now we are seeing more and more with large-scale networks, cloud computing, Google apps, just to name a few. The field is shifting in that direction.
The security implications of these things are not known, or are being dismissed. The companies pushing these solutions are more interested in the business case than in the possible negatives. For instance, there are some interesting issues related to privacy of information that is stored and calculated remotely -- companies that have access to that data may be able to use it in marketing, which means more profit for them. They aren't motivated to find new ways to protect it.
Universities don't often have a financial interest in a particular technology. Thus, they are often in a better position to compare technologies, find flaws, look at unusual extensions, and otherwise explore the issues.
There are now areas of specialization that need more concentration at the machine level -- lower-level network protocols, assembly language and analysis. But these areas are not part of the core curriculum anymore and often not even offered as electives because so few students are interested in these machine-level areas. Interest waned because for many schools, the kinds of employers that court students, that pay the most, and where student interest lies, require that higher-level skill set. If you are Google, Yahoo, Amazon or eBay, you want students who can do high-level, network-level programming and handle web-design issues. This creates a problem for students who need lower-level knowledge as a specialization area. If someone is going into a field that needs to do real-time control in aircraft, or needs to do forensic analysis of malware for criminal activity, they need a very different skill set.