Advanced degrees in information security are popping up with increasing frequency, but are they worth the time? Cynthia Phillips at Brandeis says yes, reports Dan Kaplan.
When the director of emerging technologies at Cloudmark, an anti-spam vendor, attends East Coast meetings, he most often is introduced as Dr. O'Donnell. Take that same meeting and move it 3,000 miles west, and he's Adam.
This difference in salutation is not insignificant in O'Donnell's mind. In fact, the 29-year-old says it reflects the way in which American corporations disagree over what carries more weight: education or experience.
“The West Coast mentality is much more focused on who you've worked for and what you've invented, rather than credentials, certifications and degrees,” says O'Donnell, who earned his bachelor's, master's and doctorate degrees from Drexel University in Philadelphia and now works out of northern California as Cloudmark's director of emerging technologies.
Clearly, experience and education are the key criteria when judging an employment application, but in recent years there has been a noticeable shift toward the latter when it comes to assessing information security job candidates.
A number of factors have propelled IT security into the academic mainstream: increasingly vulnerable software and applications; financially motivated and widely publicized data breaches; and the realization that IT is a business enabler.
IT security is no longer some obscure discipline reserved for specialists or those who fell into the position one day when the boss caught on to the dangers lurking on the internet. In the not too distant future, security professionals will not stumble into their current roles by chance. They are taking calculated steps to reach it. Or if they are already doing it, they are getting more education so they can become better at it.
“People started saying that this is a real career, so people have gone to college,” says Lee Kushner, president of Freehold, N.J.-based L.J. Kushner & Associates, an executive recruiting firm. “Security passes the cocktail hour test now.”
Brandeis University in Waltham, Mass., is one of the schools taking advantage of a growing demand for higher education in the field of IT security study.
This fall, the liberal arts institution is unveiling a master's degree track in information assurance. The program is aimed at working professionals. It includes 10 courses – four required and six electives – that were created based on US-CERT's IT Security Essential Body of Knowledge, which spans 14 areas of competency.
Cynthia Phillips, program director of the Division of Graduate Professional Studies at Brandeis, says the information assurance master's program grew out of conversations she had with another professor.
The pair noticed that Brandeis already was offering a few security-related classes, so why not lump them together and get a master's offering in place?
“We're always being asked to come up with new programs,” she says.
Phillips says that as security becomes more integral to an organization and more hires in the space are made, businesses will be looking for candidates who have an educational background – not just certifications.
“I think the degree has so much more meaning to it,” she says. “It indicates a different level of commitment. It indicates the ability to do the work, rather than just sit in a training program. To an employer, it says this person is capable of doing this level of work. Companies are looking for these things. They're looking for employees who have advanced degrees. There are some companies that insist employees have bachelor's degrees and work on master's degrees.”
In fact, most graduate students at Brandeis are reimbursed by their employers for the courses they take, Phillips says. (With courses running at $2,025 a pop, it should be noted, the university stands to make out quite well.)
Phillips, who worked for small software developers for 20 years before she began teaching in 1986 at Lesley University in Cambridge, Mass., remembers how IT professional used to be trained. It wasn't nearly as formalized.
She says there were two types of individuals who gravitated to the IT field: the person who graduated college with a general degree, maybe communications sciences, and the person who was self-taught.
In most cases, the security professionals of today came into the fold through some other route. Either way, neither the graduate nor the self-learner understood how IT could enable business, Phillips said. At least not then.
“Businesses are now realizing they can use IT as a competitive advantage to have efficient and effective business practices,” she says. “There's all of these viruses and those types of things. Then, you have the regulations to which companies need to adhere. Companies need employees who have this type of background.”
Still, even though there is increased interest in the field, a significant gap in skills exists. According to a February study performed by the Computing Technology Industry Association (CompTIA), which polled 3,500 organizations in North America, Europe and Asia, security topped the list of important technology skills.
But only 57 percent of respondents said their IT employees are proficient in these skills. Enter an institution such as Brandeis.
The required classes cover the core subject matters: information assurance foundations, cryptography, access control, compliance and network security.
The electives include an array of more technical tracks, such as Linux administration, Perl programming, TCP/IP and securing applications and web services.
Meanwhile, those who wish to pursue a more management-oriented track can choose from courses such as risk management, legal and ethical practices and leadership, team building and decision making.
The management concentration option is a sign of the times, says Phillips. More businesses are leveraging IT to enable business. As a result, security practitioners are required to understand how their jobs affect the bottom line.
“It's obvious that companies need people who have both the hard skills and the soft skills, the technical background and the management background, to deal with a lot of this security stuff that is happening right now,” Phillips says.
Dennis Devlin, the newly appointed chief information security officer at Brandeis, says the business teachings will offer great benefit for students who may seek a leadership position within a security department.
“You have to be able to influence other people's behaviors and, in many cases, behaviors over which you have little or no direct authority,” he says. “It's really hard to get a seat at the table with senior leadership if you can't speak their language and speak in terms of business risk and not just in technology terms.”
Additional learning “centers”
While colleges and universities increasingly are taking advantage of this new educational pursuit, instruction in the field of IT security study is nothing new. Since 1998, the National Security Agency has operated a program known as The National Centers of Academic Excellence in Information Assurance Education, now also overseen by the U.S. Department of Homeland Security.
The centers were designed in response to Presidential Decision Directive 63, a white paper published in 1998 under the Clinton administration that detailed policy to protect the nation's critical infrastructure.
The centers were created to educate students on how to achieve that, says Christine Nickell, chief of the National Information Assurance Education Training and Program Office.
In 1999, the first seven schools received accreditation as Centers of Excellence. Now there are 93 schools – plus another 17 solely focused on research.
“Our nation is truly network dependent,” Nickell says. “We aren't going to have the option of the old paper world that we used to have. People really do need to understand and protect their piece of the action, so to speak.”
Aside from the recognition of being designated a Center of Excellence, both college and student can fiscally benefit from the arrangement.
Students who attend these schools are eligible to apply for scholarships from the Department of Defense, Nickell says. One such aid program is known as “year-for-year,” in which students receive a year of free tuition in exchange for pledging to work in a government agency for at least a year when they graduate.
In addition to the $5 million in scholarships that the Department of Defense disperses to accredited schools, these institutions are also eligible to receive grants to fund faculty, labs and curriculum expenses, Nickell says.
Meanwhile, some colleges are offering IT security courses for undergraduates in hopes of getting them on the payroll -- at a reasonable salary.
The University of Missouri in Columbia offers nine security-related classes across three different schools – business, medicine and engineering – to reach a broad base of undergrads.
“Our primary goal was to try to hire students to work for us on a part-time basis who already had this knowledge and experience under their belt,” says Beth Chancellor, associate chief information officer at the University of Missouri.
And while the university, recently designated a Center of Excellence, has not yet used the program as a recruiting tool for prospective students, officials do realize the benefit for pupils once they graduate. For instance, Chancellor says students applying for auditing positions could go to PricewaterhouseCoopers for an interview and tell them about this learning and experience they have.
The school is partnering with IBM, as part of its Academic Initiative program. Big Blue is providing the University of Missouri with a free auditing tool – IBM Rational AppScan – to check programs for vulnerable code. The program is a worthwhile undertaking for IBM, says Danny Allan, director of security research for the Rational Software group.
“Specifically, there are requirements when students come out of college to build high-end code,” he says. “This helps them understand how to build security into the software development lifecycle. It is no longer information at rest that is the primary target.”
Experience still important
Despite a significant uptick in academic courses, experience still counts when trying to attain an IT security post. After all, the job always has at least some technical aspect to it – and what better way to learn something technical than from real-world experience?
But Paul Kocher, president and chief scientist of Cryptography Research, provider of secure chips, says he has had a difficult time finding qualified engineers.
He places at least part of the blame on the erosion of math instruction at the elementary, middle and high school level. Teachers, he says, aren't doing enough to get children excited about math.
“The vast majority of people want to avoid math,” Kocher says.
But once he finds a viable candidate, he prefers experience.
“I'm not interested in certifications and credentials,” he says. “It's more about what projects have they done.”
“There's no textbook that will tell you how to build a secure chip,” Kocher adds. “Academic institutions typically don't have the most leading-edge engineering projects going on. There's no way you're going to get expertise building hardware with a million dollar budget in a university setting. The best place to learn is on a really good engineering team.”
Cloudmark's O'Donnell earned his master's degree in computer engineering and his doctorate in electrical engineering – broader topics that he says helped prepare him for a variety of possible jobs.
“I would not give up the experience of gaining my PhD,” O'Donnell says. “It taught me how to think rigorously and analytically about a wide variety of problems. The more education you get, the more you learn to learn. It shows you're able to engage in a multi-year project that may not have any financial payoff – and take it to completion.”
He recommends that people pursue advanced degrees because they want to, because they have a thirst for knowledge, not because they want to spice up their résumé. O'Donnell admits, though, that he initially returned to school during the dot-com bubble burst because he was worried about the economy and whether he could score a job with just a bachelor's degree.
Kushner, the recruiter, admits that many job seekers either have or are considering earning advanced degrees in hopes of “retooling” their careers and to distinguish them from the pack. Though, he warns, being educated at a respected school will help someone stand out, it will not be a silver bullet.
As proof, Kushner refers to one of his clients, who prefers Ivy League-educated placements. Another client, a self-taught executive who worked his way up on his own skills, prefers experience. “He might even look down at someone with education,” Kushner says.
The moral, Kushner says, is that beauty is in the eye of the beholder.
“The career path of an information security professional has many ways to achieve success and none of them have been blueprinted,” he says. “It's too immature of a profession.”
In other words, O'Donnell better get used to being greeted as Dr. and as Adam for some time to come.
Certifications: Keep teaching freshEven though more colleges are offering tracks in information security and assurance, certifications offered by bodies such as (ISC)2 and the SANS Institute will remain valuable, say industry experts.
The two can complement one another, especially as college instruction becomes outdated the further one is from graduation.
Adam O'Donnell, the director of emerging technologies at Cloudmark, a San Francisco-based provider of email security, says it is difficult to codify information security teachings into coursework because the industry changes so quickly.
“Five years ago, the main thing people were screaming about was code-level assurance against buffer overflows,” says O'Donnell, who has a doctorate from Drexel University in Philadelphia. “Nowadays the primary problem seems to be financial fraud through a variety of means.”
Howard Schmidt, former White House cybersecurity adviser, who now serves as a security strategist for (ISC)2, says continuing professional education credits that are required to retain popular certifications, such as the CISSP and SSCP, are key to keeping expertise fresh.
“Had it not been for my professional training and recertification, I probably would have forgotten a lot of what I learned in college,” says Schmidt, who earned his bachelor's degree in business administration and master's in organization management from the University of Phoenix. -- Dan Kaplan