Hands-on initiatives designed to hook students on security are gaining steam, says software engineer Alex Levinson. Dan Kaplan reports.

When Alex Levinson graduated near the top of his class in January 2009 from Heald College in San Francisco, carrying an associate’s degree in computer networking with a concentration in information security, he fielded a surprisingly large number of employment offers in an economy that was on the fast track to the worst recession in more than 70 years.

Most of the offers were for positions like system or network administrator, decent entry-level posts for someone interested in IT. Levinson gave each some thought, but ultimately decided that a nine-to-five job wasn’t for him, not yet at least. “There were reasonable offers at the time,” Levinson, now 22, says. “But I just felt like I needed more.”

Months removed from the start of the financial crisis, the opportunities thrown Levinson’s way were telling of an industry in desperate need of young, motivated and highly skilled information security professionals, especially as organizations rely on computer networks in levels never thought possible.

Positions in information security fall under the STEM (science, engineering, technology and math) umbrella. These fields, according to the U.S. Department of Commerce, are paid higher than other industries, are less likely to experience joblessness and are essential to the nation’s competitiveness. Yet, studies show that fewer students are choosing to major in these areas, and the ones who do take longer to graduate.

Experts have attributed this to a number of factors, among them the belief that more and more IT jobs will be outsourced, a prevailing attitude among adolescents that science is too difficult a discipline on which to concentrate, a failure by high schools to adequately prepare pupils for these courses at the next level and a lack of understanding by colleges to place an emphasis on STEM student research, collaboration and support – rather than mere survival in class tracks known for their dog-eat-dog style of competition.

A profession, challenged

Security faces a more uphill climb than other STEM-related fields. According to a 2010 report from the Center for Strategic and International Studies, there are only about 1,000 individuals in the United States with the specialized security skills to defend cyber space, both at the public and private level. There needs to be at least 10,000.

Despite the rise of government-recognized National Centers of Academic Excellence in Information Assurance Education, which exist at more than 100 colleges across the country, many institutions treat security as a subset of a computer science degree.

“I think modern security education is so new that it’s still in a rapidly evolving phase,” says Mark Stamp, an associate professor at San Jose State University in California. “Just a few years ago, most graduates from computing-related programs would never have had a security course. Today, I don’t know what the exact percentage is, but I’m sure it’s more than half. And that number certainly is growing.”

Yet, while more colleges and universities seem to recognize the need to offer courses related to information security, many curricula appear to be a hodgepodge of subject matter, proof that academic institutions still don’t consider the discipline worthy of standalone status.

“Because it’s a new and unsettled part of the curriculum, a lot of different things are taught in security courses,” Stamp says. “Having written a book, I’ve spent quite a bit of time looking at various courses. The material taught varies widely – from high-level managerial platitudes to hardcore cryptography and everything in between. That is, security is often not treated as a coherent topic in its own right.”

This is a systemic weakness, Stamp says, that may be impacting the amount of skilled human capital making its way from lecture halls into the server room.

“I believe that computer science students should have an in-depth understanding of security, not just a surface-level overview,” he says. “The computer science students of today will be building the world’s critical infrastructure of tomorrow, and security mistakes can be costly. We don’t let people design bridges unless they know what they’re doing.”

Some educators have pushed for colleges to offer more specific courses in security that not only home in on a specialty topic, but break down the taboo that instructors cannot teach certain lessons. In particular, George Ledin, a computer science professor at Sonoma State University in California, wants more schools to offer classes that center on a tactical understanding of malware, and thus go beyond regurgitating an oral history of malicious code. This, however, often is stymied by underpaid, overworked professors who may not be as familiar with more narrow computer science topics and may be discouraged to ask students to think like a criminal. But Ledin says instructors must get past this.

“Let’s suppose you’re going to a medical school,” Ledin says. “You’re going to learn everything about the worse possible diseases. Likewise, if you’re a law student, you would benefit from learning how to break contracts. We need to know how to program malware in order to anticipate what people in the shadows are doing. If hackers can do it, why can’t computer science graduates do it?”

Healthy competition

After graduating with his associate’s, Levinson found that he was left craving more. In March of 2009, he got in his car and drove 2,700 miles to Western New York, where he matriculated at the Rochester Institute of Technology (RIT) to complete his degree. He started out as an applied networking and systems administration major, but quickly changed to information security and forensics. “I was good at it,” Levinson recalls of his decision to switch majors. “I noticed it was something that could keep me up.”

Levinson had the luxury of being accepted and enrolling into a program that offers a detailed information security curriculum. As early as a few years ago, his only path for additional security education may have been through a certification program. “We’re just getting to the point where the wealth of knowledge is getting large enough where [students] can expand their mind within the collegiate level,” he says. While at RIT, Levinson also had the opportunity to perform research, such as studying a controversial iPhone file that recorded the geographical locations of users. Still, while he was becoming well versed in defensive security strategies, he sought more action – in a word, competition.

In 2010, he saw a campus flier announcing the National Collegiate Cyber Defense Competition, a three-day event that asks teams to manage and protect a mock corporate network. Levinson and his fellow RIT teammates finished third out of nine regionally. He immediately was hooked. “Cyber security as a sport?” Levinson recalls. “It was crazy.”

That summer, he joined the big leagues when he earned a spot in the annual U.S. Cyber Challenge, launched in 2009 by the Center for Strategic and International Studies, and now run by the nonprofit Center for Internet Security (CIS). Not surprisingly, Levinson won a spot in the competition – held in three states that summer and featuring 55 participants – by using some hacker talent. “[My friend and I] brute forced the [qualifier online] quiz until we figured out which answers we got wrong,” he says. “We kept getting two questions wrong.”

The finals were held in Brooklyn and included four days of SANS Institute training leading up to a capture-the-flag competition, which pitted four teams of four against each other. This time, the contest asked the participants to play the role of the bad guy. Levinson’s team – which called itself “APT” in a tongue-and-cheek homage to the oft-overused advanced persistent threat buzzword – was able to successfully infiltrate a credit card database of a mock company, which helped it win the grand prize.

“There’s a difference between trying to write an answer on a test about information security and being in a room and entering it on a keyboard while under pressure,” Levinson says. “At a lot of colleges, you go in and take tests and read books. But there’s something to be said for the hands-on, live-under-fire exercises.”

The competition ended with a networking event and career fair, featuring a number of government agencies and corporations looking to hire. Levinson now works as a security software engineer at Zynga, the world’s largest social game developer. “The connections that got me here wouldn’t have happened without competitive cyber security,” he says.

Mike Matonis, Levinson’s teammate, has since parlayed his victory into a job with CIS as a computer emergency response team analyst. He says the U.S. Cyber Challenge helps to break down the barriers that often prevent students from attending college, such as exorbitant costs, poor high school grades or a lack of accessibility to certain educational topics. In other words, if successful, these competitions may enable a whole new set of people to catapult into careers in information security.

“There are a lot of extremely capable and very talented people who haven’t done level-three calculus or can’t articulate or argue an abstract, complex encryption algorithm,” Matonis, 22, says. The competition allows for a quantitative assessment of someone’s skill set, something educational upbringing may not be able to offer, he adds.

“The whole competition side of it is important on a level that academia hasn’t gotten to yet,” Levinson says. “My experience tells me that doing simulation, competition and application of skill in a live environment is a really good indicator of where their skill set is at, where their talent lies.”

And it may also encourage some teenagers and young adults to reconsider their career paths. “They may have been destined to become real hackers,” says Will Pelgrin, chief executive of CIS and the former CISO of the state of New York. “This helps that generation [to] not go down the wrong path. There’s a moral compass to this.”

The hands-on nature of these challenges is not going unnoticed in the academic world. A number of colleges are getting on board with making security learning more active, including Pace University in New York – which just launched a new cyber  security institute – all the way down to community colleges, like Hagerstown in Maryland, which recently announced the receipt of a $650,000 grant from the National Science Foundation.

Job description

Of course, better preparing the next wave of information security professionals is all well and good, unless they enter a workforce which doesn’t exactly know where they belong. Joyce Brocaglia, president and CEO of headhunter Alta Associates, says this is a real problem, especially as baby boomers retire or enter management positions.

“We don’t fill any easy roles,” Brocaglia says, adding that it’s difficult to find exactly the right person for specialized security positions. “Security people have specialized needs, but HR doesn’t understand the distinction between general technology and someone who understands security.”

San Jose University’s Stamp agrees. “Companies often don’t have a lot of expertise in security, so they are not quite sure what they want in a candidate, and they may not be able to effectively evaluate a potential employee,” he says. “This is changing for the better, but based on feedback I get from former students, it still seems to be an issue, undoubtedly more so with smaller and/or start-up companies.”

“Many of the agencies said they did not have a problem finding and hiring cyber security personnel, but were having challenges finding people with highly technical skills,” says Gregory Wilshusen, director of information security issues at GAO. One government-led initiative, to be led by the federal Office of Personnel Management, is trying to create a common taxonomy for cyber security professionals that will enable iring agencies to match roles to competencies. Feedback was being sought as of press time.

Despite the challenges the information security industry faces to not only attract talent, but also match it with appropriate positions, the emergence of initiatives such as the U.S. Cyber  Challenge may be arriving at a critical moment. One need not look farther than Levinson to spot a success story. “My job is a dream come true,” he says.


Attracting talent: More chic than geek

Reaching students at an early age – and then providing them with the economic means to continue their education – are two key components to bolstering the cyber security workforce.

Not coincidentally, those are the two primary goals of the (ISC)2 Foundation, the charitable arm of the nonprofit security certification provider.

As part of the Safe and Secure Online program, (ISC)2 members are encouraged to deliver the program’s presentation within their community, either at home or in the classroom. Then, there is the scholarship program, which not only helps to fund the educations of graduate and post-graduate students but also some undergraduates, such as the winners of the U.S. Cyber Challenge.

Julie Peeler, director of the foundation, says the Safe and Secure program initially began as an attempt to teach children ages 7 to 14 how to navigate safely across the web, but quickly turned into an initiative to cultivate the next generation of security professionals.

“What ended up happening just organically is that the volunteers were asked over and over again about their profession,” she says, adding that part of the work involves dissolving the myth for kids that IT security is, pardon the phrase, a dorky job.

 “I think we need to dispel the ‘geek’ notion,” Peeler says. “I can say that as long as I’ve been working in this industry, I don’t think I’ve ever met a geek.” – Dan Kaplan

(ISC)² Safe and Secure Online volunteer Tim Wilson (left) works with students at Lessness Heath Primary School in Erith Road, Belvedere, U.K.