Many, maybe even most, of today’s top-level infosecurity professionals began – and may complete – their careers without having earned a university degree in their field. There’s a simple reason for that: information security degrees didn’t exist in the UK until 1992, when Fred Piper began setting up Royal Holloway’s MSc program. The first intake was only seven students. Since then, the program has grown to accommodate 150 to 200 students per year, with almost 2000 graduates having earned MScs or PhDs. Royal Holloway has been joined by a couple of dozen degree programs around the UK.
Still, given the rising cost of university education and the speed of change in the profession, anyone contemplating a degree has to ask: How essential is a degree for today’s aspiring infosecurity professionals?
The simple answer academics give is that a degree can make a big difference to the depth of your understanding of the field, especially since today’s beginners have far more established knowledge and practice to learn than today’s mid- and late-career veterans did. Twenty years ago, you might have moved into security because you were the only person in the company who had ever configured a firewall, and gone on to learn new technologies and practices as they were developed to counter new threats. Today, those skills are just a tiny piece of a much larger field.
Allan Boardman, who has a long history in the financial industry and sits on the main board of ISACA, says an academic grounding is important, though he agrees that today’s mid-career infosecurity professionals are far more likely to have CISSP or CISM qualifications.
“A university degree gives a deeper understanding of the technology involved”, he says, adding that although you still need hands-on experience, the degree can help speed advancement. “Because it’s a young career, a lot of people who have done the university degree are maybe in their 30s and 40s, and see it as an extra string to their bow in moving their career forward.”
Boardman compares a degree in information security to an MBA, which also tends to be undertaken after some years of work, and adds that anyone aiming at management-level positions should include risk management in their studies. It is likely, however, that over time degree study will take place earlier in a professional’s information security career.
Avoiding a Catch-22
“For people new to the industry”, says Piper, “there’s now a chance to get qualifications and basic knowledge. Many banks tell me they would love to have our graduates with three years’ experience.” The program was set up, he says, to avoid the old conundrum: you can’t get a job without experience and you can’t get experience without a job.
Most infosecurity degree courses are at the graduate level, largely because they need a foundation (usually computer science) to build on. The BCS notes that the IT degrees it accredits include information security; for programs outside that group you need to study the syllabus to be sure.
The newest entrant into this field within the UK is City University, which specializes in designing courses to fill gaps in existing fields. Security is one such gap: the university surveyed existing courses and asked CIOs what they felt was missing, says Kevin Jones, the course director for City’s new Masters in Information Security and Risk. They found many good, well-established programs, from Piper’s group at Royal Holloway and the labs at Oxford and Cambridge to more specialized offerings such as Glamorgan (forensics and legal) and De Montfort. City’s program, says Jones, will serve people who already have qualifications such as CISSP and are aiming to become CISOs.
“Most people at that level felt they were missing the kind of people who could integrate technology issues with business issues in the security space and manage the whole domain in a way that it’s not easy to get the right people to do today”, Jones explains. “So we realized it was a unique opportunity for the kind of course we put together – not the in-the-trenches security folk, but the people who have to make the higher-level executive decisions about security, taking into account what needs to be done technically but also balancing the organization’s business needs.”
Tried and Tested
The focus of the course mirrors Jones’ own career experience: he began with training in formal methods and systems modeling but moved on to work in Silicon Valley start-ups, where for the last 20 years he has often been the person who had to manage practical security. “So I’m a user of this stuff and also a formalist interested in modeling things – to model where you can prove properties and reason about things. And the two worlds are disjoint, so bringing them together is interesting to me.”
Like Jones, John Walker, now a professor at Nottingham Trent’s School of Informatics, is a relatively rare example of someone in the older generation of security professionals whose career began with formal training. In Walker’s case, the organization was the RAF, which, he says, “recognized early on that IT security was really important”. Accordingly, the RAF was one of very few organizations that had two levels of security courses. “It was the old days of the Orange Book and really understanding Department of Defense security from the ground up”, he says. “I think it’s been an advantage”, he reflects.
Even so, Walker says, theory and practice are both necessary. “Theory and practice sometimes go in two different directions. The danger with theoretical exercises is that they don’t fit the real world. You have to look at your own (personal) objectives, at what you’re doing the degree for – delivering solutions into businesses and organizations.” Nottingham Trent, he says, provides both academic rigor and practical experience by maintaining close links with a number of organizations.
What may be more difficult, says Walker, is figuring out what to study. “You have to start with what your objective is going to be”, he advises. “It’s really important to do a degree that offers academic underpinning for that discipline and give the skills to go with it that will make you an employable operative from the very early days of your career.”
Walker also recommends taking advantage of ISACA’s student membership and framework, attending chapter meetings to see what senior peers are discussing and, as he puts it, getting “immersed”.
The Stateside Story
The story is similar in the US, where one of the oldest and best-respected programs in computer security is at Purdue University in West Lafayette, Indiana. There, Gene Spafford is the executive director of CERIAS, the Center for Education and Research in Information Assurance and Security, and the specialist on security and privacy for the Association for Computing Machinery’s US public policy committee (USACM). A key to CERIAS’ program is its interdisciplinary nature: faculty from 18 different departments treat security issues as systemic problems.
“If you have no computers, you have no computer crime – but that’s also true if you have no people”, Spafford says. “We try to address the full spectrum of the problem. That hasn’t caught on yet in a lot of places. They’re still teaching as if learning to code without some common errors or install anti-virus will solve the security problem. It’s wrong both historically and technically.”
Even in the current economic climate, Spafford says that his graduates have no trouble finding employment – and the academic grounding they receive prepares them better for a long career in a fast-changing industry. When he started 25 years ago, for example, a Cray X-MP was the fastest supercomputer on the planet. It’s now easily outstripped by two iPhones.
“Those of us who have been working in the area for a while see that having a good grounding in computer science, business, and management skills are prerequisites for being good at whatever area of security you’re going into.” Higher-end positions, he says, require a deeper knowledge of how systems are organized, the next set of new disruptive technologies, and future vulnerabilities than can be gained by simply learning to deploy current technologies. “We need both”, he adds, referring to “people to plug the holes and turn the dials” and people “to understand more complex architectures and the underlying protocols.”
In general, there are few opportunities to study information security before the university level. But everyone agrees that when it comes to establishing basic principles such as the value of data, ethics, and the essentials of protecting connected computers, the earlier the better.
“In a perfect world I would begin having certain very rudimentary security things at school”, says Fred Piper. “Basic ethics and basic protection like anti-virus.” In addition, “Nobody would encourage people to try everyone’s front doors, so they shouldn’t be encouraged to hack.” But, he says sadly, “the argument is always that the curriculum is full up.”
Similarly, John Walker would encourage primary schools to teach basic IT security principles, such as the risks individuals face. “I always had the thought that, like cigarettes, there should be a warning on the side that there is a significant risk and it should be taught to everybody, not just children”, he says. “There should be a national campaign to give the public fundamental assets.”
From the other side of the Atlantic, Gene Spafford agrees. “From a very early age we start teaching about physical hygiene and ownership. We should be teaching the same in the electronic realm.” Even secondary school is too late, he says. “By then, many habits have set in, such as sharing passwords, accepting any downloads.”
The final word goes to Piper, who reminds us that in stark contrast to the above ‘wish list’ for information security education, it is possible to complete a computer science degree without studying information security: there is no standard syllabus in the UK.