Careers & People
Commentary

9/29/2017 10:30 AM
Chaim Sanders
Analyzing Cybersecurity's Fractured Educational Ecosystem

We have surprisingly little data on how to evaluate infosec job candidates' academic qualifications. That needs to change.

Every day, a common scenario plays out across the US. An information security employer receives a resume from a recent graduate and looks at the student's academic qualifications. Folks in human resources then invariably start muttering to themselves, "Does this individual have the necessary qualifications to be a…?" (fill in the blank: penetration tester, security operations center analyst, developer, contractor).

In an industry where hard data is respected above all else, we have surprisingly little data on how to evaluate candidate qualifications. The only issue experts seem to agree on is that there is a major infosec skills shortage, although even here there is disagreement on the exact numbers (Cyberseek cites 746,858 currently employed, while Frost and Sullivan reports 1,692,000 currently employed). This means that when employers look for usable guidance, rankings, or even certifications to help them judge the quality of an academic program, and by proxy the quality of the students and job candidates it produces, they're out of luck.

The problem stems from the origins of security in academia. At different institutions, security-related classes emerged over the years in various disciplines, including computer science (CS), information systems (IS), and information technology (IT), as a tangential discipline in the service of broader departmental goals and curricula. In most cases, security education is still maintained within these disciplines. This program diversity makes it difficult for a single evaluation criterion to emerge that is general yet still useful in such a diluted environment. Indeed, unlike CS, IT, and IS, there currently are no widely adopted academic accreditations for computing security at all.

Don't Give Up  
The National Security Agency (NSA) offers three designations for which institutions can apply, each of which deems the institution a Center of Academic Excellence (CAE). These designations cover three distinct areas: cyber defense (CAE-CD), cyber operations (CAE-CO), and research (CAE-R).

Nearly 170 academic institutions hold at least one of the three NSA designations listed above, but only CAE-CD and CAE-CO carry curricular requirements. On the surface, these designations may seem to be exactly what is needed; however, there are also some concerns with simply seeking out NSA-designated institutions. Because the program must be able to designate security programs housed in CS, IS, IT, or dedicated computing security departments, the CAE-CD requirements are broad and primarily focused on defensive topics. As a result, these designations act more like a minimum barrier to entry in infosec education and provide neither a comparative criterion nor any mapping to job functions. Moreover, they were initially created with the NSA's goals and needs in mind, which do not necessarily match those of an enterprise or a more general security operation.

Indeed, until recently this broadness extended to the designation itself. Prior to a recent revision, the NSA CAE-CD designation was granted at the institution level rather than for a specific program. This meant that although an institution might hold the designation, it did not have to give students a way to take the required courses, making the designation useless as an evaluation criterion. It also highlights that just because a student attends a designated institution doesn't mean they will receive the desired education.

The CAE-CO is a newer, more offensively focused, and also more stringent designation. However, it highlights one of the potential problems with the system as a whole. The NSA represents a unique employer, the Department of Defense, and has adapted the designation requirements to include aspects not often used or needed in industry. One example is the CAE-CO requirement covering Just War Theory; most industry security professionals would agree that this is not part of their day-to-day responsibilities. None of the NSA designations focus on nongovernmental, industry requirements, particularly for roles such as penetration testing. And without industry outreach, there doesn't appear to be any solution on the near-term horizon.

It is important to note that accreditations alone will never totally solve this problem. Other criteria play a role in effective infosec programs. Faculty quality, extracurricular activities, and continuous communication with industry, including internships, all contribute to the overall student experience and a student's ultimate success within a program. This is where an infosec employer can find its edge: while most companies won't be able to provide the grants and scholarships that the government does, they have the opportunity to serve as advisers to academic programs, offering their feedback in exchange for mutually beneficial, hands-on internships. Using this vehicle, employers may be able to get the influence and data they need to make informed decisions about the quality of academic programs, accreditations, and, ultimately, mission-critical new hires for their teams.


Chaim Sanders is the Security Lead at ZeroFOX, which provides comprehensive social media protection for enterprises. Outside of ZeroFOX, he teaches for the computing security department at the Rochester Institute of Technology. His areas of interest include Web security, with ...

Comments
csanders, User Rank: Author
10/2/2017 | 5:54:53 PM
Re: The c-Watch Program
Thanks Jane,

I've been party to an institution working with NICE before. It's a great idea and we need to see wider adoption and more interaction from both small and large companies to make sure it makes sense. On the other hand, 30 institutions is great, and I'd take a bet that they are probably 30 of the (subjectively) better institutions out there. If only we can find a good way to entice more institutions to join.
cybersavior, User Rank: Strategist
10/2/2017 | 9:45:09 AM
For consideration
Don't let the temptation to join the dark side be lost on you. If you're a skilled, experienced cybersecurity professional, there is probably a lot more to gain in blackhatting versus a legitimate cybersecurity vocation.

Cyber crime is exceedingly profitable, and the prospects of a crafty and equipped cyber thief being caught, successfully prosecuted, and incarcerated are like being struck by lightning.
REISEN1955, User Rank: Ninja
10/2/2017 | 9:23:16 AM
Re: The c-Watch Program
About time. Cybersecurity is a relatively NEW field for education and career aims; it was not so about a decade ago, when everything was MICROSOFT and before that NOVELL was the gold standard.
jenshadus, User Rank: Strategist
10/2/2017 | 7:40:50 AM
Good Timing
Searching for and finding good candidates is difficult. Experience counts for a lot. The Certified Information Systems Security Professional (CISSP) is supposed to provide proof of the qualification because a) you have to have 5 years' experience doing security work, and b) you get the certificate showing that you have indeed worked in the security area. But as the article mentions, a) it is hard to package cyber security into a single discipline because it involves so many different disciplines, and b) it is hard to determine what courses would meet cyber security requirements. One would need to be an expert in many areas, much like getting your degree in CS or IS. There are schools that are now offering a concentration in cyber security, but they may be generalists rather than giving students the option of going for a degree for DoD/Fed or commercial. I'm surprised banks and credit card companies don't get more involved. I would think they have the most to lose.
CTIN_Global, User Rank: Apprentice
9/29/2017 | 3:13:00 PM
The c-Watch Program
Good points Chaim.

The folks over at NIST that are running the National Initiative for Cybersecurity Education (NICE) have been trying to address the need for better mapping between academic curriculum and industry workforce needs with their NICE Cybersecurity Workforce Framework. As more universities and colleges become aware of this framework, I expect we'll see more alignment between training goals, coursework, and hiring practices.

Also, the not-for-profit Cyber Resilience Institute ran a nationwide virtual internship program over the summer with over 30 universities participating. The capstone included a pop-up, event-based Security Operations Center. Out of that the c-Watch program has emerged. This is a national virtual program open to undergraduates and graduates that are seeking internship opportunities. I expect this will also grow pretty quickly and, through this, students will have better access to internship opportunities.

Jane Ginn, MSIA, MRP
Cyber Threat Intelligence Network, Inc.