Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

2/24/2016
10:30 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
50%
50%

Public Vs. Private: Is A Prestigious Infosec College Degree Worth It?

Today's graduates coming into the information security industry from private universities aren't ready for the workforce.

I’m a big believer in taking security lessons from the analog world, including advice from someone many might consider the most unlikely of people – American rapper Eminem.  Eminem can teach us a lot about information security, especially with respect to the security leaders of tomorrow.

Consider “Lose Yourself,” Eminen’s hit song about taking advantage of the moment:

 Look, if you had, one shot, or one opportunity

To seize everything you ever wanted. In one moment

Would you capture it, or just let it slip?

What does that have to do with educating information security professionals? During the course of my travels, I regularly receive two pieces of feedback related to staffing and talent: It is difficult to find people with the right skills to fill open positions; and, there is more work to do than the number of positions we have to fill.

People, including me, often address the second point through solutions like automation, orchestration, improved workflow and operational efficiency.  I’ve written a fair bit on a number of these topics in the past, as have several others in the field. But it’s far more difficult to solve the cybersecurity skills gap problem.

Sure, I hear a lot of talk about the lack of skilled security professionals. But as for how to address this challenge?  That is something that is almost never discussed.  Perhaps we feel helpless or merely accept it as an unchangeable fact. One way to approach this issue is to “grow” our own.  By that I mean looking for analytical people, providing them the opportunity to gain experience on the job, and turning them into security professionals over a period of time. 

A better way

It seems obvious to me that if we are looking for the next generation of security professionals and security leaders, we should be looking at universities. After all, universities are where young people go to learn the skills that will carry them through their adult professional lives.  Unfortunately, many universities disagree with me on that. 

Let me elaborate by sharing a story. From time to time, university students reach out to me to ask a few questions or discuss a few information security-related issues. I’m always happy to speak with them, as I see it as a great way to try and encourage young people to pursue a career in our field.

Recently, a student at a prestigious private university approached me with this type of request.  The student was looking to perform research for his thesis on current challenges and future directions in information security. The student seemed to be intelligent, well-mannered, and an astute listener. Unfortunately, it was evident from our discussion that this prestigious private university had not prepared the student with any practical exposure to information security involving real-world scenarios and operational problems. 

Something as simple as spending a few hours or days with information security professionals on the job could bring students such relevant experiences.  And what about actively integrating such experiences into the academic curriculum to give students a more focused base from which to invest their creative energies.

Public v. private

Contrast this to public universities that I’ve had the privilege to work with as an advisor and/or speaker, such as University of Colorado Boulder and the University of Maryland. Visits to those universities and discussions with students show that the education they are receiving around information security is far more practical and applicable to the world in which we live.  It’s no surprise that this is the case. Industry experts are consulted regarding the curriculum, experienced practitioners are often invited to speak or meet with students, and classroom and lab environments contain real-world assignments and equipment.

Private universities will tell you that they need to stay true to their research focus, and that they need to be able to recruit faculty fitting to such a prestigious institution. I certainly get an earful of messaging along those lines from my alma mater. That may very well be the case, but allow me to ask a simple question. If a university is going to take $250,000 from hard working families, shouldn’t it produce information security graduates qualified for the positions of today and the leadership roles of tomorrow?  I think most of us in the profession would agree that we need universities to help us out a bit more in that endeavor.  The graduates we’re getting today, particularly from private universities, aren’t ready for the workforce.

Let’s take another look at Eminem’s lyrics in this context. Universities have one shot. One opportunity. One moment. The experience a young person has at university and the skills he or she learns will shape his or her entire adult professional life. If I were a university looking to educate the information security leaders of tomorrow, I would ask myself one question: Will we capture the opportunity, or just let it slip?

More on this topic:

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
dfunk1
50%
50%
dfunk1,
User Rank: Strategist
2/25/2016 | 9:25:53 AM
Public Vs. Private
I think that, perhaps counter-intuitively, that there is a lot more competition for the dollars with the Public schools than the Private.  With the Private schools, the students go for the name, and mom and dad pay.  With the Public schools, a significant slice of the student population is paying their own way (either their own money, or hard-earned benifits from work), are doing the school after work, and they are VERY interested in results, and they have a better idea of how the work world works than the average High School senior.  Those students have very high expectations, and will leave in a second if they are not being met.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/24/2016 | 11:04:11 PM
public vs private
I'm sure, as with most cases, it depends on the specific public or private universities, but the point is well taken; a quality information-security education (or other education, for that matter) can easily be had for pennies on the dollar from a public university.

Or for free from a private university via edX, for that matter (as long as you don't care about the degree).
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5230
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than Emily-AL00A 9.1.0.321(C00E320R1P1T8), versions earlier than NEO-AL00D NEO-AL00 9.1.0.321(C786E320R1P1T8) have an improper validation vulnerability. The system does not perform...
CVE-2019-5231
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B 9.1.0.186(C00E180R2P1) have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
CVE-2019-5233
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B 10.0.0.41(SP2C00E41R3P2) have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
CVE-2019-5246
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B 9.1.0.109(C00E106R1P21), 9.1.0.113(C00E110R1P21), 9.1.0.125(C00E120R1P21), 9.1.0.135(C00E130R1P21), 9.1.0.153(C00E150R1P21), 9.1.0.155(C00E150R1P21), 9.1.0.162(C00E160R2P1) have an insufficient verification vulnerability. The system does not verify certain par...
CVE-2010-4177
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.