As the Samuel B. Eckert Professor of Computer Science at Cornell University, Fred Schneider thinks a lot about the future of the IT profession, including the demands on business and government to recruit specialists with information security skills. A handicap in producing those with needed IT security skills is a shortage of academics to provide the training, says Schneider, a member of the federal government's Information Security and Privacy Advisory Board and co-chair of Microsoft's Trustworthy Computing Academic Advisory Board.
Schneider, in an interview with GovInfoSecurity.com (transcript below), contends that to produce not only the teachers, but the practitioners themselves, American universities need to create innovative graduate-level programs that provide training that encompasses not just an understanding of IT security technologies, but an understanding of why the technology is needed as well.
The solution to our nation's cybersecurity challenges is not entirely technical, Schneider says. "Simply educating a group of people about how to fix the top 20 vulnerabilities in web-facing applications is just a short-term fix," he said. "In the longer term, when you make cybersecurity technology decisions, you want to make them within the context of things like knowing their effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making and understanding business models."
In the interview, Schneider also discusses the impact of government-backed academic and scientific research on developing new approaches to cybersecurity.
Schneider spoke with Eric Chabrow, GovInfosecurity.com managing editor.
ERIC CHABROW: Before a House committee in June, you and other experts testified to a shortage of qualified expert educators to teach undergraduate- and graduate-level cybersecurity. How serious is this shortage, and what does that mean for the training of future cybersecurity professionals to work in government and the private sector?
FRED SCHNEIDER: The shortage is significant. I estimate that in order to do a good job of teaching a college graduate there are probably two or three courses you would like to cover for sure, and that means two or more cybersecurity experts on a faculty. Today there is probably at most one at all but, say, 20 universities. That means that many graduates aren't getting exposure to material they need, and there aren't people there to teach them.
CHABROW: Are you aware of any kind of studies that quantify this shortage or is this just from your own observations?
SCHNEIDER: I know of no studies. The National Academy issued a report about a year ago that gives some data. The basis of my data is information about how many people are being funded for research in cybersecurity by the federal government. Most of the money comes from the National Science Foundation and some of it comes from the Department of Defense, and the program managers are generally willing to tell how many different PIs (principal investigators) they are funding, and I am basing my calculations on that.
CHABROW: You have discussed the idea of a cybersecurity professional degree that would involve more than training students in the technology of information security. Please explain the curricula for such a program and why non-technical courses must be incorporated into it.
SCHNEIDER: Technical content is an important ingredient, but I have come to appreciate that the solution to our nation's cybersecurity problems is not entirely technological. If you build technology without understanding the policy context in which it is going to be deployed, there is a significant risk that you worry about the wrong problems or build something in a way that makes it unlikely to be adopted. I think you have only to look at the kinds of laws that are getting passed to appreciate that policy makers who try to make law ignorant of technology are likely to get it wrong.
Both sides of the house need expertise in the other's area. That suggests to me that simply educating a group of people about how to fix the top 20 vulnerabilities in web-facing applications is just a short-term fix. In the longer term, when you make cybersecurity technology decisions, you want to make them within the context of things like knowing their effect on privacy, knowing whether the economics of the situation support the kinds of changes you are making, and understanding business models, whether this is consistent with the business model or not.