Infosec Careers: The New Demands

Students Need to Show New Approach, Commitment

December 22, 2011

The information security job market continues to shift into highly specialized areas, including incident response, investigations and architecture, says Eugene Spafford, noted professor at Purdue University. So how do students need to prepare themselves for these new career paths?

"They're going to have to spend a little more time with hands-on learning ... than perhaps has been the case at some institutions," says Spafford in an interview with Information Security Media Group's Tom Field [transcript below]. "Actually being able to operate some of the technology is going to be important."

A large goal for students and institutions alike is developing a cultural way of learning, rather than simply studying for tests and doing projects. "These students are going to have to get into the habit of reading the news, reading the industry news and being prepared to go to conferences or training sessions to continue to hone their skills," he says.

The field is advancing rapidly, Spafford acknowledges, and a higher-education setting can't cover it all. Students must take it upon themselves to continue their education and further develop the skills needed to work in emerging areas. "There's a real commitment here to be a professional rather than simply a student," Spafford says.

In an exclusive interview on the state of security education, Spafford discusses:

  • Where education has made strides;
  • Where programs still need to make improvement;
  • How today's students need to evolve to fill tomorrow's jobs.

Spafford is a professor with an appointment in computer science at Purdue University, where he has served on the faculty since 1987. He is also a professor of philosophy, a professor of communication and a professor of electrical and computer engineering. He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.

Infosec Hot Topics

TOM FIELD: It's been a busy year. We've seen any number of hacking incidents and data breaches in the news on a daily basis. What do you find are the hot topics top of mind for you these days?

EUGENE SPAFFORD: I have a couple that are of concern. One is that we're now beginning to see more and more attacks on critical infrastructure systems, data and command-control systems that aren't normally programmed or protected the way some of our typical desktops and servers are. We've seen an uptick in various kinds of fraud, particularly here in the holiday season and difficult economic times where we're seeing more of that. Apparently, there's a little bit more activity going on in shall we say the nation-state space, first evidenced by Stuxnet, Duqu and possibly some other kinds of activities that, given some of the international tensions, may be more prominent in the coming year.

FIELD: How do you find these topics trickling into the education environment?

SPAFFORD: In large part they haven't yet. These are all emerging activities. Fraud certainly has been ongoing activity, but these have not traditionally found their way into the regular curriculum in most places. In particular, the protection of SCADA real-time control systems hasn't been something that's been traditionally taught in courses, and you won't find very many textbooks or laboratory materials about how to build in these protections. In fact, the community that builds those generally doesn't overlap with the community that builds the regular computing systems.

In the area of some of the nation-state issues that have been discussed, there are some discussions in some educational materials, but the issues are much more complex and involve kinds of discussions about politics, economics and law that again are generally not covered in the typical computer science/computer security kind of textbooks or courseware.

And the issues of increased fraud really touch on some things that have been traditionally taught but the new mechanisms that are used in search engines, in social engineering and in various kinds of identity documents are constantly evolving and it's difficult for many instructors who aren't following this carefully to keep up with it.

FIELD: Do you see these as oversights in the education curriculum or just something that we need to address as the threats evolve?

Follow Jeffrey Roman on Twitter: @gen_sec
