"They're going to have to spend a little more time with hands-on learning ... than perhaps has been the case at some institutions," says Spafford in an interview with Information Security Media Group's Tom Field [transcript below]. "Actually being able to operate some of the technology is going to be important."
A large goal for students and institutions alike is developing a cultural way of learning, rather than simply studying for tests and doing projects. "These students are going to have to get into the habit of reading the news, reading the industry news and being prepared to go to conferences or training sessions to continue to hone their skills," he says.
The field is advancing rapidly, Spafford acknowledges, and a higher-education setting can't cover it all. Students must take it upon themselves to continue their education and further develop the skills needed to work in emerging areas. "There's a real commitment here to be a professional rather than simply a student," Spafford says.
In an exclusive interview on the state of security education, Spafford discusses:
- Where education has made strides;
- Where programs still need to make improvement;
- How today's students need to evolve to fill tomorrow's jobs.
Spafford is a professor with an appointment in computer science at Purdue University, where he has served on the faculty since 1987. He is also a professor of philosophy, a professor of communication and a professor of electrical and computer engineering. He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.
Infosec Hot Topics
TOM FIELD: It's been a busy year. We've seen any number of hacking incidents and data breaches in the news on a daily basis. What do you find are the hot topics top of mind for you these days?
EUGENE SPAFFORD: I have a couple that are of concern. One is that we're now beginning to see more and more attacks on critical infrastructure systems, data and command-control systems that aren't normally programmed or protected the way some of our typical desktops and servers are. We've seen an uptick in various kinds of fraud, particularly here in the holiday season and difficult economic times where we're seeing more of that. Apparently, there's a little bit more activity going on in shall we say the nation-state space, first evidenced by Stuxnet, Duqu and possibly some other kinds of activities that, given some of the international tensions, may be more prominent in the coming year.
FIELD: How do you find these topics trickling into the education environment?
SPAFFORD: In large part they haven't yet. These are all emerging activities. Fraud certainly has been ongoing activity, but these have not traditionally found their way into the regular curriculum in most places. In particular, the protection of SCADA real-time control systems hasn't been something that's been traditionally taught in courses, and you won't find very many textbooks or laboratory materials about how to build in these protections. In fact, the community that builds those generally doesn't overlap with the community that builds the regular computing systems.
In the area of some of the nation-state issues that has been discussed, there are some discussions in some educational materials, but the issues are much more complex and involve kinds of discussions about politics, economics and law that again are generally not covered in the typical computer science/computer security kind of textbooks or courseware.
And the issues of increased fraud really touch on some things that have been traditionally taught but the new mechanisms that are used in search engines, in social engineering and in various kinds of identity documents are constantly evolving and it's difficult for many instructors who aren't following this carefully to keep up with it.
FIELD: Do you see these as oversights in the education curriculum or just something that we need to address as the threats evolve?
SPAFFORD: We're still playing catch-up I think in the educational environment. There are some places that where the researchers and instructors are involved in some of the lead-against conferences and working with industry, they're aware of these issues and are able to bring some of it in the classrooms, but that isn't a large number. The majority of places where we're teaching information security concepts, secure programming and some of the other issues are still being done by faculty who had limited exposure in the area and are having to use existing educational materials, many of which were developed in years past before some of these issues were well understood. We have a lag in the system that's going to be difficult to catch up in the next couple of years, and I'm not really sure what the best way to address this is because we still need to focus on getting some of the fundamentals right and that's still not being done.
State of Infosec Education
FIELD: It's a perfect time to ask you the question that I've asked you each year at this time. How would you describe the state of information security education as we go into a new year?
SPAFFORD: I think it's better than last year. It has gotten more attention in many institutions. There's more material that's available online. We've seen a surge in student applications, not only in security but in IT-related fields and technology in general. This has been a steady issue of concern politically and publicly in the U.S. and other countries about how we need to expand our STEM education and work force. The economy has also shown that this is an area where there's growth, so students are headed there. That's all very promising.
The U.S. in particular has an initiative called NICE, which is a national initiative to increase infosec cyber education. So there's greater emphasis there, and that's more than simply on the college and post-graduate level, but also reaching down in the K-12 level.
In general I think the prospects are positive, but this is also balanced with the fact that most educational institutions still do not have adequate resources to build environments that have current state-of-the-art equipment for students to work with hands-on. Most educational institutions in the country are stressed right now because of economic issues, and with infosec education an elective at most places, this is likely to undergo more stress in some of the more core academic issues in the coming year.
FIELD: You've touched on this to some extent, but where would you say that educational institutions have made the biggest strides in improving information security education?
SPAFFORD: I would say that I'm seeing more institutions include elements of security and privacy discussions in regular courses. Having speakers come in to play, having a little bit more opportunity to offer electives in this area have increased the awareness among students. Therefore, we have begun to make some inroads on getting all students aware that this is an issue and providing them with at least some opportunities to observe and discuss some of the basic properties.
Areas for Improvement
FIELD: Where do you see the need to make the most significant improvements?
SPAFFORD: There are many, unfortunately, and it's difficult to say which ones are the highest priority. There are two that I think I see most commonly. One, first of all, is a lack of good, complete and sound educational materials, more than simply textbooks. This would include laboratory exercises covered with software, self-contained kinds of exercises that could be used by instructors who may not have deep expertise in the area, which is going to be true at many of the educational institutions, to convey some of the basic concepts to students. The problem here is that the people who are perhaps best able to create these are so busy with other things that they're not likely to have much time to be able to put these together.
The second area is one that I mentioned earlier, which is simply giving students access to state-of-the-art hardware and software. We have literally thousands of educational institutions around the country where students might be learning some of these technologies and techniques, but there are perhaps only a few dozen that have some current, commercial technology in place, because this is not something that's easily funded in the current economic client. Nor are many vendors in a position to provide their products to large numbers of educational institutions, so our students are very often getting a good education but they have to undergo additional training once they get out in the workplace to really understand how to apply it to current technology.
FIELD: To generalize, how outdated would you say the curriculum and the technology are at many institutions?
SPAFFORD: On average, they're probably several years - five years or so - behind, maybe more. It's difficult to say because I haven't been able to do any kind of large-scale survey, but talking with colleagues and visiting various institutions reveal some have only what software and technology they can download off the Internet for free, which tends to be rather old software. There are some places that do have state-of-the-art network-monitoring equipment, firewalls, intrusion and extrusion prevention and so on. But the numbers there are small and much smaller than they should be if we're actually going to be producing a confident work force.
FIELD: How do you see information security jobs evolving now to face the types of advanced threats you discussed earlier?
SPAFFORD: The kinds of positions that students are going into are becoming increasingly specialized. Incident response, investigation, architecture and operations are four areas that are certainly becoming distinct. We're also seeing an increasing interest in individuals who understand the privacy aspects of security, and that may also become somewhat of a specialization area. All of this is because there's simply too much material really to pack into one degree program if we're looking at a higher-education environment in its current form.
There are so many different problems and circumstances that generally students are able to pick an area and focus on it, or else they get a very general education that's going to require additional training afterward. The market is very strong. Pretty much anybody who gets a good grounding in any of these areas from a regular institution is going to have no difficulty finding employment, assuming that they're willing to relocate. But at the same time, we simply don't have the resources to produce all the students and all the graduates who are necessary to fill all of these areas.
FIELD: To fill these areas, how do the students have to evolve to step up and play these new, more-advanced roles?
SPAFFORD: They're going to have to spend a little more time with hands-on learning in some cases than perhaps has been the case at some institutions, because actually being able to operate some of the technology is going to be important. But more importantly I think is something that hasn't been a case for perhaps a decade or so. We're going to have to develop more of a cultural way of learning and more than simply studying for tests, cramming for tests or doing projects while in classes. These students are going to have to get into the habit of reading the news, reading the industry news and being prepared to go to conferences or training sessions to continue to hone their skills. The field is advancing rapidly. We can't teach it all in a higher-education setting, and so anyone who's going to work in this field must become a life-long student and be very focused on that rather than simply putting in 9-5 or 9-8 or whatever hours they have and then kicking back for the rest of the day. There's a real commitment here to be a professional rather than simply a student.
Advice for Job Seekers
FIELD: That's a good point. You know, I'm probably to blame as much as anybody for telling people how many jobs are out there, that security is lucrative and this is the place to go. We've hyped this up a lot. For somebody wanting to enter the information security profession in 2012, what would you sit down and offer them for advice?
SPAFFORD: I would suggest to them to think of two paths here. One is they could certainly get a job in the area where they are effectively a technician, where they go to work, do some things and then go home. But the real value chance for advancement and chance to make a difference is in treating this really as a profession and that gets to my earlier answer. It's very similar to what one might encounter in becoming a doctor, lawyer or college professor, where you have to devote yourself to life-long education and development and continuing to hone your skills. Part of being a professional is to actually continue to improve in what you're doing, rather than treating it simply as a job. I have made a distinction in the past in talking with you between training and education. I think it's time to also make the distinction between having a job and being part of a profession. Training will get you a job. Education - especially ongoing education - is part of being a professional and that's where I think the future really lies for many people in this field.