Whether it’s news of yet another retailer hacking or Edward Snowden — via videoconference at the South by Southwest conference in Austin, Texas — calling for developers and cryptographers to improve privacy tools, we’ve all been through an ad hoc course in the importance of security.
But what if you — whether middle management, filling out college applications, or geeking out in high school — really want to learn about cybersecurity? Where do you turn to learn about an occupation so relatively new?
As it turns out, you have no shortage of options. There are undergraduate and graduate courses, community college offerings, certificate and online programs, and even summer camps. There are brand new academic curricula and shiny, state-of-the-art spaces, like Cal Poly’s Cybersecurity Center, which opened in January. But be prepared to study more than computer science; the overwhelming consensus is that to be a cybersecurity ace, you’ll need skills far beyond the technical.
National Cyber Security Alliance Executive Director Michael Kaiser said the field is still very young and that current cybersecurity leaders are largely self-taught, because a decade ago, “There was no place to get an education. The really big gap,” he added, “is that the networks are getting bigger and more robust. How do we find people to protect them?”
Cybersecurity, also called IT security, includes cryptography, forensics, wireless security, secure software development, and embedded systems. There are countless jobs, from the high-level government official protecting massive networks all the way down to the person working to protect private data at small and medium businesses.
Ethan Oberman, CEO of the cloud technology company Spideroak, said every software developer he has on staff is a security developer. “They have to have some understanding of security to be successful in their job,” he said. “If they don’t understand how our privacy works, they won’t be able to write code for us.”
Academic training is important, especially in areas of cryptography, Oberman said. But the trick is putting that into practice in the real world, where the risks and technologies are constantly changing.
Cyber-skills and soft skills
Though academic institutions generally move like molasses compared to more nimble, digital startups, Carnegie Mellon University is one that got a head start, hiring cybersecurity faculty before the Sept. 11, 2001 terrorist attacks and launching its CyLab in 2003.
Today, the school offers three cybersecurity graduate degrees, including one with an internship in Silicon Valley. Dena Haritos Tsamitis, director of CMU’s Information Networking Institute, said her security students are in great demand and generally receive between one and five offers upon graduation.
“We see students get $150,000 signing bonuses at a startup,” she said. “A lot of the salaries — right out of graduate school — are higher than those of our faculty.” CMU offers training in one of the biggest growth areas these days — reverse engineering, or cyber-offense, a highly specialized skill set that is particularly in demand at agencies such as the NSA.
CMU is one school among 50 participating in the federal government’s CyberCorps: Scholarship for Service program that provides a couple years of tuition in exchange for the same amount of time working for a government agency. Many go to the NSA and the military, but even the Library of Congress needs a cybersecurity expert. Last year, there were 188 graduates in the program.
Diana Burley, a professor who runs the SFS program at George Washington University, said cybersecurity education is hardly limited to computer science.
“The things we typically call soft skills — teamwork, writing, communication — are increasingly important, and we also want to make sure they are augmenting their [security] courses with an understanding of policy and business,” Burley said. In May, GWU is launching a special cybersecurity doctorate program in the Graduate School of Education & Human Development for managers who want to marry technical skills with a broader understanding of staffing and implementation.
The cybersecurity field is sometimes compared to medicine — not only because there are so many areas of specialty, but because there is a growing trend of a hospital-like residency for security newbies, and a tremendous interest in young professionals getting out-of-classroom experience as part of their training.
Kaiser said the academic training is important — and community colleges play a critical role because they are more tied into what jobs local companies need to fill — but “graduates need to have practical experience. “There’s a lot of emphasis on internships and lab work,” he said, “so they get trained in real life.”
He said larger companies are more likely to do their training in-house, whereas startups might expect new hires to hit the ground running. “People who do the big security inside companies will tell you they need people who almost have a liberal arts degree,” he said. “It’s a conflict, blending the technical skills with the communication and teamwork skills. But the technical skills can be taught.”
Some employers look for (ISC)²’s CISSP [Certified Information Systems Security Professional] certification. Others tend to steer clear of résumés with that accreditation. In order to earn the CISSP, candidates must have worked for five years in one of 10 areas, including cryptography, access control, or software development security.
And the SANS Institute offers short intensive cybersecurity courses, in a classroom or over the Internet, for folks who want to learn a single skill, such as smartphone forensics or securing Linux/Unix.
Some of the next generation of security professionals might be signing up for CyberSecurity Summer Camp in Northern Virginia this summer. (Some NoVa high schools offer cybersecurity instruction and allow students to take related courses at Northern Virginia Community College.) At the week-long camp, Northrop Grumman cyber-experts will cover areas such as computer forensics, cybersecurity fundamentals and cyber-ethics.
Ernest L. McDuffie, lead for the National Initiative for Cybersecurity Education, said ethics is an increasingly important part of cybersecurity training, as is cultural anthropology. After all, it’s important to understand what’s in the mind of the bad guys, where in the world they are lurking, and the implications of a counterattack if you’re hacked.
“To do defense well,” he said, “you need to understand the mindset of the offense.”