Higher ed can't meet info security demand

More than half the undergraduates enrolled in the management of information systems degree program at Western Connecticut State University in Danbury are taking the information security track, according to Marie Wright, associate professor of management information systems.

The university first offered the information security track in 1999. Ninety percent of undergraduate MIS students now take at least one information security course, she said.

"When we started this, I don't think we anticipated the intense student demand for the course and the program," said Wright, who teaches two introductory classes and believes demand could support two more.

Western Connecticut and Norwalk Community College in Norwalk, Conn., are planning a joint computer security degree program that is on track to launch this fall. Students will earn an associate's degree in computer science at Norwalk, and then move to Western Connecticut, where they will earn a bachelor's degree in management information systems with a specialization in information security. Wright expects the program will be an immediate success.

"Security has been a growing concern for a long time, and it has been magnified since Sept. 11. Having undergraduates walk out with a solid foundation is a win-win situation for students and businesses," Wright said.

Two recent studies have highlighted the importance of information security professionals. The annual IT work-force study released in May by the Information Technology Association of America, Arlington, Va., noted information security skills are especially critical for network designers and administrators.

The annual Computer Crime and Security Survey, conducted with the FBI and released in April by the Computer Security Institute in San Francisco, found that 90 percent of 503 computer security professionals ? primarily in large corporations and government agencies ? had identified information security breaches in the last 12 months. Forty-three percent were willing or able to identify their resulting financial losses, which surpassed $455 million.

Colleges and universities are essential to continued development of the information security work force, said Alan Paller, director of research for the SANS Institute, Bethesda, Md., which provides technical training and tests skills through the Global Information Assurance Certification program.

"[Colleges] are the only ones local enough to do it and keep their costs low enough," Paller said. Organizations such as SANS, he said, can take students to the next level after they have substantial on-the-job experience.

But educators say they don't have the resources to meet demand.

"All the universities working together can't turn out the number of graduates to meet the demands of our government and industry," said Allan Berg, deputy director of the Commonwealth Information Security Center at James Madison University in Harrisonburg, Va. JMU is one of 36 schools named a center of academic excellence in information assurance education by the National Security Agency. The $9 million security center was established May 24 by Gov. James Gilmore to help combat attacks on computer systems.

"You have a shortage of faculty across the board, and a lot of folks that get advanced degrees get snapped up by industry," Berg said. Many professionals who could teach instead choose to make more money in industry, he said.

"We are one of those organizations snatching up their graduates," said Steve Hutchens, director of security solutions for the global public sector business of Unisys Corp., Blue Bell, Pa.

Hutchens said Unisys is interested in candidates with college degrees, and prefers information security programs such as JMU's.

The company also tends to recruit individuals who are certified, Hutchens said. In addition to the SANS Institute, the International Information Systems Security Certification Consortium Inc., Framingham, Mass., also provides information security certification. Many information security professionals hold certifications from both SANS and (ISC)2.

"We've actually seen [requests for proposal] over the last several months that have specified the contractor must provide people with one of these certifications," Hutchens said.

Employers hiring these newly minted graduates say on-the-job experience is just as important, if not more important, than education. Wright said most students in the Western Connecticut program complete internships in their junior and senior years.

"If they don't have experience, it doesn't matter if they have a Ph.D. In our situation, it may be more advantageous to hire someone who has worked for 10 years with a firewall the customer has," said Randy Richmond, group manager for Verizon federal network systems.

Ryan Wagner, a senior computer science major at the Massachusetts Institute of Technology in Cambridge, Mass., is doing his best to get experience before leaving academia. He'll stay at MIT next year to pursue a master's degree, and afterward wants to work in computer security.

Through an on-campus internship, Wagner is learning to add crytography to a computer program developed at MIT.

"I've had to learn C, about the Unix operating system, and about cryptography, and be comfortable enough with it that I can implement it properly," he said. Wagner recognized that hands-on experience is essential.

"You can [just] read a book ? and then leave a gaping hole in what would otherwise have been a secure program," he said.