Educational paths to information protection: art versus science?
Blogger: Trent Henry
There's a lot of cool stuff out there.
I'd known for a long time that my alma mater had lectures and other educational podcasts freely available on iTunes, but late last week I ran across iTunesU (www.apple.com/education/itunesu/) for the first time. It is a treasure trove of learning materials; one could spend a lifetime exploring anthropology to zoology. (Well, maybe not quite that much content is available yet, but it's on the way....)
Being the faithful Cardinal, I browsed offerings from The Farm and quickly ran across "Forty Years of Computer Science: A Retrospective" with luminaries like John McCarthy and Don Knuth (the latter of whom endeared himself to me when, once asked how to pronounce his typesetting program TeX, he answered, "you know you've pronounced it correctly if there is spittle on your monitor afterward"). These are amazing people who have contributed amazing things to computing. And many other lectures in Science & Technology are similarly intriguing.
But then it occurred to me: where's information security?
I poked around iTunes a bit more and found no academic treatment of the topic, although there were a few (non-iTunesU) podcasts on the subject. So I broadened my search a bit. I went to the Open Courseware Consortium (ocwconsortium.org) to see what free college-level educational materials were available for our discipline. Looking at the offerings from member organizations, I found a few courses, all from MIT:
- MIT: "Network and Computer Security"
- MIT: "Cryptography and Cryptanalysis"
- MIT: "Selected Topics in Cryptography"
- MIT: "Advanced Topics in Cryptography"
Given the plethora of other topics, that's an awfully small list. Is this just weird happenstance, or is it a more general indication that information protection isn't given much of a place at the higher-ed table?
I knew that UC Davis's computer security lab and Purdue's CERIAS were strong degree-granting programs, so after researching their sites a bit more I learned about the NSA's "National IA Education & Training Program" (www.nsa.gov/ia/academia/), which maintains a list of Centers of Academic Excellence in information assurance. They reference over 80 programs across the United States. That was comforting. It shows that some amount of educational focus is going on. Still, looking more carefully, I found that although universities like Georgia Tech and Johns Hopkins actually grant degrees, many of the schools only offer courses as a small multidisciplinary extension to other programs. My concern returned.
Perhaps, like system administration, information protection is viewed more as art than science. Is it OK for practitioners to pursue undergraduate CS degrees with limited exposure to infosec, and then get on-the-job security training over time? Or, just as likely, is information protection well served when someone receives an entirely non-technical degree and then haphazardly finds their way to this field? My own journey was certainly circuitous. I planned to study International Relations and enter the diplomatic corps, but computer science drew me in, and I coupled it with sociology/education to create an interdisciplinary degree (I was going to be all about educational software--it didn't happen). But a stint in network engineering turned me on to security, and I haven't looked back. I don't think my story is all that unique. And I'm not sure this ad-hoc approach is the best way to further our domain.
I'm not saying that all security practitioners should have degrees in information assurance/security/protection/whatever. Rather, I'm arguing that we should call for improved education programs in this discipline, to provide the next generation of practitioners and researchers essential background. In other words, information protection should be taught as a primary area of study. This call is not only to academics; it goes out to the private sector as well. Although the US Department of Homeland Security offers a DHS Scholarship and Fellowship Program (www.orau.gov/dhsed), the only vendor support I could find was Symantec's ongoing Graduate Fellowship program, in which they fund select candidates' research endeavors. We need much more of this type of support from the vendor community.
In short, it's time to put educational resources and rigor behind information protection. It's important stuff. And we should see that reflected in students and practitioners of the future.
(Bonus blog question: Given the ostensible link between information protection and computer science, how many security-related Turing-Award recipients have there been? [You have to look beyond the obvious 2002 award to RSA namesakes Ron Rivest, Adi Shamir, and Len Adleman...])

CERIAS offers our weekly security seminar via iTunes and other podcasting. Visit the CERIAS WWW site and look under the security seminar. We've been doing this for years.
We offer an information security MS degree, and a PhD degree. Our general belief is that at the undergrad level students are better served getting an in-depth education in a more traditional area (such as computer science) with a set of courses and experiences in cyber security. That way, if the students decided to head in a different direction in their careers (e.g., web design or networks), they have a solid foundation.
As it stands, we have about a dozen undergrad courses that students can take as electives, in cryptography, data security, forensics, and security management. At the grad level, the number is above 50 courses, and includes material on government policy and technology law, risk communication, and the economics of security.
Simply FYI.
Posted by: Gene Spafford | October 15, 2007 at 12:53 PM
iTunes has the CERIAS Security Seminar podcasts available for download and subscription. The library goes back to Sept. 2004.
Search "CERIAS" on the iTunes site to find them.
Posted by: Joel Rasmus | October 16, 2007 at 10:49 AM