Given the number of publicised high-profile security exploits, it is not unreasonable to expect that everyone involved in IT would be aware of the need to address security fundamentals, yet this does not seem to be the case. Dr Iain Millar, associate partner at Citihub, is also a volunteer member of the (ISC)2 EMEA advisory board where he is spearheading efforts to create stronger ties between the information security profession and academia. Much of this effort is aimed at understanding how to encourage academia to play a more significant role in ensuring security is appreciated within IT.
“In my role as an IT consultant, I am in constant discussion with IT development and operations professionals about information security and IT security issues. Frequently, I am surprised by a lack of appreciation for the fundamentals of IT security,” says Millar. “It was understandable when web applications were in their infancy, but this is no longer true. At least part of the concern stems from the lack of security fundamentals within the academic grounding given to undergraduates prior to entering the IT industry.”
“Overall, only a limited number of organisations feel they can take graduates to fill IT security roles because they have little confidence in inexperienced professionals,” Millar. “Supervisory costs are high and there is a good risk that graduates will move on once trained, leaving companies without an adequate return on their investment.”
“Something I find particularly disturbing is the fact that where these programs do exist, computing graduates are often not differentiated from other graduates in the recruitment process,” he adds.
Gaps in security fundamentals are being recognised by industry and they are often shouted about, describes Millar. However, the industry now needs to develop a better understanding of how to support an academic effort to fill those gaps.
“Clearly higher education in the field of computing must adapt to meet the new security challenges being faced today,” he says. “Many academics I meet say that computing courses already cover a broad range of subjects. Including security would require a better understanding of the value of the subject area to allow prioritisation against other topics during the reaccreditation of the courses.”
“Furthermore, we insist in the profession that it is important to embed security basics within core curriculum from the undergraduate level. To do this, we need to define what constitutes those basics. Security is a broad subject area and we haven't yet taken the time to articulate our expectations around how much security knowledge is enough for an IT graduate.”
Millar points out that given the attention security now receives from the industry and government, many in academia are keen to learn more from the profession. “The door is open. We have a real opportunity to move on from shouting about our concerns to facing the challenge together. ”
Royal Holloway to launch undergraduate computer science course with security focus in 2014
Recently, we have seen a spate of government funding make its way to select universities including the University of Oxford and Royal Holloway, University of London to enable them to set up centres for doctoral training in cyber security. These grants emanate from the £650 million earmarked in November 2011 to support the National Cyber Security Programme. Commenting on this development, Prof. Keith Martin, director of the information security group at Royal Holloway, says: “We are delighted that the money has finally come through. It will fund 30 PhD scholarships. Historically, we are the forerunners in cyber security education and our collaborative approach encompassing the government and industry has enabled us to deliver skills and research expertise that makes a practical contribution to improving security.”
Driven by the government's focus on developing security specialists to deal with the growing cyber security challenges, some government funding is currently going into doctoral programmes. Royal Holloway however, also recognises the importance of cyber security skills at a foundational level and seeing a gap in the educational offering, has plans to offer an undergraduate computer science programme with a cyber security focus. The course is to be officially launched in 2014.
“There are not many existing undergraduate computer science courses with a strong focus on security,” adds Martin. “While there are some existing undergraduate programmes focused entirely on specialist areas such as network security and forensics, we believe that cyber security skills are best built upon a more traditional foundation discipline such as computer science. Our view is that employers are likely to prefer this type of security graduate to one with a narrower range of skills.”
Numerous students today complete undergraduate degrees with substantial debt and further study is often not an option for many without financial support. Unfortunately, as yet the government has no concrete plans to offer funding for undergraduate or masters-level courses in cyber security. “There is definitely a role for undergraduate and masters-level government funding. As a priority we would like to see masters-level scholarships made available to encourage students to specialise in security after they have acquired a more foundational degree in a core discipline,” he says.
Interestingly, Martin believes that in due course, cyber security may well be a subject covered within the syllabus of not just technical programmes, but even other subjects such as geography. Time will tell, but for the moment, more needs to be done to bolster the security element in computer science courses – it is one missing piece in the puzzle. Perhaps more universities should seriously consider offering security courses at this level. In doing so, they will significantly contribute to developing the security workforce that we so desperately need.
Top security drivers vary among vertical industries
According to the (ISC)2 2013 Global Information Security Workforce Study, conducted by Frost & Sullivan damage to an organisation's reputation is the chief business concern driving information security as identified by 83 per cent of information security professionals who participated in the study. This is followed by breach of law and regulation (75%) and service downtime (74%). Other chief concerns included customer privacy violation (71%), theft of intellectual property (58%) and the threat of law suits (47%).
Top priorities do vary among vertical industries. Sixty-three per cent of banking, insurance and finance respondents selected damage to the organisation's reputation as top priority; while in healthcare 59 per cent chose customer privacy violations as top priority. In construction, health and safety was a top priority for 57 per cent respondents and in telecom & media 50 per cent view service downtime as the top priority.
In association with (ISC)2