Forgot your password?
typodupeerror
Education Government United States Your Rights Online

US Not Training Enough Cybersecurity Experts 112

Posted by CmdrTaco
from the just-pay-them-more dept.
graychase writes "Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding. 'Look at all the great football and basketball programs. They're all on scholarships. They're not playing for fun — they're playing for money.'"
This discussion has been archived. No new comments can be posted.

US Not Training Enough Cybersecurity Experts

Comments Filter:
  • Training? (Score:4, Interesting)

    by WrongSizeGlass (838941) on Thursday March 25, 2010 @12:04PM (#31612042)
    Shouldn't they be recruiting them from the trenches or simply luring script kiddies into the evil clutches of our federal government with promises of "no bedtimes", "free games, pizza & soda" and "no one here will make fun of you because everyone here will be like you"?
    • by santax (1541065)
      Yes unfortunate for some very bad people high up there in the ranks, the guys clever enough to do that job often have ethic values. (that prohibit them from doing evil. But I could have stopped after ethic values.)
    • Offer hookers and machine guns.
      • by ryantmer (1748734)

        Offer hookers and machine guns.

        And THIS hot bitch poster.

        And if you complete a tour of active duty - ANOTHER bag of weed!

    • by jhoegl (638955)
      I agree, the movie Hackers is a great representation of Cyber Security Experts.
    • by rhythmx (744978)
      I've seen the NSA recruiting at Defcon and making it a point to say that you would still be accepted even if you had drug convictions. Playing to the crowd for sure :P
  • Nice try... (Score:1, Troll)

    by couchslug (175151)

    Nice try, but the public prefer jock-sniffing to everything else.

    Besides, why train more people and drive down the wages of those who had the initiative to learn on their own? Businesses exist to fuck over their employees, so said employees should not dilute their advantage.

    Your only "job security" is hoarding knowledge.

    • Did you seriously just go so far socialist that you came back to capitalist from the other side? Who the hell mods something this retarded Insightful?

      Let me splain. No, is too much. Let me sum up. Businesses exist to make money. Period. Employees are paid to help the business do that. Businesses owe their employees nothing aside from the pay they've earned. Employees owe the businesses nothing aside from the work they're paid for.

      If your employer tells you to train Bob to not be such a noobass i

      • by stonewolf (234392)

        you are correct. But, there is another way of looking at it that most people don't seem to understand.

        Let me try this on you. If my job is doing X for company Y. That is my job and I get paid for it. If the boss comes in and tells me to train JimBob DumbAss to do my job I have a perfect right to say "no". I also have the right to say, "what is it worth to you?" And, if the boss says something like, "you get to keep you job". You have a perfect right to say "fuck you" and walk away.

        I've had a few lessons on

        • I hope you realize that I am not disagreeing with you. I am just pointing some details I feel you left out.

          Yep, cheers.

          The bosses respect and value people who refuse to be treated as serfs.

          Goes beyond bosses. Nobody respects weakness.

          When you treat your employees the way you describe, then they will treat your company the way I did.

          I just gave the baseline. Violate it at your own peril, from either side of the equation, as your boss should have known. What you can negotiate beyond that is between the two of you.

  • by Skyshadow (508) * on Thursday March 25, 2010 @12:07PM (#31612080) Homepage
    We'll just recruit our cybersecurity from the obvious source: China.

    I, er, hear they may have some relevant experience.
  • No problem (Score:3, Funny)

    by oldspewey (1303305) on Thursday March 25, 2010 @12:07PM (#31612082)
    I'm sure the US can just hire some of those well-trained and eager Chinese cybersecurity experts who seem friendly and anxious to come across on H1 visa.
  • by rindeee (530084) on Thursday March 25, 2010 @12:08PM (#31612124)
    Working in the industry and hiring new Cyber talent on a weekly basis, I'd say that the author's aren't looking in the right place. We find the best, most talented folks are coming out of the military. These ladies and gentlemen are very disciplined, highly trained and have real (very real) experience not only within the ranks of military cyber operations, but most also have a good deal of experience in the intelligence community. They all have a great deal of experience (and preference) with open source tools, but understand the proper application and integration of COTS products as well. Anyway, my two cents.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      That might be the case, but it's equally as hard to find a cyber security job. I graduated from a Center of Excellence with a Master's in Computer Security and Information Assurance. Due to the scholarship I've been working with DoD and I've gained my clearance through them. I've sent job applications to NSA, DHS, ARL, NRL, DARPA, etc. and have not heard one response aside from DHS saying I wasn't the most qualified candidate. I even have my 8570 certifications now for IAT 2. Everything is so C&A f

      • Look at contractors working for the government. In my experience that is where a lot of the jobs are. I know where I work, they are always looking for talent.
      • Just add Cantonese or Mandarin to your list of qualifications and you should be able to get a good cybersecurity job in a snap.
      • Yup, security doesn't directly generate revenue, so it's often left way, way down the priorities list for management. That's assuming they even know enough about cybersecurity to know if they're hiring the right person should they decide it's a good idea.
      • by chill (34294)

        CISSP, CISM, CISA certifications help. But right now, a lot of them are focusing on EXPERIENCE, not college degrees.

      • Search for "2210", "1550", or similar "interdisciplinary" cyber jobs within DHS NPPD:
        JobID=86515922 JobTitle=INTERDISCIPLINARY+(CYBER) [usajobs.gov]
        JobID=86667657 JobTitle=INTERDISCIPLINARY+(CYBER) [usajobs.gov]
        JobID=86642799 JobTitle=INTERDISCIPLINARY+(CYBER) [usajobs.gov]
        • Re: (Score:1, Informative)

          by Anonymous Coward

          DHS is one of the worst organizations at hiring out of College. Everyone is hyping the college programs, but they won't hire out of them due to a lack of experience. I'm already technically a 1550 but still don't have the experience to transition to an organization like DHS to do the cyber jobs.

    • Re: (Score:3, Interesting)

      The best, most talented aren't coming out of the military. The military has some stringent guidelines on physical health and background that a lot of people don't make the grade for, but nonetheless are well-suited for the work. Anyone with asthma, short-sighted, or is gay, or bad credit, etc., are all ineligible for military work. I should know -- I am one of those "cyber security" experts, and I did look into joining the military, but was ruled ineligible. The talent pool that the military can recruit fro

    • by Simulant (528590)

          Most importantly for you, probably, is that they already have expensive clearances. A clearance appears to be worth more than experience to many defense contractors.

    • by centuren (106470) on Thursday March 25, 2010 @01:49PM (#31614150) Homepage Journal

      The whole statement seems to show a wildly inaccurate perspective on how education and industry go together:

      "Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding.

      Universities do not turn out experts, period. If one needs more national security experts, the place to look isn't for upcoming graduates from Harvard's "Department of National Security", because no such thing exists. Hopefully, 4-year degrees in cybersecurity don't/won't exist, either. Universities educate students, giving them knowledge and skills to put them in a situation where they can be trained into these rolls. I went to an engineering school, and the CIA had a booth at the job fair every year, and 3 or 4 of my friends interned with the NSA, at least one of whom accepted a job there after he finished his graduate degree(s).

      Richard Marshall's statement seems absurd; if they need more cybersecurity experts then they should recruit and train more people. With today's unemployment rate, it's not like there aren't people with the education out there looking for jobs. If you want more experts, hire people and train them. Scholarships might put more inexperienced graduates into the hiring pool, but does nothing to produce more cybersecurity experts. People in Marshall's position need to start realizing that companies and agencies alike invest in developing employees when it comes to jobs as specific as cybersecurity. Just throwing more certification graduates into the world isn't likely to improve anything.

    • by rhythmx (744978)
      We have had a request out for a Security Researcher with a clearance for over a year now. Not a single candidate with a military background has come through yet with the right skillset for exploitation development. The Military is only cranking out operations people, which aren't really that hard to come by.
  • All it takes... (Score:3, Insightful)

    by garyisabusyguy (732330) on Thursday March 25, 2010 @12:09PM (#31612128)

    ...is state subsidized computer "crime" education.

    Israel has had state sponsored training for decades and looky looky they have plenty of forensic experts...

    In the US we threaten anybody that touches these tools with prison and let the mpaa sue Professors that attempt to study anything remotely like security.

    • You think we can get AIPAC to help us out with that? They do a lot of work with Israel already...
  • by HockeyPuck (141947) on Thursday March 25, 2010 @12:09PM (#31612142)

    Starting salary at IBM is about $50k.
    Additional Compensation:
    ---Employee Stock Purchase Plan.
    ---401k
    ---Options (maybe)
        Pre-requisites: Atleast 4 years of college, optional advanced degrees. Experience with security and engineering solutions.

    Starting Salary of Lebron James: ~$4m per year.
    Additional Compensation:
    ---$90m Nike Contract
          Pre-requisites: Ability to dribble and score with a basketball better than any other kid in high school.

    Which would you choose?

    • Sure... sure... However, IBM has about 400,000 employees, probably bringin on a few thousand out of each graduating class.

      There is usually only one or two 'Lebrons' that show up in a graduating class.

      IF we taught mathmatics and statistics to our children, then the choice to go with the (relatively) certain tech job over the (totally) unlikely NBA career would be obvious.

      Unfortunately we don't, and our youth suffer as a result

      btw, anybody seen 'Hoop Dreams'?

      • by Grishnakh (216268)

        Sure... sure... However, IBM has about 400,000 employees, probably bringin on a few thousand out of each graduating class.

        And how many of those are foreign nationals? Only a portion of IBM's employee base is engineers and programmers; many more are marketing people, HR people, finance people, sales people, managers, executives, etc. Of those that are engineers and programmers, I'd guess most of them are foreign nationals, and these days, most of them physically live in India. This isn't helpful for a US

      • Sure... sure... However, IBM has about 400,000 employees, probably bringin on a few thousand out of each graduating class.

        There is usually only one or two 'Lebrons' that show up in a graduating class.

        IF we taught mathmatics and statistics to our children, then the choice to go with the (relatively) certain tech job over the (totally) unlikely NBA career would be obvious.

        Unfortunately we don't, and our youth suffer as a result

        btw, anybody seen 'Hoop Dreams'?

        These days, IBM only really hires sales staff and in the US. There are a few legacy technical employees, and a few technical contractors, but they have essentially announced that all new technical staff will be overseas.

        I'd say your chances of playing professional b-ball are about as good as your chances of getting hired as an engineer at Big Blue.

    • by Skyshadow (508) * on Thursday March 25, 2010 @12:22PM (#31612408) Homepage
      Lebron James is one of the best basketball players ever to live, not just some run-of-the-mill pickup player.

      Let's make a slightly more appropriate comparison: Samuel Palmisano, CEO of IBM, made $1.8 million last year, plus a bonus of $4.75 million and $13.5 million in stock options. So really, the top performers in tech don't really do so poorly either, especially considering that their career is probably a bit longer than Lebron's.

      • True, but Lebron's job is way better at attracting slutty hotties. Gotta have your priorities.
        • Once you're at the level of Palmisano, it doesn't fucking matter. It's the difference between 100,000 slutty hotties and 1,000. It's still far more than you're capable of taking advantage of.

          And the longevity argument is probably even more applicable here, since even assuming James manages his money well, in 10 years he will have no more sex appeal than Palmisano.

          • by Grishnakh (216268)

            Except that no true engineers or programmers get to the level of Palmisano. Only sociopathic manager-types can rise up the ranks like that. So this really isn't a valid comparison. With very, very few exceptions, CEOs are not former engineers (and those that are, were never really serious engineers anyway; they hopped into the management track as soon as they could). If you want to be another Palmisano, you need to get an MBA degree, not a EE/CpE/CS degree.

            • Well, no, but a high-end IT salary is more than sufficient for most purposes so long as you aren't a total dick. (And even then, you're in pretty good shape.)

              You can't sleep with a different chick each night, but if your angle is hedonistic abuse of wealth, you'll do alright.

              • by Grishnakh (216268)

                Yes, a high-end IT salary isn't bad, but there's a lot of other jobs where you can get the same money with much less education. THAT's why kids don't bother with it, unless they really like computers.

                I'm a software engineer myself. The reason I went into this career is because I've been obsessed with computers and electronics since I was 8, and also because it pays decently and beats doing a lot of other mind-numbing jobs. Most people aren't that interested in a subject like that, and are looking at thin

      • by bughunter (10093)

        I believe the point was more about influence on the career choices of youth, not statistical likelihood.

    • Re: (Score:1, Interesting)

      by Anonymous Coward
      I see your point but the contrast isn't always that stark.

      I recently quit my job as an IT Manager for a large resort. I was expelled from school in the 8th grade and never got a GED. When I quit I was making $50k. Never a day of college in my life.

      There is a small cache of people out there that hold many things higher on the ladder than money that also put their convictions into practice..... of course, if I would have had a wife and children, I probably wouldn't have made the decision to quit--- just for
      • Let me see if I understand what you are saying. Because you achieved a measure of success (and to be honest, $50K per year doesn't sound overly generous to me, but maybe some of this is location -- the cost of living in Alaska is rather high) due to some combination of hard work, natural talent and good timing, you felt guilty because you were making more money than people twice your age who were doing more *physical* work than you were. With all due respect, I think you were missing a couple of very impo
    • by Bigbutt (65939)

      Well, considering most folks don't really work for IBM (most are contractors subject to dismissal at a moment's notice), I'd go with Basketball.

      [John]

    • by chill (34294) on Thursday March 25, 2010 @01:30PM (#31613726) Journal

      Compare apples to apples. Here is an oldie, but a goodie:

      Michael Jordan having 'retired,' with $40 million in
      endorsements, makes $178,100 a day, working or not.

      If he sleeps 7 hours a night, he makes $52,000 every
      night while visions of sugarplums dance in his head.

      If he goes to see a movie, it'll cost him $7.00, but
      he'll make $18,550 while he's there.

      If he decides to have a 5-minute egg, he'll make
      $618 while boiling it.

      He makes $7,415/hour more than minimum wage.

      If he wanted to save up for a new Acura NSX
      ($90,000) it would take him a whole 12 hours.

      If someone were to hand him his salary and
      endorsement money, they would have to do it
      at the rate of $2.00 every second.

      He'll probably pay around $200 for a nice round
      of golf, but will be reimbursed $33,390 for
      that round.

      He'll make about $19.60 while watching the 100- meter dash in the
      Olympics, and about $15,600 during the Boston Marathon .

      This year, he'll make more than twice as much
      as all U.S. past Presidents for all of their
      terms combined.

      Amazing isn't it?

      However...
      If Jordan saves 100% of his income for the next
      500 years, he'll still have less than Bill Gates has
      at this very moment.

      Game over. Nerd wins .....

      * * *

      Now compare your average mid-level technical employee vs the jock who majored in sports and see what is what.

      • by Tablizer (95088)

        If he decides to have a 5-minute egg, [Jordan will] make
        $618 while boiling it.

        Curious, that's about how much it costs me to replace the damaged stove when I try.
           

    • by timeOday (582209)
      I don't believe the starting salary at IBM for a technical position could be only about $50K, is it?

      That's what it was 11 years ago when I interviewed there.

  • If the universities fail to produce enough security experts, ISC2 [isc2.org] is happy to convert your tech support guy into a CISSP for the low rate of $600, and $200 a year thereafter! If you order now, you can also get a CAP certification along with a free toaster.
  • by Admodieus (918728) <john@misczLIONak.net minus cat> on Thursday March 25, 2010 @12:26PM (#31612478)
    At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.
    • by chill (34294)

      And there lies the biggest problem. The majority of people have been so brainwashed to think college and university education is the answer, they don't know where else to look much less how to learn. It is not just you, it is also some of the idiots doing the hiring.

      I'll let you in on a little secret. In the IT world and especially security, experience counts for much, much more than any degree. Degrees get you past HR bots and substitute for experience only in kids coming right out of college who ONLY

      • by pnutjam (523990)
        Yeah, but you better have that bachelor's degree too. I have an AS, with 10 years of experience. I am very good and very dedicated.

        However, many if not most organizations around here (midwest) will not even interview someone without a bachelor's degree.

        I tend toward IT in non IT companies.
        • by chill (34294)

          Yeah, you have to backdoor the system. "It isn't what you know, it is who you know." The Bachelors gets you past the know-nothing HR screening person. You need to find another way to do that. Join a couple industry trade groups, like AITP and network your ass off.

          Me == AA degree, 20 years XP, currently working my ass of on 2 $100K+ jobs, 1st and 3rd shift.

    • Re: (Score:3, Insightful)

      by centuren (106470)

      At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.

      I don't really feel that having a lot more is appropriate. I'd rather see people with degrees in Computer Science go into network security then see people graduate with a specialty in Network Security. When I think "Cyber Security Expert" I think of someone who, say, writes custom kernel patches, works in the field of cryptography, or writes packet-level intrusion detection tools. These are all security things, but they don't need security courses given in university to match them. Knowing how to patch a sy

    • They actually offered a "computer security" course at the University from which I earned my Bachelor's Degree. Unfortunately, the "computer security" course they offered was a monumental waste of time. We spent almost the entire semester learning about encryption algorithms (RSA, DSA, etc.) and coding these algorithms. While it certainly is important to understand encryption, there is a *lot* more to computer security than being able to implement an RSA encryption algorithm.
  • by Anonymous Coward

    Unless the US government is planning on becoming a university booster, then I would expect that sports programs will continue to get the scholarships. He is right, they are playing for money... college sports is big bucks for the school.

    • This, this, a million times this. The schools aren't going to offer cybersecurity scholarships unless they can make that money back somehow. If the DoHS wants more cybersecurity experts, they're going to have to provide those massive scholarships themselves.
  • It's hard to learn (Score:5, Insightful)

    by Anonymous Coward on Thursday March 25, 2010 @12:31PM (#31612556)

    when the government and industry decide to move away from making systems and software increasingly more secure and instead focus on draconian laws with punitive sentences that start at a decade for benign acts regardless of intent or whether you informed the target of their weakness and how to correct it.

    Security through sentencing.

    • Meh...hacking into other peoples' systems without prior permission is kind of a big deal, in my opinion. However, I have always thought it would be fun to have some kind of cracking LAN party. Bring your laptop (or whatever), with the understanding that others at the party *will* be trying to break into it. Last one owned wins. Then when it's all over, everyone tells everyone else what they did to break into the box and what the owner of the box could have done to make it more secure. When you're done,
  • How are cybersecurity experts really trained? In universities? Private industry is on the cutting edge of computing, not academia.

    So, what about private industry? Would anyone really want their son, daughter, nephew or niece to to go into any field that would prepare them to be cybersecurity experts? Outside of jobs that require security clearances, it seems that there is a pretty good chance of getting offshored or at least oursourced. Who wants that kind of job security?

    Funny, despite all the comments uni

  • Cyber Corps (Score:1, Informative)

    by Anonymous Coward

    The Gov has had this program going for over 10 years:
    "The Federal Cyber Corps Program
    The Cyber Corps Program is open to students currently completing their junior year of undergraduate school or first-year of graduate school. In addition to a stipend of approximately $1,000 per month, the Program pays for each student's tuition for two years, room and board, and travel to conferences.

    After one year of training, students complete a summer internship in a federal agency, learning first-hand about computer sec

  • There are lots of people out there interested in cyber security. "Hackers" are in all the movies and are kind of cool. But the ability to become a legitimate security expert is limited, partly because the government which hires tons of people to perform physical investigations and fire guns, has failed to keep up with the times. Look at the military, for example. If you want to be a well paid cyber security expert, or even an important one, you basically have to go into the private sector. You're sure never

  • Universities are lagging not just in security tech but systems tech in general, and systems administration in particular. Network engineering training programs do a a much better job, and software engineering programs do a fair job addressing security. The missing component is systems administration.

    Security is only as good as its weakest link. If you are focused on communications, or focused on code, and ignore the larger picture (i.e., systems) vulnerabilities will be inevitable.

    Another problem is fina

  • There are plenty of people graduating with computer security degrees these days; I'm one of them. There are quite a few programs already offered by various colleges to attract more security students to their program. RIT, for example, offers what essentially amounts to a free ride for anyone who is willing to work for the NSA after they get out. I live in Texas, so I know from personal experience that Texas A&M, UTSA, and a plethora of smaller universities and community colleges are cranking out secu
  • One problem with IT in general, and especially its little niche subfields, is the lack of formal training. Skilled trades get apprenticeships to teach newbies the ropes on the job. Professions like medicine, pharmacy, engineering, etc. have standard accredited training and licensure requirements.

    We have none of that. The field is still so wild-westy that vendors largely control training and education. Universities provide grads a CS or a "vocational" IT degree, but it's all theory. Lots of us didn't even go

  • by Animats (122034) on Thursday March 25, 2010 @01:10PM (#31613302) Homepage

    Of course people aren't going into this field. Look who's in charge.

    This Richard Marshall, "Director of Global Cyber Security Management, Departent (sic) of Homeland Security", is a lawyer. From LinkedIn, his undergraduate degree, from The Citadel, is in history, English & political science. He then went to Creighton and Georgetown University law schools.

    The last person in that job who knew what he was doing was Amit Yoran [wikipedia.org], who had a computer science degree. He kept saying that Microsoft operating systems were the big problem, and was sidelined for that. He was replaced by Cisco's lobbyist.

    What we have now is a lawyer making policy recommendations that effectively mean doing nothing. That's "Homeland Security".

  • If we don't have enough cybersecurity experts, why are we passing a law requiring licensing, which will only bar more people from the field?

  • I'm pretty sure... (Score:3, Informative)

    by Blue6 (975702) on Thursday March 25, 2010 @02:24PM (#31614774)
    Most of these stories are puff pieces done for or due to the FUD big consulting companies like CSC, Lockheed, Northup put out to the Bureaucrats in order to keep billing rates high. I have over 10 years of networking experience and a MS in Info Sec from a DHS sponsored school. I have applied multiple times to various positions and have never received a response back.
  • You have to define Cyber Security. Do you mean Code Hacking, Network Sniffing, Biometric Algorithm Creation, new Theoretical Application Creation, Compliance Program Expert, Firewall Manager, etc. Each different job requires a different skill set. If you want someone that can do all of these, then you have to pay the proper salary for that person, wait 10 years after they graduate so they have the skills to do each of those jobs, etc. Currently the Cyber jobs I look for want all of those things, plus 10
  • DHS has lots of Cybersecurity job postings.

    Here's the catch:

    If you have spent the last 20years of your post-college professional IT life working in different combinations over time of systems administrator, network engineer, IT project manager, programmer on security, security-ish, and non-security projects and day-to-day IT work, then the you - the 40+ year old - are deemed to be to fucking old to take a new job at DHS/USGOV as as an IT Security Specialist.

    So, that cuts the pool of those available to USGOV

  • why not use the hackers in jail to work for gov so they can help us and not just take up lockup space?

  • About 20% of the best people I know employed as Security Researchers did not even graduate high school, including myself. I see this trending downward as more and more schools now have something of a security curriculum, but its still very much an industry of self-motivated voodoo programming. Universities have always been decent at training operational security people (configuring/monitoring security appliances and policy issues), but I've yet to hear of a school with a good program on vulnerability discov

  • My company simply outsourced IT security to Nigeri~a &'`~7;% GET V1AGRa Fr33!

Never say you know a man until you have divided an inheritance with him.

Working...