US Not Training Enough Cybersecurity Experts 112
graychase writes "Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding. 'Look at all the great football and basketball programs. They're all on scholarships. They're not playing for fun — they're playing for money.'"
All it takes... (Score:3, Insightful)
...is state subsidized computer "crime" education.
Israel has had state sponsored training for decades and looky looky they have plenty of forensic experts...
In the US we threaten anybody that touches these tools with prison and let the mpaa sue Professors that attempt to study anything remotely like security.
Yeah, it's about the money (Score:5, Insightful)
Starting salary at IBM is about $50k.
Additional Compensation:
---Employee Stock Purchase Plan.
---401k
---Options (maybe)
Pre-requisites: Atleast 4 years of college, optional advanced degrees. Experience with security and engineering solutions.
Starting Salary of Lebron James: ~$4m per year.
Additional Compensation:
---$90m Nike Contract
Pre-requisites: Ability to dribble and score with a basketball better than any other kid in high school.
Which would you choose?
Re:Yeah, it's about the money (Score:4, Insightful)
Let's make a slightly more appropriate comparison: Samuel Palmisano, CEO of IBM, made $1.8 million last year, plus a bonus of $4.75 million and $13.5 million in stock options. So really, the top performers in tech don't really do so poorly either, especially considering that their career is probably a bit longer than Lebron's.
Sports = Big bucks... for the school (Score:1, Insightful)
Unless the US government is planning on becoming a university booster, then I would expect that sports programs will continue to get the scholarships. He is right, they are playing for money... college sports is big bucks for the school.
It's hard to learn (Score:5, Insightful)
when the government and industry decide to move away from making systems and software increasingly more secure and instead focus on draconian laws with punitive sentences that start at a decade for benign acts regardless of intent or whether you informed the target of their weakness and how to correct it.
Security through sentencing.
Richard Marshall is a lawyer (Score:3, Insightful)
Of course people aren't going into this field. Look who's in charge.
This Richard Marshall, "Director of Global Cyber Security Management, Departent (sic) of Homeland Security", is a lawyer. From LinkedIn, his undergraduate degree, from The Citadel, is in history, English & political science. He then went to Creighton and Georgetown University law schools.
The last person in that job who knew what he was doing was Amit Yoran [wikipedia.org], who had a computer science degree. He kept saying that Microsoft operating systems were the big problem, and was sidelined for that. He was replaced by Cisco's lobbyist.
What we have now is a lawyer making policy recommendations that effectively mean doing nothing. That's "Homeland Security".
Re:Training? (Score:3, Insightful)
Exactly. There is NEVER a such thing as a "shortage" of workers (unless a massive plague has struck, perhaps). There's only a "shortage" because the employers don't want to pay enough for people to want to enter the field. Many technical fields require significant education and experience, and this takes many years to build up to; if they're not going to pay enough to make it worthwhile, no one's going to bother entering the field. And if they're constantly firing people every time there's a downturn, making that career extremely unstable, then they need to pay EVEN MORE to get people to come back to it for the short periods where they're hiring instead of firing.
Re:They're not seeing a primary source. (Score:4, Insightful)
The whole statement seems to show a wildly inaccurate perspective on how education and industry go together:
"Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding.
Universities do not turn out experts, period. If one needs more national security experts, the place to look isn't for upcoming graduates from Harvard's "Department of National Security", because no such thing exists. Hopefully, 4-year degrees in cybersecurity don't/won't exist, either. Universities educate students, giving them knowledge and skills to put them in a situation where they can be trained into these rolls. I went to an engineering school, and the CIA had a booth at the job fair every year, and 3 or 4 of my friends interned with the NSA, at least one of whom accepted a job there after he finished his graduate degree(s).
Richard Marshall's statement seems absurd; if they need more cybersecurity experts then they should recruit and train more people. With today's unemployment rate, it's not like there aren't people with the education out there looking for jobs. If you want more experts, hire people and train them. Scholarships might put more inexperienced graduates into the hiring pool, but does nothing to produce more cybersecurity experts. People in Marshall's position need to start realizing that companies and agencies alike invest in developing employees when it comes to jobs as specific as cybersecurity. Just throwing more certification graduates into the world isn't likely to improve anything.
Re:Universities aren't taking it seriously either (Score:3, Insightful)
At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.
I don't really feel that having a lot more is appropriate. I'd rather see people with degrees in Computer Science go into network security then see people graduate with a specialty in Network Security. When I think "Cyber Security Expert" I think of someone who, say, writes custom kernel patches, works in the field of cryptography, or writes packet-level intrusion detection tools. These are all security things, but they don't need security courses given in university to match them. Knowing how to patch a system to be more secure is a result of knowing how those systems work on that base level. Cryptography means studying lots of math. Communication and authentication handlers is again, understanding how it's handled in the OS.
The problem with network security courses at school, is they either have to be offered late in your program, or be largely superficial. If you're interested in the field, I'd talk to some people in the industry (I hear the government is recruiting), and ask what you should be studying. Recruiters, specifically, as they'll be able to say what they look for in a graduate's skill set.