Every day, a common scenario plays out across the US. An information security employer receives a resume from a recent graduate and looks at the student’s academic qualifications. Folks in human resources then invariably start muttering to themselves, “Does this individual have the necessary qualifications to be a…?” (fill in the blank: penetration tester, security operations center analyst, developer, contractor).
In an industry where hard data is respected above all else, we have surprisingly little data on how to evaluate candidate qualifications. The only issue experts seem to agree on is that there is a major infosec skills shortage — although even here, there is disagreement on exact numbers (Cyberseek cites 746,858 currently employed, but Frost and Sullivan reports 1,692,000 currently employed). This means that when employers are trying to find usable guidance, rankings, or even certifications to assist in determining the quality of an academic program, and by proxy, the students and job candidates they produce, they’re out of luck.
The problem stems from the origins of security in academia. At different institutions, security-related classes emerged over the years in various disciplines, including computer science (CS), information systems (IS), and information technology (IT), as a tangent discipline in the service of broader departmental goals and curricula. In most cases, security education is still maintained within these disciplines. This program diversity makes it difficult for a single evaluation criterion to emerge that is general, yet still useful, within this diluted environment. Indeed, unlike CS, IT, and IS, there currently are no widely adopted academic accreditations for computing security at all.
Don’t Give Up
The National Security Agency has three primary designations that institutions can apply for that will deem them as a Center of Academic Excellence (CAE). Currently, these designations are offered in three distinct areas: cyber defense (CD), cyber operations (CO), and research (R).
Nearly 170 academic institutions maintain at least one of the three National Security Agency designations, but only the CAE-CD and CAE-CO maintain curricular requirements. On the surface, these designations may seem to be exactly what is needed; however, there are also some concerns with simply seeking out NSA-designated institutions. Due to the need to designate security programs that may be housed in CS, IS, IT, or dedicated Computing Security programs, the CAE-CD requirements are broad and primarily focused on defensive topics. As a result, these designations act more like a minimum barrier to entry in the area of infosec education and don’t provide a comparative criterion or any mapping to job functions. Moreover, they were initially created with the NSA’s goals and needs in mind, not necessarily matching those of an enterprise or more general security operation.
Indeed, this broadness, until recently, extended to the designation itself. Prior to a recent revision, the NSA CAE-CD designation was given at the institution level and not for a specific program. This meant that although institutions might have obtained this, they did not have to provide students a way to take the required courses, thereby making such a designation useless as an evaluation criterion. This highlights that just because a student attends a designated institution doesn’t mean they will receive the desired education.
The CAE-CO is a newer, more offensively focused, and also more stringent designation. However, it highlights one of the potential problems with the system as a whole. The NSA represents a unique employer, the Department of Defense, and has adapted the designation requirements to include aspects not often used or needed in industry. An example of this would be the CAE-CO requirements for Just War Theory. Most industry security professionals would agree that this is not part of their day-to-day responsibilities. None of the NSA designations focus on nongovernmental, industry requirements, particularly for roles such as penetration testing. And, without industry outreach, there doesn’t appear to be any solution on the near-term horizon.
It is important to note that accreditations alone will never totally solve this problem. There are other criteria that play a role in effective infosec programs. Faculty quality, extracurricular activities, and continuous communication within the industry, including internships, are all contributing factors to the overall student experience and their ultimate success within a program. This is where that infosec employer can find their edge; while most companies won’t be able to provide the grants and scholarships that the government does, they have the opportunity to serve as advisers to academic programs offering their feedback in exchange for mutually beneficial, hands-on internships. Using this vehicle, employers may be able to get the influence and data they need to make informed decisions about the quality or academic programs, accreditations, and, ultimately, mission-critical new hires for their teams.