Information Security Programs
By Dan Morrill
If you ever have the chance, it is well worth your time to go through the information published about the Master's in Information Security programs at various colleges.
If you take a close look at them and try to work out what they are actually trying to teach, you might walk away either disappointed that there is not more real-world content, or reassured that these programs are doing the right thing.
Realistically, what I would like to see in an information security program are the things that make sense in a real-world situation. The closest program is the SANS Master's in Information Security degree, but most of that program is built on the individual SANS classes, and there is no mention of accreditation on their web site. If they are not accredited (and I could have missed this; if they are accredited, let me know), then it falls into the "junk degree" category. It might look good on a resume, but the program has not been vetted and approved by any of the national education accreditation processes, which can leave the student in limbo when it comes to using the degree to advance their career.
What would make a real world information security degree?
There are limitations on time. A master's program usually runs for 2 years, with 4 terms a year and 2 classes a term, for 8 classes a year and 16 classes in total to play with. That drops to 15 if you give credit for a master's thesis, which is generally a good idea to write to demonstrate learning.
With all the skills out there (terrorism, warfare, hacking, disaster recovery, web 2.0, and all the rest of it), working within that time limitation makes it difficult to decide what makes a great information security degree program. The more emphasis areas, the more expense and overhead for the school, and the less likely the school will be successful. That is a very real issue: schools, even non-profits, need to make enough money to run their programs, and some programs will be more popular than others. Money goes into a general pool, where popular programs help subsidize less popular ones.
What I would like to see.
I would like to see at least one track that covers auditing, real auditing, with one class each in network, database, web server, and operating system auditing. That would take up 2 terms (assuming 2 classes per term), but it is desperately needed in the commercial market. We have many people running scanning systems against networks who have no idea how to interpret the results. They have no idea how to turn the results into solutions, tell fact from fiction, or test the findings to see whether they really are an "oh my god" kind of issue that must be fixed. Instead we are presented with a dull, bland report telling us how insecure we are, which offers no solutions, no way to tie back to the regulations specific to the industry, and no statement of the risk presented by a verified exploit.
I would like to see a series of classes that covers secure code writing for the Internet: PHP, Java, Ruby on Rails, C#, C++, stored procedures that interact with the web service, the manifest file and how to limit the number of calls, and the dangers, liabilities, and limitations of each code set. That would be 7 classes in total, or about a year of class alone.
I would like to see hacking follow right after the secure code for web services, tearing apart "bad bank" or "bad store" style demo applications and other web applications, learning how to debug them, and learning what the information is telling the programmer and the security engineer. That means using common tools such as the SPI Dynamics tools and browser plugins to find problems, and generally learning what happens when you do not write good software for a dangerous environment. That would be at least 4 classes, or half a year.
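As an added illustration of the two points above (interpreting and verifying a scanner finding rather than just reporting it, and seeing what happens when web code is written badly), here is a small Python example that is not part of the original column or of any program it mentions. It builds a constructed in-memory "bad store" login table, shows the SQL-injection-vulnerable login beside its parameterized fix, and includes a verification step of the kind an auditing class should teach: confirm that the reported bypass actually works before calling it critical. The table, accounts and payload are all constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data for a toy 'bad store' login table.

    Passwords are stored in plaintext only to keep the demo short;
    a real application would store salted password hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "customer"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The 'bad store' version: user input is pasted into the SQL text.

    A username such as  admin' --  closes the string literal and comments
    out the password check, so the query returns the admin row.
    """
    sql = (
        "SELECT role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, username, password):
    """The fixed version: bound parameters keep input as data, never as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Hypothetical payload name; the injection string itself is the classic
# comment-based authentication bypass.
BYPASS_PAYLOAD = "admin' --"


def confirm_auth_bypass(login_fn, conn):
    """Verification step for a scanner finding.

    A tool may flag 'possible SQL injection in login'. The finding is only
    an 'oh my god' issue if the bypass actually yields a privileged session,
    so we test it with a wrong password and check what role comes back.
    """
    return login_fn(conn, BYPASS_PAYLOAD, "wrong-password") == "admin"


def demo():
    """Return the outcomes side by side so the difference is visible."""
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong-password"),
        "hardened_bypass": login_hardened(conn, BYPASS_PAYLOAD, "wrong-password"),
        "hardened_legit": login_hardened(conn, "alice", "s3cret"),
        "finding_confirmed_vulnerable": confirm_auth_bypass(login_vulnerable, conn),
        "finding_confirmed_hardened": confirm_auth_bypass(login_hardened, conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The point for an auditing student is the last two entries: the same scanner signature ("login form, quoted input") produces a confirmed bypass against the first function and nothing against the second, and only the confirmed case deserves the "must fix now" label in the report.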
I would like to see a series on policy: HIPAA, SOX, IT ethics (separate from the random and meaningless ethics classes seen lately), privacy, intellectual property issues, management, and information security policies at the local level that reflect the legal and regulatory landscape we live in. This alone could take a year of class, but it would need to be crammed into 4 classes to have any hope of meeting the 2-year limit on a master's degree.
I am over the 2-year limit already, and we still have not touched enough. We have no time for IPS and IDS systems, disaster recovery, backups, cyber warfare, terrorism, malware, crime, identity theft, management systems, budgets, managing information security, and a whole host of other things a security engineer or manager needs to know about. There is no room for leadership, managing difficult employees, managing developers, or anything to do with project management.
In other words, there is not enough time in a master's program (or even a bachelor's program) to teach all the things a good security engineer needs to know to make a real difference in their organization. That is a distinct limitation of the educational program, and it also means the good security engineer needs to be a lifelong learner, willing to pick up learning when and where it is available.
About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
NetworkNewz is an iEntry, Inc. publication
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509