Enterprises may prefer to find their security officers and administrators within the confines of their rank and file. But that internal growth path still has to emanate from a foundation of higher education, in most cases.
Educational opportunities abound for those seeking a career in IT security, whether they are coming from industry or starting out in an undergraduate program at a community college or a four-year institution.
Even the federal government is loosening its previously tight purse strings and funneling millions of dollars for scholarships and grants in an effort to breed a generation of information assurance officers.
"There is an insatiable demand for more people who have an understanding of information assurance," said Allan Berg, administrative director of the information security program at James Madison University in Harrisonburg, Va.
James Madison University is a charter school in the National Security Agency's Centers of Academic Excellence in Information Assurance program. Currently, 36 colleges and universities have been designated as centers of academic excellence, with as many as 20 more expected to be granted that status in this spring. The program grew out of a directive issued by the Clinton administration in 1998; its aim is to promote higher education in information assurance and spur growth in the numbers of IT security professionals.
Colleges and universities that are recognized by the program are encouraged to flaunt the designation for publicity's sake. More tangibly, they are eligible to apply for scholarships and grants from the Department of Defense and other federal sources.
The federal government has been especially active in promoting careers in IT security post-Code Red and post-September 11. One year ago, the House of Representatives passed a bill that would funnel $800 million during the next five years to universities and research groups working on security projects. In particular, the bill creates research and education grants at the National Science Foundation and the National Institute of Standards and Technology.
The National Science Foundation money is disbursed to Centers of Academic Excellence and to non-member schools as a capacity-building initiative, said Marie Wright, an associate professor of management information systems at Western Connecticut State University. Wright said $11 million was awarded in 2002 and $16 million is expected this year.
"The demand for security individuals is great in industry today," Wright said. "But those companies may be reluctant to advertise for help because they may be admitting to a security problem. But there are plenty of jobs out there, many opportunities in government."
Industry isn't the only driver. Computer science students are often driven toward security tracks and are looking for programs like those offered at James Madison, Western Connecticut and other public institutions. Some private schools like West Point, the Naval Postgraduate School and the Air Force Institute of Technology are also centers of academic excellence.
"The NSA program has grown tremendously since 1999," Wright said. "Before there was any funding tied to them, it was nice to get a center of academic excellence designation. In 2000, funding was tied to the NSA program [from the National Science Foundation and the Department of Defense's Information Assurance Scholarship Program], and that certainly drove a lot of interest. Colleges don't have a lot of money and, when money is tight, we are forever looking for other sources of money. When funding was tied to the NSA program, that boosted the number of applicants."
In an effort to expose potential security officers to the practice, someone who receives scholarship aid is required to serve a period of time with the Department of Defense as a civilian employee or as a member of one of the armed forces.
Enterprises, meanwhile, are sending IT pros back to school for security training. Many prefer to hire security officers from within, entrusting a known entity with a company's most precious assets.
"Companies are willing to pay for those with certified skills," said James Madison's Berg. "Companies want people who understand corporate politics as well as the technical side, especially if you want to move up the corporate ladder [to become a security officer]. They must understand what they are protecting and understand the loss and profit equation."
Berg said that security professionals must have a working knowledge of enterprise management of large deployments of people and technology, especially in multinational firms that are virtually boundless.
"If I were to describe the perfect security officer, they would be a person who understands security fundamentals, has a good mixture of attitude, diplomacy, patience, attention to detail is critical, tenacious looking at abstract problems and be able to anticipate and persevere," Berg said. "We're talking about a person steeped in information security, technology, physical security, cybersecurity, and an understanding of business acumen. I suggest they take business and accounting courses, in addition to the security curriculum."
This is the second of a three-part look into IT security careers. Click here for part one.
FOR MORE INFORMATION:
- FEEDBACK: Is your company sending you to school to become a security officer or admin?
Send your thoughts to News Editor Michael S. Mimoso.