Recognizing that individuals proficient in computer security are in high demand, colleges and universities have begun producing students with degrees in information assurance. When compared with other disciplines that have been in existence for 150 or more years at the institution, information assurance training programs are seen as the “new kids” on the academic block. The first schools to teach security courses began doing so in the 1990s, and they started offering degree programs in 2000. At approximately the same time, 1999, the government, specifically the National Security Agency, created the Centers of Academic Excellence (CAE) program as a way to entice a larger number of universities to produce security professionals. In 2000, seven schools met the government’s criteria and were designated as charter CAE schools; Iowa State University was one of the original seven. Since that time the number of CAE schools has grown to more than 150 schools that range from two-year colleges to research-focused institutions.
Due to the diversity of topics and specialties in security, as well as the now large number of institutions producing graduates, students in information assurance (IA) come from a wide and varied background. They may earn their IA degrees at two-year or four-year institutions and may have backgrounds in departments of computer science, computer engineering, business, math and/or political science, depending upon the program. Because of the wide variety of disciplines that claim IA as their own and produce graduates, businesses and industries that are in the market to hire security professionals need to have a clear understanding of what they want that employee’s role to be and what type of graduate holds those skills.
There is not a common curriculum that all IA students take. Further, because we are not consistent in what we teach, an IA graduate is not equal across all levels of four-year schools, nor between two-year and four-year schools. IA graduates who come from business backgrounds may be well-versed in IA policies and procedures, while those with backgrounds in engineering may approach IA from a technical design perspective. Likewise, those who have completed an MS or Ph.D. could approach IA in a very theoretical and/or algorithmic manner, while those with an A.S. or A.A.S. provide a very applied and architectural perspective. As an attempt to help business and industry clarify their thinking about hiring security professionals, we offer the following classification of levels of IA professionals.
- Information Technology (IT) security technicians: These IA graduates are produced by community colleges and four-year institutions that focus on the application of technology to provide security needs at the everyday level. They are the folks that work in the trenches of IT support and implement policies and procedures that others have created.
- Information Technology (IT) security professionals: These IA graduates are produced by four-year and research schools. They have foundational skills in areas such as computer science or computer engineering coupled with IA training. These graduates are able to technically work on computer and network systems, as well as understand and develop the theoretical and/or policy level of security.
- Security professionals: While IT security professionals can be included in this group, it is a much larger grouping that includes IA graduates produced by four-year and research schools with broader, and less technical, backgrounds. IA students with a political science or business background are equipped to write or enforce security policies, such as auditors who are responsible for overseeing that security practices are undertaken in corporations. These individuals would be hard pressed to develop the technical plans or implement them, but are able to see how security needs to be addressed at a corporate level.
- Security researchers/engineers: These students are produced by research schools and have often earned an advanced degree (i.e., MS or Ph.D.). These IA graduates are developing the newest technologies for future product development. For example, they are the design engineers integrating the security technologies into products, or the mathematicians developing the newest cryptographic algorithm. These students also are hired to perform basic security research, or to enter an academic career.
Businesses and industries need to be aware of the capabilities of the students at the colleges and universities they recruit from. By knowing the focus of the IA program at a specific institution, companies can ensure they will be getting the type of security professional they need. In addition to knowing the focus of the information assurance training program and the type of students being produced, companies would be well-served to know the department’s approach to information assurance training.
Colleges and universities are in the business of preparing students for lifelong learning and not just providing technical training; therefore, there is some debate about the discipline of IA and how it fits into academia. Because the discipline of IA is a mere two decades old and focuses on tangible problems, some classical computing departments consider IA to be applied and not a real science. It becomes a second-class degree and the faculty specializing in it are considered second-class citizens. Departments are reluctant to hire faculty to specifically teach in IA, especially at the research institutions. They only hire researchers who conduct more theoretical security research. This makes it difficult for many research-focused universities to handle the demands from students or employers and leads to the production of security researchers/engineers. This leaves a gap in the production of security professionals (groups 2 and 3).
It is clear that colleges and universities are working hard to meet the needs of companies. However, we as educators need to better articulate what we are producing, and universities need to recognize the importance of providing graduates that meet the needs of all industries, including those individuals that research institutions view as “too applied.”
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education. Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.