"We're Not Getting Enough Education to the Right People"
We asked Eugene "Spaf" Spafford, noted professor from Purdue University, for his insights. "I still have some reservations," says Spafford, who says simply: "We don't have enough qualified people entering the field."
In an exclusive interview, Spafford discusses:
- The single biggest influence on Information Assurance education this year;
- What encourages/discourages him most;
- Factors that could most improve education.
Spafford is a professor with an appointment in Computer Science at Purdue University, where he has served on the faculty since 1987. He is also a professor of Philosophy, a professor of Communication and a professor of Electrical and Computer Engineering. He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.
Spaf (as he is known to his friends, colleagues and students) is Executive Director of the Purdue Center for Education and Research in Information Assurance and Security, and was the founder and director of the (superseded) COAST Laboratory.
TOM FIELD: What's the state of information assurance education in 2010?
Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking today with Professor Eugene Spafford ("Spaf") of Purdue University. Gene, thanks so much for joining me today.
PROFESSOR EUGENE SPAFFORD: Happy to talk to you.
FIELD: Gene, the school year is just about over. What would you say has been the single biggest influence on information assurance education this year?
SPAFFORD: I really can't pick one thing that I would say dominates all of the rest, but perhaps the renewed focus in the United States by the Administration on issues of cybersecurity making its way into several high level remarks by the President, the formation of the Cyber Command, and many of the talks that Howard Schmidt, the new Cyber Czar has made, and some of the action in Congress. All of those together have added a new emphasis on the need for cybersecurity education.
FIELD: Given that, what would you say is the state of information assurance education? I know when we spoke a year ago you had, frankly, some reservations.
SPAFFORD: I still have some reservations. I believe that we have made very little progress over the last year. The educational arena is still stretched over a very wide spectrum, from very practical hands-on certification forms of training through very advanced research oriented education. The enterprise is still lacking in enough good materials, teaching materials, education materials, standardization and so on. Most of the traditional educational arenas do not have access to typical commercial products that are in use, so our students seldom get an opportunity to learn using real equipment. And there is a great deal of jockeying going on among the for-profit institutions, for-profit educational offerings, to try to position themselves as the best or the most important or the best certification without any real underlying fundamentals to back that sort of claim up.
FIELD: So, Gene a two-part question for you, and the first part of it would be: What encourages you the most when you look at information assurance education and the possibilities?
SPAFFORD: I think I'm most encouraged by the growing awareness I have seen from industry and government that education in this area is needed. They are putting more emphasis on this. They are more willing to help support some of the educational initiatives that are going on, and I find that very promising because I believe that that will lead to an improvement in the field.
FIELD: So, the flip side of that has to be what discourages you the most -- not from the possibilities, necessarily, but from the realities?
SPAFFORD: I think what discourages me most is that we don't have enough qualified people going into the field. In a part that is because of the definition of the field. People that are going into intensive computing-oriented programs, for instance, may be much more interested in end user experience and graphics technologies and interface database and so on. We have a very small number of students compared to the need who are going through the program, and this tends to push it to be more specialized instead of something that is being taught to all students. So in sum, I don't think we are getting enough education to the right people, and we aren't getting enough people getting an in-depth education in this arena.
FIELD: Now, Gene, that surprises me to some extent because the government has done such a good job marketing the possibilities and saying that it needs 1,000 cybersecurity professionals. Why isn't that bringing the right people and encouraging the right level of education?
SPAFFORD: The people that we need to work in this field have to have a certain background in computing and supporting areas of logic. They have to be able to do read and write well. They have to be aware of the context. Information security education isn't simply learning how to write the programs or plug in wires; it requires a much broader education. So not everyone is suitable for that, and of the ones who are suitable, there are many other professional career choices, some of which may be of more interest to them and some they may believe require less effort or offer greater long-term security.
It is also the case that the government is interested in very particular kinds of people who are U.S. citizens, who have lifestyles that aren't going to be questionable and other such issues, and that also tends to reduce the pool a little bit.
FIELD: Now, you've talked in the past about your particular desire to not have individuals see that they can sort of get into information security through the dark side, so to speak. Has the bar been raised on this profession in a lot of different ways, including education?
SPAFFORD: It has, and we are beginning to see some differentiation occur in different paths through the field. Those who are performing research and development versus those who are in a more operation capacity. We are beginning to see some stratification of skills and balance. We are also seeing some differentiation for those who are involved in investigation and forensics.
I am not quite sure how that is going to evolve, but the recognition that those are different skill sets and require different kinds of education has not yet really permeated the field, but it is going to as time goes on, I believe, because there is simply so much material that might need to be learned to cover all of them.
FIELD: So, Gene, what advice would you offer to both the public and the private sectors, as well to the schools, about how we can collectively raise the bar on information assurance education and bring the right people into the right field?
SPAFFORD: I think the problem that we have is partly one of awareness that the problems that we are seeing are widespread and continuing, and the threat is increasing, so we will have interesting career paths here for people interested in this field -- that it isn't something that we are going to outsource to places elsewhere in the world where there may be, at least for the moment, temporarily cheaper labor costs or materials costs.
So this is a valid career path, and this is an area of interest and challenge that will go on for some time, and we need to start pushing that awareness now toward the level of the education system, so at the K through 12 level, studying computing in general as a field is not viewed as a vocational skill, but is actually a mathematical and science specialization area.
FIELD: Gene, I asked you up front about the single biggest influence on education this year and you spoke of the conversation, the talk we have about cybersecurity. As you look ahead to the next year, the next school year in particular, what single fact do you think is going to influence the state of information assurance education then?
SPAFFORD: I suspect that over the next few years, issues of the economy are going to have the biggest impact. As organizations decide what they are going to do for budgets, as the government tries to curb back spending, as many schools will have to make hard choices as to which courses to offer and perhaps even departments that need to be trimmed. And on the professional side, many organizations having to cut back on training budgets -- security as an area is an attractive target for mangers to try to trim because if no problem has occurred yet, it is questioned as to why the money is being spent. It is paradoxical in a sense that one doesn't realize the value of this until a problem has already occurred.
So, I am worried that if informed individuals aren't involved in providing the budgets and doing the calculations that there will be undue cuts made in the training and education and awareness issues that are necessary to really support this field continuing to grow.
FIELD: Gene, one last question for you about the students that you see year in and year out. We talked about the bar being raised on the profession; what is different about the students that come to you now versus those that maybe came to you a decade ago?
SPAFFORD: The students that I see now have often, not always, had some prior exposure to information security or computer security issues, and they have taken a course or read a book or two on the field prior to reaching the classes at the level that we teach at the university.
Ten years ago, much of that literature was not as accessible, and usually when students enrolled in some of these courses it was because they were interested in exploring it, not because they had had prior reading and prior experience in it.
FIELD: Well, Gene, I appreciate your time and your insight today. Thank you so much, and I wish you an enjoyable summer.
SPAFFORD: Thank you, and you, too.
FIELD: We have been talking with Eugene Spafford with Purdue University. For Information Security Media Group, I'm Tom Field. Thank you very much.