Spaf on Security Education in 2011
Interview with Prof. Eugene Spafford of Purdue University
Gene Spafford is optimistic. Having shared his reservations about the state of information assurance education in previous interviews, "Spaf," as he's known to students and colleagues, has positive vibes about 2011.
"There appears to be a little more focus from both industry and government," Spafford says. "There's a greater demand for well-trained students. There appears to be greater attention on resources being brought to bear on developing education programs."
The trends are positive, he says. "We're moving in the right direction."
That said, Spafford still feels there has been more talk than action.
"We haven't seen industry step forward and provide equipment," he says. "We haven't seen them provide, really, the training into higher education or provide the kinds of things that would allow people to affordably retrain from industry. We haven't seen government provide funding to increase the number of students going through programs or to increase the resources and classrooms to get the training. So that is a problem."
In an exclusive interview on career trends for 2011, Spafford discusses:
- The forces shaping information assurance education;
- How the national focus on cybersecurity impacts the schools;
- What's necessary in 2011 from businesses, government, schools - and students.
Spafford is a professor with an appointment in Computer Science at Purdue University, where he has served on the faculty since 1987. He is also a professor of Philosophy, a professor of Communication and a professor of Electrical and Computer Engineering. He serves on a number of advisory and editorial boards. Spafford's current research interests are primarily in the areas of information security, computer crime investigation and information ethics. He is generally recognized as one of the senior leaders in the field of computing.
He is Executive Director of the Purdue Center for Education and Research in Information Assurance and Security, and was the founder and director of the (superseded) COAST Laboratory.
TOM FIELD: So in terms of information assurance education, what are your thoughts? Are we better off as we head into 2011 than we were a year ago coming into 2010?
EUGENE SPAFFORD: I think overall we're perhaps a little bit better, a little bit better off. We have a little bit more emphasis on the field. It is clear that there are some greater needs, a little bit more attention on what is going on.
State of Information Assurance Education
FIELD: What is the difference today, for better or for worse, in information assurance education than we've seen over say the past five years?
SPAFFORD: There appears to be a little bit more focus both from industry and government on the need for students getting some education in this arena. There is a greater demand for some well-trained students. There appears to be some greater attention being placed on resources being brought to bear to develop educational programs. We haven't seen them filter into the education environment yet, so I wouldn't say that the resources are there, but there is greater attention and a little bit more hope going on. There has been a little bit more movement in that direction, so the trend is positive and there is greater awareness. So we're moving in the right direction.
FIELD: Well that is something that I wanted to ask you about because we hear an awful lot about a national emphasis on cybersecurity, but how does that trickle down to education?
SPAFFORD: Well, over the last year or so, I've seen a number of high level and medium level workshops. There have been conferences and a number of people talking about how best to integrate information into the curriculum. How do we teach this information? People in industry have stepped forward expressing a strong commitment to hire people in this area. We've had people in Washington talking about need for putting in resources, so the awareness has increased and that is good.
What we haven't really seen yet are resources. We haven't seen industry step forward and provide equipment. We haven't seen them provide, really, the training into higher education or provide the kinds of things that would allow people to affordably retrain from industry. We haven't seen government provide funding to increase the number of students going through programs or to increase the resources and classrooms to get the training. So that is a problem. And I'm not sure when we might see that, given some of the current budget blows and some of the political maneuvering going on over the budget.
So the awareness is there, but the resources to back it up may be a problem.
Characteristics of Today's Students
FIELD: Gene, let's talk about students entering the field today. It strikes me that they are more technologically savvy than any that we've seen, and certainly social media has made them more connected than any we've seen. How do you characterize people that are coming into information assurance and education now?
SPAFFORD: Interesting mix. We have students who are much more comfortable with the technology. They seem to be much more familiar with how components can be used. They are much more comfortable with adopting new technology. However, at the same time, they are also much more accepting of privacy-invasive forms of technology, less aware of some of the dangers of new and untested technologies, and not as aware of some of the low level issues of how technology works. So they are very familiar with high level web applications for instance, but relatively ignorant of low level issues of how those web technologies are implemented or how low level issues of wireless actually behave and therefore where some of the vulnerabilities might exist in those technologies.
Government, Industry, Education
FIELD: Now you talked about the three sectors that really need to work together, education, business, and government. As we look to 2011, where does each of those sectors really need to step up to give us the increment of growth we want to see. Education, business, government -- what do they have to do?
SPAFFORD: Well, I think education is certainly moving in the right direction. It is willing to participate. We have an interest in providing the kinds of education necessary. A lot of that has to do with getting the students necessary to educate, to fill the roles, and having the employers at the back end willing to hire them. Education really can't manufacture the students or the jobs to put those students into, and so that is really a concern.
Business at the back end has to be willing to hire students and to state a preference where students who get the kind of training that is going to demonstrate that they understand how to produce quality code, take issues of privacy and security into account rather than simply doing the sort of quick and flashy web programming that often leads to security problems and privacy violations. It's easy to hire students who know how to do something where you're not really quick and very flashy at the front end, but it takes a lot of effort to train them how to do things correctly, and we need to have business show a preference for that kind of student. For the ones who are involved in the security businesses, we need to partner some with the educational sector and make sure that we do have the appropriate kinds of equipment, security equipment and software to train the students, so that they are getting the right background.
And from the government side, instead of imposing regulations about what students should have, it would be a much better approach to make sure that we have the resources necessary to be educating the students. Unfortunately, over the last year there were a number of bills introduced into Congress that were talking about imposing training regulations but weren't providing the necessary resources to help build up the education infrastructure. That really is going to have to come first, and I'm hoping that the next Congress is in the position to actually be providing resources for education across the board rather than trying to build in new regulations.
Advice for Launching a Career in 2011
FIELD: Gene, a last question for you. For someone entering the field today, and looking towards 2011 as a way to launch an information security career, what advice would you give them?
SPAFFORD: I think the advice I would give is similar to what I've been giving over the past few years. The focus really on anyone going into this area is: Focus on how to build and understand quality software. Don't focus simply on security, but understand how to build software that works, that is robust, that doesn't have errors. That the goal isn't going to be building something that is the first one done or the fastest to finish, but something that is going to be solid, something that you can take pride in and is going to continue to work. Craftsmanship is always valuable, and that is building a skill set that is going to last for a long time and going to be valuable in the long run, rather than just learning how to slap something together. This is a field that is going to continue to grow and have value over the years, and investing the time up front is going to be well worth it in the long run.