While most of us give little thought to how our personal and professional data is secured or whether malicious or mischievous perpetrators are trying to get their hands on it, legions of information security professionals working behind the scenes do the worrying for us and try mightily to thwart threats.
Industry insiders emphasize that, as new technologies and violators emerge at every turn, hiring the right kind of talent is becoming much more important, which makes a recent University of Houston (UH) designation by the National Security Agency and Department of Homeland Security much more significant. At the 13th Colloquium for Information Systems Security Education in Seattle last month, the university was named a national center of academic excellence in information assurance education.
The designation means much to UH College of Technology instructional associate professor Edward Crowley, who headed up the application process.
“At UH, the quest for academic excellence in information security began in 2002. Since then, the curriculum has continued to evolve and improve thanks, in part, to input from the National Security Agency, as well as the FBI, Secret Service and the Houston Police Department’s computer forensics group,” Crowley said.
The need for these behind-the-scenes and battle-ready information security experts should not be underestimated, said Michael Gibson, who heads the information and logistics technology department. “You can do more damage with a computer than you can with bullets. Think about all of the systems that run our traffic, our power grid, our energy-distribution channels,” he said.
Crowley points to recent events such as Lockheed Martin’s loss of F-35 fighter project data, Virginia’s loss of personal health information, cyber attacks in Estonia and Georgia as well as the growing risk of identity theft.
Last month the Partnership for Public Service, a Washington-based advocacy group focused on government service, issued a report detailing serious problems within the professional community charged with protecting the government’s networks. Its authors made several recommendations to the Obama administration, emphasizing that the safety of the nation requires building “a vibrant, highly trained and dedicated federal cyber-security work force.”
Anne M. Rogers, director of information safeguards for Waste Management in Houston, lauds UH’s approach. “One reason we have cyber security problems is that people have focused mainly on software features and functions without considering security. That led to a lot of buggy software – things built with inherent vulnerabilities. These systems may do wonderful things, but, if data leaks out or hackers easily get in and out of them, we lose,” she said. “So, it’s really important to build and assess for integrity, security and adequate control.”
UH’s technology project management information systems security graduate degree program serves both UH students and non-degree-seekers who want information-assurance training. Five to 10 students complete the program each year, and Gibson expects the designation to increase demand for the curriculum.
Many of those enrolled already are information technology professionals who aim to climb the corporate ladder or join the government work force at more advanced grades. Others, like alumnus Chad Van Zandt, move straight into the program after finishing undergraduate work.
After getting his degree in information systems in 2004, Van Zandt enrolled in the technology project management graduate program and soon after began working as an intern at Houston’s Gray Hat Research Corp. Upon graduation in 2006 ------------------with his information assurance certification, he was promoted to executive director of educational services and consulting for the company in California.
“This is a relevant, cutting-edge program that helps shape its graduates to become formidable figures in the security technology field,” he said. “To say the valuable knowledge and experience gained from this program has played a vital role in my career development would be an understatement.”
While career advancement is possible without the certification, Gibson said, those who do obtain it are more likely to enter into the work force at a higher rung and rise more quickly. “If you look across the global regulatory world, there’s less and less tolerance for inappropriate information handling,” explained Rogers, whose company has hired two graduates of the UH program. “As everything goes electronic, they’re hiring the best people to go to battle.”
Paul Williams, chief technology officer for Gray Hat Research Corp., said he looks for “the heroes of tomorrow” when hiring for his company and its clients, because true information assurance requires getting ahead of the curve and seeing the big picture.
“What the industry is looking for is the geniuses – this middle layer where expertise is so lacking,” he said. “At the high end, enterprise security really is rocket science. We have clients that have 50,000 computers in the world – in 21 time zones – and tens of thousands of employees. It’s a million times harder to secure those computers than just one. They need people who will ask: ‘How do we cost-effectively change the paradigm of this company so that we can do more with this money?’ We’re talking about using what you have today to mitigate the greatest risk.”
Elizabeth Anderson-Fletcher, associate vice president for research operations, said the designation supports faculty efforts to contribute to Department of Defense and Department of Homeland Security research programs. “Examples of potential cyber security research projects would include the research and testing of procedures in the secure use of Internet-enabled supervisory control and data acquisition, or SCADA, systems that monitor, coordinate and control critical infrastructure in the energy sector. In health care, cyber security becomes a major concern as we move to the digitization of patient medical records,” she said.
The four NSA-certified courses offered at UH include Principles of Information Security, Enterprise Security: Incident Response/Corp. Forensics, Applied Cryptography and Secure Communications, and Information Security Risk Analysis and Management. The training standards embedded in the courses are a part of the Information Assurance Courseware Evaluation (IACE) Program established by the Committee on National Security Systems (CNSS).
Each institution designated as a center of excellence in information assurance education must recertify its courses and submit an application for renewal as a center of excellence every five years.