US Not Training Enough Cybersecurity Experts

graychase writes "Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding. 'Look at all the great football and basketball programs. They're all on scholarships. They're not playing for fun — they're playing for money.'"

Training?

[WrongSizeGlass]

Shouldn't they be recruiting them from the trenches or simply luring script kiddies into the evil clutches of our federal government with promises of "no bedtimes", "free games, pizza & soda" and "no one here will make fun of you because everyone here will be like you"?

Re:Training?

[Grishnakh]

Exactly. There is NEVER a such thing as a "shortage" of workers (unless a massive plague has struck, perhaps). There's only a "shortage" because the employers don't want to pay enough for people to want to enter the field. Many technical fields require significant education and experience, and this takes many years to build up to; if they're not going to pay enough to make it worthwhile, no one's going to bother entering the field. And if they're constantly firing people every time there's a downturn, making that career extremely unstable, then they need to pay EVEN MORE to get people to come back to it for the short periods where they're hiring instead of firing.

Easy solution

[Skyshadow]

We'll just recruit our cybersecurity from the obvious source: China.

I, er, hear they may have some relevant experience.

No problem

[oldspewey]

I'm sure the US can just hire some of those well-trained and eager Chinese cybersecurity experts who seem friendly and anxious to come across on H1 visa.

They're not seeing a primary source.

[rindeee]

Working in the industry and hiring new Cyber talent on a weekly basis, I'd say that the author's aren't looking in the right place. We find the best, most talented folks are coming out of the military. These ladies and gentlemen are very disciplined, highly trained and have real (very real) experience not only within the ranks of military cyber operations, but most also have a good deal of experience in the intelligence community. They all have a great deal of experience (and preference) with open source tools, but understand the proper application and integration of COTS products as well. Anyway, my two cents.

Re:They're not seeing a primary source.

That might be the case, but it's equally as hard to find a cyber security job. I graduated from a Center of Excellence with a Master's in Computer Security and Information Assurance. Due to the scholarship I've been working with DoD and I've gained my clearance through them. I've sent job applications to NSA, DHS, ARL, NRL, DARPA, etc. and have not heard one response aside from DHS saying I wasn't the most qualified candidate. I even have my 8570 certifications now for IAT 2. Everything is so C&A focused it's a bear to find any real cyber security work - I've certainly been trying to move toward it. Maybe I'm doing it wrong, but from my experience the job positions just aren't there, regardless of need.

Re:They're not seeing a primary source.

[dremspider]

Look at contractors working for the government. In my experience that is where a lot of the jobs are. I know where I work, they are always looking for talent.

Re:They're not seeing a primary source.

[girlintraining]

The best, most talented aren't coming out of the military. The military has some stringent guidelines on physical health and background that a lot of people don't make the grade for, but nonetheless are well-suited for the work. Anyone with asthma, short-sighted, or is gay, or bad credit, etc., are all ineligible for military work. I should know -- I am one of those "cyber security" experts, and I did look into joining the military, but was ruled ineligible. The talent pool that the military can recruit from is significantly smaller than total pool size.

And as anyone in IT will tell you, overspecialization can kill your career; You need to remain flexible, continually expanding your skillset, and often find yourself in peripheral fields because a job isn't available in your field of choice. Many of us wind up taking help desk positions when five years ago we would have been network administrators, simply because of consolidation, outsourcing, and the fact that IT in general does poorly in a recessionary economy. A lot of that talent we had moved into other fields that have better job security, and they are no longer trained to current requirements. This is a side-effect of capitalism and is neither good nor bad, but it does shrink the pool size.

If the Department of Homeland Security wants more people to choose from, they need to either lower their requirements to what the job actually requires, or they need to consider liasoning with the Department of Commerce, trade, etc., and funding IT projects that will bring people back into the field and increase the pool of currently-trained and available workers, or they raise the amount they're willing to pay, offer training, etc.; Like the medical field does. The Department of Homeland Security needs to offer a career path, not just a job, in that scenario. Otherwise, what's the point?

Re:They're not seeing a primary source.

[girlintraining]

More bullshit. The military doesn't care if you have bad-credit, even has a system for helping you manage debt. They will accept people with asthma provided they can still handle the physical training, and short-sighted only gets your disqualified if you are almost blind. Plenty of military personnel wear glasses and the military will often pay for corrective surgery if you want it.

Enlistment standards.

Bad credit: "Any recruit who's monthly consumer debts (not counting debts which can be deferred, such as student loans) exceeds 40 percent of his/her anticipated military pay is ineligible for enlistment."

Asthma: Disqualifying.

Short-sighted: Having eye surgery can disqualify you, actually. Also, being short-sighted can disqualify you, if your vision can't be corrected to within 20/40. Even if vision can be corrected, a wide variety of common eye problems can disqualify you, including night-blindness.

Someday you will learn that you can't take your limited experiences of the world and turn them into overly broad statements of fact about entire processes and organizations.

Hugs and kisses.

Re:They're not seeing a primary source.

[centuren]

The whole statement seems to show a wildly inaccurate perspective on how education and industry go together:

"Homeland Security's cybersecurity director, Richard Marshall, warns that universities aren't turning out enough cybersecurity experts and urges greater scholarship funding.

Universities do not turn out experts, period. If one needs more national security experts, the place to look isn't for upcoming graduates from Harvard's "Department of National Security", because no such thing exists. Hopefully, 4-year degrees in cybersecurity don't/won't exist, either. Universities educate students, giving them knowledge and skills to put them in a situation where they can be trained into these rolls. I went to an engineering school, and the CIA had a booth at the job fair every year, and 3 or 4 of my friends interned with the NSA, at least one of whom accepted a job there after he finished his graduate degree(s).

Richard Marshall's statement seems absurd; if they need more cybersecurity experts then they should recruit and train more people. With today's unemployment rate, it's not like there aren't people with the education out there looking for jobs. If you want more experts, hire people and train them. Scholarships might put more inexperienced graduates into the hiring pool, but does nothing to produce more cybersecurity experts. People in Marshall's position need to start realizing that companies and agencies alike invest in developing employees when it comes to jobs as specific as cybersecurity. Just throwing more certification graduates into the world isn't likely to improve anything.

All it takes...

[garyisabusyguy]

...is state subsidized computer "crime" education.

Israel has had state sponsored training for decades and looky looky they have plenty of forensic experts...

In the US we threaten anybody that touches these tools with prison and let the mpaa sue Professors that attempt to study anything remotely like security.

Yeah, it's about the money

[HockeyPuck]

Starting salary at IBM is about $50k.
Additional Compensation:
---Employee Stock Purchase Plan.
---401k
---Options (maybe)
    Pre-requisites: Atleast 4 years of college, optional advanced degrees. Experience with security and engineering solutions.

Starting Salary of Lebron James: ~$4m per year.
Additional Compensation:
---$90m Nike Contract
      Pre-requisites: Ability to dribble and score with a basketball better than any other kid in high school.

Which would you choose?

Re:Yeah, it's about the money

[Skyshadow]

Lebron James is one of the best basketball players ever to live, not just some run-of-the-mill pickup player.

Let's make a slightly more appropriate comparison: Samuel Palmisano, CEO of IBM, made $1.8 million last year, plus a bonus of $4.75 million and $13.5 million in stock options. So really, the top performers in tech don't really do so poorly either, especially considering that their career is probably a bit longer than Lebron's.

Re:Yeah, it's about the money

[chill]

Compare apples to apples. Here is an oldie, but a goodie:

Michael Jordan having 'retired,' with $40 million in
endorsements, makes $178,100 a day, working or not.

If he sleeps 7 hours a night, he makes $52,000 every
night while visions of sugarplums dance in his head.

If he goes to see a movie, it'll cost him $7.00, but
he'll make $18,550 while he's there.

If he decides to have a 5-minute egg, he'll make
$618 while boiling it.

He makes $7,415/hour more than minimum wage.

If he wanted to save up for a new Acura NSX
($90,000) it would take him a whole 12 hours.

If someone were to hand him his salary and
endorsement money, they would have to do it
at the rate of $2.00 every second.

He'll probably pay around $200 for a nice round
of golf, but will be reimbursed $33,390 for
that round.

He'll make about $19.60 while watching the 100- meter dash in the
Olympics, and about $15,600 during the Boston Marathon .

This year, he'll make more than twice as much
as all U.S. past Presidents for all of their
terms combined.

Amazing isn't it?

However...
If Jordan saves 100% of his income for the next
500 years, he'll still have less than Bill Gates has
at this very moment.

Game over. Nerd wins .....

* * *

Now compare your average mid-level technical employee vs the jock who majored in sports and see what is what.

Universities aren't taking it seriously either

[Admodieus]

At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.

Re:Universities aren't taking it seriously either

[centuren]

At my current university, there are two undergraduate networking courses and one undergraduate security course. There's one network course in the graduate curriculum, but that's meant as a recap of the two undergrad ones if you didn't get your undergrad here. I would love to load up on network and security classes, but there's simply none being offered.

I don't really feel that having a lot more is appropriate. I'd rather see people with degrees in Computer Science go into network security then see people graduate with a specialty in Network Security. When I think "Cyber Security Expert" I think of someone who, say, writes custom kernel patches, works in the field of cryptography, or writes packet-level intrusion detection tools. These are all security things, but they don't need security courses given in university to match them. Knowing how to patch a system to be more secure is a result of knowing how those systems work on that base level. Cryptography means studying lots of math. Communication and authentication handlers is again, understanding how it's handled in the OS.

The problem with network security courses at school, is they either have to be offered late in your program, or be largely superficial. If you're interested in the field, I'd talk to some people in the industry (I hear the government is recruiting), and ask what you should be studying. Recruiters, specifically, as they'll be able to say what they look for in a graduate's skill set.

It's hard to learn

when the government and industry decide to move away from making systems and software increasingly more secure and instead focus on draconian laws with punitive sentences that start at a decade for benign acts regardless of intent or whether you informed the target of their weakness and how to correct it.

Security through sentencing.

Richard Marshall is a lawyer

[Animats]

Of course people aren't going into this field. Look who's in charge.

This Richard Marshall, "Director of Global Cyber Security Management, Departent (sic) of Homeland Security", is a lawyer. From LinkedIn, his undergraduate degree, from The Citadel, is in history, English & political science. He then went to Creighton and Georgetown University law schools.

The last person in that job who knew what he was doing was Amit Yoran, who had a computer science degree. He kept saying that Microsoft operating systems were the big problem, and was sidelined for that. He was replaced by Cisco's lobbyist.

What we have now is a lawyer making policy recommendations that effectively mean doing nothing. That's "Homeland Security".

I'm pretty sure...

[Blue6]

Most of these stories are puff pieces done for or due to the FUD big consulting companies like CSC, Lockheed, Northup put out to the Bureaucrats in order to keep billing rates high. I have over 10 years of networking experience and a MS in Info Sec from a DHS sponsored school. I have applied multiple times to various positions and have never received a response back.