About two weeks ago Rafal Los (aka Wh1t3Rabbit) posted a blog entry pondering the question of who is responsible for security: the business people or the security team? While I don't want to rehash a lot of what has already been said in his great blog post, I do want to bring up a point that was made during this awesome conversation (you should definitely read his blog post if you get a chance). Out of all the colleges in the US, how many of them provide a course relating to network/web security? The answer is far fewer than you think. With all of the IT security professionals out there you would think that there would be some undergraduate and graduate courses in network and web security that deal with many of the issues plaguing businesses today. The sad truth is that such courses rarely exist, and the ones that do don't seem to carry the education of students far enough. There are two issues I see here that relate directly back to the Business vs. Security post: why are IT students the only ones taking security courses when security is a common problem across all areas of study, and how do we fix the lack of education in this area?
The first issue poses probably the greatest threat today because anyone outside of the "IT realm" tends not to understand why security is important (some people in the realm don't understand it either). When you look at the number of businesses in the US you will see that most of them don't have anything to do with IT. You have financial companies, real estate, retail, construction, and many more. The one thing they all have in common, however, is the fact that IT and computers are ubiquitous in the business world. People use web applications, Google, email, Microsoft Office, and tons of different applications and utilities to conduct business. So if more "business" people are exposed to IT, why should the security professionals be the only ones responsible for understanding how it works? I'm not saying every single person should have a formal IT security background, but a single course on security wouldn't kill anyone. In fact, I would go as far as to say that requiring a single course on security would decrease the number of compromised accounts and cases of identity theft in the US because of the higher level of education that students would be armed with. A "Business Security" course could explain to users the dangers of visiting any link that pops up in their email, or why the corporate ban on Facebook is actually imposed on them (there are many different topics that could be covered). We should stop relying on the security professionals and customized education programs of companies to train and educate users, because it isn't working. This concept really doesn't work for smaller businesses that can't even afford to develop or implement such programs. We need students entering the workforce to be more educated about security to help protect the companies that they go work for when they graduate. Just because you are an English or History major doesn't mean you won't be touching a computer for the rest of your professional career.
Why have we all been accepting of the fact that security is an "IT" related function?
The second issue here stems directly from the lack of choices those wanting to learn about security face. If an undergraduate computer science or information systems major wants to enter the information security field, they will be hard pressed to find anything that will really help them build a solid foundation in this area. The standard two courses that colleges offer are usually cryptography and a general network security course that touches lightly on a few different areas. While these are both good courses, there is nothing currently available that will show students how to program securely, defend a network, implement services securely, or become a penetration tester. These are all topics that many IT professionals should know regardless of whether you are a security professional, developer, or system administrator. Most people you find in these roles today have been hired there from other positions they have held where they *hopefully* have gained some experience in these areas. There are many security professionals today that are so underqualified for the role that they are in, and yet we wonder why major corporations and people's personal data are hacked and stolen all the time?! Seriously though, can you really blame the "security guys"? What training is available to them? Someone posed a question in a forum I'm a member of which asked for a recommendation on a training course. This person said their boss wanted the entire IT team to go to a security class on defending a network for system administrators (or something related). Do you know that after a week of suggestions and replies there really was nothing available for them to attend? The current offerings deal with basic entry level security (like the Security+ classes) or hard core penetration testing (like CEH and SANS). What happened to providing quality education, or education at all for that matter?!
I think that both of these problems are serious areas that need to be addressed before you can really answer the question Business vs. Security. If each person in the business had at least *some* knowledge of IT security and security professionals were better trained, companies would have an easier time defending themselves and not have to waste so much time on risk management and remediation from hacks. Companies would also benefit from not having to spend so much on customized training programs, security products, and audits, which would in turn increase their bottom line. Seriously...find me a CEO who wouldn't be happy about that!
Security should be part of the Quality process.
It isn't a separate issue that only those "in-the-know" should be involved in.
Modern programming courses that don't cover best practices, such as SQL injection, are doing a disservice to the profession at large.
When learning to drive, you are simultaneously taught to obey road signs, use your mirrors etc. So why can't other fields of study teach the security best practices relevant to their field?
At my university CompSci course (1990's):
- The Database courses never taught anything outside functional based stuff - nothing about deploying, hardening, setup.
- The Software Engineering course only focused on functionals and with a tiny bit on non-functionals (mainly metrics)
- The Programming course (Pascal, then Java) only focused on functionals - make it look pretty...
- The OS course; the only one that covered some security, mainly cos it was Unix based.
- The other thing was that none of the groups ever seemed to interact with the others - already siloed into their little cliques...
Until the colleges take security seriously and embed the relevant security elements into the existing courses, we'll continue to have sub-standard developers, DBAs, network engineers, etc.
As an adjunct faculty member at a local college, I think I understand why academic institutions tend to stay away from offering disciplines in Security as a degree.
Mastering security as a "trade" takes years, not to mention you have to eat, sleep, and breathe security in order to keep pace with how fast exploits evolve and change.
Security knowledge especially is an asset as well as a risk. I think you know where I am going with this.
Academic and business institutions alike tend to feel uneasy in front of security professionals.