On the front lines
July 1, 2009
Cyber threats to U.S. businesses are bad — and getting worse. It’s not enough for businesses to ask their IT people to take on extra security tasks. And don’t think about cutting corners, even in a recession, says Sushil Jajodia, a longtime information security specialist who now is director of the Center for Secure Information Systems at George Mason University.
“In the old days … so long as you created a backup, people felt from a business point of view that they were covered,” he says. “But now we’re doing everything on the Web, and everything that’s relevant to businesses is online. If the bad guys get in and start deleting data or stealing data or corrupting data, your business could be gone overnight.”
Less than two decades after joining the business landscape, the Internet has become the proverbial double-edged sword. The Web has enabled businesses to transform and improve their operations, but hackers are no longer attention-seeking teenagers out to cause mischief. Instead they are international gangsters, con men, cyberterrorists and even disgruntled, laid-off employees, motivated by financial gain or malice.
One of the most chilling crimes took place this spring in Richmond when hackers broke into the Virginia Prescription Monitoring Database, deleted the records of 8 million patients, locked the backup files and demanded a ransom of $10 million in exchange for the password key to the backup records. The case is still under investigation, and the system remains offline. The spring also brought headlines about the hackers who managed to breach the U.S. electric grid, leaving behind computer programs that can allow them to disrupt service.
Such crimes cost businesses $8 billion in the U.S. and up to $1 trillion worldwide. The nation’s vulnerability to cyber crime prompted President Barack Obama to announce plans in May to appoint a first-ever cyber-security czar to help protect the IT systems so critical to all aspects of society.
But businesses shouldn’t rely solely on the government to stop cyber attacks, says Jajodia. Companies need to step up. That means not only investing in the latest intrusion detection tools and authentication techniques but also hiring information security specialists who can devote all their time and energy to keeping ahead of the bad guys.
“Security is the big buzzword in IT right now,” says Lloyd Griffiths, dean of the Volgenau School of Information Technology and Engineering at GMU. “If you know about security, you’re much more likely to be able to get or hold onto a job.”
Study predicts more jobs in field
The 2008 Global Information Security Workforce Study says that the number of information security personnel worldwide likely will increase 10 percent annually for the foreseeable future. Worldwide, there were 1.66 million information security jobs in 2007. The study, conducted by analyst Frost and Sullivan and sponsored by the certification company (ISC)², projects that number to reach nearly 2.7 million by 2012. The average salary in the U.S. for an information security specialist with five years of experience is $81,000.
Fortunately, supply is not a problem at the moment. Virginia schools have been offering degree programs, specialized coursework and certificate programs in IT security for some time. As security attacks have garnered more concern in business, government and the military, these programs are attracting more attention from college students and workers trying to upgrade their career prospects.
“Reports of cyber crime activities and theft of personal information and organization secrets have made the field more interesting to the students,” says M. Hossain Heydari, coordinator of the Graduate InfoSec Program at James Madison University. JMU is one of the original schools designated a Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security.
“It’s fun trying to find all the vulnerabilities in the system, to patch them and figure out how to secure it to keep the attackers out,” says Rachel Russell, 26, who recently obtained a bachelor’s degree in computer security and an information security certificate from JMU. She also was a member of the school’s Cyber Defense team, which competes in contests determining who is best at securing networks. “It’s extremely challenging, and I love a challenge.”
At Virginia Tech’s Pamplin College of Business, student demand has been so high in recent years that the school added an IT security module to its master of IT curriculum. At GMU, information security is one of the two most popular concentrations among students pursuing an undergraduate degree in IT. Griffiths says that the school is considering whether to add an actual information security undergraduate degree.
In fact, the range of educational opportunities in the field around the state is diverse:
• The University of Virginia offers a graduate certificate program in information security management at its Northern Virginia Center in Falls Church.
• Northern Virginia Community College has coursework in information security that can be used toward an associate’s degree in information systems or to obtain a career studies certificate in network security.
• Strayer University Online, based in Newington, offers a master’s degree in information security.
More than a degree
Still, says Tom Sheehan, director of Virginia Tech’s master’s IT program, obtaining an information security degree is not enough. “The field of information security, like the broader, but closely related field of software engineering, has more than its fair share of ‘PowerPoint engineers,’ which is a derogatory term for those who have mastered all of the buzzwords but none of the substance.”
Companies increasingly recognize that degrees do not automatically translate into well-qualified information security professionals. That is why many employers demand that job candidates have either a master’s degree or certification (or both). Certifications require candidates to take an exam proving their skills. Those who pass must adhere to a code of ethics and engage in continuing education to retain their certification.
The Department of Defense, for example, recently mandated that all information security personnel obtain a professional certification that meets international standards. The 2009 Cybersecurity Act, a bill recently introduced in Congress, would mandate certification for information security personnel in all federal agencies.
The extra effort is worth it, though. According to the Global Information Security Workforce Study, the average salary for a certified information security professional is $102,000, or more than $20,000 higher than for a noncertified specialist with the same level of experience.
Students who pursue information security are not relegated to simply installing anti-virus patches or managing user passwords. They can go to a number of other fields, including management, criminal investigation, secure tool development, security policy development or risk analysis. ManTech International, a Fairfax-based government contractor, for example, is looking for personnel who can work as cyber intelligence analysts, computer forensics specialists, security software engineers, network security engineers and vulnerability assessors/penetration testers.
Chris Kreider, a software developer for Ferguson Enterprises in Hampton Roads, says that security increasingly is recognized as critical to the job of creating applications, as hackers have become adept at exploiting vulnerabilities in software coding. The 25-year-old recently decided to obtain a master’s degree in IT from Virginia Tech but concentrated his studies in information security after his job area changed to include identity management tasks. “If you’re a developer who understands security, it definitely is a value-added skill that gives you a real edge,” he says.
Griffiths expects information security to continue to grow in popularity among students. “If I had the money, we could hire two or three new faculty right now and keep them fully occupied in information security,” he says, noting too that the school has started offering certification training and exam opportunities for students as a convenience to them. “This is an area that every type of organization is going to have to invest in eventually, whether it’s to safeguard medical records or energy supplies or financial transaction information. It is a need that will be constantly changing and always in demand.”