NOVEMBER 28, 2000

SECURITY NET
By Alex Salkever

Wanted: More Schools for Security Pros
Not nearly enough is being done to train information-security experts, and U.S. companies face a staffing shortfall that will likely grow ever larger

 
Hetal Patel is a hacker headhunter. An associate at PPS Information Systems Staffing in Baltimore, Patel caters to the booming trade in information-security specialists. Trouble is, these days there aren't enough hackers out there interested in honest work. So the frantic campaign is on at companies large and small to try to shore up their information-security defenses.

That means lots of business for everyone from the firewall engineers and intrusion-detection specialists who man the perimeters to programmers with expertise in cryptography algorithms. "It's very tough to find the engineers because there is so much competition," Patel says.

TALENT SHORTFALL.  How shallow is the labor pool? According to Al Decker, CEO of information-security consultancy Fiderus, the U.S. alone will face a shortfall of between 50,000 and 75,000 security professionals in the next few years. And that talent deficit could well grow even larger as millions of new devices from desktop PCs to wired PDAs come online in the next few years.

"There is generally a lack of good talent and skill across all technological specialties. It's especially acute in information security," says Mike Rothman, CEO of SHYM Technology, a maker of secure-digital-certificate software. Small wonder computer-security salaries have leaped 50% in the past 12 months.

Unfortunately, very little is being done to educate and train information-security experts. Too bad, because a government-business partnership could reap big benefits in a hurry by providing more money to educational institutions for information-security curriculums. "We have seen some money targeted for research. We have seen very little money targeted specifically for education," says Matt Bishop, a computer-science professor and information-security specialist at the University of California at Davis.

QUIRKS AND PITFALLS.  Bishop's lament is well-founded. Although precise figures for spending on information-security education are hard to come by, the handful of U.S. academic programs with an information-security emphasis turn out fewer than 200 graduates each year, and at the current rate, demand for security experts will vastly outstrip supply. Only 14 universities have been recognized for information-security expertise by the National Security Agency. But some of those schools don't even offer an official curriculum in information security. And while big companies have often funded research in chip design or biotechnology, they've stayed away from information security, even though some of the biggest research companies, such as IBM, have active information-security practices.

One top program, the International Information Systems Security Certifications Consortium Inc., has issued only 3,000 of its Certified Information System Security Professional certificates over the past four years. Furthermore, most certification programs don't attack the problem at its root: They "teach you to work well with one particular type of equipment, but move someone trained in Microsoft to a Unix system, and they can fumble," says Bishop. "In a university, you don't study how to do it on a specific system. You study what are the principles underlying everything."

An understanding of those principles has become more important for security execs, particularly because of the increasingly complex technologies that mix multiple protocols and devices, each with their own quirks and pitfalls. "Twenty-five years ago, it was easy for me to comprehend security," says Fiderus' Decker. "I had one operating system, I had one security product. As long as I could make those two mesh, I had it all covered. As we move into new technologies such as wireless, the security gets more complex," Decker says.

"LEARNING UNDER FIRE."  Of course, some information-security practitioners question whether enough expertise can be garnered in a classroom environment. Bishop himself agrees that to achieve true mastery, book learning and lab time must be combined with real-world experience shoring up networks. "There is a big difference between academic learning and learning under fire. The point is, you have to do both. If you learn simply under fire, you learn a set of tricks and tools that work under a certain environment," Bishop says.

Already companies are taking matters into their own hands. Rothman says SHYM Technology now grabs smart people and then just trains them in the necessary programming skills, rather than holding out for the perfect skill set to appear on a resume. Decker and Fiderus have announced the formation of the Fiderus Institute, whose intensive information-security program the company will offer to outsiders and also use as a recruiting tool as Fiderus tries to double its size to 150 employees over the next few months.

But these are stopgap measures. To end the information-security-talent drought, the field has to gain its place at the academic table, just as computer science did in the 1960s and 1970s. That acceptance will come only with money for academic programs. Until then, information-security training will continue to be a patchwork of the relative few with formal training and the self-taught.



Salkever covers computer security issues twice a month in his Security Net column, only on BW Online
Edited by Douglas Harbrecht

McGraw-Hill Cos.