Thoughts on Security Degrees
Since our CISSP discussion has been thought-provoking, I imagine this might be interesting too. Last night I taught a lesson on network security monitoring to a graduate level forensics class at George Washington University. Earlier this week my friend Kevin Mandia asked me to step in when he was unavailable to teach. I spent 2 1/2 hours describing NSM theory, techniques, and tools, and concluded with a Sguil demo.
I do not have any formal degree involving computer security. I have considered pursuing an advanced degree. It would be incredible to work with Vern Paxson, for example. I am not sure how useful another degree would be for me, at this point.
Computer security practitioners are often self-taught. This morning while perusing The Economist I came across the ultimate story of a successful self-taught technician. Those in the medical community may know the story that "Professor Christiaan Barnard performed the first human heart transplant." I learned in The Economist that Hamilton Naki, a self-trained and non-degree holder, performed half of the operation.
According to The Guardian, Mr. Naki led a team that spent 48 hours removing the donor's heart, and then placed it in Dr. Barnard's hands. Mr. Naki learned to transplant organs by watching, then doing. He surpassed the technical skill of the trained physicians at his hospital, and Dr. Barnard enlisted his help for the ground-breaking 1967 transplant operation.
A search for "Naki" at the South African hospital Web site that speaks glowingly of Dr. Barnard yields zero hits. It seems the same secrecy that kept Mr. Naki from receiving any credit inside his native country still persists, at least at the hospital where he worked for nearly 40 years on minimal pay and with no formal recognition.
What do you think about security degrees? Can you recommend any programs?
Update: It turns out that Hamilton Naki did not work with Dr. Barnard on the first human transplant. The 16 July 2005 issue of the Economist states:
"A source close to Mr Naki once asked him where he was when he first heard about the transplant. He replied that he had heard of it on the radio. Later, he apparently changed his story...
[H]is role was gradually embellished in post-apartheid, black-ruled South Africa. By the end, he himself came to believe it."
That's a shame.
Comments
I am very much in favor of a very broad but not necessarily deep knowledge. That's for a couple of reasons.
For one, security is about interconnected problems and systemic thinking (cf. Peter Senge's "The Fifth Discipline"). It is not helpful to have a very in-depth knowledge about one specific topic when all it takes is a hole in a separate part of your system to breach it.
Second, and related to the first reason, is the fact that a degree in a generic science like physics, chemistry, computer science seems more sensible to pursue because it gives the basics for the more specialized disciplines like information security. Information Security has a lot to do with computer science anyway. YMMV, as usual :)
Anyway, there are some efforts at explicit speciation. I have no direct experience with any of them, but maybe you should check out:
* the Center for Applied Cybersecurity Research @ Indiana University
* Ross Anderson's group @ Cambridge
* Citi @ Michigan
* CERIAS @ Purdue (not sure of its current status)
* ISTS @ Dartmouth
Depending on your intellectual orientation, you may also want to see what various business schools have to offer. Given the situation with audit and reporting requirements, and the focus on governance issues, it'd surprise me if nobody has stepped up and created a focussed program addressing these things. Whether it is information security is an open question (speciation has yet to occur, recall).
There is a strong argument to be made against formal study of infosec as a discipline. That none of the major players has studied it as such proves that you don't need an "Infosec Degree" (whatever that is) to know your stuff. However, I personally think that formal study for someone who already has substantial training in another related field or who is an accomplished practitioner with the appropriate mindset (to wit: an academic one) makes a good deal of sense.
I hope it goes without saying that there is plenty of room for autodidacts. An infosec degree, I personally hope, does not become a credential. We have the CISSP, after all ;^).
I'm like you...I don't have a security degree. I do, however, have BSEE and MSEE degrees from accredited universities. I've also given presentations and taught my own, self-developed classes.
I'd like to hear from others here about the process of teaching courses at places like GWU and GMU...particularly GMU. I'd be very interested in something like this.
Thoughts? Comments? Recommendations?
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
However, when looking at formal education, the 'greed' of MONEY doesn't necessarily drive the train. The only program I've seen and support is the NSA CAEIAE program (http://www.nsa.gov/ia/academia/caeiae.cfm?MenuID=10.1.1.2). Schools must apply, be reviewed, and continue to upkeep their program for semi-annual reviews to maintain their status. This is probably the most 'vendor and greed neutral' forum available to 'judge' an individual's competence. As a manager, I'd be willing to bet that someone who comes from a formalized university CAEIAE program has a more objective understanding of Information Security than a person that can pass a language focused exam with multiple choice questions.
My two cents, but it's sad to see the industry (IT in general) set hiring criteria on what single or multiple tests a person has taken, rather than an individual's work experience and formal education. Let's face it, there may be a 'few' doctors that can perform open-heart surgery without an education, but I truly believe they are in the minority. Society hasn't formed 'medical board' examinations without motivation. I believe security certifications started out with good intentions, but ultimately succumbed to the driving factor of MONEY. However, an accredited 'university' holds more credibility in formal 'education'; much more than an organization that simply 'backs' one or two 'industry' security certifications and rakes in multi-millions of dollars each year. I would venture to guess that these 'non-profit organization' financial statements show a much higher revenue than say....George Mason University :-).
Just for grins...ask an officially endorsed training provider how much of their gross income (from training programs focused to these 'security certifications') has to be handed over to the founding 'body'...I think you'll be quite surprised.
Although the technical skills can be learned entirely on one's own, a university education provides much more. Exposure to research, interaction with experienced professors and scientists, and breadth of study being the most prominent.
Not to mention it shows that you've given up (at least) four years of your life for something you enjoy and find important.
But for someone like you who is well into his career, I don't think it would add much to your resume. You've already proven yourself as a respected infosec professional. Is it really worth your time and money? Maybe if you're interested in doing more academic research. If, however, your focus will be on entrepreneurship for the foreseeable future, then probably not.
If you decide to get an advanced degree, put yourself completely into it. Set aside enough money such that you won't have to consult full-time and can focus on your research.
Good luck!