Security Education: Meeting Business Needs - Interview with Dr. Peter Stephenson of Norwich University
That said, job opportunities for information security students abound - in both the private and public sectors.
In an exclusive interview, Dr. Peter Stephenson, CISO at Norwich University, discusses:
Stephenson is a writer, consultant, researcher and lecturer on information assurance and risk, digital investigation and forensics on large-scale computer networks. He has lectured extensively on digital investigation and security and has written or contributed to 14 books and several hundred articles, in major national and international trade, technical and scientific publications. He is the Associate program director in the Master of Science in Information Assurance program at Norwich University and is a research professor at the National Center for the Study of Counter-Terrorism and Cyber Crime, also at Norwich.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is information security education. I am pleased to be talking with Dr. Peter Stephenson, Norwich University's Chief Information Security Officer as well as Associate Program Director for the school's Master of Science and Information Assurance Program, and he is the Chairman of the Computing Department in the School of Business and Management.
Dr. Stephenson, that's quite a title.
PETER STEPHENSON: Well, you know, it's how I keep the blank space clear on my business card.
FIELD: Peter, tell us a little bit about your information security program and the type of students that it attracts now.
STEPHENSON: Well, when we talk about our program we have to sort of split it into the Masters Program and the undergraduate program. The master's program is actually a little easier to describe because being an online program it attracts students from literally all over the world. Our students in the master's program have to be in the business already or in a similar business, so they can be in IT, they can be an auditor, or they could be in information assurance. We do get a fair number of military students because we are, after all, a military school.
The undergrad classes are a little bit different because there is a mix of information assurance and computer science. Our information assurance students tend to tilt a bit toward the policy side, but we do have some that are most interested in the technology. So we are in the process of making some distinctions between those two kinds of students.
Most of the students in the master's program join us because they are looking for advancement to higher job responsibility; often information security officer's responsibility. Our students in the undergrad school are very often looking at military career or careers in government agencies.
FIELD: Very good. So how are these programs structured to prepare these students to seek this career once they graduate?
STEPHENSON: Well again, we'll make the distinction between graduate and undergraduate. The graduate students already have their careers because they are mid-career adults, so they already have that taken care of.
Our undergrads though, we have a number of things that we do specifically for them. One is we have some longstanding relationships with military organizations, and that can be within the DOD or it can actually be soldiers, sailors, marines and airmen.
So what we do with that is we specifically target them to be able to step into a career in one of those organizations by such things as grant competitions for National Science Foundation, which is a scholarship for service program. They give back for the time that they get their scholarships. If it is military service, Army, Air Force, Navy or Marines then they may be on an ROTC scholarship.
For our civilian students they also have a tendency to gravitate towards those DOD possibilities and with that they can go directly into a government agency or with a contractor and we work very hard to ensure that our students have internship opportunities with either government agencies or contractors.
A few just go out into the world, and so we look for internship opportunities there in the private sector too.
FIELD: Have you found that with the economic situation that these opportunities have constricted at all?
STEPHENSON: In the government, strangely enough, they have not, and it has been the other direction. I was attending a National Science Foundation conference two weeks ago with four of our students who are scholarship students, and every single one of those students got at least one job offer from a government agency and some got more than one.
The worse the economy gets, the greater the need for the kinds of people that we teach. The bad guys get "badder," and so the good guys have to be more prevalent and the government seems to recognize that.
There is an estimate that there are going to be something like 2,400 new jobs just in information assurance in just the Department of Defense and Homeland Security over the next five years; 1,500 of those will be in NSA.
FIELD: Now let me ask you a question I think might be appropriate for your graduate program. How do you help students who want to transition from other fields who have had mature careers and want to get into information security?
STEPHENSON: Well, they come to us largely in two groups. Either they come from an audit background, typically an IT audit background, or they come from an IT background where they have actually been in the IT shop. And all of these individuals have touched information assurance in their jobs, at least enough to know that they want to transition into that field.
The way we manage that is the first seminar, and our seminars are 11 weeks long and the master's program is 18 months and consists of six seminars. The first seminar we conduct is intended to provide a solid foundation for someone who is not an information assurance professional when they enter the program, but has the kind of background that allows them to be one with the proper education.
We take professionals who have been in the program a long time, perhaps is certified already, and they begin with seminar two; they skip the first seminar. So we provide that grounding.
We have had students during their time in the program get promoted, get transferred into information assurance jobs and some have either been laid off or have left their jobs and almost immediately been picked up in an information assurance job. So whatever we are doing, it seems to be working.
FIELD: Very good. We talked a bit about the economy, how would you say that the recession in general has impacted information security education?
STEPHENSON: It has been hard. In the graduate program, we find that companies now who were paying for a full education are now asking the students to share that cost, or they are taking it away all together. One of the automotive companies, for example, was giving some of our students a full ride and in the middle of the program took it away.
In the undergrad program, the problem is in getting student loans and in getting scholarships. A large percentage of students here, and at every university, are there with some kind of financial aid, whether it is a student loan or a scholarship or something of that nature. They are not paying the full ride themselves, and when money gets tight, students and their parents are forced to make some very, very difficult decisions.
FIELD: Now I've covered education and business for a long time, and one of the things I am always aware of is sort of the give and take and the sort of "necessary tension" between education and the private sector, because you've always got the private sector saying the schools are not giving us what we need, and the schools saying the private sector is not telling us what they need. What do you find that you need most from the private sector now?
STEPHENSON: Well, one of the things that we have found is that because we participate in the National Science Foundation Scholarship for Service Program (or what they call the cyber corps) we found we have learned a lot about what an employer really wants because our students are required by the terms of the scholarship to do internships with a government agency while they are at school, and then they are required to take--it's a two year scholarship, so they are required to take two years of service with a government agency.
So we have to monitor that closely, and that is part of the requirements, and we have learned a lot about what government agencies want to see in students, so we apply that to how we prepare our students. And the ones that go into the private sector, we help them apply those same principles. To give you an idea, a major consulting company (one of the top maybe three or four in technology in the country) regularly takes our undergrad students as interns. This past year we had--this past summer we had two, three students go over there. Three students went to work for them, and two of them are graduating this year, and one is graduating next December, and all three of them have job offers.
FIELD: Very good.
STEPHENSON: So it is working.
FIELD: Peter, what do you offer uniquely to the private sector from your programs?
STEPHENSON: Our students are rather unique, especially our undergrad students. Because we are a military school, there is a very strong desire on the part of our students to serve. Now we are not 100% military. About a third of our students are civilians, and about two-thirds are in the Core of Cadets. So you would think that there would be a dichotomy between the civilians and the cadets, but it turns out for the most part there isn't.
Our students have this strong desire to serve, and employers pick that up whether they are public sector or private sector. The students are willing to learn. They come into an internship or a new job with a rather unique perspective and the perspective is that they are there to work, and they are not there to sit around and maybe shuffle some papers or work in the mailroom. They are there to get down into a project, and we found that employers who take the students on as interns greatly appreciate that attitude, and they let the students do more than they would normally allow a student to do, and it has always been successful.
I have been with this program now for almost five years between the master's and the bachelor's degrees, and I can count on one hand with plenty of fingers left over failures we have had in that context.
FIELD: That is very good. Last piece of advice from you is some insight; for someone that wants to either start or transition into an information security career right now, what one piece of advice would you give to them?
STEPHENSON: Don't underestimate what you are getting yourself into. It sounds awfully glamorous. There are--and pilots experience this--there are days of boredom punctuated by moments of terror. In our job, you do a lot of fairly routine work. It is not the same thing all the time, there are huge amounts of variety in what we do, but when we are forced to deal with a crisis, it is a crisis that happens very quickly and needs to be dealt with very quickly because things move very rapidly in cyberspace.
So my advice is that if you want to get into an information security career, be aware of what you are getting yourself into. Have a very good mix of both technical and managerial and policy experience or education because there is no one area of information security that is isolated from any other.
FIELD: Very good. Peter I want to thank you for your time and your insight today.
STEPHENSON: Well it was a pleasure to do it, and I hope it is useful to your listeners.
FIELD: We've been talking with Dr. Peter Stephenson from Norwich University. For Information Security Media Group, I'm Tom Field. Thank you very much.