Diverse cyber security work force must have technical expertise, flair for problem-solving
Attacks on government, corporate, and individual computers have exposed the vulnerabilities of an increasingly networked world, while revelations of widespread government surveillance cause many to wonder whether personal privacy is a thing of the past. Cyber threats have been called the United States’ greatest security problem—as highlighted by the recent Sony hack. The cyber security profession offers solutions, and not all of them are technical.
As in past times of national crises, the United States faces a shortage of people with a particular set of advanced technical skills. According to a 2014 study by the Ponemon Institute, an information security and privacy research center, the demand for cyber security professionals in both the public and private sectors far exceeds the supply. There is a need for people with expertise in computer science, math, programming, electrical engineering, and logic, but also for people with a range of technical and nontechnical problem-solving skills.
Cyber security is a young, rapidly evolving field that encompasses many different jobs and roles. A 2010 Bureau of Labor Statistics report estimated that there were about 72,670 people in the "information security analysts" job category, which does not include all cyber security positions. The need-much greater than demand, which is actual job openings-for cyber security professionals in the United States is staggering, considering there are about 6 million businesses and 90,000 local governments and school districts, all of which must, to some degree, protect their data and their networks.
Does the cyber security job boom mean opportunities for women? Eugene Spafford, PhD, professor of computer science at Purdue University, believes inclusion in the field of cyber security is a must, and that attracting and retaining women is crucial to finding the kind of technical talent needed. He says when women get shut out or leave the field, their strengths are lost and the profession suffers. Dr. Spafford, who is also executive director of Purdue's Center for Education and Research in Information Assurance and Security, said, "If you have women on the design team, you're more likely to get discussion about privacy side effects and human/ computer interface. Having a diversity of views and experience always leads to better results."
Jeremy Epstein, longtime board member of Applied Computer Security Associates (ACSA), agrees. ACSA is a 30-year-old nonprofit organization whose mission is to improve understanding of the theory and practice of cyber security. It sponsors cyber security research conferences, including ACSAC (Annual Computer Security Applications Conference) and NSPW (New Security Paradigms Workshop). Epstein, who has been a cyber security professional for 25 years, said, "Women are historically very underrepresented in computer science and in computer security. When I started in computer security 25 years ago, the field was 20% to 30% women. Now it's between 5% and 10%. That's obviously going in the wrong direction."
Troubled by this trend, Epstein persuaded ACSA's board to fund scholarships for women who want to study cyber security and need financial help.
The first scholarships were awarded in 2012. Since then, ACSA has been able to increase the number of awards it makes by partnering with HP and the Computer Research Association's Committee on the Status of Women in Computing Research (CRA-W). For the academic year 2014-2015, there are 11 scholarship winners, both undergraduate and master's degree candidates, from colleges and universities across the United States.
The National Science Foundation (NSF) also has awards for cyber security education, including the CyberCorps Scholarships for Service (SFS) program, which offers full scholarships to students in academic cyber security programs. In addition, the NSF supports interdisciplinary, cyber security-related research and education programs, such as the NSF/Intel Partnership on Cyber-Physical Systems Security and Privacy (CPS-Security) and Secure and Trustworthy Cyberspace (SaTC).
In response to the demand for a larger, more highly skilled cyber security work force, a growing number of universities, and even some community colleges, are adding cyber security classes. With the help of a $200,000 NSF grant, the departments of electrical engineering and computer science at Cleveland State University and Case Western Reserve University (CWRU), both in Cleveland, are collaborating on an undergraduate cyber security curriculum. The sequence includes courses in hardware, software, and information security. The final exam for the hardware class is a hacking exercise in which students hack their classmates' computers and defend their own. Although controversial as a teaching method, hacking, which exploits a system's weaknesses, is one way to learn how to identify and remedy these weaknesses. CWRU Professor Swarup Bhunia, PhD, contends that hands-on, simulated attack-and-defense classes prepare students to come up with solutions to the specific security vulnerabilities they will encounter in the workplace.
Pablos Holman, an inventor, futurist, and hacker, said in a TedXMidwest talk, "Hackers have minds that are optimized for discovery." He pointed out that hackers methodically attempt to compromise every aspect of a system's defenses, "just to see what will fall into their laps." The hacking mind-set, however, can be applied in an ethical way to other kinds of problems. Holman is part of a multidisciplinary team of scientists at Intellectual Ventures Laboratories that is analyzing the lifecycle of the malaria parasite. By understanding every stage of malaria and looking for weaknesses, the team has come up with some novel ideas for controlling the disease, which kills hundreds of thousands of people annually, mostly children in Africa.