Cybersecurity: The New FrontierDickie George of the NSA on the State of Information Security Education
As Information Assurance Technical Director at NSA, George visits schools frequently, and the number one problem he sees is keeping professors and students up-to-date with the constantly evolving technology.
"The real problem that I see is technology is moving so fast that it's very difficult for even professionals whose jobs are to stay up with technology to do it, much less professors who are pulled between teaching and research," George says in an interview with BankInfoSecurity.com's Tom Field [transcript below].
There aren't enough deep security experts, George says, to fill all the holes in security, which is a problem that NSA is trying to solve along with the universities.
Regardless of the challenges, cybersecurity is a growing field and opportunities abound for those interested in entering the profession. "There's no place in America where there's more opportunity for you to take on meaningful work, challenging problems and really enjoy yourself," says George.
In an exclusive interview about the state of information security education today, George discusses:
- What works and what needs more work in education;
- How information security education has evolved;
- Advice to people looking to join the profession.
George began at the National Security Agency in August 1970 after graduating from Dartmouth College. He started in the Crypto-Math Intern Program, having tours in Research, the SIGINT Directorate, and the Information Assurance Directorate's [IAD] predecessor organization. Except for a tour in the Signals Intelligence Directorate [SID] and one at the Center for Communications Research in Princeton, he has worked in the IAD since 1973, and has served as the Technical Director of the IAD since 2003. As a technical leader, George works closely with teams and individuals giving advice and direction on specific, as well as general, technical questions; mentors; and serves on various technical boards. He serves as a liaison to the SID and R math communities.
TOM FIELD: It's been a couple of years since we've spoken. Tell us a little bit about your current work with education please.
DICKIE GEORGE: We're continuing our work with the Centers of Academic Excellence program here at NSA. We've expanded that significantly. I believe that we just had a fledgling CAE research program last time we talked, and that has really taken off. We have a number of schools that are doing phenomenal research in this area. We've also expanded down to the two-year schools in an effort to hit a different segment of the population that plays an important role in our cybersecurity. We're working significantly with the schools on developing new criteria, simplifying the re-certification criteria, updating the problem list that we share and also dealing with some over-substance issues like the curriculum.
State of Infosec EducationFIELD: Nobody sees the schools like you do. In your travels and your observations, how do you assess the state of information security education today?
GEORGE: That's a great question and it's one that I ask myself constantly. Not only what is the state, but how do we improve the state. It's spotty in a number of ways. When I go to schools and talk to professors, first of all they feel pressure in two directions. There is pressure from the students. The students want to learn the skills that will allow them to go out and get a job at the end of the year. The professors are more interested in teaching the solid foundation that will build the students into the researchers of the future, to make them people who can go out to teach. That balance between skills needed to do today's job and the solid foundation that you need to address tomorrow's issues is one that we're really trying to deal with. We need people that can step right in and deal with today's problems, but we also need people that will be able to look at tomorrow's problems.
We have schools that are doing a tremendous job in teaching hands-on skills and that's absolutely critical for today's students. Without the hands-on skills that you need to go out and really defend the net, you don't know how and you don't know what you're capable of doing what you need to do. We really need people to be concentrating on the hands-on skills. At the same time, they really need that balanced foundation that's going to allow them to understand tomorrow's problems. One of the big problems is the problem set today is so broad that you need a very broad curriculum to enable students to tackle all the problems. None of the faculties are really broad enough that they're deep in every area of today's problems, and that's a problem for us. We need to train everyone who comes here to some extent.
It's great working with the schools. With some of my favorite professors, I go and talk to them and say this would be a great course if you would teach it. They'll say, it would be great if we had a professor who knew that area, but we really aren't capable of teaching that right now. So they understand the problems. They have the same kinds of limits that we do. They can't add the faculty that they would like to add so they can cover the waterfront of security. It's a real problem for the country. It's a problem that we share not just with government, but we share with industry and academia. There aren't enough deep security experts to go around filling all the holes that we have, and that's a problem that we're trying to take on.
What Works, What Doesn'tFIELD: Let's dive into this a little bit. As you look around, what do you find that's working well within the education institutions?
GEORGE: A lot of the things that are working really well for us are our CAE program. It's working well in a number of ways. We have a couple of conferences a year where we get people together from the various schools. It's a really open community. They're sharing information. They're working together. They're collaborating like they never had before. I think that the CAE Program has really fostered us a spirit of community among the various schools. They see that I can't do this, but you can do that. And with the Internet today you can have virtual centers of excellence among numerous schools working today. That is a tremendous opportunity. I see schools taking advantage of that. Distance learning, the opportunities that the Internet gives us, is phenomenal. That's really working well.
FIELD: Flipside of that. What do you see that most needs work? You spoke about the trained professors themselves and that we need more trained professionals that can teach. What else do you see that really needs more work and attention?
GEORGE: Besides the numbers of people that know what's going on, we need to understand that there are various problems and we need people that are able to address those problems at all levels. From system administrators to professors in college, we need to make sure that we get the proper training. The real problem that I see is technology is moving so fast that it's very difficult for even professionals whose jobs are to stay up with technology to do it, much less professors who are pulled between teaching and research. It's extremely difficult for anyone to keep up with technology the way it's working today.
FIELD: Now you've spoken about the threat landscape, about the evolution of technology. Where have you seen the biggest changes in information security education?
GEORGE: The biggest changes in education have taken place in the last few years because there's now an understanding in universities that there wasn't ten years ago about how widespread targets are. Ten years ago people viewed someone else as the target. Maybe government is a target, possibly big industry is a target; but now people realize that individuals are targets, small industry is targeted, big industry is a target, federal government is targeted and it's a very, very real threat. The appreciation of the threat is a huge change.
Getting People Interested in InfosecFIELD: One of the common themes we hear is about the number of information security jobs that have opened, the number of professionals that we need in the public and the private sectors alike. In your opinion, how do we get more people into information security and make sure that we get the right people into the right roles?
GEORGE: That's a problem that we're trying to address, and unfortunately the way that we try to address that doesn't scale particularly well. What I have encouraged people to do everywhere I go is to understand that you don't take a senior in college and tell them that here's a job that they might be interested in. The important thing is to get to students early in their academic careers and it could be as freshman or sophomores in college; it's better if it's K-12. People need to understand that there are challenging problems and exciting jobs in this area, and there will be for years ahead. There's no field that has more opportunity than cybersecurity. That's really where it is.
Now the way I would like to tackle this is how back in the '60s we took on the space race, and it was such an exciting thing that it almost became a clichÃ©. You would say, well that's not "rocket science." Rocket science was the epitome of what you wanted people to be. I would like to have that in people's minds today. But that's not cybersecurity. It's not as catchy as "rocket science". I wish it was, but you want people to understand that this is the new frontier. Cybersecurity is where the country is at risk, and this is where we need people. There are challenging jobs, hard problems, great work, opportunities, teaching, working for the government, working for private industry; the opportunities are bound and it's really interesting work.
We need to drill that into people's heads early on. I have spoken at some camps that they have for middle schools and you can see their eyes light up when they understand that this technology that they love to play with they can play with for the rest of their lives and get paid for it. This could be a job. Just that realization, it makes them aware that there is a future in this. But that doesn't scale. It doesn't scale for me to go to every camp. That is something that we as security professionals all have a responsibility in, to let the students know that there's a future in this, and that is all we can do. The more we bring students into this, the better off we are. We really have to aim at the under-represented groups: women. There are nowhere near enough women in this field. If we are really hurting for cybersecurity professionals and we automatically exclude half the population, we are dooming ourselves to failure.
FIELD: A final question for you. What advice would you offer for someone that is looking to either start their career or even re-start their career today in information security?
GEORGE: I would tell them go for it. There's no place in America where there's more opportunity for you to take on meaningful work, challenging problems and really enjoy yourself. People love technology. Everyone loves technology. This is the latest technology. There's an opportunity to make a difference for the country; people today want to make a difference. You can go out, get a job, learn the technology, make yourself smarter, and make yourself better and the country safer. I would encourage anyone who thinks about this to just plunge in and take it on. In every school, down to the two-year schools, there are opportunities where you can learn while you're still working. Make yourself a better person; give yourself more opportunities in life. It's a no-brainer to me. If you want to do it, just do it.