Security education in crisis

The information technology industry has become saturated with 20-something

whiz kids who lack adequate training, education and professional discipline,

creating a significant knowledge deficit when it comes to information security,

a panel of top educators warned.

"We're in a real crisis in higher education," said John Knight, a computer

science professor at the University of Virginia. Graduate programs in computer

science and information security "are being decimated" by an IT industry

that is filling the growing worker shortage with college kids who have not

completed their degrees, he said.

Knight and three other educators from top computer science college programs

delivered their warnings July 24 to industry and government officials at

the Cyber Security Planning Summit, held in Pittsburgh and sponsored by

Carnegie Mellon University's Institute for Survivable Systems.

The lack of education and experience among many of industry's software

and security technicians is particularly troublesome given the complexities

of modern computer system architectures, according to Knight. "It is essential

that we regain intellectual control," he said.

Changes under way throughout higher education will challenge traditional

notions of education, said computer science professor Charles Reynolds of

James Madison University. These changes also may offer some answers to the

personnel problems facing industry and government.

"The traditional model of education is that education is not training,"

Reynolds said. However, this perspective is changing to a model based on

"education that is lifelong training," he said. The integration of work

and learning will characterize higher education in 2010 to 2020, he said,

adding that it will shift from being a teacher-centric experience to a student-centric

experience with the help of distance-learning technology.

Peter Freeman, dean of the College of Computing at the Georgia Institute

of Technology, said students who take jobs before they graduate from college

will in a few years lack the basic skills to continue their education and

take a long-term view of security research and development. "Information

security is not just a technical problem," he said.

Panel members agreed that a partnership of industry, academia and government

is urgently needed to change the way people think about information security.

"The problem we face is broader and deeper than the Internet and broader

and deeper than security," Knight said.