Ira Winkler is Wrong: Undergraduate Degrees in Information Assurance are Worthwhile

Ira Winkler, a respected information assurance professional – and a long-time colleague starting in the early 1990s, when we were both involved with the National Computer Security Association – recently wrote, “Let’s scuttle cybersecurity bachelor’s degree programs.” (November 9, 2011, Computerworld). Since I was responsible for creating the original Bachelor of Science in Computer Security and Information Assurance (BSCSIA) program at Norwich University, I’m well suited to present a friendly rebuttal of his analysis.

1 Computer security undergraduate degrees too specialised?

Winkler writes,

“In no other computing discipline do you have a specialized degree program. You do not earn a bachelor’s degree specifically in software engineering, computer graphics, artificial intelligence, database management, systems administration, Web applications programming or project management.”

Yes, you do. It took me 30 seconds with GOOGLE to find lots of useful links. For example, here’s the definition of the bachelor of science in software engineering from the National Center for Education Statistics CIP Code 14.0903.

“Definition: A program that prepares individuals to apply scientific and mathematical principles to the design, analysis, verification, validation, implementation, and maintenance of computer software systems using a variety of computer languages. Includes instruction in discrete mathematics, probability and statistics, computer science, managerial science, and applications to complex computer systems.”

The “AllEngineeringSchools” database provides easy access to links for colleges and universities offering bachelor’s degrees in

  • Application Development
  • Database Management
  • Game & Simulation Programming
  • Game Programming
  • Health Informatics
  • Information Security And Forensics
  • Information Systems Management
  • Mobile Computing
  • Network Administration
  • Network Management
  • Project Management
  • Security
  • Software Engineering
  • Software Systems Engineering
  • Visual & Game Programming
  • Web Development.

So there are indeed specialized bachelor’s degrees in computer-science related areas, and one of those areas is information assurance.

2 “Why should there be a bachelor’s degree specific to cybersecurity?”

Winkler answers that question himself:

“Security professionals need to function in a variety of disciplines. They can be called upon to evaluate software for security vulnerabilities, to determine whether a user interface is suffering from information leakage, to design secure databases, to secure operating systems, to assess and shore up the security of websites, to incorporate security requirements into new developments and so on. The person you ask to do all of those things needs to be well rounded.”

Then he stumbles:

“But a cybersecurity degree program offers many security classes at the expense of classes that would normally be required to get a general degree in computer science or information systems.”

That’s certainly not true of the BSCSIA at Norwich University. The curriculum is shown on our Web site as is that of the Bachelor of Science in Computer Science. Figure 1 shows the similarities and differences of the two programs:

Figure 1. Comparison of BSCS & BSCSIA programs at Norwich University.

Figure 2 shows the concentration requirements for the Forensics and the Advanced INFOSEC Concentrations:

Figure 2. Concentration Requirements for BSCSIA at Norwich University.

Figure 3 shows which courses are allowed to fulfil elective requirements in the BSCSIA program.

Figure 3. Electives permitted for BSCSIA concentrations at Norwich University.

I fully agree with Winkler that “The best college degrees strive to help people have a broad understanding of not just their field, but culture in general.” Surely most security experts will agree that the Norwich BSCSIA degree is indeed a multidisciplinary program. Norwich BSCSIA graduates have consistently attained positions of responsibility in their organizations; our students are widely recognized as having a thorough foundation that allows them to listen, learn, analyse, and communicate at high levels of achievement.

3 Baccalaureate holders lack experience

Winkler writes,

“When you come right down to it, though, there is little in the world of information security that is more valuable than experience. And new graduates nearly always lack it to any significant degree.”

In the first place, the importance of experience does not vitiate academic preparation.

In the second place, although I cannot speak for other schools, I do know that many Norwich BSCSIA students have had excellent opportunities for real-world experience. For example, 15 students are currently (Fall 2011) taking a system administration course to qualify for their paid work in the Norwich University Center for Advanced Computing and Digital Forensics (NUCAC-DF).

Many (I don’t know exactly how many) students find work during the summers; they often use their experience to good effect in their job-hunting and in class. And since about three quarters of our students are Cadets in the Reserve Officer Training Corps (ROTC) at Norwich, many of them work in military assignments during their off-terms. I have had students who came back from assignments involving COMSEC in the US military and civilians who have worked on SIGINT with the National Security Agency (NSA). These students consistently contribute valuable insights to the other students based on their experience in real working environments.

In addition to self-arranged internships, we even have records of 14 students since 2000 who actually paid to take the IS410 “Computing Internship” course (Course Descriptions, page 278) formally so it could be added to their academic transcript. IS410 is routinely used to provide an academic vehicle for students who receive internships in private industry and government agencies:

Internships within CS/CSIA are designed to provide computing majors with the opportunity to apply and expand their knowledge within the computing discipline. The student must be a junior or senior at the time of enrollment[sic] and have good academic standing. The student must have the internship approved beforehand by a faculty member in CS/CSIA and have the written consent of the CS/CSIA Program Coordinator. In addition, a supervisor within the sponsoring organization must agree to provide a written description of the internship beforehand, and provide progress reports during and after the internship experience….

I don’t know how to quantify Ira Winkler’s assertion that “…new graduates nearly always lack it [experience] to any significant degree.” However, I try to avoid fuzzy phrases such as “nearly always” and “to any significant degree” in describing any phenomenon.

4 Professors’ Field Experience

On a secondary level, there is an indirect effect on our students from the field experience of our faculty. Every one of our computer security professors has real-world experience earning their living at what they teach. Some of the themes in all of the guidance our faculty include in their courses are

  • Study to make your learning a permanent part of how you look at the world, not just isolated information that you use to pass an exam and then forget.
  • Learn all the time: you can’t stop and sit on your behind in any profession and certainly not in the world of information technology and information assurance.
  • Information assurance is a servant to the organization: we help our colleagues achieve reasonable goals for protecting assets and stakeholders. We don’t dictate, we collaborate.
  • Security is a goal, not a state: you are facing moving, evolving threats.
  • When you start work, shut up and listen: don’t swagger around issuing arrogant commentaries. Only after you have earned the respect of your colleagues should you venture to make suggestions for improvement – politely!
  • Communicate clearly and simply – and respect word limits and deadlines in your professional assignments.

Finally, our Dean just informed us that every one of our fourth-year BSCSIA students now has a job offer, multiple job offers, or a signed contract of employment for their graduation in May 2012.

* * *

I hope that readers will find this analysis helpful in evaluating Mr Winkler’s comments – and that readers won’t be quite as depressed about the state of information assurance education as Mr Winkler is.