As part of RSA Conference’s dedication to the importance of security education, our own Cecilia Marinier spoke with Nasir Memon, Professor of Engineering and Associate Dean for Online Learning at New York University Tandon School of Engineering.
Memon has been an active member of the academic world promoting the importance of information security education since the late 1990s. Throughout this conversation you’ll hear about the evolution of security in the classroom, programs such as CyberCorp and his thoughts on how to fill the much-needed gap in talent across the information security landscape.
Cecilia: I want to start with some background of how you got into information security and how you started this program.
Nasir: When I first joined NYU in 1998, I was asked to teach a course in computer security, which was a graduate level course called Information Security and Privacy. I had done some work in cryptography and I happily took the challenge. When I started teaching the course, there were a couple of things I realized. The first was that the students very naturally became interested. Unlike some other subjects, I didn’t have to work hard to motivate them. They could see immediately why they needed to learn the subject. They could see the impact of failing to build secure systems. The second thing I realized was that you don’t teach or learn security by simply talking about it. You need to engage in hands-on activities that demonstrate how real systems can be made secure.
With that in mind, I asked one of the students in the class to help me build assignments. We started creating labs, and with my own research money I bought a few computers for these hands-on assignments. It went well. The student who helped me create the assignment is now the CSO of a very large bank, so, I guess it went really well. Students had a great learning experience and as time went by I thought: Perhaps I could create an even better lab using virtualization, because many things could not be taught on the campus network; they need to be isolated. This was way back in ’99, before the cloud or virtual technologies were ubiquitous.
Cecilia: In 1999 and 2000, we were already five years into the Internet. (I mean Netscape was out there.) So, I’d like to think there had to have been some information security education going on aside from this lab. Were computer science courses discussing or mentioning security at all back then?
Nasir: To some extent. Perhaps in an operating systems or networking course there might be a little discussion about security. But it was very scattered. At that time, threats to the Internet were viewed as the outcome of bored little kids writing viruses just for fun. Malicious action and actors were not viewed as a threat to our national security. Cybercrime was not really on the radar. However, by 2000 or 2001, there were people looking ahead at Purdue, Georgia Tech, and Tulsa. Their efforts helped start the CyberCorp program and President Clinton signed the order that created the CyberCorp program, essentially giving scholarships to students to pursue cyber security and in return they would go work for the government for two years after graduation.
Cecilia: Interesting! In the last five years I’ve noticed that there are a lot of Universities out there that are catching up or starting their own security program. So, now it’s almost as if we see a plethora of Universities getting more involved in the topic. So, can you kind of tell me a little bit about the transition in the last couple of years as you’ve seen it?
Nasir: The CyberCorp program and the large number of Universities that have started to offer security courses and programs, not just courses, is a good thing. People have become more and more aware of it. Of course, the quality varies from program to program, and sometimes the emphasis varies. Some programs focus more on policy or regulatory aspects, some on the managerial issues. Some focus on hard-core technology. Some focus on offense, some focus on defense. So, there’s been a big variety in terms of the focus and the quality. The Government support has been commendable, but one should also realize that - compared to the projections being made by industry of the need - it’s still a drop in the bucket. Over the fifteen years that the CyberCorp program has been going on, you probably have perhaps a few thousand students that have graduated, and they have influenced five times more, so maybe 10 thousand students have been influenced and graduated with cybersecurity degrees. But industry is talking about needing a million people. That’s two orders of magnitude higher. I don’t know what the solution is, but what we should understand is that the Government’s efforts, though commendable, really still fall way short of what is needed.
Cecilia: If we are seeing a huge shortage, which is one of the reasons that the RSA Conference is involved in trying to build out a program to get more information out to High Schools too – to hopefully get people interested in this field. What do you see, or how do you see the degrees differing? Do you think that people need to go to school for four years, or do you think that there’ll be a different way, like associate’s degrees or other kinds of means to get people in there and helping out quicker than the traditional four-year path?
Nasir: I think you need all of the above. You need credentials that can be obtained quickly and get you to speed to becoming a useful member in the cyber security workforce. At the same time, you need different types of people. You need people who are operational, who understand the basic tools, maybe understand certain techniques. But you also want people who understand the processes and are able to audit and then check for compliance and implement processes and things of that sort. You also need people who understand the technology very deeply, who know what’s going on under the hood and can create tomorrow’s protection mechanisms for the technology that changes rapidly.
At NYU, that is where we focus. It does take time to really educate a scientist or an engineer who will then become tomorrow’s Department of Defense leader. Another thing we look at, when we’re looking at cyber security, is that most of us – students and cyber security professionals – are male. There are very few women who choose cyber security as a discipline. To combat this, around six years back, I started this summer camp for high school girls, high school teachers, women teachers, and women in cyber security. We now even have symposiums for women run by other schools as well as NYU. Although you are seeing more women in the field in the last few years, the fact still remains that there are very few women who will choose this as a career. And if you’re not attracting women, then you’re basically leaving out 50% of the population, so it makes your job of building a talent pool, or a talent pipeline, even harder. This is further complicated by the fact that many domestic students are not choosing STEM subjects for their undergraduate degrees.
There are more people who study psychology than computer science, yet we know that the world needs many more computer scientists than psychologists. So one needs to do something about that. Of course, people are looking at high schools. Another potential source of cyber security talent is one of my favorite programs, and I’m really proud of it. I call it the NYU Tandon Bridge to Computer Science and Cyber Security. Basically, we tell students: Hey, you did your undergrad in anthropology, or psychology, or biology, or economics, music, or whatever, and now you want to participate in this whole technology revolution that’s going on. But you find yourself locked out, in the sense that it’s hard for you to get into a good school like NYU, and get admitted to a computer science program. This Bridge program is one semester and very intense. You have to work 30-40 hours a week. And it is very low cost. We don’t care where you came from, but if you do well – get at least a B+ – we will admit you to our Masters Program as long as you pass your GRE.
I’m seeing two interesting things from this pilot.
The first is that a majority of the students are women because they were the ones who kind of turned away from computer science when they were in high school or they were told that computer science was not for them in high school. Now they find themselves either underemployed or unemployed or their employment is not really doing justice to their talent and to their potential. They’re more mature and they understand that this is something they can really excel in, but it’s hard for them to get into a good school.
The second thing I saw was that some of them really have a very high aptitude. I mean, I have a student who majored in sociology and she was working as a social worker, she interned for a senator, and then as she was doing social science, she understood that she needs some data science in order to be a better social scientist. Although she had never written a line of code in her life, she completed the Bridge, and now she has been in the Master’s Program for a year and she’s getting mostly A’s and A-’s, going head to head with other graduate students who have completed bachelor’s degrees in computer science. So I think there is a good pool of students who have an aptitude for cyber security and it doesn’t require years of preparation as traditional engineering programs like electrical engineering might need. Students who have backgrounds in music and anthropology and English can become good computer scientists and they might even be good security professionals as well. I think we are missing out on this large pool of young people in our country who chose a non-technical discipline. We need to tap into them to fill in this shortage of cyber security professionals.