M. E. Kabay, PhD, CISSP-ISSMP
Professor of Computer Information Systems, School of Business & Management
Norwich University, Northfield VT
Professionals facing the worsening economy must weigh their options for career advancement carefully. What are the job prospects for information assurance (IA) professionals? Should practitioners be investing in training, certification, education, or combinations of these aids to advancement? There are grounds for predicting continued demand for IA professionals because of continued international pressures on intellectual property and national infrastructure; in addition, insider crime is likely to grow as the economy worsens. Employers are likely to continue valuing education, training, and certification as contributors to and markers of value in their employees and prospects. []
As the global economy continues its steep decline in 2009, new and established IA professionals must make hard choices about how to invest time and money in career advancement. They must compare the requirements for additional certification and for additional advanced degrees, and balance the costs and benefits of each. Those of us managing IA education programs are making the same comparisons, and are asking ourselves whether we are in for a period of retrenchment or of growth.
Several questions arise as we talk to prospects who are trying to decide whether to enter college-level educational programs:
A 2004 article on IA careers summarized the issues at that time and readers are invited to read it for background if they wish.[]
The first issue is whether we shall continue to see growth in demand for the IA professional in these straitened economic times. The commonplace assumption is that as the economy worsens, crime increases.
Unfortunately, trustworthy computer-crime statistics are notoriously difficult to acquire[], but the consensus of informed opinion is that “One of the unpleasant side effects of an economic downturn is an increase in crime.”[] In particular, reports Scott Campbell, crimes against data are of special concern and well-run businesses are taking the threat seriously:
…Tom Amrhein, [is] director of information services at Forrester Construction in Rockville, Md.… “During a downturn, there is more potential for issues of breaches of confidentiality and breaches of security,” he said. “We’ve increased our awareness without having it seem authoritarian.”
Even without the economic downturn, computer crime and data theft have been on the rise. The 2007 report sponsored jointly by the National Counterintelligence Executive < http://www.ncix.gov/ > and the American Society for Industrial Security (ASIS) Foundation < http://www.asisonline.org/ >, “Trends in Proprietary Information Loss,”[] found that
Ben Levisohn, writing in January 2009, reported that white-collar crime experts generally agree that financial fraud and computer crime are likely to increase as the economy worsens:
During a Web conference conducted by Deloitte Financial Advisory Services’ Anti-Fraud Consulting Services, nearly two-thirds of 1,500 executives who chose to respond to a poll said they expected more frauds to be uncovered as the economic downturn continues. While that result could be skewed because of who was polled—they all had an interest in fraud going in—history backs them up.
Data from the National White Collar Crime Center show a spike in arrests for fraud and embezzlement during the two most recent recessions. Following the savings and loan crisis and the downturn in 1990, white-collar fraud arrests jumped 52% over the next two years; following the Internet bust in 2000, arrests jumped 25% in the following two years. “White-collar crime clearly upticks when there’s a downturn in the economy,” says Michael B. Himmel, a defense attorney specializing in white-collar crime at Lowenstein Sandler and a former federal prosecutor.[]
Economic hard times are also likely to increase international support for cybercrime; for example, an article from Computer Weekly in October 2008 included these generalities:
Politically motivated computer crime has been growing steadily since the late 1980s. The threat comes from both nation-states and individuals or groups with political agendas....
The threat is not limited to state secrets or the military but extends to commercial and economic interests and, therefore, industries such as finance, high technology, bio technology and telecommunications.[]
The threat from China, in particular, is serious. For a comprehensive summary of Chinese military strategy, including their information warfare capabilities, see the Annual Report to Congress: Military Power of the People’s Republic of China.[] A compilation of extracts from those studies bearing on information warfare capabilities, including industrial espionage activities, of the People’s Republic of China is also available.[]
A recent case of what is likely to be Chinese state-sponsored computer crime surfaced in March 2009 when researchers Shishir Nagaraja of the University of Illinois at Urbana-Champaign and Ross Anderson of Cambridge University published a report on “malware-based electronic surveillance of a political organisation by the agents of a nation state.”[] The abstract continues,
While malware attacks are not new, two aspects of this case make it worth serious study. First, it was a targeted surveillance attack designed to collect actionable intelligence for use by the police and security services of a repressive state, with potentially fatal consequences for those exposed. Second, the modus operandi combined social phishing with high-grade malware….
The worsening economic situation is likely to increase demand for IA personnel. The US Bureau of Labor Statistics (BLS) studies a wide range of professions and has valuable insights into the prospects for IA specialists.
The BLS report indicates that employment prospects in the US for computer support specialists in general seem good (or they did when the data were last updated, in April 2007):
Job growth among computer support specialists reflects the rapid evolution of technology…. Employment of network and computer systems administrators is expected to increase by 27 percent from 2006 to 2016, which is much faster than the average for all occupations. Computer networks have become an integral part of business, and demand for these workers will increase as firms continue to invest in new technologies. The wide use of electronic commerce and the increasing adoption of mobile technologies mean that more establishments will use the Internet to conduct business online. This growth translates into a need for systems administrators who can help organizations use technology to communicate with employees, clients, and consumers.[]
The BLS describes “computer security specialists” as follows:
In some organizations, computer security specialists may plan, coordinate, and implement the organization’s information security. These workers educate users about computer security, install security software, monitor networks for security breaches, respond to cyber attacks, and, in some cases, gather data and evidence to be used in prosecuting cyber crime….
Prospects for IA professionals are even better than for computer support personnel in general, according to the experts at the BLS:
Demand for computer security specialists will grow as businesses and government continue to invest heavily in “cyber security,” protecting vital computer networks and electronic infrastructures from attack. The information security field is expected to generate many new system administrator jobs over the next decade as firms across all industries place a high priority on safeguarding their data and systems.
The BLS section on “Training, Other Qualifications, and Advancement” of computer support personnel notes
A college degree is required for some computer support specialist positions, but certification and relevant experience may be sufficient for others. A bachelor’s degree is required for many network and computer systems administrator positions. For both occupations, strong analytical and communication skills are essential.
The subsection on “Education and training” begins
Due to the wide range of skills required, there are many paths of entry to a job as a computer support specialist or systems administrator. Training requirements for computer support specialist positions vary, but many employers prefer to hire applicants with some formal college education. A bachelor’s degree in computer science or information systems is a prerequisite for some jobs; other jobs, however, may require only a computer-related associate degree.
As technology continues to improve, computer support specialists and systems administrators must strive to acquire new skills. Many continuing education programs are provided by employers, hardware and software vendors, colleges and universities, and private training institutions. Professional development seminars offered by computing services firms also can enhance skills and advancement opportunities.
The introduction to the “Job Outlook” section starts with this comment:
Employment of computer support specialists and systems administrators is expected to increase much faster than the average. Job prospects should be best for those with a college degree and relevant experience.
In the subsection on job prospects, the BLS experts write
Job prospects should be best for college graduates who possess the latest technological skills, particularly graduates who have supplemented their formal education with relevant work experience. Employers will continue to seek computer specialists who possess strong fundamental computer skills combined with good interpersonal and communication skills. Due to the demand for computer support specialists and systems administrators over the next decade, those who have strong computer skills but do not have a college degree should continue to qualify for some entry-level positions.
Respected security experts Vic Maconachy and Sy Bosworth summarized the growing importance and availability of undergraduate and graduate education in IA as follows:
Information assurance, with public and private sector development of educational and training initiatives, has secured a required focus of study for future employees. It is a constantly changing field, wide open for continued new research. The governmental support and mandate of such initiatives will ensure that if any companies or universities were to lag in their adoption, there would be unfavorable consequences, aside from the presence of a serious shortcoming in their educational curriculum.
We can expect to see continued growth in information assurance education in colleges and universities worldwide.[]
A baccalaureate degree with a major or a concentration in IA provides an opportunity for in-depth, extended thought and practice involving fundamental concepts, terminology, applications and management of IA. The Norwich University BS in Computer Security and Information Assurance (BSCSIA) includes the following descriptive text on its home page:
Skills used in many areas
As an information assurance graduate, you can expect opportunities to use your skills in private industry, government, law enforcement, the military, health services and academia. You will be able to earn a living in a fascinating, ever-changing field using a wide range of computing skills and managerial skills.
Understanding more than just information security
You will be able to think through the many organizational and management issues as well as the technical ones. Security today involves a wide range of challenges, including a grasp of business and management issues, good interpersonal skills, and a thorough grounding in the technology of computing and networking.
Doing your part to meet the needs of the nation
Information security is increasingly viewed as a necessary component of national security. If you decide to join the military after your graduation, you can aim for technically-demanding positions and perhaps get involved in signals intelligence (SIGINT), communications security (COMSEC), human intelligence (HUMINT), counter-intelligence (COINTEL), and information warfare (INFOWAR) activities and studies.[]
An advanced degree in IA extends the depth of study; for example, the Infosec Graduate Program at the Center for Education and Research in Information Assurance and Security (CERIAS) of Purdue University offers both MS and PhD programs with a number of interdisciplinary options that allow a tremendous range of choice for research-oriented students.[]
The management orientation of the Master of Science in Information Assurance (MSIA) program at Norwich University uses a model more similar to a classic course-centric Master of Business Administration (MBA) with the addition of a student-defined case study. The program introduction includes the following descriptive text:
Norwich University’s online Master of Science in Information Assurance program was created to develop management leaders in the field of information assurance. The program capitalizes on your IT experience while offering an in-depth study of information assurance challenges that exist beyond the boundaries of the data center. You graduate with a thorough understanding of the business, governance and policy issues that are the foundation for effective solutions to current and emerging security threats, and you will have developed the skills necessary to communicate those issues to other leaders in your organization.
Designed for busy working professionals, the coursework focuses on the integration of information security technologies with the business problems and opportunities of the real world - your own workplace. Graduates are prepared to assume professional management responsibilities such as those of Chief Security Officers, Security Administrators and Chief Information Security Officers.[]
The BLS notes in the “Education and training” subsection of “Training, Other Qualifications, and Advancement” that
…for some jobs, relevant computer experience and certifications may substitute for formal education. For systems administrator jobs, many employers seek applicants with bachelor’s degrees, although not necessarily in a computer-related field.
A number of companies are becoming more flexible about requiring a college degree for support positions. In the absence of a degree, however, certification and practical experience are essential. Certification training programs, offered by a variety of vendors and product makers, may help some people to qualify for entry-level positions.
A recent summary of professional certification and training in IA explains
Sometimes students, professionals, and marketers use the terms “certificate” and “certification” interchangeably. In addition, academics and professionals sometimes differ in their interpretation of “accreditation.”
· A certificate is a “document providing official evidence: an official document that gives proof and details of something such as personal status, educational achievements, ownership, or authenticity.”….
· Certification, in this context, is the process (thus, a verb) of examining the work experience, knowledge and trustworthiness of a candidate for a particular certificate; confusingly, the certificate granted for qualified applicants is often referred to as a particular certification (and thus, a noun).
· “Accreditation” refers to the process of “officially recogniz[ing]” a person or organization as having met a standard or criterion. In information assurance, accreditation is carried out by official, industry- and government-recognized bodies.[]
Professor Urs Gattiker writes
Information assurance is an important area for training as well as for upgrading the skills of security officers. Without considering security and dependability issues, and without also understanding the development of secure and dependable applications and networks when attending IA training, graduates will be unprepared for the ever-increasing complexity they encounter at work. Accordingly, training and education must also address the managing of risks, reliability, dependability, and security of ever-more complex systems and not focus only on certification based on passing multiple-choice tests. Understanding concepts and being able to transfer them into various settings may be a better preparation for doing well as a security officer than acquiring too many tools and knowledge of facts.[]
In discussions with alumni of the Norwich MSIA program, it has become clear that almost all of the graduates who took the examination for the Certified Information Systems Security Professional (CISSP) certification[] – and the total as of 2009 was over 200 – passed the examination on their first try. The (ISC)² does not publish pass/fail rates, but many organizations and informal discussion with (ISC)² staff indicate that the failure rate is ~30%.
Additional resources are available from CyberDegrees.org, which runs a website for students interested in cyber security. Here are a few important features of the site:
Dr John Orlando, former Program Director for the Master of Science in Business Continuity Management (MSBC) degree at Norwich University < http://businesscontinuity.norwich.edu/ > and former Program Director for the MSIA degree, has often said that university degrees and professional certifications complement each other in the fields of IA and business continuity (BC). Writing specifically about the MSBC, he notes
As in most professions, early practitioners learned their craft through networking with other professionals. These professionals formed associations that defined the common body of knowledge, and provided training and certifications. With new standards such as BS25999, the profession has gained a clear conception of the competencies needed for the continuity professional. The time is ripe for higher education programs to provide academic credentials that will advance the careers of professionals and raise professional standards in business continuity. The Master of Science in Business Continuity Management degree does just that.[]
The questions posed at the start of this report were as follows:
Given the information provided in this paper, the answers seem justifiably to be as follows:
Prepared with a strong educational foundation and advanced degrees, and equipped with appropriate professional certifications and industry training, IA practitioners will flourish despite the difficult economic times ahead of us.
[] The author thanks Elizabeth Templeton, Administrative Director of the MSIA Program in the School of Graduate Studies at Norwich University, for her as-ever insightful and constructive editorial suggestions. All errors and omissions remain the responsibility of the author.
[] Kabay, M. E. (2009). “Understanding Computer Crime Studies and Statistics v5.” < http://www.mekabay.com/methodology/crime_stats_methods.pdf >. Retrieved 2009-03-29.
[] Campbell, S. (2009). “As Economy Worsens, Business Protection Gains Importance.” The Channel Wire (2009-01-30). < http://www.crn.com/security/213000081 >. Retrieved 2009-03-29.
[] Heffernan, R. J. (2007). Trends in Proprietary Information Loss: Survey Report. (August 2007) ASIS Foundation & National Counterintelligence Executive. < http://www.asisonline.org/newsroom/surveys/spi2.pdf >. Retrieved 2009-03-29.
[] Levisohn, B. (2009). “Experts Say Fraud Likely to Rise.” Business Week (2009-01-09). < http://www.businessweek.com/bwdaily/dnflash/content/jan2009/db2009018_753877.htm >. Retrieved 2009-03-29.
K. (2008). “How do we tackle political cyber-crime?” Computer Weekly (2008-09-28). < http://www.computerweekly.com/Articles/2008/09/29/232486/how-do-we-tackle-political-cyber-crime.htm >. Retrieved 2009-03-29.
[] Annual Report to Congress: Military Power of the People’s Republic of China. US Department of Defense. < http://www.defenselink.mil/pubs/china.html >. Retrieved 2009-03-29.
[] Kabay, M. E. (2009). “US DoD Annual Estimates of Information Warfare Capabilities and Commitment of the PRC 2002-2009.” < http://www.mekabay.com/overviews/dod_prc_iw.pdf >. Retrieved 2009-03-29.
[] Nagaraja, S. & R. Anderson (2009). “The snooping dragon: social-malware surveillance of the Tibetan movement.” Technical Report Number 746, University of Cambridge Computer Laboratory (UCAM-CL-TR-746, ISSN 1476-2986). Abstract < http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.html >; full text < http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-746.pdf >. Retrieved 2009-03-29.
[] Engineering Degree (2012). “Computer Network, Systems and Database Administrators.” EngineeringDegree.net. Retrieved 2012-10-27. [Thanks to Victoria Lipnick for spotting a dead link in the previous version of this article and providing this replacement.]
[] Maconachy, V. & S. Bosworth (2009). “Undergraduate and graduate education in information assurance.” Chapter 75 in: Bosworth, S., M. E. Kabay & E. Whyne (2009), eds. Computer Security Handbook, 5th Edition. §75.5, p 75.12. Wiley (ISBN 978-0471716525). AMAZON < http://tinyurl.com/caoxqm >. Retrieved 2009-03-29.
[] Norwich University Computer Security and Information Assurance Program Overview < http://www.norwich.edu/academics/business/infoAssurance/index.html >. Retrieved 2009-03-29.
[] Purdue University (2009). Infosec Graduate Program. < http://www.cerias.purdue.edu/site/education/graduate_program/ >. Retrieved 2009-03-29.
[] Norwich University (2009). Welcome to the Information Assurance Program. < http://infoassurance.norwich.edu/ >. Retrieved 2009-03-29.
[] Christian, C., M. E. Kabay, K. Henry & S. Schneider (2009). “Professional certification and training in information assurance.” Chapter 74 in: Bosworth, S., M. E. Kabay & E. Whyne (2009), eds. Computer Security Handbook, 5th Edition. §74.1.2, p 74.3. Wiley (ISBN 978-0471716525). AMAZON < http://tinyurl.com/caoxqm >. Retrieved 2009-03-29.
[] Gattiker, U. (2009). “European graduate work in information assurance and the Bologna Declaration.” Chapter 76 in: Bosworth, S., M. E. Kabay & E. Whyne (2009), eds. Computer Security Handbook, 5th Edition. §76.15, p 76.16. Wiley (ISBN 978-0471716525). AMAZON < http://tinyurl.com/caoxqm >. Retrieved 2009-03-29.
[] (ISC)² (2009). CISSP® -- Certified Information Systems Security Professional. < http://www.isc2.org/cissp/default.aspx >. Retrieved 2009-03-29.
[] Orlando, J. (2009). Message from the Director. Norwich University. < http://businesscontinuity.norwich.edu/directors_message.php >. Retrieved 2009-03-29.