NTXISSACSC4 - What Should a College Information or Cyber Security Program Contain?

@NTXISSA #NTXISSACSC4
What Should a College
Information/Cyber Security Program
Contain?
Rick Brunner, Col USAF (Retired), EJD, MS, SCF, CISSP, ITIL
Enterprise Information/Application Security Architect & Consultant, Adjunct Faculty
Robert Half & Collin College
7 October 2016

Disclaimer
The views, thoughts, claims, or opinions in this presentation
are solely those of the presenter.
Nothing in this presentation represents the views, thoughts,
claims, or opinions of Collin College, Robert Half, United
States Air Force, the Air Force Reserves, the Department of
Defense, the Intelligence Community, or any prior
employer.

Objectives
• Discuss why you may want a cyber, information, or
information technology security career
• Discuss steps to know who you are and apply that to
potential security focus areas
• Discuss subjects, topics, items or characteristics that
should be offered or included as part of a cyber or
information security degree program
• Compare/contrast different programs within the DFW
area
• Suggest recommendations or options that one should
look at while in a program or when looking at entering a
program

Definitions
Term Meaning Source
Computer Security Measures and controls that ensure confidentiality, integrity, and availability of
the information processed and stored by a computer
CNSS 4009
Cyber Security The protection of information assets by addressing threats to information
processed, stored, and transported by internetworked information systems
ISACA Glossary
Information
Assurance
Measures that protect and defend information and information systems by
ensuring their availability, integrity, authentication, confidentiality, and non-
repudiation. These measures include providing for restoration of information
systems by incorporating protection, detection, and reaction capabilities
CNSS 4009
Information Security Ensures that within the enterprise, information is protected against disclosure
to unauthorized users (confidentiality), improper modification (integrity), and
non-access when required (availability)
ISACA Glossary
Information
Technology Security
Is the process of implementing measures and systems designed to securely
protect and safeguard information (business and personal data, voice
conversations, still images, motion pictures, multimedia presentations,
including those not yet conceived) utilizing various forms of technology
developed to create, store, use and exchange such information against any
unauthorized access, misuse, malfunction, modification, destruction, or
improper disclosure, thereby preserving the value, confidentiality, integrity,
availability, intended use and its ability to perform their permitted critical
functions.
SANS

100 Best Jobs
Title U.S News
Ranking
Median Income
($)
Unemployment Rate
(%)
Number of Jobs (2014-
2024)
Computer Systems Analyst 3 82,710 2.6 118,600
Software Developer 13 95,510 2.5 135,300
Statistician 17 79,990 4.0 10,100
Operations Research
Analyst
18 76,660 3.8 27,600
Web Developer 20 63,490 3.4 39,500
IT Manager 29 127,640 1.8 53,700
Information Security Analyst 34 88,890 1.4 14,800
Mathematician 35 103,720 4 700
Database Administrator 48 80,280 2.0 13,400
Computer Support
Specialist
60 61,830 3.3 13,600
Computer Systems
Administrator
67 75,790 2.0 30,200
Compliance Officer 94 64,950 1.0 8,700
Source: http://money.usnews.com/careers/best-jobs/rankings/the-100-best-jobs

Is a Cyber Security Degree Worth It?

The Cybersecurity Workforce Deficit
• Global cybersecurity workforce
shortfall range from one to two
million positions unfilled by 2019
• In 2015, about 209,000
cybersecurity jobs went unfilled in
the United States alone
Source: Hacking the Skills Shortage--A study of the international shortage in cybersecurity skills, Center for Strategic and International Studies
Report, Sponsored: McAfee, Part of Intel Security, 2016

“Know thyself.”
― Socrates

Worth it? What is "it"?
Increased knowledge? Almost certainly
Increased satisfaction with one's profession? Quite likely
Better job opportunities? For many career paths,
yes
Additional knowledge in other domains? Almost certainly
Better opportunities for networking and social
connectivity?
Possibly
Providing a basis for advanced degrees? Almost certainly
Reducing initial outlay of funds? Probably not
Providing a better basis to pursue your own startup? Not usually
https://www.quora.com/Is-a-computer-security-degree-worth-it Author: Gene Spafford

Worth it? What is "it"? (Continued)
Once you define "it" then an answer can be
more readily determined
• Highly dependent on your own talents, skills,
and dedication
https://www.quora.com/Is-a-computer-security-degree-worth-it Author: Gene Spafford

Who Are You
• What are your strengths
• StrengthsFinder - http://freestrengthstest.workuno.com/
• What did/are you enjoy(ing) the most
• What are your hobbies
• What are your Goals:
• Short (1 to 2 years)
• Mid (3 to 5 years)
• Long (Anything past 5 years)
• What are you passionate about, alternatively, what drives you
• What is your personality type
• DISC
• Myers Briggs
• What is your emotional intelligence level
• What got you here won’t get you there – Goldsmith

Match Your Strengths
• Find that niche or specialty area
• Match strengths and experience with a potential Security domain
Strengths Previous Careers Security Focus Areas
Inquisitive, Analytical Law enforcement, Military, IT Incident Response, Forensics
Attention to detail, Focus Technical writing, Legal Policy and Governance, Privacy
Outgoing, Communicator Education, Sales Security Training
Professional, Collect input Sales, Marketing Business Security, BCP, Strategy
Detail oriented, Problem solver Insurance, risk, tax Risk Assessment, Architect
Data driven, Organized Engineering Metrics and Reporting
Technical, Structured Clerical, High tech Technology administration
Source: Mr. Scott Preston, Vice President, Corporate Information Security, GM Financial

Source: http://www.cyberdegrees.org/jobs/

Take Action
• Research the Security focus area in detail
• Books, podcasts, trade organizations
• Incidents in the news, compliance regulations
• Use web resources such as http://www.cyberdegrees.org/jobs/
• Show competency
• Gain an industry certification
• Complete a college course
• Complete a college degree
• Create a Plan of Action and Milestones

@NTXISSA #NTXISSACSC4 15
Where are we now?
Where do we want to go?
How do we do that ?
What do we need to do to get
there?
What Do You Need to Do
Current
State
Gap
Analysis
Desired
State

Do You Really Need College Degree
• Employers insistence on a bachelor’s
degree as a baseline credential for
cybersecurity work
• Only 23% of respondents say education
programs are preparing students to
enter the industry
• A bachelor’s degree in a technical field
is ranked third among most effective
ways to acquire cybersecurity skills,
behind hands-on experience and
professional certifications
• A degree is a signal of general
competence rather than indicator of
relevant cybersecurity skills
Source: Hacking the Skills Shortage--A study of the international shortage in cybersecurity skills, Center for Strategic and International Studies
Report, Sponsored: McAfee, Part of Intel Security, 2016

Another View
Source: Understaffed and at Risk--Today’s IT Security Department, Independently conducted by Ponemon Institute LLC, Sponsored by HP Enterprise Security
Publication Date: February 2014

Do You Really Need College Degree
(Continued)
• Average cost of a 4-year degree (tuition, fees, room and board)
• State School—$78,000
• Texas Resident—$23,140/year
• Texas Nonresident—$32,738/year
(http://www.collegeforalltexans.com/apps/collegecosts.cfm?Type=1&Level=1)
• Private School—2X State School
• Average student loan debt
• $37,000/graduate
• Not reported for those that did not graduate
• Consumer Reports national survey on 1500 student loan borrowers:
• 44% left college; cutting back on daily living expenses in order to pay loan
• 28% delaying major goals like buying a house
• 37% put off saving for retirement
• 45% knowing what they know now, their college experience wasn’t worth the cost
Source: Having the College Money Talk, Consumer Reports, August 2016

Alternatives
• Professional Certifications & Programs
• Non-traditional
• 2-Year degrees

Professional Certifications & Programs
• A degree will only take you so far up the job ladder (3rd criteria behind
experience and certification)
• Professional Security certification is necessary (2nd criteria behind
experience )
• They come in all shapes and subjects – from forensics to intrusion to
ethical hacking
• Regardless of the topic or level:
• Can be used across jobs and organizations
• Consists of training and a final exam
• Must be renewed periodically (every 3 to 4 years)
• Need continuing education credits for reaccreditation
• They can be expensive and time-consuming
• An entry-level credential can take three to nine months to complete and set you
back $300-$600 for the exam
• They can lead to promotion, better job prospects and/or a raise
• SANS survey reported salary increases of up to 5% after accreditation
Source: http://www.cyberdegrees.org/resources/certifications/

15 Top-Paying Certifications for 2016
Rank Certification Granting
Organization
Average
Salary ($)
1 AWS Certified Solutions Architect - Associate AWS 125,871
2 Certified in Risk and Information Systems Control (CRISC) ISACA 122,954
3 Certified Information Security Manager (CISM) ISACA 122,291
4 Certified Information Systems Security Professional (CISSP) ISC2 121,923
5 Project Management Professional (PMP®) PMI 116,094
6 Certified Information Systems Auditor (CISA) ISACA 113,320
7 Cisco Certified Internetwork Expert (CCIE) Routing and Switching Cisco 112,858
8 Cisco Certified Network Associate (CCNA) Data Centerr Cisco 107,045
9 Cisco Certified Design Professional (CCDP) Cisco 105,008
10 Certified Ethical Hacker (CEH) EC-Council 103,297
11 Six Sigma Green Belt Council of Six
Sigma
Certification
102,594
12 Citrix Certified Professional - Virtualization (CCP-V) Citrix 102,138
13 Cisco Certified Networking Professional (CCNP) Security Cisco 101,414
14 ITIL® v3 Foundation APM Group
Limited
99,868
15 VMware Certified Professional 5 - Data Center Virtualization (VCP5-DCV) VMware 99,334
Source: https://www.globalknowledge.com/us-en/content/articles/top-paying-certifications/

How Do You Get Your Foot in the Door (Non-
Traditional)?
• There is no one true path to working in cyber security
• Train in general IT
• Many experts suggest that you begin with a job, internship or
apprenticeship in IT
• Focus your interests
• Employers suggest you focus on an area (e.g. networking security) and do it
well
• Think ahead 5-10 years to your “ultimate security career”
• Look for start IT jobs that will supply you with the right skills
• Gain practical experience
• Gain professional security certification
• Use http://www.cyberdegrees.org/resources/transitioning-from-
general-it/#starter web site as a resource in your journey
Source: http://www.cyberdegrees.org/resources/transitioning-from-general-it/#starter

“Education is the kindling of a
flame, not the filling of a
vessel.”
― Socrates

What is a Cyber Security Degree
• The cybersecurity career field is constantly growing and changing
• There are an increasing number of cybersecurity degree programs, and there are also many
degree programs that can lead to careers in the cybersecurity field
• Many of these degree programs fall within the five traditional sub-disciplines of computing:
• Computer Science
• Computer Engineering
• Information Systems
• Information Technology
• Software Engineering
• Other degree programs that can also lead you there include
• Business
• Science
• Law
• Engineering
• Criminal Justice
• Other degrees
Source: https://niccs.us-cert.gov/education/degree-programs

How Do You Choose a Program
• Look for interdisciplinary degree that includes computer
programming, probability and statistics, system
architecture, software engineering, secure systems design,
ethics, business, communication, technical writing,
teamwork, and so forth
• Where to begin
• 2-Year Programs
• 4-Year Programs
Source: http://www.cyberdegrees.org/listings/

2-Year Program
• A technical 2-Year program should include the following core knowledge units
(KU):
• Basic Data Analysis
• Basic Scripting or Introductory Programming
• Cyber Defense
• Cyber Threats
• Fundamental Security Design Principles
• Information Assurance Fundamentals
• Intro to Cryptography
• IT Systems Components
• Networking Concepts
• Policy, Legal, Ethics, and Compliance
• System Administration
• Look for courses that give you a lot of hands-on experience with real world
problems
Source: National NSA/DHS Centers of Academic Excellence in Information Assurance/Cyber Defense Knowledge Units,
https://www.iad.gov/NIETP/documents/Requirements/CAE_IA-CD_KU.pdf

Incorporating Cybersecurity into Existing Curricula (Science,
Technology, Engineering and Mathematics [STEM])
• Technical Dual Credit at Collin College
• Allen Independent School District (ISD)
• Prosper ISD
• Frisco ISD
• Wylie ISD
• Student completes program at Collin
• Associate of Applied Science (AAS)
• Certification
• 4-Year Programs
• University of Texas—Dallas (UTD)
• University of North Texas (UNT)

4-Year Program
• Should include all of the 2-Year program KUs and these
additional KUs:
• Databases
• Network Defense
• Networking Technology and Protocols
• Operating Systems Concepts
• Probability and Statistics
• Software Engineering
• Have advanced classes such as cloud computing, forensic
accounting, wireless sensor networks
• Look for courses that give you a lot of hands-on
experience with real world problems
Source: National NSA/DHS Centers of Academic Excellence in Information Assurance/Cyber Defense Knowledge Units,
https://www.iad.gov/NIETP/documents/Requirements/CAE_IA-CD_KU.pdf

What Else
• Have specific criteria for choosing a degree
program (cost/geography/commute etc.)
• Look for a program that provides best value
• Evaluating programs
• NSA/DHS Current National Centers of Academic Excellence
Designated Institutions
• Ponemon Institute Report—2014 Best Schools For Cybersecurity
• Use these when you’re deciding between schools

NSA/DHS Current National Centers of Academic
Excellence Designated Institutions
In addition to core knowledge units, the NSA/DHS also
insists that a program:
• Demonstrates outreach and collaboration
• Has a center for Information Assurance (IA) / Cyber Defense
(CD) education
• Fosters a robust and active IA/CD academic program
• Ensures IA/CD is a multidisciplinary science within the
institution
• Supports the practice of IA/CD throughout the institution
• Encourages student and faculty IA/CD research

2014 Best Schools For Cybersecurity
(Ponemon Institute Report)
Characteristics that set the best schools apart:
• Interdisciplinary program that cuts across different, but related fields – especially
computer science, engineering and management
• Designated by the NSA and DHS as a center of academic excellence in information
assurance education
• Curriculum addresses both technical and theoretical issues in cybersecurity
• Both undergraduate and graduate degree programs are offered
• A diverse student body, offering educational opportunities to women and members
of the military
• Faculty composed of leading practitioners and researchers in the field of
cybersecurity and information assurance
• Hands-on learning environment where students and faculty work together on
projects that address real life cybersecurity threats
• Emphasis on career and professional advancement
• Courses on management, information security policy and other related topics
essential to the effective governance of secure information systems
• Graduates of programs are placed in private and public sector positions
Source: http://www.cyberdegrees.org/listings/ and
http://www.ponemon.org/local/upload/file/2014%20Best%20Schools%20Report%20FINAL%202.pdf

2014 Best Schools For Cybersecurity
(Ponemon Institute Report)
Insistence on interdisciplinary studies
• Course work to include management, law, business, ethics,
probability and statistics, communications, technical writing, and
teamwork*
• A strong degree is going to prepare you for issues you’ll be
discussing with non-technical colleagues
Source: http://www.cyberdegrees.org/listings/ and
http://www.ponemon.org/local/upload/file/2014%20Best%20Schools%20Report%20FINAL%202.pdf
*Note: probability and statistics, communications, technical writing, and teamwork were added by presenter

National Hacking or Capture the Flag
Competitions
• Provide an effective channel to
identify talent and develop
cybersecurity skills
• Over three in five survey
respondents say national hacking
competitions play a key role in
developing cybersecurity talent
• Overall two in five respondents
cite hacking competitions as
among the most effective way to
acquire skills
Source: Hacking the Skills Shortage--A study of the international shortage in cybersecurity skills, Center for Strategic and
International Studies Report, Sponsored: McAfee, Part of Intel Security, 2016

National Collegiate Cyber Defense
Competition (CCDC)
• CCDC Events are designed to:
• Build a meaningful mechanism by which institutions of higher education may evaluate
their programs
• Provide an educational venue in which students are able to apply the theory and practical
skills they have learned in their course work
• Foster a spirit of teamwork, ethical behavior, and effective communication both within
and across teams
• Create interest and awareness among participating institutions and students
• Competition:
• Each team begins the competition with an identical set of hardware and software
• Team scored on their ability to detect and respond to outside threats, maintain availability
of existing services such as mail servers and web servers, respond to business requests
such as the addition or removal of additional services, and balance security needs
against business needs
• An automated scoring engine is used to verify the functionality and availability of each
team’s services on a periodic basis and traffic generators continuously feed simulated user
traffic into the competition network
• A volunteer red team provides the “external threat” all Internet-based services face and
allows the teams to match their defensive skills against live opponents
http://www.nationalccdc.org/index.php/competition/about-ccdc/mission

National Collegiate Cyber Defense
Competition(Continued)
• Demonstrates:
• “TEAM” Work
• Technical ability to counter/mitigate/minimize “real” world
attacks
• Teams understanding in maintaining “Business Services”
while under attack
• Results
• Many participants receive on the spot job offers from
business entities while at the competition
• Some are in the 6 figure range
• Many are in the high 5 figure range

Additional Presenter’s View
Source: http://www.texascisocouncil.org/resources

Additional Presenter’s View (Continued)
• Demonstrated technical writing and communications
capabilities
• Employed as summer hire or as part of an Internship
Program
• Perform volunteer work for a Charity
• Join InfraGard and local Chapter near your school
• Join (if possible):
• Information Systems Security Association and a local Chapter near
your school
• ISACA and a local Chapter near your school

“If you pursue a degree and take all the easy courses and blow
off some of the assignments, the degree may be worth a lot
less than if you pursue a more challenging path. If you live on
campus and get involved with some of the clubs and
organizations for students your experience will be very
different from someone who takes everything online.”
Gene Spafford

What about a Master’s Degree or
Higher?
• It depends
• Do your homework:
• Will the MS give you real technical skills
• Have you considered a Master’s in Computer Science or Technology
Management with a concentration in Information Security
• IT is continually changing – is your MS in Cyber Security going to be a helpful
qualification in 10 years
• Does gaining a Master’s increase your job opportunities
• Can you justify the cost of a degree (e.g. $30k) in terms of ROI? In other
words, will it significantly increase your earning power in the future
• If the answer to these questions is “no,” you may want to hold off
on the investment.
Source: http://www.cyberdegrees.org/listings/#Do_I_Need_a_Degree

Local Schools
University of
Dallas

Compare and Contrast
School 2-Year 4-Year
Technical
Dual Credit
Certificate
Program
Associates
of Applied
Science Bachelors Masters
Master of
Business
Administration PhD
DHS/NSA
Designated
Center of
Excellence
Collin College X X X X
Richland College X X X X
University of Texas
at Arlington X
University of Texas
at Dallas X X X X X X X
University of
North Texas X X X X X X X
University of
Dallas X X X X X
Southern
Methodist
University X X X X X
Western
Governors
University Texas X X X X

Conclusions
• Information/Cyber Security opportunities abound
• Information/Cyber Security is a relatively young field of
study
• College degree programs vary
• Work Experience and Professional Certifications remain
more important than a degree in the hiring decision
• A recognized college or graduate-level degree program is
essential or very important in the hiring decision
• Course work to include management, law, business, ethics,
probability and statistics, communications, technical writing,
and teamwork
A College Degree in Information/Cyber Security is worth it, but do your homework

Recommendations
• Define “it”
• Know your strengths and weaknesses
• Know yourself and where you like/want to go
• Do your homework
• Look at yourself objectively
• Identify actions you need to take in order to move
foreword
• Are you sure you want a Cybersecurity career

Recommendations (Continued)
• Professional Certification
• Current Employer
• Veterans
• GI Bill
• Federal Virtual Training Environment (FedVTE)
• Short courses at little to no cost
• College and Dual Credit students
• Plan on taking certification course/exam while in school
• Use ISC2 Associates Program to your advantage
• Check other certification organization requirements

• College
• Read “Having the College Money Talk” article, Consumer Reports, August
2016
• Use the information provided in presentation and further complete
“Compare and Contrast” slide in deciding which program is “right” for
“you”
• Get involved
• Clubs, organizations such as ISSA-NTX
• “Capture the Flag” exercises
• Collegiate Cyber Defense Competition
• Can lead to strong employment opportunities with potential lucrative salaries
• Ensure interdisciplinary program cuts across different, but related fields –
especially computer science, engineering, management, business, ethics,
probability and statistics, technical writing, communications
• Take the “hard” courses
• Use/take part in any internships with local industry and excel
• Summer hire programs
• Semester programs

• MS, MBA or PhD
• Based on you, your needs and wants
• Possible Financial Options
• The Hazlewood Act - State of Texas
• Veterans
• GI Bill
• Current employer
• https://www.cappex.com/ Finding Schools and Scholarships
• CyberCorps®: Scholarship for Service (SFS) https://niccs.us-
cert.gov/education/cybercorps-scholarship-service-sfs
• Has 2,300 graduates since 2000 with a 93% placement rate
• Specific School Programs
• Talk to people in the field

“The more I learn, the more I
realize how much I don't know.”
― Albert Einstein

@NTXISSA #NTXISSACSC4@NTXISSA #NTXISSACSC4
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 7-8, 2016 48
Thank you

NTXISSACSC4 - What Should a College Information or Cyber Security Program Contain?

Recomendados

Recomendados

Más contenido relacionado

Destacado

Destacado (19)

Más de North Texas Chapter of the ISSA

Más de North Texas Chapter of the ISSA (20)

Último

Último (20)

NTXISSACSC4 - What Should a College Information or Cyber Security Program Contain?