Securing your future

If there was ever a time to consider IT training, then now’s that moment.

Brian Donovan, CEO of the IT Skills Hub, says in the group’s latest newsletter that “Preliminary results from our 2004 Market Monitor show a substantial upturn in the IT jobs market over the last six months, the first significant increase in demand for the ICT sector in three years.” Detailed results will apparently be released at about the time this article goes to press.

And one area that is apparently shining is e-security. The latest Australian Computer Society employment survey, released at the end of February, has security as one of the best performing “job responsibility” areas, with zero unemployment. (Similarly blessed areas include IT support, installers and implementers, network consultant and, interestingly, IT training. Worst performing were programmer and project officer/manager, both with nearly 20 percent unemployment.)

John Dowell, managing director of Monash IT (Monash Uni’s corporatised IT training centre) says, “We are seeing an increase in the number of business stakeholders realising that there is a skills gap, and that filling the skills gap is a corporate governance issue. They increasingly understand that security training must focus on policies and behaviours as well as technical skills.

“Buying a boxed solution and implementing it does not guarantee an organization's protection. IT managers and security officers must have the skills and knowledge to help them identify and prevent different kinds of attacks that might not be stopped by downloading the latest patch from Microsoft.”

Donovan adds that an increased focus on IT risk management “will force a more urgent response from the education sector to both address the need for IT risk management programs and to include security as a mandatory subject in IT qualifications”.

So what courses are available? A survey of tertiary and private course providers produced a mixed bag.

Security courses

Queensland University of Technology is a prime candidate for the heaviest hitter on the block. Within the Faculty of Information Technology, the School of Software Engineering and Data Communications (SEDC) handles coursework programs, with the Information Security Research Centre looking after non-coursework education. The ISRC also handles industry-collaboration projects.

This mixture of education and research offers up a variety of potential avenues:

  • PhD focusing on any aspect of IT security.
  • Masters by Research focusing on any aspect of IT security.
  • Masters of Information Technology (for IT graduates), a coursework degree for students with an undergraduate IT degree (can specialise in IT security through subject choice).
  • Masters of Information Technology (for non-IT graduates), a coursework degree for students with an undergraduate degree in a field other than IT (can specialise in IT security through subject choice).
  • Honours program (can select dissertation in IT security).
  • Bachelor of Information Technology
  • Graduate Diploma of Information Technology for IT graduates
  • Graduate Diploma in IT for non-IT graduates
  • Individualised IT security training programs (as required) - often popular with particular industry groups and large organizations.
  • IT security collaboration projects with external organizations.
Many units derive from the ISRC’s leading position in e-security research specialization. Information security (in the BIT degree) and Information security management (in the MIT degree) are introductions to information security; they are the most popular units and are part of most recommended courses of study. More advanced units cover security technologies; cryptographic fundamentals; advanced cryptology; trusted systems and networks; network security; and computer forensics, with these last two being the most popular.

The FoIT at the University of Technology, Sydney is considering, but does not currently offer, a specialization or course in IT Security.

David Wilson, associate dean (education) of the faculty, says, “Part of our deliberation is to consider possible certifications but no decisions have been made yet. We do teach IT security at various levels of detail in both undergraduate and postgraduate subjects within other programs.”

On the humanities side, the law faculty at UTS offers an Introduction to Cybercrime, which looks at the motivations of cybercriminals, the legislative framework, issues facing companies and options for redress, the basics of computer forensics and handling computer-based evidence. The course offers two computer lab components, one that exposes the students to common hacking tools, where to find them and how to use them, and a second where students practice computer forensic techniques. This year, students will be assessed on a forensic practical.

The students so far are all enrolled in post-graduate law courses and are almost all lawyers of some description. However, the course may be taken by postgraduate students in IT or business.

There are other IT law subjects at UTS, but not this semester. Lecturer Ajoy Ghosh says, “We are in the process of designing further subjects that build on Intro to Cybercrime, such as computer forensics and also e-discovery, which we hope to offer in 2005.”

Monash University has no whole degree courses, although it offers individual security subjects in the Bachelor of Network Computing and the Master of Network Computing. These can be taken as single subjects rather than as part of the degree, although it is “not usual to do so”.

Outside of the groves of academe, CompTIA has Security+, a vendor-neutral, industry-developed security certification for an individual with at least two years’ on-the-job networking experience. This covers industry-wide topics, including communication security, infrastructure security, cryptography, access control, authentication, external attack and operational and organization security. Members of the oversight committee for the course include some of the heavyweights in the field: the FBI; US Customs; National Institute for Standards and Technology; many educational institutions; and most of the larger vendors.

The ACS offers its Certified Membership of ACS - CMACS (e-security), which is expected to be available in the fourth quarter of 2004. There are two subjects in the specialization. They can be taken on their own but for students without prior postgraduate study experience it is strongly recommended that they first take one or both of the program’s core subjects, IT Trends or Business Legal and Ethical Issues. The second of these courses covers the fundamentals of security.

Dot Educate (or “.educate” for those who can’t spell dot) is focusing on providing network security training and wireless network security. Courses available are: Security+; securing wireless networks; and security for non-security professionals. They cover areas such as policy, administration, firewalls, implementation and integration, VPNs, security management and PKI.

It also offers the ITAA Information Security Awareness Certification Program (I-ACert), which is designed to “help make information security matter to each individual in organization by raising awareness and ensuring individual accountability for knowledge of basic information security fundamentals”.

At its core is a 30-minute, online assessment, covering eight fundamental information security topics ranging from best practices and Internet usage to passwords, malicious software, and handling of sensitive information. The test is administered through SkillsBench, the enterprise skills measurement system from Brainbench. This online platform provides the employee with immediate results upon completion of the test, and delivers aggregated test results by department or enterprise-wide to authorised administrators. Individuals who don’t pass the test can use learning resources and re-test until they achieve passing scores.

Insecure about security

All providers agree that the current “insecure” environment, ranging from individual hackers, viruses, and Trojans, denials of service and information theft up to fears of international cyberterrorism, has had a significant impact on the education field.

Lauren May, senior lecturer at QUT, says that “Demand for IT security training is continually increasing at an ever faster rate of growth. Employment demand far exceeds supply.”

Danika Bakalich, regional director of CompTIA, agrees. “Globally, security training and certification growth has been explosive in recent years and continues to trend upward.” She warns that, “Neither technologies nor policies alone offer effective protection against theft and destruction of intellectual property.”

“All industries need a trained and effective IT workforce to combat hackers, attackers and security threats. Security professionals need certification, not training alone, to demonstrate these skills.”

John Dowell, however, is not so bullish. “The number of people attending training courses is growing slowly, but [the numbers] are nowhere near as high as they should be. Companies in the US have realised the need for this kind of training, and we need to catch up to our US counterparts. Real security is a full-time job, not a downloaded patch from Microsoft.

“Only by understanding consequences, both individual and organizational, will employees begin to change the behaviours that are often the root cause of security breaches (such as leaving computers logged on all night, leaving passwords in easy to find locations, and so on). Employees can only understand these consequences by being properly trained. When they begin to understand what behaviours can cause security breaches, and the consequences of these breaches, employees can begin to change these behaviours, playing an active role in protecting the company.

“Companies’ best protection against loss of assets and productivity is an holistic approach, encompassing technical staff to manage and monitor threats, and employees who understand the risks and behave correctly to avoid these risks.”

As a final word, Brian Donovan told Computerworld that, “in ICT generally, there has been a substantial uptake of nationally recognised training over the past four years, though there are claims of a reducing level of applications (not enrolments) for the higher education sector.

“However, the issue of training in the area of e-security has not had the impetus of other areas until recently. … It is an indictment of us that security is still an elective subject in most IT undergraduate degree programs.”