Tech institute launches graduate level cybersecurity program

As the federal government received a fresh round of criticism for failing to make the security of the nation's computer infrastructure a priority, a technology institution announced new graduate degree programs in that area.

The SANS Technology Institute is offering Master of Science degrees in information security and information security management. The programs are intended to give IT security employees the necessary skills and qualifications for high-level jobs at corporations and government agencies.

The academic institution, which is affiliated with the Bethesda, Md.-based SANS Institute and was approved by the Maryland Higher Education Commission on Nov. 16, is accepting applicants for about 150 spots in the 31-credit-hour program, which is scheduled to begin in the fall of 2006.

Courses are intended to help students master critical security technologies while developing skills in communications, project management, persuasion, teaching and other areas critical to establishing IT security a key part of an organization's mission.

SANS has more than 54,000 alumni in 43 countries. About 16 percent of its graduates work for the government or government contractors.

Entry requires a 3.0 grade point average from an accredited college. A strong endorsement from the applicant's employer is needed to show that the person is going "to take on the mantle of security leadership in the future."

Tuition is about $28,000 for the two-year program, assuming the student is fully employed and is taking the courses on a part-time basis. A majority of the training occurs online, but three six- to seven-day residencies are required.

Alan Paller, director of research at the SANS Institute, said America's computers are "riddled by attackers," and security practices are not implemented correctly.

The new institute is seeking applicants who ultimately will be chief information officers and lead technology contracting groups, Paller said.

"Why can't the U.S. government, its contractors and financial organizations keep these things safe?" Paller said. "It's because management doesn't get it … it lacks the skill sets."

Paller said people are being put into jobs where they have no background in security. Our "computers have been terribly and deeply penetrated throughout the United States," he added.

Stephen Northcutt, president of the new technology institute, said the degree is going to be "extremely difficult to get." Most people who call themselves IT security professionals do not have the proper skills, he said.

"Take the average person in IT security and compare them to a CPA or a lawyer or a doctor," Northcutt said. "There's a lot of stringency involved in getting to their position that doesn't exist with IT security … we're a bunch of automobile mechanics. We think we know what we're doing."

Gregory Wilshusen, director of information security issues at the Government Accountability Office, said while he cannot comment specifically on the SANS program because he cannot be seen as giving an endorsement, programs that help to improve the technical capabilities as well as communications and management skills of those responsible for implementing information security policies would help to address one of the underlying causes of the agencies' poor IT security reviews.

In a report released Tuesday and called "National Agenda for Information Security in 2006", the Arlington, Va.-based Cyber Security Industry Alliance found that the government needs to demonstrate more leadership in protecting the country's information infrastructure.

Paul Kurtz, executive director of CSIA, said that the government has taken limited steps to improve the state of IT security, but there is little strategic direction or leadership from the executive branch in the area. Kurtz said that he thinks very highly of the SANS Institute and is pleased that it is sponsoring the new degrees.

Overall, the Bush administration and Congress scored a D grade or below on 7 of the group's 12 recommendations and earned a C grade of on four others.

An initial CSIA survey found that Americans are not confident about the networks' security. The networks earned a score of 58 out of 100 possible points on CSIA's Digital Confidence Index.

Drew Crockett, spokesman for House Government Reform Committee Chairman Tom Davis, R-Va., said that the committee is pleased to see the growing trend of educational institutions offering advance degrees in IT Security.

"The information security field is comprised of many talented individuals, but there are limited opportunities for formal training," Crockett said. "We need the best trained IT security personnel to safeguard federal systems and any additional education or training opportunity is a positive step."

Davis's Government Reform Committee issues annual cybersecurity grades to federal agencies and while some agencies are improving, seven agencies received F grades in 2004, the latest year for which scores are available.