What Should a College Information/Cyber Security Program Contain?
Do you really know what you want to do? Cyber security sounds like it has a bright future, but does it? Is it right for me? Do I require a certification, and which certification? Is college the answer? How am I going to pay for college? What should I look for in a program? What should I do? These and many more questions will be raised and discussed, and alternatives will be provided, in this presentation.
Many schools offer Associate's, Bachelor's, Master's, and Doctor of Philosophy degrees or certification programs in Cyber or Information Security. Some of these programs are within the Computer Science department and others within the Business School. Businesses and government organizations talk about a shortage of qualified candidates to fill security positions.
No one program is perfect, but one should understand the available options that meet a person’s particular interests.
This presentation is meant for anyone just starting out in high school, college, just starting in the work force, or looking to advance their horizons.
The objectives of this presentation are as follows:
• Discuss why you may want a cyber, information, or information technology security career
• Discuss steps to know who you are and apply that to potential security focus areas
• Discuss subjects, topics, items or characteristics that should be offered or included as part of a cyber or information security degree program
• Compare/contrast different programs within the DFW area
• Suggest recommendations or options that one should look at while in a program or when looking at entering a program
Richard (Rick) Brunner has more than 40 years of experience in information security and technology, specializing in secure systems/application design and development, system architectures, information risks and controls, testing, and strategy and program management. Rick’s past assignment was as an Assistant Vice President, Security Strategy and Architecture at GM Financial, and he has worked in Healthcare, Finance, Human Resources, Military, and Intelligence. Rick has 32 years of military service, both active and reserves, rising to the rank of Colonel (O-6). He holds an Executive Jurist Doctorate degree, concentration in Law and Technology, from Concord Law School; a Master of Science degree in Computer Science, concentration in Information Systems Security, from James Madison University; and a Bachelor of Science degree in Mathematics and Computer Science from University of Texas at San Antonio. Rick is an Assistant Faculty member at Collin College, instructing courses in their cyber security program, and is an active member of Collin’s Cyber Security Advisory Board. Rick holds the following certifications:
• Certified Information Systems Security Professional (CISSP) (Certification Number: 375658)
• SABSA Chartered Security Architect - Foundation Certificate (SCF) (License SCF14020703)
4. @NTXISSA #NTXISSACSC4
Definitions
Term | Meaning | Source
Computer Security | Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer | CNSS 4009
Cyber Security | The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems | ISACA Glossary
Information Assurance | Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities | CNSS 4009
Information Security | Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability) | ISACA Glossary
Information Technology Security | Is the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived) utilizing various forms of technology developed to create, store, use and exchange such information against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving the value, confidentiality, integrity, availability, intended use and its ability to perform their permitted critical functions. | SANS
100 Best Jobs
Title | U.S. News Ranking | Median Income ($) | Unemployment Rate (%) | Number of Jobs (2014-2024)
Computer Systems Analyst | 3 | 82,710 | 2.6 | 118,600
Software Developer | 13 | 95,510 | 2.5 | 135,300
Statistician | 17 | 79,990 | 4.0 | 10,100
Operations Research Analyst | 18 | 76,660 | 3.8 | 27,600
Web Developer | 20 | 63,490 | 3.4 | 39,500
IT Manager | 29 | 127,640 | 1.8 | 53,700
Information Security Analyst | 34 | 88,890 | 1.4 | 14,800
Mathematician | 35 | 103,720 | 4 | 700
Database Administrator | 48 | 80,280 | 2.0 | 13,400
Computer Support Specialist | 60 | 61,830 | 3.3 | 13,600
Computer Systems Administrator | 67 | 75,790 | 2.0 | 30,200
Compliance Officer | 94 | 64,950 | 1.0 | 8,700
Source: http://money.usnews.com/careers/best-jobs/rankings/the-100-best-jobs
Worth it? What is "it"?
Increased knowledge? | Almost certainly
Increased satisfaction with one's profession? | Quite likely
Better job opportunities? | For many career paths, yes
Additional knowledge in other domains? | Almost certainly
Better opportunities for networking and social connectivity? | Possibly
Providing a basis for advanced degrees? | Almost certainly
Reducing initial outlay of funds? | Probably not
Providing a better basis to pursue your own startup? | Not usually
https://www.quora.com/Is-a-computer-security-degree-worth-it Author: Gene Spafford
Who Are You
• What are your strengths
  • StrengthsFinder - http://freestrengthstest.workuno.com/
• What did/are you enjoy(ing) the most
• What are your hobbies
• What are your Goals:
  • Short (1 to 2 years)
  • Mid (3 to 5 years)
  • Long (Anything past 5 years)
• What are you passionate about, alternatively, what drives you
• What is your personality type
  • DISC
  • Myers Briggs
• What is your emotional intelligence level
• What got you here won’t get you there – Goldsmith
Match Your Strengths
• Find that niche or specialty area
• Match strengths and experience with a potential Security domain
Strengths | Previous Careers | Security Focus Areas
Inquisitive, Analytical | Law enforcement, Military, IT | Incident Response, Forensics
Attention to detail, Focus | Technical writing, Legal | Policy and Governance, Privacy
Outgoing, Communicator | Education, Sales | Security Training
Professional, Collect input | Sales, Marketing | Business Security, BCP, Strategy
Detail oriented, Problem solver | Insurance, risk, tax | Risk Assessment, Architect
Data driven, Organized | Engineering | Metrics and Reporting
Technical, Structured | Clerical, High tech | Technology administration
Source: Mr. Scott Preston, Vice President, Corporate Information Security, GM Financial
Do You Really Need a College Degree (Continued)
• Average cost of a 4-year degree (tuition, fees, room and board)
  • State School—$78,000
  • Texas Resident—$23,140/year
  • Texas Nonresident—$32,738/year (http://www.collegeforalltexans.com/apps/collegecosts.cfm?Type=1&Level=1)
  • Private School—2X State School
• Average student loan debt
  • $37,000/graduate
  • Not reported for those that did not graduate
• Consumer Reports national survey of 1500 student loan borrowers:
  • 44% left college; cutting back on daily living expenses in order to pay loan
  • 28% delaying major goals like buying a house
  • 37% put off saving for retirement
  • 45% said that, knowing what they know now, their college experience wasn’t worth the cost
Source: Having the College Money Talk, Consumer Reports, August 2016
Professional Certifications & Programs
• A degree will only take you so far up the job ladder (3rd criterion behind experience and certification)
• Professional Security certification is necessary (2nd criterion behind experience)
• They come in all shapes and subjects – from forensics to intrusion to ethical hacking
• Regardless of the topic or level:
  • Can be used across jobs and organizations
  • Consists of training and a final exam
  • Must be renewed periodically (every 3 to 4 years)
  • Need continuing education credits for reaccreditation
• They can be expensive and time-consuming
  • An entry-level credential can take three to nine months to complete and set you back $300-$600 for the exam
• They can lead to promotion, better job prospects and/or a raise
  • SANS survey reported salary increases of up to 5% after accreditation
Source: http://www.cyberdegrees.org/resources/certifications/
15 Top-Paying Certifications for 2016
Rank | Certification | Granting Organization | Average Salary ($)
1 | AWS Certified Solutions Architect - Associate | AWS | 125,871
2 | Certified in Risk and Information Systems Control (CRISC) | ISACA | 122,954
3 | Certified Information Security Manager (CISM) | ISACA | 122,291
4 | Certified Information Systems Security Professional (CISSP) | ISC2 | 121,923
5 | Project Management Professional (PMP®) | PMI | 116,094
6 | Certified Information Systems Auditor (CISA) | ISACA | 113,320
7 | Cisco Certified Internetwork Expert (CCIE) Routing and Switching | Cisco | 112,858
8 | Cisco Certified Network Associate (CCNA) Data Center | Cisco | 107,045
9 | Cisco Certified Design Professional (CCDP) | Cisco | 105,008
10 | Certified Ethical Hacker (CEH) | EC-Council | 103,297
11 | Six Sigma Green Belt | Council of Six Sigma Certification | 102,594
12 | Citrix Certified Professional - Virtualization (CCP-V) | Citrix | 102,138
13 | Cisco Certified Networking Professional (CCNP) Security | Cisco | 101,414
14 | ITIL® v3 Foundation | APM Group Limited | 99,868
15 | VMware Certified Professional 5 - Data Center Virtualization (VCP5-DCV) | VMware | 99,334
Source: https://www.globalknowledge.com/us-en/content/articles/top-paying-certifications/
How Do You Get Your Foot in the Door (Non-Traditional)?
• There is no one true path to working in cyber security
• Train in general IT
  • Many experts suggest that you begin with a job, internship or apprenticeship in IT
• Focus your interests
  • Employers suggest you focus on an area (e.g. networking security) and do it well
  • Think ahead 5-10 years to your “ultimate security career”
  • Look for starter IT jobs that will supply you with the right skills
• Gain practical experience
• Gain professional security certification
• Use the http://www.cyberdegrees.org/resources/transitioning-from-general-it/#starter web site as a resource in your journey
Source: http://www.cyberdegrees.org/resources/transitioning-from-general-it/#starter
2-Year Program
• A technical 2-Year program should include the following core knowledge units (KU):
  • Basic Data Analysis
  • Basic Scripting or Introductory Programming
  • Cyber Defense
  • Cyber Threats
  • Fundamental Security Design Principles
  • Information Assurance Fundamentals
  • Intro to Cryptography
  • IT Systems Components
  • Networking Concepts
  • Policy, Legal, Ethics, and Compliance
  • System Administration
• Look for courses that give you a lot of hands-on experience with real world problems
Source: National NSA/DHS Centers of Academic Excellence in Information Assurance/Cyber Defense Knowledge Units, https://www.iad.gov/NIETP/documents/Requirements/CAE_IA-CD_KU.pdf
4-Year Program
• Should include all of the 2-Year program KUs and these additional KUs:
  • Databases
  • Network Defense
  • Networking Technology and Protocols
  • Operating Systems Concepts
  • Probability and Statistics
  • Software Engineering
• Have advanced classes such as cloud computing, forensic accounting, wireless sensor networks
• Look for courses that give you a lot of hands-on experience with real world problems
Source: National NSA/DHS Centers of Academic Excellence in Information Assurance/Cyber Defense Knowledge Units, https://www.iad.gov/NIETP/documents/Requirements/CAE_IA-CD_KU.pdf
2014 Best Schools For Cybersecurity (Ponemon Institute Report)
Characteristics that set the best schools apart:
• Interdisciplinary program that cuts across different, but related fields – especially computer science, engineering and management
• Designated by the NSA and DHS as a center of academic excellence in information assurance education
• Curriculum addresses both technical and theoretical issues in cybersecurity
• Both undergraduate and graduate degree programs are offered
• A diverse student body, offering educational opportunities to women and members of the military
• Faculty composed of leading practitioners and researchers in the field of cybersecurity and information assurance
• Hands-on learning environment where students and faculty work together on projects that address real life cybersecurity threats
• Emphasis on career and professional advancement
• Courses on management, information security policy and other related topics essential to the effective governance of secure information systems
• Graduates of programs are placed in private and public sector positions
Source: http://www.cyberdegrees.org/listings/ and http://www.ponemon.org/local/upload/file/2014%20Best%20Schools%20Report%20FINAL%202.pdf
National Collegiate Cyber Defense Competition (CCDC)
• CCDC Events are designed to:
  • Build a meaningful mechanism by which institutions of higher education may evaluate their programs
  • Provide an educational venue in which students are able to apply the theory and practical skills they have learned in their course work
  • Foster a spirit of teamwork, ethical behavior, and effective communication both within and across teams
  • Create interest and awareness among participating institutions and students
• Competition:
  • Each team begins the competition with an identical set of hardware and software
  • Teams are scored on their ability to detect and respond to outside threats, maintain availability of existing services such as mail servers and web servers, respond to business requests such as the addition or removal of additional services, and balance security needs against business needs
  • An automated scoring engine is used to verify the functionality and availability of each team’s services on a periodic basis, and traffic generators continuously feed simulated user traffic into the competition network
  • A volunteer red team provides the “external threat” all Internet-based services face and allows the teams to match their defensive skills against live opponents
Source: http://www.nationalccdc.org/index.php/competition/about-ccdc/mission
What about a Master’s Degree or Higher?
• It depends
• Do your homework:
  • Will the MS give you real technical skills
  • Have you considered a Master’s in Computer Science or Technology Management with a concentration in Information Security
  • IT is continually changing – is your MS in Cyber Security going to be a helpful qualification in 10 years
  • Does gaining a Master’s increase your job opportunities
  • Can you justify the cost of a degree (e.g. $30k) in terms of ROI? In other words, will it significantly increase your earning power in the future
• If the answer to these questions is “no,” you may want to hold off on the investment.
Source: http://www.cyberdegrees.org/listings/#Do_I_Need_a_Degree
Conclusions
• Information/Cyber Security opportunities abound
• Information/Cyber Security is a relatively young field of study
• College degree programs vary
• Work Experience and Professional Certifications remain more important than a degree in the hiring decision
• A recognized college or graduate-level degree program is essential or very important in the hiring decision
• Course work to include management, law, business, ethics, probability and statistics, communications, technical writing, and teamwork
A College Degree in Information/Cyber Security is worth it, but do your homework
Recommendations (Continued)
• Professional Certification
• Current Employer
• Veterans
• GI Bill
• Federal Virtual Training Environment (FedVTE)
• Short courses at little to no cost
• College and Dual Credit students
• Plan on taking certification course/exam while in school
• Use ISC2 Associates Program to your advantage
• Check other certification organization requirements
Recommendations (Continued)
• College
• Read “Having the College Money Talk” article, Consumer Reports, August 2016
• Use the information provided in this presentation and further complete the “Compare and Contrast” slide in deciding which program is “right” for “you”
• Get involved
• Clubs, organizations such as ISSA-NTX
• “Capture the Flag” exercises
• Collegiate Cyber Defense Competition
• Can lead to strong employment opportunities with potential lucrative salaries
• Ensure interdisciplinary program cuts across different, but related fields – especially computer science, engineering, management, business, ethics, probability and statistics, technical writing, communications
• Take the “hard” courses
• Use/take part in any internships with local industry and excel
• Summer hire programs
• Semester programs
Recommendations (Continued)
• MS, MBA or PhD
• Based on you, your needs and wants
• Possible Financial Options
• The Hazlewood Act - State of Texas
• Veterans
• GI Bill
• Current employer
• https://www.cappex.com/ Finding Schools and Scholarships
• CyberCorps®: Scholarship for Service (SFS) https://niccs.us-cert.gov/education/cybercorps-scholarship-service-sfs
• Has 2,300 graduates since 2000 with a 93% placement rate
• Specific School Programs
• Talk to people in the field
The Collin College Engineering Department
Collin College Student Chapter of the North Texas ISSA
North Texas ISSA (Information Systems Security Association)
NTX ISSA Cyber Security Conference – October 7-8, 2016
Thank you