House Bill Would Put Money Into Security Recruiting

Cybersecurity bill is a positive step to developing security experts

InformationWeek Staff, Contributor

February 15, 2002

A cybersecurity bill that recently won approval in the U.S. House of Representatives is also winning the approval of IT experts. But in the short term, it won't fix the shortage of IT security professionals.

The Cyber Security Research and Development Act (HR 3394) would provide $878 million over five years to train IT security professionals and help make up for the current shortage of qualified people. The bill includes funding for the National Science Foundation and the National Institute of Standards and Technology to support research and education in security at the college, graduate, and post-doctoral level. NIST would create grants for partnerships in industry and academia. The bill also aims to entice senior researchers in other fields to move into IT security research.

Sen. John Edwards, D-Calif., introduced a similar bill in the Senate late last month. It would fund fellowships for doctoral degree candidates, create a sabbatical program to let top professors spend time at cybersecurity research centers, and provide more funding for related online coursework.

IT director and CIO Richard Entrup's reaction to the Congressional bills was "Wonderful! Hear, hear!" His New York law firm, Wilson, Elser, Moskowitz, Edelman & Dicker LLP, includes 550 attorneys across 16 offices. Its biggest security issue: the exchange of data with clients.

Most large law firms don't have a dedicated security officer. Those duties are often shared by the E-mail and network administrators. Unless schools make security studies more prominent, the situation isn't going to get any better, Entrup says.

Calling the House bill "a step in the right direction," Janet Kumpu, chief operating officer of Fortress Technologies Inc., a provider of security products and services, says she's pleased to see money earmarked for NIST. Upgrading the research capabilities at the agency is critical for companies such as Fortress that sell to the government and have to follow the standards and protocols that NIST designates, she says. This will provide more research positions that understaffed NIST needs in order to keep up with the work it does, Kumpu says.

Rep. Honda spent the last year and a half visiting Silicon Valley.

Rep. Mike Honda, D-Calif., one of the authors of the House bill, spent much of the last year and a half visiting technology companies around Silicon Valley, trying to understand the IT security landscape. He's learned that the private sector has lots of tools--and lots more they'd like to develop--but most are beyond the grasp of the public sector. "Since Sept. 11, we know we have to make decisions quickly," Honda says. "The gnawing thought is that we have the information but can't put it together."

Interest in security has been on the rise for at least the last three years. Seven out of 10 business and IT professionals rated security as a high priority for business in the InformationWeek Research Global Security survey last August. The strong interest in security was attributed to concerns about security breaches such as the ILOVEYOU virus and the Nimda worm. The Sept. 11 terrorist attacks have since moved fears of cyberterrorism to center stage. For IT pros with strong security skills, it's the one area where competition for the best talent remains fierce, recruiting is cutthroat, and workers still command top dollar.

Conditions seem perfect for certification offerings in this area. IT training companies and trade groups are working to fill the void: Next fall, on a much accelerated schedule because of growing demand, computer trade association CompTIA will offer a beta version of a multiplatform security certification. The course will cover networking fundamentals as well as viruses, firewalls, user authorization, and encryption. Training company Global Knowledge and software company TruSecure are jumping in with a midlevel IT security certification that offers a security curriculum similar to CompTIA's but includes intrusion detection and VPN technology.

But certification alone may not suffice, particularly for high-end companies such as Fortress, where it took Ph.D.s and physicists to create the architecture necessary for its IT infrastructure offering. The challenge is to find people who understand security, and being a proficient developer isn't enough, Kumpu says. "What we need is the vision into what security requirements will be down the road, and that's hard to find," she says. "You need people who understand protocols and standards, people who can translate policy into solutions." For any company that depends on the government as a top customer, understanding the protocols marks the difference between a successful strategy and a company that's going out of business.

Kumpu's support of the House bill isn't without reservation: It's a long way from research to implementation. "Research is really the crème de la crème of technology but isn't necessarily practical," she says. "We need to go from research into developing products and services that can be implemented across a wide base."

The IT landscape Honda studied will continue to evolve and security needs will change with it. Supporters of his bill hope it will increase awareness of the need for more investment in security. "The need won't go away," Kumpu says. "It will only increase."
