Like other higher-education institutions throughout the country, Colorado State University and the University of Northern Colorado offer few courses dedicated to information security. Neither offers a degree program in the specialty.
Outside of public universities, more expensive options exist. Colorado Technical University offers bachelor’s degree programs in information security in Denver, Colorado Springs and Pueblo, as well as online. But students at CTU pay a range of $35,000 to $39,000 for a degree. By comparison, Colorado State resident undergraduates pay about $32,000 for tuition while UNC students pay $26,500.
Meanwhile, with demand high, unemployment in IT security remains low. In 2008, the Bureau of Labor Statistics said it expected employment of computer and information systems managers to have grown 17 percent by 2018, which is faster than average for all other occupations.
Dan Holt, general manager of HEIT, an information-security company in Fort Collins owned by Paducah, Ky.,-based Computer Services Inc., considers the lack of quality candidates “probably our biggest challenge.” Holt has talked about the problem to Colorado State.
“There’s a huge disconnect from what they’re teaching and what the workforce needs,” Holt said.
HEIT either hires people with information security work histories and builds their skills or provides on-the-job training for people with IT experience who enjoy the field.
But that training adds costs that make the company less competitive in the global marketplace, Holt said.
At the same time, online attacks have soared in recent years. More than 60 of the top 100 most-visited websites either hosted malicious content or contained content that redirected users from legitimate sites to malicious ones, security company Websense Inc. reported in 2009. Nearly 60 percent of data theft occurred over the Web.
ESoft, a Broomfield company that makes security software and hardware, detects 15,000 new viruses daily, CEO Mike Donnell said. That rate is five times greater than what eSoft saw two years ago.
“A lot of the threats that are out there today are the result of a lack of basic security training in programming,” he said.
Colorado State University offers a couple of courses that integrate information security into math and business curricula, but the Computer Science department dedicates only one class entirely to the field, said Dan Massey, associate professor of Computer Science.
The university only recently began requiring computer science majors to take that semester-long information security course, which Massey teaches. Previously, the university offered no undergraduate-level information security course. The field is largely left out of other Computer Science courses.
“For somebody who really wants to work deeply in the area, that’s not enough,” he said.
Massey said several companies have approached the university saying they needed graduates with information security training. “You rarely get the opportunity to have industry come and say, ‘We want to hire more of your students.’”
As a stopgap, Chris Campbell, a junior in computer science at Colorado State who’s hoping for a career in computer security, said that he can approach professors like Massey for additional instruction in the field.
“Other than that, it is just one security class,” he said.
He also started a computer security club to help other students learn more about additional tools and utilities in the field.
UNC offers several courses for its Network Information Security Systems minor, but no degree programs, said Jay Lightfoot, professor of Computer Information Systems. The school does require students to take a class that includes instruction on guarding networks from attacks.
“We don’t have anything that’s specifically just computer security,” he said. “But there are several courses that have a very large chunk.”
Neither university plans to add to its information security curriculum. At UNC, not enough students are enrolled to justify that kind of addition, though faculty would like more courses, Lightfoot said. And, of course, the more courses that are available, the more students a university is likely to attract in any particular field.
“We don’t have our head in the sand about it, but there are limitations on how fast we can move,” Lightfoot said. “Even if everybody recognizes change is needed, it still takes a little while to get things in place.”
Despite a high level of student interest in the field, Colorado State also does not maintain enough faculty or equipment to add IT security courses, Massey said.
Going forward, solutions seem scarce. Executives and professors interviewed for this article said they have not heard of anyone leading the way in studying the matter. Lightfoot said he believes the state should try to promote an initiative that would improve information security education. Holt has offered funding for scholarship programs.
In the meantime, Joe Gersch, chief operating officer of Secure64, a Greenwood Village company that offers Domain Name System server software, said information technology specialists get their additional security education from certification training courses. Like Donnell at eSoft, Gersch has hired several Colorado State graduates.
Even if a degree program were to be developed at some point, university coursework isn’t likely to be enough, he said.
Gersch, a Ph.D. candidate in Colorado State’s Computer Science department, believes that students interested in the field should try to attend conferences such as the ones Black Hat and DEF CON host annually in Las Vegas.
“You don’t want to just go to classes,” he said. “That’s not enough. You want to know what’s happening in the real world.”
In the end, schools may not be able to stay ahead of the constantly evolving threats to networks because financial incentives keep criminals on the cutting edge, Donnell said.
But he’d still like to see more college-level education, such as first-year security programming courses. The company is accustomed to training its employees on the job and during internships, so Donnell is less concerned about the challenges of hiring people than with the gaping security holes.
“The real problem is the fundamental code that’s written in all applications in all computers lacks some really basic security architecture, which is what creates the challenge and the problem with network security,” he said.