While this statement is about how we develop and implement systems, a co-worker recently took it to the next level: "How do we bake information security into the next generation of computer professionals?"
Today, one of our great challenges is implementing a culture of attention to security.
We spend time and money developing security awareness programs. But rather than focusing on this retraining forever, let's also see what we can do now to influence our profession's future.
We are the first generation of formally recognized CISOs. Most of us are veterans of a lengthy struggle to get our career recognized as critical to the business. From an educational standpoint, there were no college courses offering specialized training in information security. Most of our education was through on-the-job training, study and networking with our peers.
What do we owe to both our profession and the next generation of CISOs? How do we ensure that adequate training opportunities exist to produce quality candidates? The answer is easy – get involved, give back.
Today, very few colleges offer anything other than elective courses in infosec. It has yet to become a widely accepted core element of computer science or IT degree programs. Here's what we should do:
- Start talking to the management of a local technical college or university;
- Pick your alma mater or a local institution for which you can become a champion;
- Volunteer to serve on research or advisory boards;
- Teach or guest lecture;
- Fund information security research projects with the institution;
- Get your staff to meet with academia to share ideas.
It has been my experience that most educational institutions are hungry for this kind of interaction. It is through public/private cooperation that we can participate in curriculum development and planning, and ultimately affect the quality of our next generation of CISOs.
Contact your local and federal law enforcement directly or through organizations such as the Information Systems Security Association or InfraGard. Offer to host meetings at your facility, and use your contacts to arrange for experts to speak at these meetings.
Building these relationships is not only good for the profession – it's also good for relations between your organization and law enforcement.
Seek out and take the personal initiatives necessary to positively affect the future of the information security profession. Ultimately, we all benefit from each of our own efforts to "get involved and give back."