Healthy competition

After graduating with his associate's, Levinson found that he was left craving more. In March of 2009, he got in his car and drove 2700 miles to Western New York, where he matriculated at the Rochester Institute of Technology (RIT) to complete his degree.
He started out as an applied networking and systems administration major, but quickly changed to information security and forensics. “I was good at it,” Levinson recalls of his decision to switch majors. “I noticed it was something that could keep me up.”
Levinson had the luxury of being accepted to and enrolling in a program that offers a detailed information security curriculum. As recently as a few years ago, his only path for additional security education may have been through a certification program.
“We're just getting to the point where the wealth of knowledge is getting large enough where [students] can expand their mind within the collegiate level,” he says. While at RIT, Levinson also had the opportunity to perform research, such as studying a controversial iPhone file that recorded the geographical locations of users.
Still, while he was becoming well versed in defensive security strategies, he sought more action – in a word, competition.
In 2010, he saw a campus flier announcing the National Collegiate Cyber Defense Competition, a three-day event that asks teams to manage and protect a mock corporate network. Levinson and his fellow RIT teammates finished third out of nine regionally. He immediately was hooked. “Cyber security as a sport?” Levinson recalls. “It was crazy.”
That summer, he joined the big leagues when he earned a spot in the annual US Cyber Challenge, launched in 2009 by the Center for Strategic and International Studies, and now run by the nonprofit Center for Internet Security (CIS).
Not surprisingly, Levinson won a spot in the competition – held in three states that summer and featuring 55 participants – by using some hacker talent. “[My friend and I] brute forced the [qualifier online] quiz until we figured out which answers we got wrong,” he says. “We kept getting two questions wrong.”
The finals were held in Brooklyn and included four days of SANS Institute training leading up to a capture-the-flag competition, which pitted four teams of four against each other. This time, the contest asked the participants to play the role of the bad guy.
Levinson's team – which called itself “APT” in a tongue-in-cheek homage to the oft-overused advanced persistent threat buzzword – was able to successfully infiltrate a credit card database of a mock company, which helped it win the grand prize.
“There's a difference between trying to write an answer on a test about information security and being in a room and entering it on a keyboard while under pressure,” Levinson says. “At a lot of colleges, you go in and take tests and read books. But there's something to be said for the hands-on, live-under-fire exercises.”
The competition ended with a networking event and career fair, featuring a number of government agencies and corporations looking to hire. Levinson now works as a security software engineer at Zynga, the world's largest social game developer. “The connections that got me here wouldn't have happened without competitive cyber security,” he says.
Mike Matonis, Levinson's teammate, has since parlayed his victory into a job with CIS as a computer emergency response team analyst. He says the US Cyber Challenge helps to break down the barriers that often prevent students from attending college, such as exorbitant costs, poor high school grades or a lack of accessibility to certain educational topics. In other words, if successful, these competitions may enable a whole new set of people to catapult into careers in information security.
“There are a lot of extremely capable and very talented people who haven't done level-three calculus or can't articulate or argue an abstract, complex encryption algorithm,” Matonis, 22, says. The competition allows for a quantitative assessment of someone's skill set, something educational upbringing may not be able to offer, he adds.
“The whole competition side of it is important on a level that academia hasn't gotten to yet,” Levinson says. “My experience tells me that doing simulation, competition and application of skill in a live environment is a really good indicator of where their skill set is at, where their talent lies.”
And it may also encourage some teenagers and young adults to reconsider their career paths. “They may have been destined to become real hackers,” says Will Pelgrin, chief executive of CIS and the former CISO of the state of New York. “This helps that generation [to] not go down the wrong path. There's a moral compass to this.”
The hands-on nature of these challenges is not going unnoticed in the academic world. A number of colleges are getting on board with making security learning more active, including Pace University in New York – which just launched a new cyber security institute – all the way down to community colleges, like Hagerstown in Maryland, which recently announced the receipt of a $650,000 grant from the National Science Foundation.
Job description
Of course, better preparing the next wave of information security professionals is all well and good, unless they enter a workforce which doesn't exactly know where they belong. Joyce Brocaglia, president and CEO of headhunter Alta Associates, says this is a real problem, especially as baby boomers retire or enter management positions.
“We don't fill any easy roles,” Brocaglia says, adding that it's difficult to find exactly the right person for specialized security positions. “Security people have specialized needs, but HR doesn't understand the distinction between general technology and someone who understands security.”
San Jose University's Stamp agrees. “Companies often don't have a lot of expertise in security, so they are not quite sure what they want in a candidate, and they may not be able to effectively evaluate a potential employee,” he says. “This is changing for the better, but based on feedback I get from former students, it still seems to be an issue, undoubtedly more so with smaller and/or start-up companies.”
“Many of the agencies said they did not have a problem finding and hiring cyber security personnel, but were having challenges finding people with highly technical skills,” says Gregory Wilshusen, director of information security issues at GAO.
One government-led initiative, to be led by the federal Office of Personnel Management, is trying to create a common taxonomy for cyber security professionals that will enable hiring agencies to match roles to competencies. Feedback was being sought as of press time.
Despite the challenges the information security industry faces to not only attract talent, but also match it with appropriate positions, the emergence of initiatives such as the US Cyber Challenge may be arriving at a critical moment. One need not look farther than Levinson to spot a success story. “My job is a dream come true,” he says.