Monday, March 30, 2009

IT Security Education

I taught IPSec to my freshman platform class today. I love teaching this particular section of the book, because I usually expand it beyond the borders of what the chapter covers into a broader discussion of security. This time, as well as the last, I assigned the McCumber cube paper (annex?) as a read-and-respond to lead up to it. It helps the discussion if the students have at least seen the source material. I opened today’s discussion by asking what the students thought of the paper. I had one student tell me that in researching his response, he talked to the industry professionals that he knows and they had never heard of McCumber or his ideas. Further, when asked, the same professionals could not articulate how they would plan for security of a system. The student wanted to know why this was the case, given that I said McCumber provided the model for good security practices.

Though I never really gave much thought to the issue, the problem is endemic in the IT field. Certainly I see it in my daily dealings with my “service provider”. The solution, however, is glaringly clear, and came to me right away: most likely they had never been taught it. In fact, digging deeper, I would suggest that the way IT security is taught is inherently flawed.

While I admit I have not done exhaustive research, my experience tells me that security is generally given second billing or ignored in classes not directly dealing with the topic. It’s certainly true that the Platform Technologies class I teach would be this way, were I to go directly from the book. (It basically says using IPSec will help you be more secure.) When security is taught, more often than not, we teach the tools (the technology facet of the cube) and ignore policy and education. Even then, we don’t necessarily teach appropriate use of the tools, leaving IT professionals ill-equipped to deal with the realities of securing systems.

This holds true in every niche in the industry, from coders to database admins to network engineers, creating potentially dangerous knowledge deficiencies which increase risk exponentially. While specially trained IT security personnel can sometimes help to mitigate some of the danger, real-world example after example shows that it’s usually not enough.

The solution is simple, though it will take a shift in the collective pedagogy of the field, and will move with the speed of academia. We need to teach security and security principles as core competencies across the IT discipline. Curricula should include the fundamentals of security as an integral part of technology rather than an overlay. At a minimum, all IT students, regardless of focus, should have a dedicated security class early on in their academic careers. Education is one facet of the McCumber Cube. It should be applied to Information Technology professionals as much as any end-user, in fact more so. Early and often.

Friday, March 20, 2009

Clausewitz Roundtable post: Fin

My final thoughts on Clausewitz. Not very articulate, but read them here.

Sunday, March 8, 2009

Clausewitz Roundtable post 7

Please read it here. Especially all you MBAs.
