Today we bring you another installment of our ongoing series "Application Security Education Spotlight". In this edition we speak with Dr. Mike Whitman of Kennesaw State University. Dr. Whitman is the Program Coordinator for the BBA-Information Security and Assurance and teaches Information Security courses at the graduate and undergraduate level. He is also the Director of the KSU Center for Information Security Education.
Dr. Whitman is a prolific author of Information Security textbooks with over 9 titles in multiple editions. He works actively with the information security community and sponsors two major security-related activities through his Center - the Fall Information Security Curriculum Development Conference and the Southeast Collegiate Cyber Defense Competition.
1. Tell us a little about your experience prior to joining the Coles College.
Mike: From 1998-2012, I was on the KSU faculty with the Computer Science and Information Systems Department in the College of Science and Mathematics, until the department split and the IS faculty merged with the former BISM faculty to create the new IS Department.
From 1994-1998 I was an assistant professor of Management Information Systems at the University of Nevada, Las Vegas. Prior to that I was completing my MBA and Ph.D. in Management Information Systems at Auburn University.
From about 1986-1990 I served as an Armored Cavalry Officer with the 2nd Armored Cavalry Regiment, in West Germany, where among my other duties, I served as an Automated Data Processing Systems Security Officer (ADPSSO).
2. How did you get involved in the information systems department?
Mike: I was on the committee to transition the two IS groups, the BISM group and the former CSIS group, into the newly formed IS Department.
3. What do you find most rewarding about information security and assurance education?
Mike: This is an innovative and cutting-edge field. It’s always exciting to be on the forefront of a new discipline and to see it evolve. We started the ISA program in 2003 with just a few special topics courses, and now we have a bachelor’s degree, an undergraduate minor, a graduate concentration and two certificate programs. We are now pushing to make the entire BBA-ISA available online to those students who desire an online degree, without abandoning our current hybrid classroom/online approaches.
4. In a field that evolves so rapidly, what steps do you take to keep material current?
Mike: It’s extremely difficult to keep abreast of the technical changes in the discipline. A good reading program is a must for anyone in this field. I’m subscribed to several reading lists, from industry and government sources. I constantly review the NIST Computer Security Resource Center Library at http://csrc.nist.gov. Attending infosec conferences, and reading the trade magazines helps immensely. Researching in the field also supports keeping current, but most of my efforts to maintain currency stem from the preparation work we do to write and update our textbooks.
5. How do you approach writing an Information Security textbook?
Mike: Writing a 500-700 page book is an extremely daunting task. I assert that I don’t write an entire book, I create a detailed outline, and then write a paragraph on one of the subjects, then another, and another, and before long I’ve written a chapter. Repeat as needed. If you stop to think of the big project once the outline is developed, you can easily get overwhelmed. But the true secret to an effective text is the quality and diversity of the author team. Each one of us brings something unique to the table, and builds on the strengths of our co-authors, while helping to overcome any weaknesses. After we all get together and agree on the outline, I tend to be the one to create the first, rough draft. My co-authors then provide additional details and content, improve the writing and flow of the document and add the mandatory end-of-chapter content, like review questions, hands-on exercises, etc. that really make it a textbook.
6. Why do you feel it is important to host 2 separate events (The Fall Infosec Curriculum Development Conference and the Southeast Collegiate Cyber Defense Competition) at Kennesaw State each year?
Mike: These are really two distinctly different events aimed at different audiences. The Fall InfoSecCD conference is for faculty and students interested in pedagogical development and research in InfoSec. This is part of our DHS/NSA Centers of Academic Excellence in Information Assurance Education (CAEIAE) designation responsibilities to create and disseminate best practices in the teaching of information security.
The second event is more for the students, an intercollegiate competition focusing on the practice of information security. My colleague Dr. Herb Mattord and I attended a presentation at a conference in 2005 where the faculty team from the University of Texas, San Antonio presented their vision of the competition, and made the offer that the first university to volunteer to host a regional competition in support of their national competition program could serve as the regional coordinators. We volunteered and hosted our first competition in 2006, and have pretty much been hosting it every year since. Student teams from throughout the Southeast (from the Carolinas, through to Mississippi) compete in a virtual qualifier to earn one of the eight slots for the regional on-site competition held here at KSU every spring.
7. What do you see as the biggest challenges facing information security education?
Mike: Right now it’s industry support and buy-in. While we have a large number of organizations looking for our graduates, we find it difficult to find those industry partners willing to commit to providing resources to assist in their development. This includes sponsors for the events I mentioned earlier, as well as internships and cooperative study programs for the students. Those organizations that have provided support in the past tend to be on our “favored organizations” lists when students ask us which organization they should talk to during career fairs and job interviews.
Another challenge is keeping the technical materials current, as mentioned in the first question. The industry changes rapidly, in response to new threats. Good management practices tend to be more long-lived, but the technical approaches change and must be constantly reviewed and updated.
8. What advice do you have for students studying infosec?
Mike:
- Be diverse. Even if you think you want to go into a particular sub-discipline you should be capable of working in multiple areas of security. You never know what your organization will need in the future.
- Be a manager and understand project management. Focus on both managerial and technical areas of security. All security technical implementations are managed as projects, and eventually most technical security professionals have the opportunity for career growth into management. By studying and understanding the management of information security (risk management, policy, contingency planning, etc.) you will be better prepared for the next phase of your career.
- Read everything you can get your hands on. A good readership program is a must. You don’t want to sit down in a meeting and be asked “Did you hear about…” and not have an answer. Whether it’s a new attack, virus, technology, or disaster, you want to be up-to-date on the field and its current events.
9. Additional Comments?
Mike: Students interested in our degree programs should contact Dr. Herb Mattord, the BBA-ISA major, minor and certificate coordinator. Organizations interested in being more integrated with the development of future ISA graduates – including support and sponsorship of the conference and/or competition should contact me. We can both be reached at [email protected].
Thanks to Dr. Whitman for participating in our interview. You're an important mind in the infosec education community and we appreciate your time. Are you trying to build an information security program? Feel free to ask Mike further questions in the comments!
Do you run a similar information security program? If so let us know, we'd love to hear what you're up to (and perhaps feature you too!).