Low faculty salaries contribute to the shortage of trained security specialists.
In October 2000, Dr Eugene Spafford was given the NCSC (National Computer Security Center) Achievement Award for 2000 at the 23rd NISSC (National Information Systems Security Conference) in Baltimore. In his plenary address, Dr Spafford stated that universities are unable to compete with the salaries available to students graduating from INFOSEC (information security) programs. "We are eating our seed corn," said Dr Spafford. The reality of that statement hit me forcibly a few weeks ago when I was discussing salaries at a university where I may be an associate professor next year. A full professor -- the top rank in the teaching hierarchy -- earns a maximum salary of around $80,000. That's easily less than one half of the income such experts could earn in an equivalent industry position in research, development, and consulting. Some private universities can pay more, but not by much compared with the much wider range of salaries in industry.
Apologists for the low salaries claim that academics work only part of the year; however, all the professors I know work hard to stay up to date and to write papers and books.
Even the pay for adjunct instructors -- often drawn from industry -- is below par. For example, the university where I will teach pays $50 per contact hour (and nothing for preparation time, grading or help to students). Put these fees in context by recalling that in contrast, commercial teaching organizations typically pay instructors $1,000-$1,500 a day and those of us with higher demand for our time charge several times that (e.g., my fee for a one-day course is currently $7,000 plus expenses and travel time).
We are making a mistake by underpaying our academic colleagues. Teachers play much the same role in society as a valve does in a hydraulic system: they control the flow in the process. Without teachers we suffer from an inadequate supply of security specialists -- as many recent news stories about the state of INFOSEC will attest.
The blinkered response of industry to the shortage of security specialists has been to increase salaries -- the classic supply/demand reaction. Free-market ideologues insist that the market value of a university degree in INFOSEC should rise accordingly, much as the price of a medical degree or of an MBA is higher than the price of a Baccalaureate at the same university. With the rise in revenue from students should come an increase in salaries for professors to teach those courses -- or so the theorists would have us believe.
Alas, it's not so simple. Student fees are only one component of revenue for academic institutions, and faculty salaries are certainly not the only drain. Because money is fungible, ideal market forces are unable to influence faculty salaries directly.
The other problem is that we are in stuck in a stable-unsatisfactory social-feedback system (otherwise known as a Catch-22). Low faculty salaries contribute to the paucity of students trained in INFOSEC and therefore to higher salaries for those graduates who are so trained -- and so the gap between faculty salaries and industry salaries grows.
What about government intervention? Recent announcements of funding for Centers of Excellence in INFOSEC training will certainly help specific institutions. However, getting the grants depends in some measure on having established programs and qualified faculty, which in turn depend in part on getting the grants -- another Catch-22.
So where does all this leave us?
I think industry ought to fund endowed chairs at many universities for INFOSEC studies. An endowed chair draws a professor's salary in part from the interest on donated capital. Taking a conservative estimate of 5 percent return on investment and a generous allowance of 1 percent to be kept back to compensate for currency inflation, we could fund a $150,000 salary for a professor of INFOSEC with an endowment of $3,750,000. True, this amount wouldn't cover ancillary expenses and mandatory contributions to university overhead, but it would be a start.
Such a sum may seem astronomical to wage-earning peons like me (and perhaps most of my readers) but it is in the range of salaries and bonuses paid to quite a few top executives. Let's not even get into the question of baseball players, some of whom recently have gotten contracts in the tens of millions of dollars per year.
Perhaps only a few of the very largest corporations or the wealthiest individuals could afford such donations as a single payment, partly because shareholders and employees might object. However, there is nothing to stop businesses from banding together to contribute collectively to such a project.
I suggest that INFOSEC organizations promote nationwide fund-raising drives to endow chairs at suitable institutions. These organizations would probably not be able to supply funds themselves, but they could provide invaluable volunteer-power to canvass their members' employers.
Some respected candidate organizations -- both non-profit and for-profit -- include (in no particular order) the Information Systems Security Association (ISSA), the International Information Systems Security Certification Consortium (ISC)2, the Computer Security Institute, the MIS Training Institute, the High-Technology Crime Investigation Association (HTCIA), and various vendor consortia of ICSA Labs; and security subgroups in technology associations such as the Information Technology Association of America (ITAA), the Institute of Electrical and Electronic Engineers (IEEE), the Association for Computing Machinery (ACM) and various platform-specific associations such as the HP-oriented INTEREX and the Digital-Equipment-centered DECUS. Members of other bodies will surely want to get involved.
All of these organizations have either volunteer members or paying clients who are loyal to the aims and services provided. Some have corporate members who might be interested in supporting endowments. Most important, all of the people and organizations can go into their business and personal communities and look for funding not only from vendors in the INFOSEC arena but even in the wider community affected by the lack of enough INFOSEC teachers and researchers. Banks, e-commerce businesses (those that haven't failed in the market downturn), telecommunications companies, Internet service providers, manufacturers, insurance companies, transport companies, even health-care organizations -- all these enterprises would benefit from an improved supply of trained information-security graduates.
If anyone is interested in working towards such a project, contact me and I will put volunteers in touch with each other. Write to me at email@example.com with your comments and suggestions.
M.E. Kabay, PhD, CISSP, is security leader of the INFOSEC Group at AtomicTangerine, Inc. Copyright © 2001 M. E. Kabay. All rights reserved.