It’s hard to get through the day without reading a headline about cyber-security.
Last month Yahoo revealed that at least 500 million user accounts were hacked in 2014, a theft considered the biggest known data breach in history. An Oliver Stone-directed biopic about National Security Agency whistle-blower Edward Snowden is playing in cinemas. And a steady stream of leaked emails is shedding light on the backroom dealings of U.S. presidential candidate Hillary Clinton, who has accused Russian hackers of meddling in the election.
As the threat of cybercrime increases, so will jobs in the sector of security. Spending is expected to grow from US$22.45 billion this year to $101 billion by 2018 and reach $170 billion by 2020.
In response, Toronto-area post-secondary schools are beefing up their computer security offerings to attract students eyeing employment in the area.
“The fact that cyber-security came up in the presidential debate shows it is front of mind for a lot of people,” says Nicholas Johnston, a professor in Sheridan College’s school of applied computing. “So it’s natural that we’re seeing a bump in enrolment.
“As a field of study, it’s come into its own in the last decade or so,” he adds. “People have figured out how to monetize cybercrime so there are more attacks and breaches. That necessitates people with this skill set.”
Enrolment in Sheridan’s applied computing degree in information systems security, historically in the low 30s, has doubled last fall.
The undergrad program tends to attract students straight out of high school who are interested in technology but don’t want to go into areas such as programming or software development.
Courses cover penetration testing (in which students in labs hack into a system to learn its weaknesses or retrace a culprit’s methods), writing secure code, risk assessment, ethical hacking and digital forensics (a method of investigating cybercrime in a way that can hold up in court).
Graduates typically find jobs in consulting firms that service corporations and financial institutions, with starting salaries ranging from $60,000 to $80,000. Johnston knows a handful of alumni who, a few years out of school, are making well over six figures consulting for major organizations.
“I still see a lot of people going into roles where they are service providers,” he explains. “It’s an expensive operation to bring in-house because of the demand for jobs and salaries. If you’re a smaller company, you’re going to hire someone else to do security.”
In Canada, it is hard to grasp the complete picture. Although almost all U.S. states have passed laws mandating that companies, governments and educational institutions notify people of security breaches involving personal information, the Canadian government has yet to enact data breach reporting rules.
Proposed regulations were released in June as part of the federal Digital Privacy Act, but are not yet in force.
The newness of the field and the lack of regulations means many ethical hackers and organizations are unfamiliar with laws around the handling of evidence related to cybercrime.
In 2011, Ryerson University’s G. Raymond Chang School of Continuing Education launched a computer security and digital forensics certificate program, expecting to attract self-taught IT enthusiasts or “white-hat hackers.” Instead, another constituency showed up.
“In a word: cops,” says Alex Ferworn, academic coordinator for the Chang School program. “There’s a whole subculture within the security community of police officers who have been pushed into the field.”
The program ties together technology, how to attack and defend against digital attacks and maintain a chain of evidence so it will be compliant with Canadian law. For that reason, many of the 25-odd students who enroll in the program each term are from the law enforcement, government and insurance sectors.
Employers are increasingly demanding certification. There are several certifications that security experts can get to bolster their resumés, such as the certified information systems security professional (CISSP) or certified information security manager (CISM), but a certification for chief information officers does not exist yet. Thus, training becomes important since CIOs are legally required to maintain privacy and security.
Although it’s an online program, Ryerson’s – like Sheridan’s – has a contained lab where students can experiment on penetration techniques on a network that has not been connected to the net. They launch attacks in virtual environments and defend against attacks set up by the school. A lot of the work involves sleuthing through data logs and numbers.
York University is preparing to launch a continuing education program in November through its continuing studies school. The six courses are based on the CSSIP certification and cover encryption, secure software development, incident management – including forensics – and physical security.
As hackers target hospitals and electrical grids, the field becomes interconnected with wider security planning.
Cheol Joon Baek
Ed Dubrovsky, York University
“That is becoming a really key aspect of the field because of how much technology can influence our day-to-day lives,” says Ed Dubrovsky, a York instructor and the national security director for tech service provider OnX. “So it’s not as simple as saying you want to be in that field and then going out to find a job – although the market is starving for new resources and people.”
Once in the field, graduates have to contend with a constantly changing landscape. They will not only encounter new breaches, email scams and viruses, but all the new platforms and devices that companies are rushing to adopt.
After completing an undergrad in civil engineering at the U of T, Chandra Cureton switched into the IT sector and completed the Chang School certificate in hopes of breaking into IT investigations. She has since started an investigations service through the company Iridium ITI, a division of Onyx Investigations and Security. She mainly deals with salvaging data from busted and corrupted cellphones and computers, but previously investigated insurance fraud for consultancy King-Reed (now Canpro King-Reed).
“Breaking into the field where you can provide digital forensic services is hard because you’re dealing with lawyers, the police and evidence that could go to court,” she says. “To get your foot in that door, you need a lot more experience.”
Once she finished the certificate program, the enormity of the field suddenly hit her. Cureton mainly works on a lot of desktops and servers, but then there are tablets, mobile phones and other potential new devices that could come out with completely different back ends.
“You have to pick an area and focus on it. Otherwise you’ll never keep up on technological changes that keep happening,” she says. “That’s where the gap is: people say, ‘Ooh, this is a nifty new toy. I’m going to implement this in my business!’ When something goes wrong , there’s nobody who’s an expert in it yet to figure out how to fix it.”
“School was a great introduction,” she continues. “When it was done, I said, ‘This has been an amazing course. What do I need to learn now?’ My instructor said, ‘You have all the tools you need – now just do it.’ It was important to hear that because you just don’t know what you don’t know.”
Where to study: cyber-security
CARLETON UNIVERSITY (Ottawa) Computer and internet security: $10,281/year. carleton.ca
CONESTOGA COLLEGE (Kitchener) Computer application security, information technology security network: $6,326/year. conestogac.on.ca
DURHAM COLLEGE (Oshawa) Information systems security – computers and networking: $4,266/year. durhamcollege.ca
FANSHAWE COLLEGE (London/Woodstock) Cyber-security: $Not yet announced information security management: $2,050 online: $1,783/term. fanshawec.ca
FLEMING COLLEGE (Peterborough) Computer security and investigations: $3,855/semester. flemingcollege.ca
GEORGE BROWN COLLEGE (Toronto) Network and system security analysis: $11,325/three semesters. georgebrown.ca
GEORGIAN COLLEGE (Barrie) Information systems security: $13,667/program. georgiancollege.ca
HUMBER COLLEGE (Toronto, Lakeshore campus) Protention, Security and Investigation. Four-semester course, $3,740 for two semesters. humber.ca
MOHAWK COLLEGE (Hamilton) Computer systems technology – network engineering and security analyst: $2,836/year (plus fees). mohawkcollege.ca
RYERSON UNIVERSITY G. RAYMOND CHANGE SCHOOL OF CONTINUING EDUCATION (Toronto) Certificate in computer security and digital forensics: $793/per course, law for forensics professionals: $832/course. ce-online.ryerson.ca
SENECA COLLEGE (Toronto) Honours bachelor of technology – informatics and security (co-op): $8,037/semester. senecacollege.ca
SHERIDAN COLLEGE (Oakville) Honours bachelor of applied information sciences
(information systems security): $8,177/year. sheridancollege.ca
UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY (Oshawa) Information technology – networking and information technology security, information technology security: $9,458/year. uoit.ca
UNIVERSITY OF TORONTO SCHOOL OF CONTINUING STUDIES (Toronto) Cyber-security management: $745/per course. rotman.utoronto.ca
UNIVERSITY OF WATERLOO (Waterloo) Bachelor of computer science: $12,972/year. uwaterloo.ca
WILFRID LAURIER UNIVERSITY (Waterloo) Honours bachelor of business administration: $8,162/year master of business administration: $28,609/program. wlu.ca
YORK UNIVERSITY (Toronto) Certificate in cyber-security fundamentals: $2,985/program certificate in advanced cyber-security: $3,885/program both programs at once: $6,270. yorku.ca/continue
kevinr@nowtoronto.com | @kevinritchie
