"A friend of mine was part of a team assigned to build a networking product. Just as they were finishing up, someone asked, 'What about security?' At that point, it was a little late to do much about the system's security architecture, so they ultimately rolled out the product with a sprinkling of security sugar. The customer, who didn't even know how to ask for security, was pleased and probably will be until disaster strikes. This is just one example of the insufficient attention paid to security engineering and the secure use of computers. Companies are often unaware of even the most rudimentary procedures for securing their systems, while in the computer industry careful security engineering is left in the dust of rapid release cycles. Although awareness is increasing about the need for better computer security, to actually move in that direction we need people who know what they want, people who can build secure systems, and people who can manage those systems so they stay secure. For three days last January, an international group met to discuss some of these issues at the First ACM Workshop on Education in Computer Security, held in Monterey, California. Representatives from 20 universities and a sprinkling of information systems security employers from industry and government were invited to attend based on position papers they had written. The group's task was to discuss ways to address the impending crisis in information security education. Among the questions addressed were articulating the diversity of information security education requirements for different careers and the need for training and retaining security experts in education."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/
IEEE Software (September/October 1997), v.14 no.5, p.110-111