Breaching the Norm in Cybersecurity Education
Cybersecurity should be a priority. In 2014, nearly half of all Americans had personal information exposed as result of cyber attacks which cost billions of dollars for the affected businesses. As our economic and social lives continue to shift increasingly into the digital realm, these breaches of privacy and property are a serious concern. Consumers should be asking themselves who is responsible for protecting them online and why compromises are so prevalent.
Computer security is a broad field, encompassing everything from hardware and software design to deployment of servers and system administration. So, one might expect that cybersecurity would be a focus of both electrical and computer science engineering programs, as well as a standalone degree option offered by universities that take tech seriously. But that couldn’t be further from the truth.
According to a 2016 study by CloudPassage, the majority of schools in the United States earned an “F” grade for incorporating security into their computer science programs. Not one of the top 10 universities requires even a single security course for graduation. Typically, one class is offered as an elective. In the best case, a school might have ten electives for CS undergraduates. Focused study on security is reserved for graduate programs, except at a handful of universities that do offer undergraduate degrees.
Let’s consider what this means for a moment: of all the developers building the websites and software that we trust every day, many have only had the opportunity to take one class on security, if they opted to. Surprised? “I wish I could say these results are shocking, but they’re not,” said Robert Thomas, CEO of CloudPassage. He goes on to point out that 200,000 cybersecurity jobs were open in the U.S. in 2015 and that cyber threats are only growing.
To prepare the professionals that will protect our cyber assets, we will need to take a different approach. While developers should be trained on the essentials of securing code from the ground up, we don’t need to be training every cybersecurity professional on software development. But that’s what happens when an undergraduate CS program is a prerequisite to the graduate level security programs that are available. Furthermore, these students are taking a few extra years to complete a Master’s degree and then finally enter the workforce.
While the need for change may be clear, universities are slow to do so. The problem is heightened by a lack of qualified teachers for cybersecurity courses, which makes sense given the great demand in industry. We can’t wait on our institutions of higher education to recognize and act on this deficiency — the threat is simply too urgent. What we need instead are fast tracks that put students directly into contact with the systems and they will be working with in their careers.
What might this look like? Taking inspiration from alternatives for computer science education like code bootcamps and academies, we could be offering short term, highly focused programs that aim to place participants directly into a certain cybersecurity position. Existing firms could offer internships, or even partner with universities to create and deliver the necessary curriculum. The businesses that need to hire security professionals could work together to make innovative new training programs a reality. And those are just a few ideas to start.
Creative problem solving is central to the spirit of technology, especially in the age of computers. Right now, we are faced by a massive and looming issue that affects everyone who relies on digital devices, regardless of how little they might understand the risk. We cannot depend on unresponsive institutions to keep up with the dynamic challenges of cybersecurity, and we cannot afford to neglect the inadequacy of cybersecurity education any longer.