Only three of the top 50 university computer science programs in the United States require students to take a cybersecurity course, and many don’t even offer a class on the subject, according to a recent study by CloudPassage, a cloud computing security company.
“You know the situation is bad when companies like Bloomberg, Facebook, Google, and Microsoft are creating their own cybersecurity programs to train employees,” says Ming Chow, senior lecturer in the computer science department at Tufts University, in Medford, Mass. Chow and IEEE Member Roy Wattanasin are working to prepare their students for the security issues they’re likely to face in the workplace. Wattanasin, a health care information security professional, teaches an online course through the Rabb School of Continuing Studies at Brandeis University, in Waltham, Mass.
“Students graduating from today’s computer science and engineering programs are not cutting it. They are not qualified to fill cybersecurity positions,” Chow says. A report from Cisco shows another 1 million cybersecurity jobs are being created this year worldwide. And more than 200,000 job openings in cybersecurity are going unfilled in the United States alone, according to the Federal Bureau of Labor Statistics.
Chow and Wattanasin gave a presentation called “The Cybersecurity Education Gap: What Do We Do Now?” at the 11th Hackers on Planet Earth (HOPE) conference in July. The Institute attended the biannual event organized by 2600 magazine.
ON THEIR OWN
Wattanasin’s class on health and medical information systems security is mandatory for Rabb School students. Others can take the class as an elective. “There are security breaches in the health care industry nearly every week,” Wattanasin says. More than 11 million health care records have been exposed this year, according to the HIPAA Journal.
“Security should always be integrated with the software when developing medical devices, health care software, and electronic medical record systems, and not bolted on at the end,” Wattanasin says.
One of the main problems with cybersecurity education, Wattanasin says, is there is no template for instructors to follow. Instructors have to create their own curricula, if they even cover the subject at all. When Wattanasin surveyed computer science programs with regard to cybersecurity at universities in the Boston area, he found that no two lessons within computer science courses were alike. And no school offered a course specifically on cybersecurity. Such fragmented education means employers don’t know what their would-be employees actually learned in school, he says.
“The cybersecurity field is so big,” he says. “Some students might have learned about risk assessments, others about theory, while still others were taught to search for vulnerabilities that can be exploited.”
Also, programs that do touch on cybersecurity often focus on the theoretical. They don’t deal with real-world lessons, he says, such as understanding how a hack on a major retailer or a hospital occurred and learning how to keep it from happening again. Because his course is geared toward working professionals, he has his students perform tasks related to their jobs, like having them conduct risk assessments of their organizations’ systems to point out vulnerabilities.
CLOSING THE GAP
The skills gap is so wide, he says, that employers are recruiting from other fields, like biology and law, to find talent. People in such fields, he points out, have learned skills required of cybersecurity professionals, such as problem-solving and finding flaws in human and legal systems, which can translate to computer systems.
But to get hired, those professionals must first be certified in cybersecurity by organizations, such as CERT, Cisco, Learning Tree, or the McAfee Institute. But earning the certifications could take as long as a year.
Some employers hire hackers, because they have proven they already know how to find vulnerabilities.
Many of today’s vulnerabilities have been around for 15 to 20 years, Chow says, yet universities still are not addressing them. That includes so-called cross-site scripting, a vulnerability typically found in Web applications that enables attackers to bypass access controls.
According to Chow, university programs are not teaching about such vulnerabilities because most instructors have never worked in cybersecurity. There is a disconnect between what they teach and the knowledge required in the real world, he says. He encourages teachers to spend time in industry building secure software. “Otherwise we’ll still be having this same conversation years down the road,” he says.
Chow is partnering with the Fletcher School of Law and Diplomacy and Tufts to create a joint program with computer science students. Future policymakers should understand the issues involved with cybersecurity, he says, and students developing computer programs should understand policy on cybersecurity. He points to the U.S. government asking technology companies to build back doors in their systems, and how that could be dangerous in terms of security.
Wattanasin suggests that if a university does not offer a course in cybersecurity, it should at least make its students aware of other learning opportunities, such as conferences, online courses, certification programs, or possible mentors who’s are cybersecurity experts. He points to free online videos on YouTube, often of papers presented at cybersecurity conferences. The IEEE Cybersecurity Initiative recently launched Try-CybSI, an interactive platform that allows people to experiment with cybersecurity code and data.
Chow and Wattanasin are cautiously optimistic. For one thing, the U.S. National Institute of Standards and Technology has launched NICE, the National Initiative for Cybersecurity Education, to help close the skills gap. Among its goals, it aims for cybersecurity to be covered in preuniversity classes to get students interested in the subject, and to improve cybersecurity education overall. It also plans to get people from underrepresented groups to consider the cybersecurity field.
“In the long term,” Chow says, initiatives like NICE could be “a game changer.”