Is Cybersecurity Education Failing?

There’s no doubt that tech pros with security expertise are highly sought after. Yet in the face of that demand, it seems that schools are having a hard time producing enough graduates to fill open security jobs.

A new study of 121 university programs, conducted by an independent consultant contracted by cloud-based security provider CloudPassage, found that not one of the top ten U.S. computer-science programs (as ranked by U.S. News & World Report in 2015) requires a single cybersecurity course for graduation. In fact, only one of the top 36 U.S. computer-science programs demands such a course (for those keeping score at home, that’s the computer-science program at the University of Michigan).

CloudPassage CEO Robert Thomas suggested that, when you consider how cyber-attacks are driven more by organized crime and hostile governments armed with sophisticated tools and lots of funding, the average IT organization is operating at a distinct disadvantage. “All you hear over and over again is how many open security positions there are… Frankly, it’s only going to get worse.”

The U.S. government alone is looking to hire 1,000 IT security workers by the end of June. Not only are such professionals hard to find, but the government isn’t generally competitive when it comes to salaries. As a result, some pundits doubt that federal agencies will achieve that hiring goal.

Christopher Key, CEO of Verodin, a security start-up focused on automating the testing of security defenses, thinks it’s hard for IT security professionals to keep up with the latest trends, never mind universities and IT generalists. “We think organizations need to first think more about the effectiveness of the money they already spend on security,” he said. “They need to measure if they are actually getting better at providing IT security.”

The bigger issue is to what degree IT security issues have dampened the willingness of organizations to launch new digital initiatives. While becoming a “digital business” is clearly all the rage these days, there’s a lot of security risk associated with such projects.

Greg Richey, director of professional services for Ingram Micro, an IT distributor that provides support for thousands of small to midsize IT services providers, hasn’t seen a slowdown in the number of projects launched to deal with potential vulnerabilities. The issue isn’t the number of security professionals, he thinks; it’s the quality.

“I can find plenty of IT security people,” he added. “Finding good IT security people is another matter.”

In the absence of well-qualified IT security professionals, there’s a lot of interest in IT security automation. That means the use of machine learning algorithms and other forms of artificial intelligence; PatternX, for example, uses A.I. to provide “virtual security analysts” that eliminate many of the lower-level tasks that human security analysts perform manually. But someone still needs to make sense of all those security reports to determine the true nature of a particular threat.

In the meantime, any tech professional who wants to expand the scope of their IT security skillset must commit to continuous education. The threats that need to be addressed evolve on a weekly basis, both in sophistication and lethality. It’s not a job segment for the faint of heart.

Image Credit: adike/Shutterstock.com

Comments

3 Responses to “Is Cybersecurity Education Failing?”

April 21, 2016 at 7:30 am, LR said:

As it should be. Aside from cryptography, what does cybersecurity have to do with computer science?

April 21, 2016 at 10:16 am, Ron Frechette said:

The real issue is the approach of the software/solution with understanding and implementing security. Example: Is the common code you are using, that was gotten from “open source resources”, really clean of backdoors? This is specifically something that a CS student should be taught to look for and how to find. To push to have a job done quickly and cheaply is part of the risk assessment that is not really being done by Senior IT Managers (aka Finance driven). So when there is a breach/break-in, is the Senior IT Manager who drove the Risk vs finance decision paying the price of their shortsightedness?

August 13, 2016 at 9:01 pm, Brian B said:

How about the fact that companies do not see the need to train people on staff for IT security? Every company is looking for people with a lot of experience in IT Security. I have seen entry level IT Security jobs asking for 2 to 4 years' experience. That is not entry level. Yes, it is true some employees trained in IT Security may leave; that is just the nature of doing business.
