If recent headlines about attacks on our privacy make one thing clear, it’s that there is a lot of work to do in the world of cybersecurity. Whether it’s Verizon accidentally exposing the personal data of 14 million subscribers, thieves stealing details about the hacking tools used by the CIA, or a Russian computer whiz hacking into academic institutions around the world, the vulnerability of our digital world is in the news nearly every day. Even so, a close look at cybersecurity education at the university level reveals a gap between what students are learning and the kinds of skills employers are looking for in the workplace.
Nearly two-thirds of all Americans have been affected personally by some kind of data theft, according to a 2016 Pew Research Center survey, including fraudulent credit card charges, stolen sensitive information such as Social Security or financial account numbers, identity theft, and hijacked email accounts. U.S. companies and government agencies suffered 1,093 data breaches in 2016, according to the Identity Theft Resource Center, a nonprofit that helps identity theft victims resolve their cases. One out of four companies is expected to experience a breach in the next two years, research firm the Ponemon Institute said earlier this year. It’s no surprise that cybersecurity programs are popping up in colleges and universities around the country, filled with students interested in acquiring relevant and highly employable skills. At NYU’s Tandon School of Engineering, undergrads majoring in computer science or computer engineering have the option of minoring in cybersecurity. NYU, Columbia, and Pace all offer master’s programs in cybersecurity.
Yet it remains a relatively new field in academia, having arrived on campuses within the past five years. There still aren’t many schools offering specialized cybersecurity programs, and the majority of universities don’t require students to take security courses when enrolled in related programs, such as computer science, information systems, and engineering. For Columbia undergrads, none of the security courses — such as introduction to cryptography, security architecture and engineering, or secure software development — are core requirements. Similarly, students enrolled in computer science at CUNY’s City College study programming, operating systems, and databases. Computer security is offered as a theory and application elective. Without consistent accreditation or even agreement on what needs to be included in a cybersecurity curriculum, security experts warn, most of these programs are not doing nearly enough to prepare students to tackle the security challenges that await outside academy walls.
There are currently 137 institutions that the National Security Agency has designated as “Centers for Excellence in Cybersecurity Education and Research,” but only a quarter of these offer specialized cybersecurity programs at the undergraduate level. NYU has the NSA designation and offers a security minor and that master’s program; the New York Institute of Technology offers a network security concentration for undergraduates and a master of science in information, network, and computer security. Pace doesn’t offer a security concentration for undergraduate computer science and information science students, but offers it for information technology majors and master’s candidates.
CyberSeek, an interactive online career information tool run by the National Institute of Standards and Technology, estimates that there are currently about 300,000 unfilled security jobs in the United States. That number is expected to skyrocket to 3.5 million by 2021, according to CyberSeek’s estimates. If each NSA-accredited program graduates about 90 students each year, that’s about 12,300 newly minted cyber-defenders. To fill the expected number of job openings, these programs would need to graduate some 26,000 students annually, or more than double the current number.
“If we assumed — and I think it’s right to assume — that universities are a large source of computer security education employees, we’re currently able to produce around 50 percent of the requirement for what organizations really need and want,” said Chaim Sanders, an adjunct professor at the Rochester Institute of Technology and researcher at security company ZeroFox.
More worryingly, academic departments can’t seem to agree on what exactly these students should be studying. The field is still evolving and includes not just learning cryptography, but also writing software that is safe to use, protecting networks and computers (and mobile devices) from attackers, and addressing hardware vulnerabilities. While there is nothing wrong with specializing — after all, the skills to protect networks are different from those to write secure code or design secure devices — everyone is coming out with a different type of security foundation.
Because cybersecurity is intrinsically linked to computer science, engineering, and information systems, many institutions use these fields to establish the baseline curriculum. There is a problem with that approach, though. Accredited computer science degree programs follow Association for Computing Machinery curriculum guidelines, which require only three to nine lecture hours on security for a four-year computer science degree. A 2016 analysis by security company CloudPassage found that none of the top ten undergraduate computer science and engineering programs at American universities (as ranked by the U.S. News & World Report) required its students to take a cybersecurity course in order to graduate. The University of Michigan, ranked twelfth, was the only of the top thirty-six programs with a security requirement. The University of Alabama, unranked on this list, was the exception, as it requires students to complete three security classes as part of the information systems degree and four security classes for the computer science degree.
Locally, Pace University offers eight security electives. While Columbia University offers a computer security track within its graduate computer science degree, the only security electives offered to undergraduates are cryptography-related. “The curriculum guidelines that are there say these programs are supposed to teach security, but they’re not actually assessing the security knowledge that students are getting all that much,” said Rob Olson, a Rochester Institute lecturer who teaches programming, mobile security, and web app security and who presented with Sanders at this May’s Black Hat Briefings, a computer security conference.
Given that many schools rely on the NSA designation as a form of accreditation — that imprimatur qualifies schools to receive grants from the government for cybersecurity improvements — it’s not surprising that their programs are geared toward what the NSA requires of its workforce, which might not be applicable to the private sector. One of the NSA designations focuses on offensive capabilities, which would be useful for future NSA employees dealing with nation-state attacks, but not so much for private enterprise; if the school has the CAE Cyber Offense designation, those students will not have the kind of defensive skills employers are looking for. And while the Cyber Defense designation covers those skills, it requires students evaluating different programs to know, first, to look for those with the NSA stamp of approval, and second, to know the details of each designation. Students have to look at the coursework to see whether the program’s emphasis is on defensive security, offensive research, or policy, and to know the difference.
“There is no harm in knowing these things, but a typical consulting firm or security team may not need to know them for their daily jobs,” Sanders said, noting that more practical topics, such as cloud security, virtualization, and secure software development are all relegated to optional coursework. A well-grounded computer security program should cover fundamentals in security assurance, introductory cryptography, and system administration, Sanders said.
Unfortunately, there is negligible support from the industry to change the accreditation because of the impression that if it’s good enough for the NSA, it should be good enough for the basic enterprise. Universities don’t want to lead the way because it costs money and takes a lot of work to be accredited. As long as prospective employers and students don’t demand changes, there’s little incentive for schools to create guidelines that everyone can follow.
The other reason security education is so inconsistent across different institutions is that the curricula are designed to fit within the originating department, and a security track within an existing department will reflect the department’s original focus, Sanders said. If cybersecurity is being taught as part of an overall computer science program, it may include cryptography and application security, but an information technology program will emphasize network security and virtualization. If it is part of an engineering program, the focus will be on embedded systems, and an information science program will be policy-driven and emphasize compliance, risk analysis, and supply chain. When evaluating programs, students are left to navigate this maze on their own, to figure out what kind of training they will receive. The underlying foundation will determine the kind of instruction they will receive in software security, penetration testing, anomaly detection, or security economics and metrics.
“Some of the students who are coming out with these more historic versions of the accreditations and designations are maybe not as well prepared as some others,” Sanders added. “And it’s very difficult to determine which is which.”
As a result, even the best security programs tend to focus more on theory and less on practice. While some on-the-job training is to be expected, employers need a way to understand how effective the coursework was in preparing the student for real-world security challenges. One way universities can keep their curricula relevant is to work with alumni in the industry or develop deep industry partnerships with different companies to act as visiting lecturers, provide internships and mentoring, and get guidance on what kind of courses and skills are needed. Tech giant Intel, for example, worked with Cal Poly Pomona to build the PolySec Cyber Security Lab, where students can learn how to protect critical infrastructure such as smart grids and industrial control systems. Intel security experts also work with university professors around the country as part of the Intel Security Curriculum Program to develop security content. NYU has its Hacker in Residence, a security expert from the industry who curates some of the classes in the School of Engineering’s Department of Information Systems and Internet Security.
All of which is to say: Somewhat ironically, in order to bridge the gap between what gets taught in the classroom and what kind of skills employers are looking for, the rapidly expanding field of cybersecurity needs to break down barriers, not put them up. As Sanders put it, “There needs to be communication between academia and industry to better prepare students for the real world.”