Naked Security

Do US universities deserve an “F” in teaching cybersecurity?

A recent survey of 122 leading university computer science programs seems to think so.

The US alone has 210,000 cybersecurity jobs going unfilled, according to one recent estimate.

What’s more, the world’s next generation of programmers and IT pros are going to need a deep understanding of security, even if they aren’t “cybersecurity specialists.”

So, are they learning the security skills and mindsets they need? Not in the top universities in the United States, argues CloudPassage.

The topline claim from the company’s survey of 122 leading university computer science programs: US Universities Get “F” For Cybersecurity Education.

That’s a startling claim, so it’s worth exploring and reflecting on CloudPassage’s survey in a bit more detail.

CloudPassage’s research firm began by identifying the top 122 computer and information science programs in the United States, drawing on widely used lists from US News, Business Insider, and QS World. Next, it set standards for grading those programs. How many undergraduate courses in cybersecurity do they offer? How many are required for a student to earn a major in the field?

So, for example, to earn an “A,” a university would need to offer at least three courses in cybersecurity, and require computer or information science majors to take at least two. Not one of the nation’s top 50 programs met that standard; one school that did was the University of Alabama.

Conversely, eight of the top 50 universities offered and required no undergraduate courses in cybersecurity, thereby earning an “F” from CloudPassage. And no fewer than 28 of the top 50 programs earned miserable “D”s by offering no more than three cybersecurity courses while still requiring none.

CloudPassage didn’t discriminate in handing out these awful grades: “D”s or “F”s showed up in Ivy League schools, legendary engineering and technical universities, highly respected public and private universities, you name it.

A smaller number of institutions did shine in CloudPassage’s survey – including Rochester Institute of Technology and Tuskegee University, each offering 10 security courses; DePaul with nine; and the University of Maryland with eight. (Fear the turtle! Sorry, inside joke there.)

So, what exactly does this mean? That’s harder to say. As CloudPassage CEO Robert Thomas says:

We […] need to train developers, at the very earliest stage of their education, to bake security into all new code. It’s not good enough to tack cybersecurity on as an afterthought anymore. This is especially true as more smart devices become Internet accessible and therefore potential avenues for threats.

And there’s the rub. It’s significant and troubling if top students can earn undergraduate degrees in computer and information science without ever taking security into account. But the research doesn’t answer another question: is security “baked into” the other courses they’re taking?

Do they learn cryptography and cryptanalysis in ways they’ll be able to use? Do their networking courses address access control, or firewalls, or secure protocol design, or penetration testing? Do their programming courses teach best practices for designing and writing more secure code, and testing security? Do their operating system courses discuss privilege control? Are their senior coding projects judged on security as well as other aspects of quality?

If so, they may be learning a good deal of cybersecurity, even though their transcripts never use the word.

Admittedly, that’s a big “if.” But it’s an important question, no matter that it’s harder to answer. So, too, is another question: How good are the cybersecurity courses that do exist?

Those questions aren’t answered by CloudPassage’s study. But maybe someone else will try to answer them in the future.

If nothing else, those “Ds” and “Fs” will get the attention of a whole lot of university deans and department heads. Which can only be a good thing for all of us.


10 Comments

In some aspects you need to cut them some slack. Security has a crap ton of subjects and specialties within it. They can’t teach the kids everything they need to know, and in most cases it’s all theory until they get boots on the ground. The kids need to focus on a specialty and really need to WANT to learn it outside of Universities that are stuck in the traditional ways.

Don’t get me started on the flock coming out of schools now who are just looking for a paycheck because it’s the hot topic.

Reply

You’re absolutely correct, but that’s why the education needs to start yesterday instead of tomorrow. If the introductory courses continue to lack even the tenets of basic security, in 2025 the current flock will be right where numerous Flash and JavaScript (and other) developers are now.

I suspect a lot of them would _like_ to be better at security–albeit when they’re reminded of security–but they’re simply not wired to think that way and will require a complete retooling of basic concepts in order to incorporate the mentality which should’ve been nurtured from the outset.

Reply

So how many top security experts do you know that are willing to utilize their skills to earn a teacher’s salary?

Reply

There are a few institutions of higher learning that are committed to turning the tide. While it may not be a university, the SANS Technology Institute (www.sans.edu) is making a difference…
Disclaimer: I am a former instructor for the SANS organization (www.sans.org).

Reply

Related question: do US universities actually practice IT security (“in house”) in an effective way, or is it just another layer of mostly absurd, wasteful compliance bureaucracy that does more to advance careerism and ineffective administration? (rhetorical question)

Reply

typo, third-to-last paragraph: “…no matter than it’s harder to answer.”

You’re right; that *is* a big “if.”

Good article, thanks Bill.

Reply

Fixed, thanks. (That typo wasn’t Bill’s…it was introduced by me during the very final edit, heigh ho :-)

Reply

“But the research doesn’t answer another question: is security “baked into” the other courses they’re taking?”

This reflects the Business School Question: are ethics “baked into” the other courses?

Security (and Ethics) can’t be an add-on. When do you teach it? At the beginning to prevent bad practices but before the area to which it is applied is understood? At the end when bad practices are already developed but the general field is better understood? Or is it baked in and then at a late stage some form of “audit” module is taken to teach how to check that good security practises (or ethics) have been applied (to the business not the course!)?

Reply

What do the universities noted in the article have in common? (Univ of AL, Rochester, DePaul and Univ of Maryland). They all are a National Center of Academic Excellence in cyber defense achieved thru NSA/DHS. The process to become a CAE-CD university is very rigorous proving that cyber security is embedded in your curriculum/academic program.

Reply

I have been a part of two cyber security academic programs. This report concerns me if this is the national norm, because it is far from my experience. Students were educated on VPNs and Firewalls, Penetration Testing, Access Control, FTK/Data Recovery, Digital Crime and Law, Programming languages, Malware Analysis, Reverse Engineering, Information Security, Cellular and Wireless Securities, Kali Linux’s tools, and several Linux, Windows, and Apple operating systems and servers just to name a few of my program related courses. Students participated in several real-scenario based national competitions. There are many courses that have prepared me for the hands-on application, but ultimately it is what I choose to do with the tools they gave me. Cyber Security is not something you take a few classes and master. That is why I love it! Ever evolving threatscapes, and never stagnant technology require anyone in this industry to keep learning! If you are looking for a strong foundation I encourage you to audit some Cyber Security courses at Western Iowa Tech Community College, where they have an incredible hands-on program, or Dakota State University which is a National Center of Academic Excellence in Cyber Operations through the NSA, and their enrollment is over 40% women. Neither of these programs were included in any of the research that sourced the basis for this article.

Reply
