At this point, it’s almost common knowledge: the demand for qualified cybersecurity professionals far outweighs the supply.

According to IT industry association ISACA in its “State of Cybersecurity 2019” report, 58 percent of organizations have unfilled cybersecurity positions, and nearly 70 percent say their cybersecurity teams are understaffed. Additionally, CyberSeek, an initiative of the National Initiative for Cybersecurity Education and the National Institute of Standards and Technology, reports that as of mid-2018, there were more than 310,000 cybersecurity job openings.

In response to the growing demand for cybersecurity talent, both the public and private sectors have invested billions in professional development and training programs. But perhaps the most significant response has come from higher education. According to the U.S. Department of Education, in the 2017 academic year, 544 institutions of higher learning (including public, private and for-profit) offered nearly 600 undergraduate and/or graduate programs in cybersecurity, producing 7,500+ cybersecurity graduates.

As prospective cybersecurity students (and often their employers, who may subsidize tuition) consider the myriad of degree programs available, how can or should, they determine which program and institution best meets their needs?

Individual Decision Informed by Program and Institutional Characteristics

Prospective students should note a program best suited for one individual may not be for another.  These students should carefully consider his or her background, career goals, finances, and time constraints relating to existing job or family commitments.  

Prospective students should also look closely at the following four core characteristics, or “pillars,” of the institutions and their respective programs:          

  •  Awareness initiatives
  • Community relationships and outreach
  • Professional, industry-aware faculty
  • Ongoing curriculum development and improvement

Awareness Initiatives

As the threat landscape continues to evolve, it is easy for schools to focus on technical mitigation strategies only to leave out the human element, as well as the interdisciplinary impact of cybersecurity.  Specific strategies such as awareness programs should be implemented to address the human elements. Cybersecurity awareness programs can be either online or in-person initiatives that increase individuals understanding of potential cyber threats and mitigation strategies.

Implementing a strong cybersecurity awareness program addresses several factors. First, it demonstrates that cybersecurity is a key focus of the institution both within and outside the department itself. The infusion of cyber throughout the institution is key for without such support, resources to grow the program can be more elusive.

Awareness programs where passion and dedication are cultivated also provide opportunities to reinforce with students that the human elements of cybersecurity are a critical part of the equation, as important as technical elements. Student understanding of social engineering impacts early on is critical to creating a balanced cyber professional.

Finally, awareness programs also create interdisciplinary opportunities where cyber students and faculty can identify areas of collaboration with other disciplines. Prospective students should seek evidence of this, because cybersecurity in any organization should not be siloed, but integrated across all business functional units.

Community Relationships and Outreach

IT professionals understand an effective cybersecurity function must build and leverage relationships with their organizations’ external stakeholders. Likewise, an effective cybersecurity degree program must establish strong peer community relationships to ensure program sustainability.

Cybersecurity faculty members and students can present to and advise local groups, thereby strengthening their community ecosystem. Establishing relationships allow cybersecurity students to better understand and appreciate the cyber needs and challenges of businesses and government agencies in their community.  Institutions and their cybersecurity programs should support and engage community-based organizations such as chambers of commerce, technology councils, local Urban League chapters, and local high schools to spread cybersecurity awareness within the broader community.

Forming relationships with other educational institutions also facilitates the development of transfer pathways so that cyber students can better navigate their educational journey as they transition between degrees or schools.

Experienced Cybersecurity Faculty

Another important pillar of a successful post-secondary cybersecurity program: faculty. An institution’s ability to recruit experienced industry professionals with recognized academic credentials helps ensure that students will receive both cutting-edge, research-based knowledge of emerging threats and the very best countermeasures, along with real-world best practices.

Prospective students should seek institutions with programs committed to recruiting faculty from diverse industries, both public and private sector. The knowledge, insight, and expertise offered by these seasoned career cyber professionals are invaluable to students, providing them with a professional network and leg up in an increasingly competitive cyber job market.

In addition to hiring experienced faculty, institutions demonstrating faculty diversity show a commitment to bridging the demographic gap in underrepresented STEM populations.  Such recruitment helps strengthen the cybersecurity workforce while ensuring that larger segments of society can pursue technology careers, and especially cybersecurity opportunities.

Ongoing Curriculum Improvement

The final pillar of an effective cybersecurity academic program is a commitment to continuous curriculum improvement.

First and foremost, an institution’s cyber curriculum should be aligned with employer needs – and therefore should have an industry advisory board. The ability to recruit a wide variety of organizations to this group helps ensure the most balanced, comprehensive curriculum.

Institutions embracing the all-important industry relationship pillar will have more success in recruiting a mix of organizations -- small to large, and both public and private. Curriculum incorporating theory with hands-on opportunities allows students to acquire both knowledge and the practical application of skills coveted by employers. Classes focused around industry certifications provide prospective employers another opportunity to assess the candidate competencies.

An additional way both employers and employees can assess the outcomes of degree programs is to assess whether those programs have been reviewed and endorsed by credible, external organizations. Examples include the National Security Agency (NSA) and its Center of Academic Excellence designation, carried by many of our IT programs at American Public University System. Another is Accreditation Board for Engineering and Technology ABET accreditation, which provides post-secondary program quality assurances.

Bottom line: External designations provide both students and their prospective employers an additional chance to validate that an institution’s curriculum is developed around a commonly accepted methodology.

While many institutions like American Public University System have rapidly stood up undergraduate and graduate-level cybersecurity programs, helping increase the pipeline of skilled workers, today’s cybersecurity workforce remains woefully short-handed.

Fortunately, individuals looking to obtain a cybersecurity degree and pursue one the nation’s hottest career paths currently have more options than ever.  And while program selection is a personal choice, discerning students should ensure they evaluate degree programs by the four measures of excellence shared here. A program characterized by awareness initiatives, strong community relationships, a professionally experienced faculty, and a commitment to continual curriculum improvement is a cybersecurity program worthy of any prospective student’s short list. r

Dr. Kevin Harris is Program Director, Cybersecurity, Information Systems Security and Information Technology, at American Public University System.  He has more than 20 years of experience in the information technology field with positions ranging from systems analyst to CIO.