Is Cybersecurity Education Failing?
There’s no doubt that tech pros with security expertise are highly sought after. Yet in the face of that demand, it seems that schools are having a hard time producing enough graduates to fill open security jobs.
A new study of 121 university programs, conducted by an independent consultant contracted by cloud-based security provider CloudPassage, found that not one of the top ten U.S. computer-science programs (as ranked by U.S. News & World Report in 2015) requires a single cybersecurity course for graduation. In fact, only one of the top 36 U.S. computer-science programs demands such a course (for those keeping score at home, that’s the computer-science program at the University of Michigan).
CloudPassage CEO Robert Thomas suggested that, when you consider how cyber-attacks are driven more by organized crime and hostile governments armed with sophisticated tools and lots of funding, the average IT organization is operating at a distinct disadvantage. “All you hear over and over again is how many open security positions there are… Frankly, it’s only going to get worse.”
The U.S. government alone is looking to hire 1,000 IT security workers by the end of June. Not only are such professionals hard to find—the government isn’t generally competitive when it comes to salaries. As a result, some pundits doubt that federal agencies will achieve that hiring goal.
Christopher Key, CEO of Verodin, a security start-up focused on automating the testing of security defenses, thinks it’s hard for IT security professionals to keep up with the latest trends, never mind universities and IT generalists. “We think organizations need to first think more about the effectiveness of the money they already spend on security,” he said. “They need to measure if they are actually getting better at providing IT security.”
The bigger issue is to what degree IT security issues have dampened the willingness of organizations to launch new digital initiatives.
While becoming a “digital business” is clearly all the rage these days, there’s a lot of security risk associated with such projects. Greg Richey, director of professional services for Ingram Micro, an IT distributor that provides support for thousands of small to midsize IT services providers, hasn’t seen a slowdown in the number of projects launched to deal with potential vulnerabilities. The issue isn’t the number of security professionals, he thinks; it’s the quality. “I can find plenty of IT security people,” he added. “Finding good IT security people is another matter.”
In the absence of well-qualified IT security professionals, there’s a lot of interest in IT security automation. That means the use of machine learning algorithms and other forms of artificial intelligence; PatternX, for example, uses A.I. to provide “virtual security analysts” that eliminate many of the lower-level tasks that human security analysts perform manually. But someone still needs to make sense of all those security reports to determine the true nature of a particular threat.
In the meantime, any tech professional who wants to expand the scope of their IT security skillset must commit to continuous education. The threats that need to be addressed evolve on a weekly basis, both in sophistication and lethality. It’s not a job segment for the faint of heart.