The explosive growth in the number, complexity, and impact of cyber threats in recent years has greatly increased the demand for highly skilled cybersecurity professionals to protect sensitive information and defend public and private information systems and networks. The 2013 (ISC)² Global Information Security Workforce Study projects there will be 4.2 million information security professionals by 2017, representing a compounded annual growth rate of 13.2%.
It’s encouraging that so many professionals are entering the market, but to overcome the global cybersecurity skills shortage and ensure a healthy future workforce, universities will need to scale their capabilities to meet the growing demand.
In response, academia has dramatically increased the number of centers and courses that focus on cybersecurity. For example, in the US, the NSA/DHS-sponsored National Centers of Academic Excellence alone have grown to over 160 institutions since their inception just over a decade ago. While some of these institutions have developed comprehensive academic programs around cybersecurity, others have merely added minor overlays that only touch on cybersecurity within their current curriculum. Ultimately, there remains a gap in helping prospective professionals move from their educational path into the workforce, with the instincts and skills that the market demands.
Keeping Pace
The reason for the imbalance between what traditional academic programs are able to deliver and what the current hiring needs of organizations call for is multifaceted and complex. “We feel that the real cause of any shortfall in supply of cybersecurity trainees is the fact that cybersecurity is not well understood as a career option among younger people seeking university degrees”, says Chez Ciechanowicz, course director for the Information Security Group at Royal Holloway, University of London. Along with an awareness problem, there are several additional challenges that hinder colleges and universities from playing a larger role in meeting today’s demand for cybersecurity expertise.
First, college and university degree programs are not inherently structured in such a way to provide graduates with current expertise rapidly enough and with content that is fresh enough to meet today’s demand. “What tends to happen is that industry looks very short-term and looks for specific ‘training’ rather than a good ‘education’, and this is particularly true in a fast-changing subject”, observes Kevin Jones, head of Computer Science and deputy dean for the School of Informatics at City University London.
The current cyber environment is more dynamic than traditional programs can accommodate, such that the pace of curricula updates for formal bachelor and master degree programs cannot keep up with the rapidly evolving cybersecurity requirements of public and private organizations. In some cases, there is a tension between long-term educational goals and short-term industry training needs.
Second, the design of cybersecurity degree programs is built on the foundation of computer science or information technology expertise to which cybersecurity skills and knowledge are then added. This generally results in cybersecurity degrees at the graduate level and increases the time required to attain recognized academic competence.
Finally, universities are torn by occasional conflicting signals of demand. On the one hand, government and industry regularly call for an increasingly skilled cybersecurity workforce. However, many of the students entering universities are wholly unaware of the opportunities in the field. This confusion can cause an imbalance between supply of courses and, ultimately, graduates that are in demand by industry.
Simple Solutions
Given the situation just described, what can institutions of higher learning do today to increase their contribution to the cybersecurity pipeline? They can begin by recognizing there is a major need for cybersecurity expertise today and that they play a vital role in filling this need.
One of the first ideas to consider is offering cybersecurity courses as part of undergraduate degree programs. Specifically, there should be increased course offerings for both associate and bachelor degree programs. These programs should be cutting-edge and used to recruit bright students graduating from secondary schools that are interested in pursuing technical career paths.
Cybersecurity curricula should be integrated into all computer science and information systems degrees. However, cybersecurity is a multidisciplinary problem that will require multifaceted solutions. To that end, it should not be relegated to solely technical fields in academia. Cybersecurity concepts and principles should be pushed out and incorporated into business, policy, health, psychology, international affairs, and other degree programs as well. These recommendations would result in earlier introduction of cybersecurity to computer science students as a formal discipline and could lead to an increased interest in pursuing this as a profession.
| "Cybersecurity is not well understood as a career option among younger people seeking university degrees" |
| Chez Ciechanowicz, Royal Holloway |
As for graduate-level cybersecurity programs, there should be a greater emphasis on security risk management and governance, particularly as these topics relate to enterprises. Increased focus on policy, priorities, governance, and principles – such as those expressed in National Institute of Standards and Technology (NIST) special publications – would provide students a comprehensive view of cybersecurity and increase the probability for graduate students to compete for top positions in the public and private sectors.
To meet the needs of personnel currently working in these positions, colleges and universities must continue to provide technical training as part of associate-level degree and certificate programs. In addition, technical training must be accompanied by courses in security management and governance to help students prepare for lower-level and mid-level supervisory positions. Courses offered by community colleges and online courses can help those currently in the workforce who have a desire to expand their technical qualifications with cybersecurity management skills.
To target students for an earlier introduction to cybersecurity, colleges and universities should seek partnership opportunities with local secondary schools, encouraging them to consider promoting cybersecurity as a career field and to foster students’ curiosity. This can be achieved with ongoing efforts to increase interest in science, technology, engineering, and math (STEM) education and by introducing the concept of cybersecurity courses being offered at the secondary school level.
Colleges and universities must collaborate with professional associations, industry, and government agencies to offer their students access to mentoring, internship, and job placement programs and to secure guest lecturers with expertise that will pique the interest of their students. These relationships will prove invaluable for both academia and industry.
At the Cutting Edge
Some programs have already instituted these measures and have achieved significant success with their graduates. Royal Holloway, University of London, introduced its first master’s degree program in information security back in 1992. Since the program’s inception, Royal Holloway has maintained close ties to public and private sector professionals to ensure that its program is responsive to industry needs.
“As a result, our master’s program has thrived and produced over 2,500 graduates in the past two decades”, Ciechanowicz proudly declares. Additionally, Royal Holloway was one of the universities recently announced as a Centre for Doctoral Training in cybersecurity to increase the number of PhDs in the field.
The Information Science College of Japan, founded in 1983, pioneered its department of information security in April 2004. In 2010, the school partnered with (ISC)² and introduced the (ISC)² CBK, a compendium of information security topics for the Systems Security Certified Practitioner (SSCP), into the curriculum for senior students studying information security. Ultimately, this will better prepare students as they study for international certification. This also marks the first time that the SSCP CBK has been introduced into the curriculum of a university or technical school.
Another example is WMG, an academic department of the University of Warwick and one of the world’s leading research groups. The master’s (MSc) in cybersecurity and management program’s enrollment is split between undergraduate students wanting to pursue a master’s course in the discipline and working students with experience who are looking for career advancement in the profession.
WMG has recently become an (ISC)² Academic Affiliate to support the entry of its MSc in cybersecurity and management graduates into the workforce. This agreement offers the opportunity for WMG students to become an Associate of (ISC)² and network with the organization’s 4,000-strong professional community in the UK.
Conversely, governments, professional organizations and industry are ramping up efforts to assist academia in this endeavor. The US federal government has implemented several initiatives, including the Centers of Academic Excellence, Comprehensive National Cybersecurity Initiative, and the National Initiative for Cybersecurity Education, all of which contain elements to expand and improve cybersecurity education. Across the Atlantic, the UK has launched several similar initiatives in recent years, including the Academic Centre’s of Excellence, the Centre for Doctoral Training, and the eSkills group to research the skills gap and provide recommended solutions. Professional groups play a role here as well, including (ISC)², which awarded 24 scholarships in 2012 to deserving information security students and faculty all over the world through our (ISC)² Foundation.
Colleges and universities, along with industry, have a significant role to play in preparing today’s cybersecurity workforce, as well as the one of the future. The need for skilled personnel who can assist public and private organizations in securing their critical information and information systems from sophisticated cyberattacks is far from fulfilled at the current time.
Industry must be involved in collaboration with academic institutions, while academic administrators must recognize the nature of cybersecurity workforce requirements and carefully consider the changes necessary to provide quality education in the discipline. As a result, institutions must design academic programs in cybersecurity that are attuned to the needs of varying student populations, and employ delivery means that are best suited for them, thereby ensuring they send out graduates who are better prepared to meet the complex cybersecurity needs of organizations.
Members of the Bureau include federal IT security experts from government and industry.