Universities Can’t Solve the Cyber Skills Gap Alone
One year after the successful launch of the 1957 Soviet satellite, Sputnik, the United States enacted major education reform and injected $1 billion into science and technology programs of traditional post-secondary institutions across the country under the National Defense Education Act. Along with the stars and stripes hanging motionless on the moon, buildings on countless campuses commemorate this exciting time in education history.
Today there is a similar need for a modern moonshot. Not only are we struggling to meet the hiring demands of American firms in cybersecurity; the world at large is also finding it hard to hire the right talent.
While a similar federal investment to NDEA in today’s cyber race would certainly help to address the skills gap, the improvements would need to go far beyond capital resources. Efforts in recent years, like the NSA’s Centers of Academic Excellence in Cyber Defense and Operations, are a step in the right direction but still have a ways to go towards standardizing the skills required by practitioners in the field. While this may suggest that universities can, and should, do more to make incremental improvements, traditional universities are not designed to wholly address the cybersecurity skills gap, and additional models can help get us much closer to this generation’s moonshot goals.
Bachelor of Science (BS) Programs Are Adapted Instead of Engineered
One of the most significant criticisms of current cybersecurity degree programs at American institutions is that they are hardly cybersecurity degree programs at all. In an effort to meet student and market demands, match competitive institutions quickly while overcoming regulatory or accreditation speed bumps, and sometimes even due to plain inexperience, many schools have adapted well-established computer science programs into cybersecurity degrees. They typically start by omitting some major requirements from that field of study and then adding on fewer than 18 credits (approximately six classes) in cybersecurity-specific content. That proportional change should be an area of concern. While there is a strong relationship between information technology and information security, the two are not the same, and there is more than enough area of study to comprise a much larger percentage of the core curriculum in BS degrees.
When considering the handful of added classes in current programs, the disparity from one BS program to another – even in the same part of the country or state – is perplexing. Universities aren’t in agreement as to what areas of knowledge constitute a solid baseline of understanding for cybersecurity professionals. Some focus on classes related to ethics and risk. Others dedicate crucial credits to “Red Team” training. Consider the disparity between this and how, for instance, a pre-medical or pre-business student prepares for their future career of study and their first job in the market. How are universities expected to choose what is important under such a narrow aperture?
Master’s Programs Show a Lack of Direction
If you thought that Master’s programs would address the shortcomings of recycled BS programs, you’d be wrong. These programs also miss the mark.
For one, they’re short. The typical MS in Cybersecurity is 30 credits. For the majority of those programs reviewed (including top-ranking programs), approximately 18 credits are part of a core curriculum and the remaining 12 credits can be used towards elective selections. Compared to, say, a JD or MBA program, it’s a significantly lower time commitment and content coverage. If these programs were specialized, 30 credits could be sufficient; but, for a general Master’s degree, graduate students are really only given an opportunity to scratch the surface for most topic areas.
Individuals who earn MS degrees in cybersecurity often run the risk of becoming overqualified on the education credentials but still fail to meet the required years of experience for many career paths. We have connected with dozens of students over the last few years who have earned their MS from high-ranking institutions, lured by the guarantee of jobs following their tassel flip, only to be turned away as the skills gap widens.
Curriculum Isn’t Mapped to Real World Jobs
In addition to the disparity between university curriculums themselves, the fact remains that degree programs are not built with actual cybersecurity careers in mind. Given the broad range of content and roles under the cybersecurity umbrella (many of which we covered as part of our Cyber Roles series), it’s unfortunate that the majority of cybersecurity programs don’t directly prepare students for real-world job roles. As an example, the day-to-day responsibilities in threat intelligence are vastly different from those of penetration testers. The daily tasks of incident responders are in significant contrast to those of someone in cybersecurity architecture. Yet, programs aren’t designed to place students directly into one of these roles. In fact, very few universities (or their career centers, at least) even know the types of cybersecurity jobs graduates can or should consider as they exit these degrees. Finally, the university promise of a good baseline grounding in cybersecurity principles falls flat against job demands for hands-on learning and certifications of that learning – neither of which is typically provided in a degree offering.
Slow to React
Like managing a software installation, you never want to be too far behind the latest security patch. Universities are, by their very nature, always a few patches behind. It’s a lengthy process to get a potential new program submitted and approved, even when it’s just on paper. Unless you’re in a graduate program, most instructors are full-time professors and aren’t working as active practitioners. Even in grad school, many adjunct professors are no longer actively practicing within a cybersecurity role. With threat actors constantly evolving, students can’t afford to be uneducated about the latest threats if they are to be successful in their careers.
However, universities often don’t have the ability to update curriculum significantly year-over-year, let alone from one semester to the next. In addition to a potential shortage of expertise and resources, degree programs take place (typically) over a four-year period due to accreditation rigor around program changes. Significant changes to improve the experience for incoming students can negatively impact currently enrolled students. Universities can only slowly iterate to try to keep up with the evolution of an industry that’s changing daily.
Hope is Not Lost
Students who are pursuing BS or MS degrees in cybersecurity from an accredited university can still make the most of it. Organizations are looking to hire candidates with the right mix of formal education, industry certifications, work experience, and skills. A degree can help, but students should work to find ways to complement their education with certifications (the Security+, CEH, CISM and CISSP are a few of the most in-demand certs). Next, they should work to collect experience in the form of internships, volunteering, or even local opportunities to engage in cybersecurity skills development, like Capture the Flag (CTF) competitions. Finally, those reviewing or engaged in programs should research which area of cybersecurity they would like to work in and connect with academic advisors and InfoSec mentors to map out the best curriculum for their desired career path versus a general degree.
What We’re Doing
We, like many other organizations close to the issue, often bring up the constantly widening skills gap in the cybersecurity industry. In fact, CyberVista’s mission is focused on finding solutions to address the skills gap to better serve individuals, organizations, and national security. We can attest – it’s not an easy problem to solve.
We help today’s universities by partnering to provide online certification training for the most in-demand certifications so students can graduate with degrees and their certifications. Plus, we are in the process of working with organizations to provide skills-based career pathing so that skills can be mapped directly to roles. If you’re unsatisfied with your organization’s ability to find adequate talent, we’d love to work with you to diagnose and remedy the problems.