A recent study by CloudPassage found that undergraduate computer science and engineering cybersecurity education at top American universities is not a priority. Key findings from the study include the following:
  • Only one of the top 36 U.S. computer science undergraduate programs requires a security course for graduation.
  • Three of the top 10 university programs don't even offer an elective course in cybersecurity.
  • Only one of the 121 schools researched requires 3 or more cybersecurity classes for graduation.

The result is a massive cybersecurity skills gap among graduates who are entering the workforce without a basic understanding of secure coding, security engineering, and the secure software development lifecycle.

Impact on Software and Systems

Many computer science and engineering undergraduates opt for professions that build and deploy software and systems involving:

  • Financial, health, or other confidential data
  • Operation and control of complex systems (Internet of Things)
  • Applications on a variety of platforms: cloud, mobile, web, embedded, and computers

The problem is that these novice graduates don't typically have the exposure, education, and skillsets for developing software and systems to withstand the onslaught of very clever cybercriminals. If the focus in school was on algorithms, functionality, and writing optimized code, the software engineer won't necessarily be prepared to meet the demands of modern software systems that need solid defenses.

This core issue helps shed light on why so many systems and applications are like Swiss cheese – many of the people that build and maintain these applications really don't have the knowledge to adequately secure what they build, deploy, and maintain.

Impact on Hiring Technical Workers

The shortage of skilled IT workers in the US cannot be overestimated. Some reports indicate there are over 200,000 unfilled cybersecurity jobs in the U.S. Cisco reported there are 1 million cybersecurity jobs available globally.

Businesses need to hire workers with cybersecurity skillsets to build and deploy secure software and systems. Because U.S. computer science and engineering undergraduates lack the appropriate levels of cybersecurity training, organizations have a number of options available:

  • Hire foreign nationals who already have the necessary cybersecurity skillsets
  • Hire students who have gone on to get advanced degrees with the cybersecurity skillsets
  • Hire the undergrads who don't have the cybersecurity skills and roll out an appsec training program to help them learn

There are pros and cons to each of these options.

Hiring foreign nationals with the cybersecurity skillsets is a great way to bring in talented resources. There are challenges with visas and government bureaucracy, but many times these workers are less expensive than local talent.

Hiring students with advanced degrees in cybersecurity can bring needed talent into an organization, and their impact can be felt immediately; however, they may tend to have academic cybersecurity exposure rather than the practical cybersecurity experience needed to design, build, and stand up real systems. There is still a shortage of these qualified people.

Hiring undergrads who don't have cybersecurity skills can be turned into an opportunity by providing them with the specific, practical cybersecurity training they need for their job. This allows organizations to attract talented computer science and engineering graduates and then provide them with specialized and contextual training that builds a core competency where it's most needed. These types of workers are more readily available than foreign nationals with cybersecurity skills and people with advanced cybersecurity degrees. While there will be a slightly longer ramp-up time, in the long-term, they will have the specialized skills and likely the dedication needed to perform their specific job functions at a high level.

Alan Paller from SANS pithily noted:

SANS did a similar survey five years ago after Oracle's Mary Ann Davidson published a blog about how colleges (sic) professors were completely unresponsive to Oracle's request to ensure people learning programming also learned secure programming. Our survey found the heads of computer science departments to be uniformly disdainful of the need, saying employers should do that kind of "training." That's the equivalent of medical schools training surgeons but not teaching them about infections. Good "surgical outcomes;" but dead patients.

The US undergraduate curriculum is in a cybersecurity crisis. Security Innovation isn't exempt from this, and we've employed each of the three scenarios mentioned above to fill the skills gap. Security Innovation can help train and educate your workforce with real-world guidance about designing, coding, testing, and deploying secure applications.