The Paradox of STEM Training

In the technology industry, we’re faced with something of a paradox: On the one hand, statistics show that colleges and universities are pumping out STEM graduates at a prodigious rate. (Perhaps too prodigiously!) But on the other, we have negative unemployment rates in some STEM career paths. Where is the disconnect? In some cases the problem may be the academic environment itself.

I was recently talking with a colleague who was asked to lead a class on what programming is like in a professional environment. His method was very simple, and obvious to folks who have worked in a development department: The students were given a product requirement document and asked to create a product based on its specifications. The students were not enthusiastic and excited; they were irritated. They felt it was a poor exercise because it was unlike what they had come to expect in a class setting.

This reminded me of an academic conference I had attended many years ago, where students and teachers discussed their analysis of different malware. As I listened, I was agape with horror as the students described a two-month process of unpacking a sample. This was not some custom-made or complex packer; it was a very common one that could have been unpacked within seconds with freely available tools. I spoke with them after their presentation, and they were simply unaware of common tools that malware researchers use every day. Learning to work efficiently is every bit as much a part of becoming a malware analyst as developing technical chops.

The students in both of these stories were getting a technical education, but not one that prepared them to function effectively in a real-world environment. They were not getting a realistic introduction to what their potential career path would be like. I recall one interview with a candidate at a former employer who told me how much he enjoyed digging in and chasing down problems, sometimes getting lost in a task for days. With hundreds of thousands of new malware samples coming in every day, even with automation handling much of that, it’s a rare treat to spend more than a few minutes on any one piece of malware. After hearing his ideal work situation, I couldn’t help but think how disappointed he would be in the fast-paced malware detection and response group he was applying for.

Fixes

But this problem does have a solution. There are a couple of possibilities that could be helpful, both for prospective employers seeking employees or employees seeking to explore the possibilities in the field of information security.

The first is internships and mentoring, both of which give students a foot in the door and a peek into the working world of information security. Even if the internship is not in the exact type of work the student eventually wishes to do for a career, exposure to different corporate cultures and styles of work can be very informative.

Both possibilities have the potential to point the student to an area of specialization, or the experience could elucidate what types of courses would be most helpful to get him or her to where they want to be. And when it comes time to find employment, knowing people in your field already can be a huge asset.

There are countless local, national and international information security conferences throughout the year which can be great places to find both internships and people with whom you can connect for mentorship. Most major cities now have a BSides conference if you wish to start locally. Likewise, there are security Meetup groups in many cities where you can meet other people who share this interest.

Vocational training could also be helpful in addition to or instead of a degree program. Some employers may place great value on the persistence and general learning that earning a college degree demonstrates, so you should keep this in mind before opting to go for training over the traditional academic route. Other employers may also value the passion shown by people taking personal time to find training or education on their own. If you choose to go a non-traditional route, be prepared to demonstrate your work ethic and experience in some other way than a solid academic transcript.

The paradox of a negative employment rate in some STEM careers and the overabundance of STEM graduates is a classic case of quantity over quality. A flood of applicants with mismatched skills and expectations won’t solve the shortage. It is important for industry and academia to communicate realistic requirements to students so that they can be adequately prepared for employment, whatever route they take to getting the necessary skills.