• United States



Sarah K. White
Senior Writer

Cybersecurity skills aren’t taught in college

Dec 13, 20165 mins
CareersCybercrimeIT Jobs

Cybersecurity threats are increasing each year, but businesses report shortage of qualified candidates coming out of undergraduate programs. Preparing the next generation of cybersecurity experts won't be a quick fix, so business will need to get strategic.

Cybersecurity is a growing concern across the globe and businesses are eager to build secure products and keep corporate data safe. The only problem is that cybersecurity is a relatively new skill, and there just aren’t enough qualified candidates to go around.

When Intel and the Center for Strategic and International Studies (CSIS) surveyed 775 IT decision makers, 82 percent expressed a concern for the cybersecurity skills shortage. It’s reached a point where the government has created the National Initiative for Cybersecurity and Studies (NICS) to help address the growing need for cybersecurity professionals, starting by getting kids introduced to cybersecurity as early as middle school.

Part of the problem is that the landscape of cybersecurity is becoming increasingly complex at faster rates, which means that “what is learned today may not address tomorrow’s problems,” says Shawn Burke, Global CSO at Sungard Availability Services, a provider of technology in the financial services industry.

Hands on experience

Cybersecurity isn’t necessarily a focus in undergraduate information technology programs, says Michael Taylor, applications and product development lead at Rook Security, a managed security services provider. Taylor mentors college interns from cybersecurity programs at Purdue and Indiana University and says that one problem he notices is a lack of hands-on experience for students.

[ ALSO ON CSO: Why studying security in college is a waste of time ]

They might learn to code and develop apps, but he says that students aren’t taught to consider security throughout the development process. Instead, it’s introduced far later in the program. He suggests that this lack of experience holds students back from being able to “immediately contribute solid code to a team after graduation.”

“The average junior or senior student will have a good grasp of algorithms, data structures and other topics within computer science. What they are missing is the focus on how to make their programs durable, fault tolerant and secure,” he says.

Think like hackers

Taylor says students need to be taught to “think like hackers” to fully grasp creating secure applications. Thinking like hackers helps give students more insight into the people they’ll be responsible for thwarting in the future. And businesses should want professionals who can proactively address security, because it will ultimately save money down the line.

“The cost of remediating security vulnerabilities is far higher in production settings than in development or staging. Teaching developers how to program securely from an early stage helps to reduce data breaches and costs associated with resolving production issues,” says Taylor.

It’s also about building a creative approach to cybersecurity so students understand it’s not just about the technical aspects. The reality is that even with all the right “hard skills,” understanding how to prevent attacks that haven’t even happened yet requires out of the box thinking.

“While the individual may have a firm grasp of security technologies and concepts, they may not understand how to apply security logic within business context. Solutions have become more sophisticated, so we are needing more creativity and problem solving skills,” says Burke.

Embrace soft skills

When hiring a cybersecurity professional, it can be easy to get caught up in the technical skills. But you also want to consider soft skills, which aren’t necessarily taught in higher education programs. Since the biggest threat to security is usually other people, Fletcher Heisler, founder of online training site, White Hat Academy, and CTO at the non-profit organization Opportunity@Work, says cybersecurity pros need strong communication and interpersonal skills.

“In most cybersecurity roles, understanding what it takes to protect your organization with enforceable policies, training against social engineering attacks, and [implementing] relatively user-friendly systems is often even more important than any specific technical knowledge,” says Heisler.

Soft skills are also important for IT leaders to land sufficient budgets, effectively communicate threats and inform other key leaders on cybersecurity trends. It can also mean having empathy for end-users to ensure you always implement user-friendly systems that won’t bog down the less technically savvy employees, he says.

Tapping your talent pool

It will take a while for education to catch up to corporate security needs, but, in the meantime, there are other ways businesses can land the right talent. Oftentimes, the talent is already within your ranks, and all you need to do is “invest time and money” into those workers, says Heisler.

Employers should consider boot camps, seminars, workshops, part-time classes and professional development courses to get qualified workers up to speed on cybersecurity trends. It’s quickly becoming the norm, with industry experts suggesting that specialized training programs will be an integral part of future cybersecurity education.

Allison Berke, PhD, executive director of the Stanford Cyber Initiative, an initiative to bring cybersecurity into undergraduate, certificate and informal education programs, says that the students often drive the demand for programs. If they’re interested in machine learning, that will make its way into seminars, workshops and eventually the classroom. And part of that demand has also come in the form of online training and certification programs, which enable students and professionals to pick one specific skill to learn or improve.

“Last winter Kathryn Haun, a federal prosecutor with the DOJ, taught a course on digital currency and cybercrime in response to the Silk Road case, parts of which are still moving through the justice system. The future of education on rapidly changing technology is a mixture of traditional and online courses; seminars, workshops, and conferences; and student-led collaborations with industry and federal agencies to explore current problems,” she says.