Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)
Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.
Although there are a lot of CS-level concepts you can teach someone that relate to security, when it comes to "IT security jobs" and the practical security issues that you're going to deal with in them, there is very little connection.
The analogy that I often use is: Would you expect a physicist to be able to fix your car? I like to think not. Or would a news outlet fall into a similar trap of publishing claims from some company looking for a free marketing opportunity that universities have a responsibility to teach their graduates auto repair?
At the very least I would expect a news outlet to catch on that "cybersecurity" is not a term that is actually used by many people that deal with the security of software and computer networks.
At least in the CS school I attended, I don't think there were many people that could have "fixed a computer" or "written an application," even amongst the faculty, really. Their job was to answer the question "Can this real-world phenomenon, problem, or pattern be usefully symbolically represented for processing, and if so, how, and with what consequences?" If they were able to answer this question, they'd then toss it over to engineers in the CE department for "Can you design for us an apparatus or a program that carries out this kind of symbolic representation in the interest of computation?"
Two very separate fields.
STOP . AMERICA . NOW
You aren't being cynical. This is dead on. I work as a threat intelligence analyst and engineer for a Fortune 500 IT department. We have a revolving door of products sold to us in just this way that our exec team falls for. The cyber security biz is rife with snake oil salesmen selling the latest and greatest. I showed my CSO just how bad it was by bringing him into 5 different vendor meetings where we were sold the same exact buzzword salad: "They're already in your network! The average detection takes 18 months!" etc., etc.
Most of it is bullshit. Luckily I have a new CTO that gets it. Now maybe we can spend less money on vendors and contractors and more on our existing personnel.