Slashdot Mirror


Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

11 of 173 comments

  1. It's been a while since I was a CS student. by aussersterne · · Score: 4, Insightful

    In fact, it's been decades.

    But the academic in me wants to say that computer science is not the right place for courses about practical security. Those should be in IT departments, no?

    --
    STOP . AMERICA . NOW
    1. Re:It's been a while since I was a CS student. by Hunter-Killer · · Score: 5, Insightful

      Depends on the problem you intend to address.
      Malware clean up, vuln scanning, thumb drive police--IT.
      Sanitizing inputs, not storing sensitive data in plaintext--dev.

    2. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 4, Insightful

      Those should be in IT departments, no?

      The IT department can handle deployed applications. Programmers still need to write application code to prevent security issues in the first place.

    3. Re:It's been a while since I was a CS student. by Anonymous Coward · · Score: 2, Insightful

      No. Sanitizing inputs and encrypting sensitive data are still practical concerns, while a university program should be focused on theory. Trade schools or *gasp* on-the-job-training (i.e., apprenticeships) would be better places for it.

      We won't let the med school graduate operate autonomously without going through a residency program, because during the course of their career, they could impact thousands of lives. The recent CS grad, on the other hand, is expected to hit the ground running in writing the medical software that will impact potentially millions of lives.

    4. Re:It's been a while since I was a CS student. by Darinbob · · Score: 1, Insightful

      Sanitizing inputs and such, that's programming, not computer science. Also if you want to be good at cyber security you need math. The subject is more of a graduate level one in many ways, though I agree familiarity with it is important. For the average student cyber security will be more of a rote memorization class rather than one that teaches real understanding of the topics.

    5. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 3, Insightful

      So why not teach it where the programmers are being taught, in a CE or IT department, rather than in CS, where there is relatively little work on "programming" as such?

      Because when I think of the term "computer science," or more precisely the initials "CS," I believe it covers every aspect of computers from the pie in the sky theories to the power button. Apparently, this is a common misconception that many people outside the university system have.

      To paraphrase Robert Kiyosaki of "Rich Dad, Poor Dad" fame: the higher you go for education degrees, the less you learn.

      Translation: universities are pushing out specialists when this country needs generalists.

  2. Top 10 programs are for prepping for research by Anonymous Coward · · Score: 5, Insightful

    Why would it make sense for them to require a cybersecurity course? That's an implementation detail.

    These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.

  3. "Cybersecurity?" by Anonymous Coward · · Score: 3, Insightful

    Pretty sure you won't find that course in the curriculum of any serious computer science degree run by a math department. "Cybersecurity" would be something that a 15 year old on a bad 80s science fiction tv show would take at the "Academy".

    System security is going to be integral with any serious computer science program. If you don't understand the basics you're not going to make it very far.

    ..Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

    Uh, huh. CloudPassage... right...: "CloudPassage is the leader in software-defined security (SDSec) with a mission of addressing two top inhibitors to cloud infrastructure adoption—security and compliance."

    Tell you what Robert, why don't you train your own employees to match your marketing goals, leave the actual computer science to the math departments of post secondary degree granting institutions. OK?

  4. What was the purpose of the study? by kuperman · · Score: 5, Insightful

    As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.

    Looking at the article, the final paragraph explains some things:

    CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.

    So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.

    I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.

  5. Alarming? Perhaps not. by mlookaba · · Score: 3, Insightful

    "The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate."

    This is an excellent example of tailoring a news story to fit a goal. One university (Alabama) requires three security classes to graduate, so that was picked as the benchmark, and obviously all other schools would fall short. Nothing newsworthy was imparted by that little bit of information.

    Computer security certainly is an issue, but it won't be solved by college classes, for the same reason that time/date and character encoding issues will persist until the end of time. Sorry guys.

  6. Computer Science vs. Software Engineering by blindseer · · Score: 3, Insightful

    I believe that many misunderstand what computer science is and has been in the past. A "science" is an organized study of a field, typically the behavior and structure of the elements in that field. Therefore computer science is a rigorous study of how computers work, should work, could work in the future, and the physics and mathematics behind it. It's a field of applied math and physics. This also means many specializations within that field. One may want to study the mathematical difficulty of an encryption algorithm, or the ability to detect the information transmitted down a data path by an outside observer, both with implications on security but not necessarily a "cybersecurity" study.

    Software engineering is the application of the engineering process to develop quality software. This includes a background in computer science to some extent but not to the rigor that a computer scientist might get. This would include the study of possible failure points and the means to mitigate them. In this field one might think that a class on "cybersecurity" should be taken since a quality software product should be secure, or one might assume that people would be taught checking data inputs and outputs, and moving data in a way that could not be seen and/or altered by an outside entity, as a basic premise of writing software correctly.

    I took computer engineering in college some time ago. I'm now back in college part time because I realized that my education from then did not include a lot of things that have changed since then. One big change is that "software engineering" was not a common term or even a field of study then. My first time through college I had a lot of computer science students in my classes because there was a lot of crossover in course requirements between computer engineering and computer science. I realized real quick that while I was taking classes on the engineering process the computer science people were taking a foreign language. While I was taking a math course on numerical calculus the computer science students were taking history.

    Computer science is a liberal arts program, or at least is in most every university I've seen, and therefore it meets the requirements of a typical liberal arts program. They study a wide variety of fields with an emphasis on the ways a computer works. If you want to see people learn how to write quality software then they need to get an engineering education.

    Don't get me wrong, I've seen computer science majors write very good software, and I've seen engineers fail badly. I'm saying let computer science be computer science. If we make computer scientists take cybersecurity courses then we distract from people that take computer science to become historians, algorithm gurus, professors, and mathematicians. Roll cybersecurity into every software engineering class in a university. If a student declares a variable as globally accessible when it should not then that student should lose points on their assignment. If a student does not check the bounds of an input then dock points. If a student doesn't allocate and clear memory properly, points lost. Properly engineered software is inherently secure.

    I think that a lack of a cybersecurity course requirement in computer science programs is not a bug, it's a feature. If you want to discuss the lack of cybersecurity in software engineering programs then I'll listen.

    --
    I am armed because I am free. I am free because I am armed.