Slashdot Mirror


Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)

Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.

7 of 173 comments

  1. Re:"Cybersecurity?" by __aaclcg7560 · · Score: 5, Interesting

    You might be astonished how many "serious computer science programs" no longer teach the basics.

    When I worked the Google help desk in 2008, I had to walk a newly hired CS graduate through the process of turning on his own PC. He was astonished that no one was standing around to turn on his computer like they do at the university computer lab. I'm always surprised by how little computer scientists know about hardware.

  2. Re:It's been a while since I was a CS student. by fuzzyfuzzyfungus · · Score: 5, Interesting

    Unfortunately, aside from the intervening decades having led to surprisingly little progress in deciding what 'CS' should actually include (in the sense of a degree, I assume that academic computer scientists have successfully held the line on the 'no, running Windows Update is not computer science' issue); people don't even have the decency to provide a cogent definition of what they are fretting about the presence or absence of in a CS curriculum.

    'Cybersecurity'. Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?

    As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.

  3. There's little point to such a course. by shess · · Score: 3, Interesting

    I'm entirely serious. I've been blessed to work with some of the best software engineers in industry for a few decades, now, and I have come to the conclusion that security is simply a very hard problem, right there with locking and storing data. Talented engineers routinely write themselves insecure code and defend their code when you point out the problems, right up until you describe how to break it. At the university level, very few students will have the experience necessary to understand security issues except as a theoretical problem which likely happens to other people. Industry would receive far more benefit from things like courses on code testing.

  4. Re: It's been a while since I was a CS student. by Anonymous Coward · · Score: 2, Interesting

    I humbly disagree. Programming is applied computer science, in the same way engineering is an applied science. We're expecting these CS graduates to go forth and do something, and a good portion of that is in implementation.
    Good engineers need to understand the limitations of their theoretical knowledge, and how to apply sound principles in a real world, practical manner. For instance, I've seen blueprints which required a weld at the bottom of a 6 tall square tube, which was 4 inches in diameter. When called on his design, the engineer did not understand this was impossible to do without basically inventing a machine and process to do it. This individual had zero real world experience, or common sense. Seems this is not uncommon amongst other professions? Maybe apprenticeships need to be revisited?

  5. Not wrong, but grads hired as programmers by raymorris · · Score: 3, Interesting

    Absolutely computational theory is a different beast than most programming. HOWEVER, CS graduates don't generally work as theorists. They very often end up working as programmers, systems architects, etc. They come reasonably prepared - CS is certainly better preparation than my last two bosses had - one major in architecture and the other in electrical engineering. If we're going to teach them the fundamentals of programming and information engineering, we might include an awareness of security as part of those fundamentals.

    Also, there's a lot of work to be done on the more theoretical side of security. Because programmers aren't perfect, wouldn't it be nice to have a provable sandbox, to know, based on mathematical proof, that no program run in some context X can possibly access a resource in some other context Y? How about proving that a set of library functions can't have buffer overflows, regardless of their input? Cryptology is of course all about theoretical, mathematical, "prove the computational complexity" type of thinking. It would be awesome to have an implementation of key exchange that's PROVEN correct.

  6. Maybe infosec should not be its own discipline? by walterbyrd · · Score: 3, Interesting

    What I mean is, maybe infosec should be part of everything, instead of its own specialization.

    For example, maybe infosec should be part of software development class, and part of a database class, and part of a networking class, and so on?

    Infosec to a network engineer is different than infosec to a Java developer, which is also different from infosec to a system administrator.

  7. Re:It's been a while since I was a CS student. by __aaclcg7560 · · Score: 3, Interesting

    In most situations, certificates are almost worthless, and most classes teach you information without context and that will be old in a few years.

    If you're doing IT contract work, certificates are a checklist requirement for HR recruiters. As for my programming classes, I never learned a particular programming language but I do remember all the programming structures. I can write a program in pseudo code and then figure out the syntax of a programming language that I never worked with to implement the program.

    I have noticed there are many problems that are hard enough that if someone has to ask how to do something, they shouldn't ever do it.

    I had that problem with programming. I didn't understand it until I've taken all of my mathematics classes in college, worked in the industry for a decade, and then went back to college to learn programming.