Slashdot Mirror
Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes (darkreading.com)
Kelly Jackson Higgins, reporting for Dark Reading: A new study reveals that none of the top 10 U.S. university computer science and engineering program degrees requires students take a cybersecurity course. There's the cybersecurity skills gap, but a new study shows there's also a major cybersecurity education gap -- in the top U.S. undergraduate computer science and engineering programs. An analysis of the top 121 US university computer science and engineering programs by CloudPassage found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don't offer any cybersecurity courses at all. The alarming study also reveals that only one (University of Alabama) out of the 121 schools required three or more cybersecurity classes to graduate. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys," Robert Thomas, CEO of CloudPassage, told SCMagazine.com.
Why would it make sense for them to require a cybersecurity course? That's an implementation detail.
These "top 10 programs" are for preparation for entering graduate school and then going into either academic or industry research work on hard, cutting edge problems, like building new algorithms and so forth. Actually making use of the research and getting a product to market that's reliable and secure can be done by ordinary engineers.
Depends on the problem you intend to address.
Malware clean up, vuln scanning, thumb drive police--IT.
Sanitizing inputs, not storing sensitive data in plaintext--dev.
As a college professor and computer security researcher, this tidbit certainly caught my eye. There is a growing awareness of computer security and many schools will push the content throughout the curriculum. See the ACM's Computer Science Curricula 2013 for content areas and possible implementations.
Looking at the article, the final paragraph explains some things:
So, a company I've never heard of issues a press release that they did a "study" (i.e., hired a consultant to look through college course catalogs) that there is a lack in "cybersecurity education" (without actually testing what graduates of those programs know). And look, they are prepared to donate their niche market tools to any school that is willing to use them in required training courses.
I hate being so cynical, but this just reads as a PR move to gain publicity for a tech company.
You might be astonished how many "serious computer science programs" no longer teach the basics.
When I worked the Google help desk in 2008, I had to walk a newly hired CS graduate through the process of turning on his own PC. He was astonished that no one was standing around to turn on his computer like they do at the university computer lab. I'm always surprised by how little computer scientists know about hardware.
Unfortunately, aside from the intervening decades having led to surprisingly little progress in deciding what 'CS' should actually include(in the sense of a degree, I assume that academic computer scientists have successfully held the line on the 'no, running windows update is not computer science' issue); people don't even have the decency to provide a cogent definition of what they are fretting about the presence or absence of in a CS curriculum.
'Cybersecurity". Ok, aside from 'cyber' being a denizen of the worst areas of buzzword hell; do you mean "good software engineering practices with regard to sanitizing inputs"? "How to grovel through IDS logs 101"? "How to not fuck up handling cryptographic keys?" "Side Channels and how to be paranoid enough about them"?
As is so often the case, it sounds like somebody needs to solve the problem between the keyboard and the chair before we can even begin to have a meaningful chat about whatever they say the problem is.