Clutch spoke with Professor Ming Chow, a senior lecturer in the Department of Computer Science at Tufts University, about cybersecurity curriculum and the Information Security field labor gap.
Please introduce yourself and your background.
I am a senior lecturer at Tufts University. My primary appointment is in computer science and I recently had a secondary appointment with international relations. My area of work is in cybersecurity and policy. I got started in the field in 2004 right after I received my Masters in computer science. I have spoken at a number of big security conferences including DefCon and BSides and I’m also a mentor to many in the information security field.
A 2016 CloudPassage report found that only 3 of the top 50 Computer Science departments required a cybersecurity course. Why don’t more departments require a security course?
I’ve been very enamored with that report and that has been a big driver for me and for a number of my friends in information security. I’m not surprised at all that the number is that low.
Sarah Zatko did an intriguing study for a presentation on rethinking the world of security and undergraduate education at the ShmooCon and HOPE Conferences in 2015. She surveyed computer science department heads [and asked them] to choose which 5 subjects out of a list of 10 were the most important to the undergraduate core curriculum.
According to the professors, the top five fields were:
- Algorithm & data structures
- Software design
- Operating systems
- Programming languages
- Software architecture
Security was second to last, right before compilers.
Now it’s 2018 and the numbers, I would expect, are not that much different. There’s a saying that computer science education is usually 5-10 years behind the curve of what is out there in the professional industry. Computer science departments don’t even think that security is that important and many computer science curricula still do not even have a security course. Many people creating these curricula have never worked in a professional environment before. The connection between academia and industry is generally pretty weak.
A recent report from The Herjavec Group and Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity positions globally by 2021. Why does this gap exist?
1. Lack of Knowledge Regarding Cybersecurity
The first reason is that there are so many computer science students that don’t know that cybersecurity is even a field. If you actually talk to students in computer science, where do most people aspire to work after graduation, from an undergrad perspective? Google, Microsoft, Facebook, Apple, Amazon, and similar companies are the usual suspects. Most computer science graduates will end up going to a tech company that builds software.
How can anyone know that this field exists when it’s rarely or not even mentioned in the curriculum? I’m also not sure if many faculty members or career service departments know that this labor gap exists.
2. Employment Requirements
The second reason is that there are a lot of employers that don’t know how to hire. There are a number of people out there who are learning cybersecurity in one way, shape, or form, either by going to clubs, boot camps, playing Capture the Flag games, taking extra classes, etc. But I know a number of people who have actually been turned down for positions because they don’t have certain certifications, such as the CISSP (Certified Information Systems Security Professional), or degrees.
If you have a degree in music, it doesn’t mean you can’t work in cybersecurity. Look no further than Peiter “Mudge” Zatko. [Mudge is a graduate of the Berklee College of Music and a network security expert who has worked for the Department of Defense, Google, and Stripe.] Cybersecurity is not just a technical field. Cybersecurity is a very broad field that encompasses many different areas, including law, psychology, and economics – the list goes on. It’s not just tech.
3. Competition with Higher Paying Jobs
The third reason is a competition problem. Government agencies are desperate for cybersecurity professionals but they are having difficulty competing with the private sector in terms of payment. The government usually pays around $30,000 - $40,000 less than the private sector. It is hard to compete with Google, Facebook, and Microsoft, who all have a lot of money.
What are the ramifications of this labor gap?
The jobs are not getting filled. Recruiters have no choice but to hire laterally within the company and that person may or may not be the best person for the job. Another outcome is that there has been a spike in training programs for cybersecurity.
Are these boot camps doing a good job of preparing people to fill those positions?
I’m not sure. As you know, cybersecurity is a broad field. It’s not just tech. I see a lot of classes [bootcamps] focusing very heavily on one area of cybersecurity that is only a small part of the big picture. For example, I know of a few places that are offering courses in penetration testing - using tools to break into a system. That’s only a very small part of cybersecurity. Cybersecurity is not just about breaking into a system. Cybersecurity also includes fixing the system and building software securely and, most importantly, communicating with various parties and constituents, including upper management. Breaking in is one thing, but you don’t see the other side of the picture.
Last year Clutch released a report discussing a similar labor and education gap within cloud computing. Do you see a connection between ‘emerging technology fields’ and such a gap?
There are a lot of similarities between the two problems. My colleague, John Valentine [former Senior Director of US Partnerships, MassChallenge], told me that he hears from companies that our computer science grads are not prepared to build with today’s evolving platforms. Whether that is cloud, whether that is cybersecurity – this is the qualitative evidence that I hear over and over again. Students are just not exposed to the real-world stuff.
In absence of the real world in the curriculum, are students looking for experiences elsewhere?
These days an internship is just as valuable, if not more valuable, than a college degree. I can’t emphasize that enough. It goes back to a very simple thing: there is no substitute for real-world experience and good projects. People who have time to dabble and tinker with things like the emerging technologies will have a big leg up over the ones who just do the bare minimum coursework. There is a reason why a lot of employers now look at side projects, competitions, and internships for hiring. Very few people have all three of those.
The 2017 Global Information Security Workforce Study found that women account for only 11 percent of the information security workforce. Can promoting women in male-dominated fields help close the labor gap? How can we reduce the barriers to entry?
This is a really big problem. In fact, it’s even worse than that. An organization called #brainbabe founded by Deidre Diamond found that only 1% of leaders in the cyber community are women and that 53% of women end up leaving the industry altogether.
Promoting women can help close the labor gap. One thing I take pride in is that my security courses are now almost 50/50 male/female, which is a lot better than it used to be. There are a lot of talented women in tech and cybersecurity, but a lot of them have left because they had to put up with sexism and harassment.
In order to reduce the barriers to entry, people need to learn about computer science early and often. There’s a wonderful article from Brian Krebs that explains why many hackers come from Russia. It’s because they start to grasp technology at a very early age. Many students in the US get their first exposure to computer science in an intro class their freshman or sophomore year of college. We need to teach tech and cybersecurity much earlier. We’re talking the elementary school level.
Why Cyber Matters
Clutch conducts research on companies in many technical and digital verticals. Why is it important for computer science students who want to work in different non-cyber fields - such as software development firms or UI/UX agencies - to have a basic cybersecurity background?
We can’t open the news these days without seeing someone or some website getting broken into or hacked. Most software engineers don’t know what basic security is. In the end what they’re doing is building broken products. If a software engineer is not educated in security and privacy, how can [consumers] trust the products that they're using?
UI/UX developers and designers should also have a basic cybersecurity background – I can’t emphasize this enough. There are a number of problems in cybersecurity that have been caused by UI/UX issues. Perfect examples are phishing, misspelled URLs, and missing encryption. A recent case is the false missile alert in Hawaii. Security and usability is a tough field. There’s a big conference on the topic called SOUPS [Symposium On Usable Privacy and Security]. There are also a number of different talks and papers written in this area, from anti-phishing training, Android app downloads (the permission model), and personal knowledge questions, to fallback and authentication.
Every field has a connection with cybersecurity. That’s why at Tufts we’re creating an interdisciplinary program on cybersecurity and cyber policy. Right now it’s between the Engineering School and Fletcher [School of Law and Diplomacy] to tackle many of these problems. We anticipate that schools such as economics and psychology will be joining us in the near future as well.
Clutch’s Large Businesses Approach to Cybersecurity survey discussed how employees are a major security liability to every company. How can we shift the general public’s and professional workforce’s understanding of good cyber practices?
I don’t care whether you’re the CEO or whether you’re the mail person. Everyone now has an obligation for cybersecurity. As a society, we’ve gotten to a point in our lives where we are dependent on technology both personally and professionally. Throughout the last decade people have been taking technology for granted and [not investing the time to] understand how things work. Everyone has an obligation to understand basic technology and cybersecurity.