As we talk more and more about the skills shortage, we look at how career paths need to be defined and how the security professional needs to be an evangelist.
However, is one of the problems that computer science university courses have not evolved to meet these needs? This isn’t intended as a dig at universities, but are they preparing students for a career in this industry? I talked with three noted university professors to understand how they are meeting this demand.
One of the most notable cyber security academics in the UK is Professor Fred Piper, who has now retired from his position at Royal Holloway University. He said that, 20 years ago, he could have stood up and said, without contradiction, that Royal Holloway was the best university in the country doing cyber security, as it was the only one!
“We started it as an academic subject, now I am helping GCHQ for a masters in computer science in cyber security and there are at least 30 courses and universities, but you don’t need to be a research institution to offer good courses,” he said.
Piper admitted that you can find great expertise at different universities, and that if a course is purely technical then it is not the best as you have to consider the human, the user and the business considerations. “It has grown from a minority subject to the mainstream.”
Professor Alan Woodward from the Department of Computing at the University of Surrey said that it has an industrial advisory board which asks if subjects and modules are still relevant. He said: “That board rotates every couple of years with industry people who want to employ IT graduates or with skilled qualifications, and they ask ‘why are you teaching that?’ so it is constantly revisited.”
Woodward said that the course has been designed to be very applied and vocational, and while other courses “teach very esoteric subjects”, he agreed that a degree shouldn’t be purely vocational and should have an academic element to it.
“When I look at the top ten universities, security is a major component in the top ten and a high percentage of graduates are employed. It matters where you did the degree and what you did,” he said. “We are number one as we give experience and do professional development and teach on how to deal with people, and the advisory board keep the university honest.”
Sadie Creese is Professor of cyber security in the Department of Computer Science at the University of Oxford. She said that the course has been developed to cover the hard and soft sides, with some people teaching ethics and criminology, a lot on the operations side and a lot on the hard technical side, so students have an education on both.
“The students come from a variety of backgrounds – some from computer science, some cyber security, some social sciences, and the aim of the game is a good education so when they start the research we have created people with a broader understanding of the cyber security challenge than you would have exiting any university environment,” she said.
“Last year we mainstreamed cyber risk into the MBA business school which I co-teach, and this has been hugely successful and we are looking at building it out and later this year launching executive education. We are now just launching new cyber security degrees, we are looking at how we put cyber risk into other parts of the portfolio which is incredibly important.”
I asked Creese if it was important to cross the paths of education in order that computer science students got an idea of security as well as business skills. She said that aspects of computer and information security are taught as part of the undergraduate programme, but the education they would get is different to what it teaches at the masters level.
“It is different in terms of content and the style of delivery, and we are in the business at the moment of attempting and tailoring the educational content to suit the needs of those who are taking the courses.”
Creese said that as cyber security is a very broad church, with a lot of relations between people, process, regulatory, international and national, personal, corporate and technology, there are so many ways of seeing it. “What we are trying to do is refine it down to the right content and given the course and expectation of students, every time we do a broad review we get a warm response,” she said.
“We do think that people like to be engaged with in a broad way, and at least understand where their focus sits so if they are computer science students, it is quite important that they understand that the world doesn’t have unlimited resources and there is a business case which sits above purchasing of technologies.”
Piper welcomed moves by the likes of professional bodies such as CREST in trying to create a professional body for cyber security, a concept that was unheard of 20 years ago.
“Then all people in leading jobs in information security were self-taught. Now it is recognised as a genuine career path with national standards and ethics of computing being put into school syllabuses,” he said.
Creese admitted that there is still some way to go in terms of evolving courses to make sure people get the operational context in terms of where the technology might sit, and equally to help people who have focused on management to better understand, and become better customers of, the more technical side of the risk solutions.
“So we have a way to go but we have committed and consciously taken steps that broaden out the syllabuses that impact these issues.”
If we are to attract the best people to the careers in cyber security, it is one thing to show how battling malware can be a career, but another skillset is required to make the modern CISO.