Last week, we published the results of a study we conducted on the state of cybersecurity education in American undergraduate university computer science programs. Our findings revealed that the majority of top-ranked universities in the U.S. are not prioritizing cybersecurity as a requirement for computer science undergrads.
Our goal in revealing this data was to shed some light on the appalling lack of resources available in the cybersecurity area, the increasing number of vacancies, and the apparent failure of the education system to help fill that void through mandatory cybersecurity content in computer science degree programs. We also hope that greater awareness will eventually lead to computer science graduates becoming more generally security conscious as they enter the workplace.
Since releasing the findings, we have received an outpouring of responses from professionals in the security field, government, students, and educators. We are thrilled that these conversations are gaining steam in news publications, on social media and in private forums.
Students have come forward to talk about how they feel underprepared for their careers. One student from a California university emailed us to say:
“At my university, they [offer] a single (one) elective cybersecurity-related course. I am an electrical engineering major, but I resolved to take this one, single course during my academic career. To do so, and to complete the necessary prerequisite chain for this one course, I have had to declare a minor in computer science and petition to have my course limit before graduation increased by over thirty units.
I’ve received resistance from some advisers on my goal, who suggest that if I were truly interested in cybersecurity I would change my major from EE to computer science, because security isn’t in the purview of electrical engineers — patently ridiculous if you stop for a moment to recall that the IoT is a ‘thing.’
In response to this and the general lack of cybersecurity education availability, I founded a campus student organization to promote its study and to provide an alternative place to pursue its study. We just competed at the Western Regional Collegiate Cyber and placed first in the network defense category.”
Top-Ranked University Response
Carnegie Mellon University also reached out to us to provide further details on their programs, which are more extensive than we understood to be available. Contrary to what was released in our study, Carnegie Mellon has two required courses at the undergraduate level that have large cybersecurity components, though they don’t cite cybersecurity in the title: “Introduction to Computer Systems for Electrical and Computer Engineers” and “Introduction to Computer Systems for Computer Scientists.” Further, Carnegie Mellon has seven elective cybersecurity courses for undergrads, where we only documented three in our research. They also noted that they have 43 graduate courses dedicated to cybersecurity which may be taken by undergraduates if they have taken the required set of prerequisite courses. There are also courses that are taught on a non-regular basis (e.g. every other year) that are not included in this number. So overall, Carnegie Mellon offers at least 50 courses in cybersecurity that undergraduates may take. We are glad that universities like Carnegie Mellon are coming forward to highlight their commitment to cybersecurity, and view them as a model for other universities to follow.
In fact, David Brumley, a professor of electrical and computer engineering at Carnegie Mellon and head of the school’s CyLab Security and Privacy Institute wrote an excellent article in the Wall Street Journal (“Hackers Can Be Our Cybersecurity Allies”) detailing how important it is that we prioritize cybersecurity education. His perspective (and ours as well) is that focusing on higher education is not enough – we need to push down into earlier education years. Through various programs, like the Software Engineering Institute’s Federal Virtual Training Environment and Brumley’s CTF hacking competition, CyLab has trained more than 180,000 people in the field of cybersecurity — more than any other institution. Brumley stated in his article, “Early education is absolutely essential — not just because STEM (science, technology, engineering and math) subjects are important, but because everyone makes cyberdecisions [sic], whether they know it or not. Every time you install an app on your phone, decide whether to update your computer, or create a password, you run the risk of making your data and life less secure.”
We commend Carnegie Mellon for these accomplishments.
Behind the Numbers
For those seeking more information on our findings, here is the methodology we used. CloudPassage hired an independent consultant to pull available online data regarding undergraduate computer science degree programs from top-ranked U.S. universities. The 121 university programs we reviewed came from three separate 2015 rankings: U.S. News and World Report’s Best Global Universities for Computer Science, Business Insider’s Top 50 best computer-science and engineering schools in America, and QS World University Rankings 2015 – Computer Science & Information. Our study was conducted by searching for the courses online, so we analyzed and reported on the information publicly available on the web. We focused on which undergraduate programs required a cybersecurity course to graduate with a computer science degree.
The study has brought to light the fact that cybersecurity is not a core requirement for most of the top computer science undergrad programs across the country. The absence of cybersecurity courses as a requirement to graduate is problematic, as security is a core skillset that any computer engineer should have as they enter the workforce.
As the conversation continues on social media and beyond, we are eager to engage with universities as they expand their curriculums to make security awareness and skills ubiquitous across all technology education programs.