Academia and industry should work together to train infosecurity graduates

(ISC)2 co-hosted a one-day conference with the University of Warwick WMG, on campus, earlier this month. What made this event more than a little different from others we stage was the fact that we ventured outside of the capital city, to Warwick, and that we held our event within a university environment. This allowed us to invite students and members of the university academic team to join us. Out of the audience of 110, just under 30 were from the university. It was an insightful experience for both the students and seasoned professionals in the room.

The first thing to note was that we confirmed that UK industry and indeed the information security sector is alive and thriving outside of London.  As chair of the day’s proceedings I was struck by the very palpable notion that information security is starting to be appreciated as a point of interest for all. The audience included representation from a number of the university’s various faculties, not just the specialist MSc course in information security. 

The day’s agenda allowed for wide-ranging discussion, and an overview of the current policy perspective from the UK government from James Morris, MP, who aside from being the local MP for the area including Warwick, leads the Cyber Security programme of the All-Party Parliamentary Group on Homeland Security. Specific security issues discussed ranged from the far-reaching impact of threats to industrial control systems to the fact that the speed of travel for information has evolved beyond what anyone imagined when our grandparents learned of the Wright Brothers’ first flight two days after it had happened.

The pace at which predictions that are tied to technical innovations come to fruition has also exceeded expectations. Fifteen-year-old forecasts of how we would be interacting with personal media are truly embedded in our society today. Herein lay the overriding concern for the day.

Unfortunately, our collective efforts at tackling the concerns that emerge with these developments are still very embryonic. There is great appreciation for the need to develop more people with the skills to secure our fast-developing world, but it became clear there is a lot of work ahead in understanding how this can be done. Morris noted that it was an important development that an industry body such as (ISC)2 was making itself available to talk to universities.

The day went on to demonstrate this. Typically, our conferences end with a panel discussion where the key speakers debate industry readiness to tackle the topics of the day. This time, given the setting, we chose to ask whether academic courses provide graduates that are suitable for industry. We only had to ask this first question: the audience took over the session without further prompting from the chair.

The clear conclusion from the debate was that despite the existence of graduate-level and specialist courses in the field, academia was not producing graduates that were well equipped for a career in information security. Nor is there a clear understanding of information security basics in many relevant degrees, particularly within IT and computing science programming, where it is treated as an option rather than embedded across the curriculum. The gap was widest at the undergraduate level, where the expressed concerns fell into two categories:

1. Much of what is taught at the undergraduate level is focussed on technology and more often than not technical forensics. These are areas that change quickly and graduates can find that their newly gained knowledge becomes obsolete in a short space of time. One of the earlier presentations had pointed out that the technologies affecting forensics in particular had undergone a drastic change, with the introduction of cloud and mobile platforms. An engineering-type focus that imparts an understanding of principles was required rather than students who were attracted by the fun of digging around in the nuts and bolts.
2. Not enough attention is being paid to the soft transferable skills, particularly the communication skills and business knowledge, that are needed in most disciplines once students enter the workplace. Within professional circles, we have understood for some time that information security is about the ability to influence. With university students fascinated by the technology, we have developed little idea of how to judge or help them assess their ultimate suitability for a role, at the point when they are making a significant decision to invest in their education.

While technical skills aren’t to be discounted, we need more rounded ability, and it is incumbent upon us in industry and academia to figure out how to recognise them, help them recognise themselves, and ultimately nurture their potential.  I believe universities, with a more complete understanding of the requirements, can identify and bring the best out of raw talent.  Industry too has a better appreciation of what it requires and must develop the enthusiasm to act as a resource to the academic community.

Given the energy that went into the debate, I ended the day encouraged that the dialogue, while young, would be ongoing and fruitful.

John Colley, managing director EMEA
