As a member of the (ISC)2 EMEA Advisory Board, I recently moderated a workshop held at the University of Bedfordshire to shed light on why this situation persists. The workshop brought together 15 representatives of higher education institutions, mostly lecturers within computing science at English universities, with nine certified (ISC)2 members including myself, all information security professionals from across industry.
Looking at security within computing science programmes reveals the same lack of appreciation for security fundamentals as persists in IT departments. It was generally accepted by the academic participants in the room that well under 10 percent of undergraduate computing science courses teach anything significant on security and, where it is taught, it is often optional with few students taking up the option.
As to the suggestion that information security should be treated as a general subject across the discipline, academic participants responded that computing courses already cover a broad range of topics. A better understanding of the value of the subject area was needed to allow prioritisation during the re-accreditation of the courses.
The industry participants highlighted that they only take limited numbers of graduates to fill IT security roles, as they have little confidence in their ability to identify potential in recent graduates. Supervisory costs are high and they do not see an adequate return on graduate training. Perhaps most shocking, however, was the consensus from the industry participants that computing graduates are not differentiated from other graduates in the recruitment process for IT security roles.
There was a common view that computer science has lost its ‘wow’ factor generally and is poorly understood by potential students and employers. Autonomy of course development has contributed to a poor understanding of what constitutes a computing degree. Looking at security content, for example, it was recently found that there were 42 separate UCAS codes with some form of computer security in them.
Computing is often treated as half-vocational, expected to be relevant to industry but without the status of being required to practise in industry, unlike, say, an engineering degree. Professor Carsten Maple, Pro-Vice Chancellor at the University of Bedfordshire, and Chair of the Information Group for CPHC, identified that graduate unemployment for 2011-12 was 12.9 percent for computer science compared to an average of 7.7 percent across graduates of other university courses, a key challenge that CPHC and its members were addressing.
Clearly, higher education in computing will need to adapt to meet the new challenges being faced today. Information security is one of those challenges, but also an opportunity. The (ISC)2 biannual Global Information Security Workforce Study highlights significant growth in demand for people with information security and IT security skills.
Overall, the discussions revealed the need to make the case for embedding security basics within the core curriculum and to provide a guide as to how this can be done. In industry, I don’t think we realise that this has yet to be articulated. We may believe the need is obvious, but we have not done an adequate job of detailing why, or how much security knowledge is needed. This has left the academic community to work this out as they balance it against competing priorities.
The task ahead, while significant, should be straightforward. It is no longer difficult to convince people that security is important: we must move on now to define the requirement.
Dr Iain Millar, (ISC)2 EMEA Advisory Board