LAS VEGAS—For a long time, there’s been a chorus from employers about the lacked of skilled security professionals to fill available openings. And while it would not be an illogical leap to think universities are adequately preparing tomorrow’s security admins and CISOs, quite the opposite may be true.
Curricula cannot keep with an evolving landscape of attack trends, and instead rely on tired approaches that trend away from practical application and stick to the comforts of theory, experts said.
Rochester Institute of Technology adjunct Chaim Sanders, now of ZeroFox, and Rob Olson, a lecturer at RIT, are expected to give a talk tomorrow at Black Hat that exposes the gap between what’s being taught to new students and existing IT pros going back to school, and what employers really need. Potential employers, Sanders told Threatpost, can get something out of the talk as well around what certain accreditations afforded academic institutions really mean and how they translate to today’s workplace.
“If you are an employer or someone going back to school, or going to school for the first time, these are really interesting things to look at,” Sanders said.
Sanders and Olson support their talk with data on the security job market. For example, estimates from Cyberseek put the number at 800,000 security pros employed in the U.S., while analyst firm Frost & Sullivan has it around 1.7 million. And of the 137 computer security NSA-accredited institutions, or National Centers of Academic Excellence in Cyber Defense or Operations, each graduate about 90 students annually, or 12,300 in aggregate. To fill the current available openings, Sanders said these schools would need to graduate about 28,000 students annually.
“If we assumed, and I think it’s right to assume, that universities are a large source of computer security education employees, we’re currently able to produce around 50 percent of the requirement for what organizations really need and want,” Sanders said. “It certainly seems we need to do the absolute best with the students we have.”
And that just may not be happening.
Individuals in academia traditionally trend toward theory, something that’s a concerning pattern, Sanders said.
“They find that keeping up with practical implementations and security ramifications is too difficult to continuously update the curriculum,” Sanders said.
Some schools Sanders said, such as RIT, keep committees of faculty supported by groups of alumni who are in the profession whose aim is to keep curricula as fresh as possible. Many schools teach security concepts such as cryptography, for example, as part of an overall computer science program, or things usch as embedded systems within engineering, or compliance as part of information sciences. In fact, many NSA-accredited programs develop curricula to fit within many originating bodies rather than a dedicated computer security program, Sanders said.
“Some of the students who are coming out with these more historic versions of the accreditations and designations are maybe not as well prepared as some others. And it’s very difficult to determine which is which,” Sanders said.
Employers, meanwhile, may have to rethink how they value these accreditations as they consider new prospects. Though Sanders said that as the NSA accreditations begin instituting more stringent requirements and specificity around offense or defense, there is growing reliability around accreditations.
Institutions, however, cannot be completely faulted for flailing behind current trends when seasoned defenders still struggle with patching and coping with advanced attacks, among other things on the threat landscape.
“It certainly is difficult and it’s not made easier by the academic model,” Sanders said. “It really traditionally encourages people to stay within academia and not got out and learn new things and come back. Lifelong professors are probably not going to be as familiar with things outside their research area as someone who does this on a day-to-day basis. That is a big struggle within academia right now.
“It’s a very complex problem and it’s not made easier that it’s not just information security that’s changing, but it’s everything around it that feeds back into information security,” Sanders said.