Academia’s Role in Security Skills Gap Examined

At Black Hat, two RIT professors are expected to deliver a talk about the professional skills gap in security and how academic programs are falling short.

LAS VEGAS—For a long time, there’s been a chorus from employers about the lack of skilled security professionals to fill available openings. And while it would not be an illogical leap to think universities are adequately preparing tomorrow’s security admins and CISOs, quite the opposite may be true.

Curricula cannot keep up with an evolving landscape of attack trends, and instead rely on tired approaches that trend away from practical application and stick to the comforts of theory, experts said.

Rochester Institute of Technology adjunct Chaim Sanders, now of ZeroFox, and Rob Olson, a lecturer at RIT, are expected to give a talk tomorrow at Black Hat that exposes the gap between what’s being taught to new students and existing IT pros going back to school, and what employers really need. Potential employers, Sanders told Threatpost, can get something out of the talk as well around what certain accreditations afforded academic institutions really mean and how they translate to today’s workplace.

“If you are an employer or someone going back to school, or going to school for the first time, these are really interesting things to look at,” Sanders said.

Sanders and Olson support their talk with data on the security job market. For example, estimates from Cyberseek put the number of security pros employed in the U.S. at 800,000, while analyst firm Frost & Sullivan has it around 1.7 million. And the 137 NSA-accredited computer security institutions, the National Centers of Academic Excellence in Cyber Defense or Operations, each graduate about 90 students annually, or 12,300 in aggregate. To fill the current available openings, Sanders said these schools would need to graduate about 28,000 students annually.

“If we assumed, and I think it’s right to assume, that universities are a large source of computer security education employees, we’re currently able to produce around 50 percent of the requirement for what organizations really need and want,” Sanders said. “It certainly seems we need to do the absolute best with the students we have.”

And that just may not be happening.

Individuals in academia traditionally trend toward theory, something that’s a concerning pattern, Sanders said.

“They find that keeping up with practical implementations and security ramifications is too difficult to continuously update the curriculum,” Sanders said.

Some schools, Sanders said, such as RIT, keep committees of faculty supported by groups of alumni who are in the profession, whose aim is to keep curricula as fresh as possible. Many schools teach security concepts such as cryptography, for example, as part of an overall computer science program, or things such as embedded systems within engineering, or compliance as part of information sciences. In fact, many NSA-accredited programs develop curricula to fit within many originating bodies rather than a dedicated computer security program, Sanders said.

“Some of the students who are coming out with these more historic versions of the accreditations and designations are maybe not as well prepared as some others. And it’s very difficult to determine which is which,” Sanders said.

Employers, meanwhile, may have to rethink how they value these accreditations as they consider new prospects. Sanders said, however, that as the NSA accreditations begin instituting more stringent requirements and specificity around offense or defense, the accreditations are becoming more reliable.

Institutions, however, cannot be completely faulted for lagging behind current trends when seasoned defenders still struggle with patching and coping with advanced attacks, among other things on the threat landscape.

“It certainly is difficult and it’s not made easier by the academic model,” Sanders said. “It really traditionally encourages people to stay within academia and not go out and learn new things and come back. Lifelong professors are probably not going to be as familiar with things outside their research area as someone who does this on a day-to-day basis. That is a big struggle within academia right now.

“It’s a very complex problem and it’s not made easier that it’s not just information security that’s changing, but it’s everything around it that feeds back into information security,” Sanders said.

Discussion

  • maxCohen on

    Traditional academia can only go so far and do so much. There's a lot though that can be done: 1. More specific fields of security rather than having to know all things. 2. Help students realize it is not a bad word or crime to be called a hacker or have a hacker mindset. 3. Being a hacker also means lifelong and often independent learning; that is true for any field. 4. Having places to practice the skills and experiment without fear of the federal government coming in and pressing charges for academic research.
  • April MJ on

    I just had an intern that was supposedly an infosec program senior. He had no actionable skillsets. My recommendation to the college: A) Integration of InfoSec vocabulary words so they become part of the student's lexicon. B) Practice with open-source InfoSec tools like NMAP or packages like Kali or Security Onion. C) An understanding of the OSI model, and where various InfoSec interventions can be placed (and more to the point - why).
  • Finally on

    Thanks for this post. My two cents: 1) Need for TLS/CA app development. Search NIST/CVD. 2) Ditch CIS and get out of the business building. Do CE with security focus for hardware layer ownage. 3) Certs don't cut it. You save your life by knowing what the certs can not legally admit to. It is a money suck and makes recruitment difficult. 4) Teach library injection, hidden process, and forensic points. The core of OS failed design. 5) Think about why teachers become teachers. College is a money train, and coursework is high school part II. 6) Business involvement with campus. It still lacks because internship is not course planning. 7) I learned more in 2 years than 6 years of college.
