Top U.S. universities failing at cybersecurity education

Cybercriminals are only getting better at what they do, which means the skills gap is growing between the people who hack and the people who stop them. And universities aren't catching up fast enough: A recent study reveals dismal stats about cybersecurity education for undergraduates.

Top U.S. universities failing at cybersecurity education
Credit: Thinkstock

High-profile data breaches have become all too common in recent years with companies such as Target Home Depot and Anthem forced to own up to and handle PR nightmares following large-scale hacks. As a result, security has become a major priority for businesses both big and small -- but hackers always seem to be one step ahead. Experts agree that there is a growing need for cybersecurity professionals and universities across the country haven't caught up to the needs of the corporations. In fact, a recent study by CloudPassage found that most schools earn an "F" grade when it comes to teaching the next generation of cybersecurity pros.

The study from CloudPassage evaluated the top ranked technology universities based data from U.S. News and World Report's Best Global Universities for Computer Science, Business Insider's Top 50 best computer-science and engineering schools in America, and the 2015 QS World University Rankings for Computer Science and Information. CloudPassage evaluated the 122 universities on these lists to see what they offer in terms of cybersecurity courses and the cybersecurity requirements for each student to graduate -- and the results were dismal.

According to Robert Thomas, CEO of CloudPassage, the poor results suggest an immediate need for change in higher education. "In a world of escalating threats and attacks -- universities have a responsibility to address security with their students," he says.

Cybersecurity requirements for undergraduates are lacking

The report from CloudPassage revealed that out of the top 10 computer science programs in the U.S., not a single program requires a cybersecurity course to graduate. And on the list of Business Insider's top 50 computer science programs, only three schools out of the 50 require a cybersecurity course for graduation. Perhaps most surprisingly, out of the 122 schools reviewed, only one -- the University of Alabama -- requires three or more cybersecurity courses to graduate.

Using this data, CloudPassage assigned a grade to each university, and found that out of the top 50 schools on Business Insider's list, not a single university earned an A for its cybersecurity efforts and only three earned a B -- beyond that, 11 universities earned a C, 28 earned a D and eight earned an F.

"There needs to be a fundamental shift in the cybersecurity paradigm; we must get to a point where every university requires computer science majors to complete cybersecurity training as a graduation requirement, so that the programmers and developers of the next generation have security front-of-mind when delivering products to market," says Thomas.

However, these stats illustrate that cybersecurity is still not a priority for most universities -- even at schools with the top-rated computer science programs in the nation. Cybersecurity is quickly becoming a priority for organizations, so if students aren't graduating with the necessary education, the skills gap will only grow wider. However, it's not as if cybersecurity is completely lacking in undergraduate programs, most universities offer courses in cybersecurity -- even if it's only one course -- but most programs don't require students to take these courses in order to graduate. Rather, cybersecurity is viewed more as an elective, suggesting they expect students to enroll in the course if they see themselves getting into security after graduation. The reality of the situation is that security affects nearly every aspect of IT and technology at a company, and it's not just something the CSO needs to be worried about.

A growing need for cybersecurity professionals

Cybersecurity is a fast-growing field, which means the number of open positions will quickly outpace the number of qualified candidates entering the workforce. Peninsula Press, a division of the Stanford University Journalism Program, analyzed a 2015 Bureau of Labor Statistics report and found that there are more than 209,000 unfilled cybersecurity jobs in the U.S. alone. The number will only increase. The Peninsula Press also found that in the past five years, listings for cybersecurity roles have jumped 74 percent and that the demand for this role by 2018 is projected to grow 53 percent.

The problem is centered around the fact that cybercriminals are only getting better at what they do each year, meaning the gap between the good guys and the bad guys just grows wider. "Cybercrime is on the rise and the types of attacks we're seeing are becoming more aggressive, sophisticated and dangerous. We've seen this in more frequent and more critical breaches, and there is a trajectory towards attacks on both critical infrastructures and high-profile individuals," says Thomas.

In a report from Cisco on the cybersecurity talent gap, "the sophistication of the technology and tactics used by criminals has outpaced the ability of IT and security professionals to address these threats." That's a dangerous reality, where we have more cybercriminals than cybersecurity professionals, especially with the vast amount of personal data we access and share on our devices.

Most people use their smartphones and computers to access banking accounts, healthcare information, save pictures and share personal data, not to mention the vast number of everyday objects that are now Wi-Fi enabled. It's certainly made life easier, but it's also made everyone more vulnerable to identity theft, hacking and having sensitive data exploited.

Universities are slow to change

It seems like a simple solution -- why don't universities simply start offering more courses in cybersecurity? Unfortunately, the answer isn't that simple. It's not easy to alter a curriculum, especially when you have students who are far along in the program, with new students coming through the door every year.

One anonymous student at a California university spoke with Thomas and told him that "at my university, they [offer] a single elective cybersecurity-related course. I am an electrical engineering major, but I resolved to take this one, single course during my academic career." But in order to take this course, this student was required to declare a computer science minor and make changes to their course limit for graduation. They were told that if they "were truly interested in cybersecurity [they] would change their major from EE to computer science, because security isn't the purview of electrical engineers."

It's a dangerous attitude, considering security touches nearly every industry, especially with the advent of the Internet of Things, which aims to connect every device we use, according to Thomas. But instead of change their major, this student says they decided to pursue a cybersecurity education outside of their university, and went as far to create a campus student organization to provide students with an alternative if they want to learn more about cybersecurity without declaring a computer science minor.

"Curricula are not updated often enough (and in technology, the world is changing very rapidly), there may be politics, staffing difficulties, lack of budget, and so on. There are many factors at play in how programs are developed, but what we must focus on is how to enable universities to set up their students with the tools they need to be successful professionally. We are hoping that exposure of the problem and increased discussion will start the wheels turning in the right direction," Thomas says.

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO Nov/Dec 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.