By | 1st February 2019

Do cybersecurity graduates possess the skills employers need?

This is the captivating headline in a new report from the Center for Strategic and International Studies (via SANS). Conventional wisdom, as I indicated in my previous blog post, is that universities have the early-career professional shortage addressed through new and innovative cyber security degree programmes. Only this report, from CSIS, suggests the picture is far from that.

They write: “An evaluation of U.S. cybersecurity workforce development initiatives must ask whether cybersecurity education and training programs are preparing students for the kinds of high-skilled technical roles that represent the most serious workforce shortage. The evidence suggests that the answer may be no.”

Adding: “According to cybersecurity practitioners, employers are dissatisfied because they perceive the graduates of these programs as lacking practical experience as well as an understanding of the fundamentals of computing and information security. As a result, many graduates require extensive on-the-job training before they can begin work. In addition, employers often find cybersecurity graduates lacking in essential soft skills like teamwork, problem-solving, and communication.”

My impression is that academia, faced with the incredibly challenging lack of interest in STEM programmes, has in some cases developed new softer programmes for cyber security that do not include classic subjects from traditional Software Engineering and Computer Science programmes. This is not particularly a failing of academia: the system is geared to encourage applicant uptake, and taking a step back, a dwindling HE sector is in no one's interest.

Moreover, the underlying lack of interest in STEM is a recognised national challenge. I’d also argue that it is as clear cut as the CSIS report suggests: there is a place for many different types of programme, both highly-technical and more holistic. What matters, I would suggest, is the quality of the programme.

This does suggest, however, that cyber security degree programmes may not be the solution as some have proposed. Perhaps one interpretation of some (not all) cyber programmes is that they encourage such a broad curriculum that they end up building up an understanding of fundamental computing topics top-down, rather than bottom-up (from first principles).

This creates problems when cyber security tasks get deep into the technical weeds. The reality is that large swathes of cyber security are technical in nature, and this has to be recognised in degree programmes.

If this report is accurate, it also has some implications for recruitment in the cyber security sector. It also suggests there is more to do in linking cyber security programmes with STEM learning objectives. It also highlights the enduring value of computer science and software engineering programmes.

Of course, hiring is not solely about graduates and degrees. It’s about the skills of the applicant, inter-personal skills, on-the-job performance, and overall aptitude for the role.

