Ira Winkler posted an interesting article a month or so ago (yes, I’ve had this post in the hopper for a while) over at Computerworld entitled “Let’s scuttle cybersecurity bachelor’s degree programs.” What really caught my attention were some of the tweets surrounding it, especially how they seemed to imply this statement was for ALL infosec degrees.
weldpond: Ira Winkler: Let’s scuttle cybersec bachelors degree programs. Shld incorporate sec into regular CS prog https://www.computerworld.com/s/article/9221668/Let_s_scuttle_cybersecurity_bachelor_s_degree_programs
0xcharlie: @WeldPond I think infosec should be in a trade school with apprenticeships and such, not in a degree program.
weldpond: @0xcharlie Your idea is not mutually exclusive with teaching CS majors secure coding concepts. We probably need both.
The suggestion that we should not have infosec degrees totally caught me off guard and went counter to the way I’ve been thinking for a while. Even our new blogger judykavuo, who is currently getting her master’s in infosec, felt the need to write about it and counter a few points.
In the past I’ve given presentations and we have blogged here about how getting an infosec degree is an excellent starting point for those entering our field. We’ve found that most infosec degrees or certificates were at the graduate level, and we have been exploring some of the newer undergrad degrees as well and were thinking of recommending some of those.
I guess a lot of people were confused about the article, and Ira later added the following note.
(And please note that I am talking about undergraduate cybersecurity programs, not graduate-level programs.)
Well, after the initial confusion wore off, I found that the more I read Ira’s article, the more I tended to agree with his suggestion. I think it’s important to establish a strong technical foundation with a traditional undergrad degree and several years of real-world IT experience. And then maybe at that point you are ready for a full-time infosec gig. You need to secure “something” … and … if you don’t know what “something” is, how can you secure it? In hindsight I realized this is actually how I did it!
Now I’m not saying don’t do any infosec activities in undergrad or that initial job … it’s just that it shouldn’t be the focus. So feel free to take two or three infosec classes as part of your undergrad or attend traditional classes that are known to incorporate security. In the first few years out in the real world, focus on learning your trade … just try to sprinkle in some infosec here and there. There’s a whole list of things you could do to spray security onto your non-infosec job. I’ve often found that teaching or leading others is a great way to learn and strengthen your knowledge. Here are a few suggestions.
- Blog about the security aspects of it.
- Attend meetups and conferences and present on the security aspects of your trade.
- Join or start a technology-specific security mailing list on it.
But the whole point is just to NOT make security the focus during these years…
It may sound counterintuitive, but the way to increase the number of cybersecurity professionals is not to start granting degrees in cybersecurity. I suppose it sounds logical. We’re hearing that the best way to deal with the shortage of cybersecurity professionals is to funnel students into cybersecurity degree programs. And while we’re at it, let’s address the problem of all those hackers who are thinking outside of the box by recruiting them for these degree programs. Unfortunately, the logic of these statements is about a micron thick.
What do you think? Should universities abandon infosec undergrad degrees? Today’s post image is from NewsOne.com.