Higher education is still too disconnected from the day-to-day reality of cyber security, according to InfoSec professionals who would like to see more real-life examples of dealing with incidents.
In a survey of over 1,000 cyber security professionals worldwide, half said the availability of cyber security or information security courses in formal higher education was either poor, or very poor: that number jumped to 83% for professionals with two to five years’ experience.
Part of the problem is that the tech industry moves fast, but cyber security moves even faster. It’s driven not by the rhythm of product releases, but by the discovery of new hacking techniques and zero-day flaws.
“I think today we don’t have enough cybersecurity education for anyone to really excel in this industry. I think one of the challenges — and that’s not only for cyber security but in the technology sector as a whole — is that modern technology moves so fast, that something that is actual and current today gets old and turns into ‘legacy’ in one-two years,” said a CIO from a bank in Brazil quoted by the research.
Just over a quarter (30%) of security professionals said the availability of cyber security and InfoSec courses in higher education was good or very good. In Europe, only 20% of respondents thought that was the case.
The research, commissioned by Kaspersky, found that nearly 40% of workers said their trainers and teachers didn’t have real-life experience in the industry.
“It was challenging to find educators who combined both the theoretical knowledge with practical knowledge,” a director of cyber security in the US was quoted as saying.
Cyber security courses focus heavily on the theoretical, not the practical
Many of the respondents were negative about the theoretical knowledge they gained on their courses – especially those early in their careers. Workers later in their careers seemed to have more appreciation of the theoretical grounding.
Fewer than half of respondents said their college or university program offered them hands-on experience in real-life cyber security scenarios as live projects. “Handling actual security incidents requires a different set of skills than theoretical knowledge alone,” said one US cybersecurity professional quoted in the report.
“There is a chronic worldwide shortage of cyber security experts, and there are indications that education might be a culprit for this issue,” the report said.
“Cyber security education programs often struggle to keep pace with the latest developments due to the rapidly evolving nature of cyberthreats that outpace curriculum updates,” it added.
Another part of the problem is that there are not always clearly defined career paths into security, especially outside of large organizations.
The UK government’s cyber security skills research, published last year, found that while about half of workers had previously worked in the sector, about a third had been recruited from a non-security role while the rest were career starters. In many cases, cyber security is something that is added onto an existing role, for example alongside responsibility for infrastructure or operations.
The Kaspersky research found that most companies do not demand candidates have information security qualifications for entry-level positions.
More than three-quarters of those with two to five years’ experience did not study information technology or computer science at college or university and have evolved into their role.
Instead, workers in cyber security have a range of qualifications, from engineering (36%), information technology (21%), computer science (15%), business management (13%), science (10%), math (3%), and others. Only 43% of current cyber security professionals had information security as part of their official curriculum.
Perhaps unsurprisingly, to keep pace with industry advancements many cyber security experts have to receive further training. Almost half of professionals questioned (46%) have taken additional cyber education courses later in their career as they found handling actual security incidents requires a different set of skills than theoretical knowledge alone.
The report said many respondents developed an interest in cyber security, or found better opportunities in this field, and took it up as an organic career progression in the sector.
“I found it fascinating as it involves constant learning and adaptation to new threats, technologies and evolving technologies,” said one respondent, a cyber security and technology leader in North America. “It was mainly a personal interest that led me to take this role.”
The cyber security profession is changing rapidly
Professor Daniel Prince, a Professor in Cyber Security within Security and Protection Science at Lancaster University, said that the InfoSec profession is still developing, and it’s only in the last 10 years that UK universities have started to graduate students from cyber security programmes.
But academic education is not about training an individual to do a specific task with a certain type of product, he said.
“The focus is on developing individuals who can critically think about the complex problems that cyber security throws up and grounding that thinking on evidence-based science,” he told ITPro. “In the end technology, software, products constantly evolve and develop, but core concepts and foundational skills remain essential.”
Academic study is about supporting the development of well rounded, deeply skilled, critical thinkers who understand the core concepts of cyber security and can adapt to complex situations of cyber security, he said.
“It will never be possible for an academic institution to produce the perfect cyber security employee given there are so many different combinations of types of company, types of role, the technology platforms, services and customers.”
Prince said hands-on experience is essential and said that in the university’s MSc and MBA programmes it uses challenge-led and practical exercises. “The key thing with these types of ‘hands-on’ exercises is both a combination of utilizing technologies and equipment, but understanding and learning on how they respond as part of a team, how they work problem solving, how well they present to senior people,” he said.
Clar Rosso, CEO of cyber security membership association ISC2, told ITPro that security professionals should take advantage of all on-the-job training and mentorship opportunities open to them – plus professional development courses and certification programs that are targeted to their current roles and career ambitions.
Rosso said that change is already underway at universities around the globe, and there was an increasing willingness to embed practical experience requirements in degree programs or align degrees with industry-recognized certification programs.
Community colleges and historically Black colleges and universities in the US excel at this, Rosso added.
“Research has shown that community colleges not only tend to cater to a more diverse population, addressing the current lack of diversity in the cyber security industry, but they also often offer hands-on learning opportunities, giving students the actual day-to-day skills they need to be successful,” Rosso said.
“Four-year degrees are becoming less and less of a requirement for hiring cyber security professionals, so we hope that the value of community colleges is top-of-mind for aspiring cyber practitioners.”