Universities Are Struggling to Teach Cybersecurity — Here's Why
"This looks good... but you're not actually going to teach them how to hack, are you?" The head of the Computer Science department asks, almost in a whisper, as if she had said a 'bad' word. I had just pitched a cybersecurity course to a major university. They liked it, mostly... except for the title: Ethical Hacking.
Typically, the computer science department only took meetings with people who had a PhD, or a check to write. I had neither. The exception had nothing to do with me and everything to do with the the enrollment crisis most academic institutions were (read: are) facing. Maybe a new "cyber-whatever" course (direct quote) would entice students to sign up for a computer science degree.
This decline in enrollment at colleges around the world is the result of several factors. Chief amongst these is the unclear ROI of time and money spent on a degree at a time when the future of work remains uncertain, largely in part due to the dawn of Artificial Intelligence. Add to this the fact that many employers are dropping degree requirements, and you find that folks are far less inclined to incur debt in pursuit of their education. Furthermore, the decentralized nature of learning — pioneered by YouTube and a number of dedicated online learning platforms — has all but signaled the end of higher education's monopoly on knowledge acquisition.
When it comes to cybersecurity education, there are a few specific reasons that universities are struggling.
Culture Clash. The culture of cybersecurity is about curiosity, breaking things, trial by fire, DIY, learning on the fly. Academia is about rules, permissions, order. Nothing exemplifies this better than the concept of gatekeeping / filtering out students via prerequisites under the guise of ‘scaffolded learning’. Who is allowed to take the Introduction to Python course, for instance? On many campuses, only those who have passed calculus. There is no objective rationale for this. It is a relic from a time when computer science was housed under Mathematics.
"Cybersecurity? That's Computer Science, right?" It has proven challenging for some institutions to define cybersecurity as an academic discipline in it's own right. Just as Computer Science was once considered a discipline under Mathematics, academia largely treats Cybersecurity as subdomain of Computer Science. What if every computer science degree — no, every degree — required an intro to cybersecurity?
Collaboration > Competition. Degrees and certifications don't have to be in competition. In fact, universities would benefit from collaborating with certification providers like CompTIA, ISC2 and others, to enhance the appeal of their current offerings. Perhaps no institution has bridged this gap better than Western Governors University.
There is no pipeline for cybersecurity educators. Some of the most brilliant security professionals I've worked with never went to college, or they dropped out. These individuals would never be permitted to teach a university level course. Though, this is slowly changing. The Tech-in-Residence Cyber Corps of the NYC Tech Talent Pipeline does a phenomenal job of preparing professionals in cybersecurity and other technical disciplines to teach at The City University of New York. They do unfortunately still require an undergraduate degree. For now. I'm optimistic this will change in the coming years.
‘Interdisciplinary’ and ‘multidisciplinary’ are just academic buzzwords. As an academic discipline, cybersecurity presents a unique opportunity for universities to adopt a real interdisciplinary and multidisciplinary approach to education. It is an opportunity for Mathematics and Computer Science and Criminal Justice and Law and Media and Communications and Journalism and Business and Economics to collaborate in unprecedented ways, because to learn 'Cybersecurity' is to study all of these things, and more.
So, yes — we will teach them to hack: It just doesn't mean what you think it does. By the way, if you’re a forward thinking university or training provider looking to help teach cybersecurity correctly, we should chat.
