Illustration: Jesse Lefkowitz
In an increasingly networked world, security attacks have become not just more frequent and sophisticated but also more financially damaging. The silver lining is the growing need for cybersecurity experts. Information security analyst jobs are expected to grow by 37 percent by 2022, according to the U.S. Bureau of Labor Statistics. “Every time there’s a new breach anywhere, a light goes on in some C-suite office and it opens up hiring,” says Ernest McDuffie, who leads the National Initiative for Cybersecurity Education (NICE) at the U.S. National Institute of Standards and Technology.
Consequently, more and more institutions now offer specialized master’s degrees in cybersecurity. Big names like IBM and Intel are collaborating with schools to keep security curricula up to date. “Today many companies are educating their workforce on their own,” says Marisa Viveros, vice president of IBM’s Cybersecurity Innovation Program. “But we also need universities to take that in a formal, programmatic manner and teach principles and fundamentals.” The NICE initiative, meanwhile, hopes to improve awareness and education and lists over 180 higher-education facilities as cybersecurity centers of academic excellence.
Previously, a computer science degree, on-the-job training, or even self-taught hacking skills had been enough to qualify someone for a security position. But cybersecurity has expanded enough in depth and scope in the past decade to warrant its own degree, says Gene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Safety. “Ten years ago, somebody involved in security would be doing data acquisition and response. Now…somebody involved in security has to be doing risk analysis and threat evaluation. They need to know law enforcement and forensics, planning and policy.”
Purdue’s cybersecurity program produces more graduates every year, and they steadily find employment, Spafford says. Master’s students get five-plus offers, while Ph.D.s get two to three apiece. Spafford feels this level of demand will hold up, at least for now: “One recent report says that the average starting salary for hires in the D.C. area is around US $116 000 a year. If there was an oversupply, that would not be the case.”
Cybersecurity master’s students take basic computer science courses, but two-thirds of their curriculum covers specialized areas such as network security, cryptography, data forensics, and policy, says Wenke Lee, director of the Georgia Tech Information Security Center. Hands-on lab courses and real-world projects defined by outside organizations or companies round out the education. This in-depth training is crucial to becoming a security specialist, says Lee.
Outside the United States, IBM has partnered with more than 200 universities around the world to equip students with security skills. Registered faculty at these institutes can access an IBM-developed curriculum and software portfolio online. Viveros says she had been astonished to find that before the IBM program, some schools in countries such as Poland and Mexico had never heard of the topic.
Indeed, the biggest challenge academic programs face might be getting enough interest. A survey by defense company Raytheon found that less than one-quarter of young adults in the United States believed a cybersecurity career is interesting at all.
One solution is to simply get the career on students’ radar, says Sukumaran Nair, chair of the computer science and engineering department at Southern Methodist University, in Dallas. In the Raytheon survey, 82 percent of respondents say that no high school teacher or guidance counselor ever mentioned the idea of a career in cybersecurity. “Once it’s clear to fresh grads from high school that this area will guarantee jobs, it’s very likely that they’ll choose this line of education,” Nair says. “Universities are well prepared to train them.”