There is currently an international shortage of graduates with the required cybersecurity skills, with the demand for these professionals far outstripping the supply. Looking to the future, a recent report by the World Economic Forum highlighted that technologies and expertise in encryption and cybersecurity, in particular, are in high demand.
It’s not just a matter of education responding to what the industry may or may not want; the drive behind cybersecurity comes from governments.
How can we ensure that the required skills are taught? Could the use of national and international frameworks be helpful?
Some research on the different frameworks and the role of national cybersecurity strategies in improving cybersecurity education has already been published, but a more UK-specific analysis has yet to be published.
It seems obvious to fill the skills gap by recruiting and training qualified apprentices. Working in the cyber industry while acquiring the required skills and academic knowledge should be the ideal solution. However, is there a difference in perception among the trinity of education, business and the student?
The perception of cybersecurity
If you’ve ever watched a thriller involving cybersecurity or hacking (apart from Mr. Robot), what is presented is either an oversimplification or outright fantasy. And to be fair, it probably has to be; otherwise watching our fearless hero say, “Don’t worry, the firewall is hardened, they’ll never get in…tissue paper between the system and the outside world” would be quite boring.
This is where our perception problem lies. The student may have a vision that could be unrealistic: a few strokes of the keyboard and voila! We’ve penetrated the Pentagon. The company obviously wants a return on investment. Many employers are realistic in their expectations; however, many may not understand the complexities behind the security of their technology.
They would like their new apprentice to handle all technical issues, risk analysis, hardware security and software security, and to ensure that they are compliant with the General Data Protection Regulation (GDPR) and the Privacy and Electronic Communications Regulations (PECR).
Then there is the academic side. Many cybersecurity degrees are derived from computer networking degrees. It’s a logical fit. But what about human factors, insider threat, law and regulation? What about GDPR, the Digital Operational Resilience Act (DORA), PECR, the Freedom of Information Act (FOIA), the Network and Information Systems (NIS) regulations and many others?
This poses a problem for us – no company should allow a newly graduated apprentice to secure their network. Giving them the keys to the server room is inadvisable, to say the least. We have to ask ourselves the question: does all this belong to the field of computing? Academically, should law and regulation, risk and governance be taught by law and business schools? Should human factors be taught by psychologists?
Where to start?
The problem of where to start comes from perception. The company wants the graduate apprentice to be able to do something, the apprentice wants to do fun things, and the educator needs to teach the basics. These three agendas will not necessarily be achieved.
One way forward could be teaching policy: ISO/IEC 27001 and Cyber Essentials Plus. This could be useful to the business and give the academic a starting point, and many degrees take this approach. But will it engage the student who watched Blackhat with Chris Hemsworth?
What should be taught?
If we do a Google search for “what is cybersecurity?” we get around 1.7 million results and potentially many different opinions. In truth, like many subjects, cybersecurity brings together many topics. In addition to this, there are many different professional roles. All of this makes the question of what should be taught even more problematic.
There are frameworks like the Cyber Security Body of Knowledge (CyBOK), which has 21 knowledge areas. These are grouped into themes including: human, organizational and regulatory aspects, attacks and defenses, system security, software and platform security, and infrastructure security.
Many of them could be brought together under a degree title, to form coherent subjects. However, any degree that attempted to cover all of the above would lack the depth to ensure that the student (or graduate apprentice) would have enough useful knowledge.