Cybersecurity engineering: A new academic discipline

Cyber startups and legacy technology companies know exactly how to attract top undergraduates: a six-figure salary, a signing bonus, even a new car. With these luxuries in reach, choosing to forgo the job offer in pursuit of advanced higher education seems irrational for most new grads. However, this is exactly what’s being asked of them by the cybersecurity industry — an industry with zero unemployment and a severe skills shortage in both private sector employment and higher education.

With 3.5 million cybersecurity jobs expected to open by 2021, employers will continue to seek out prospective job candidates from technical schools and undergraduate programs to fill them. This may satisfy the immediate need well enough, but it does not address the demand for cybersecurity professionals with advanced degrees, which is becoming even more acute.

According to the U.S. Department of Labor’s Bureau of Labor Statistics, the median pay in 2018 for a cybersecurity analyst is likely to reach well over $100,000.

To encourage students to pursue the next level of education, we in academia must demonstrate that there is a clear path to better opportunities in terms of professional career advancement, including compensation, when entering the workforce with an advanced degree.

Despite — or because of — this challenge, universities must take a step back and listen to what industry needs before developing their cybersecurity master’s and PhD programs. By focusing on the skills and experience cybersecurity departments are lacking, universities can develop curricula that prepare graduates to meet an employer’s exact needs.

In order to create a new foundation for these programs, administrators and faculty must provide the educational environment to foster interest from undergraduate students earlier in their course of study, find creative ways to recruit faculty with expertise in cybersecurity, improve cybersecurity laboratory capabilities, and establish talent pipelines to corporate and government organizations that offer positions for high-quality cybersecurity talent.

Finding faculty

Highly qualified cybersecurity faculty are sought after as much as — if not more than — industry professionals. To hire and foster new faculty, institutions need to offer meaningful cybersecurity research opportunities that enable them to test new theories and solve real-world problems, all while building the PhD pipeline.

Another draw for faculty is a student body truly interested in their field of study. To drive this interest, cybersecurity must be “baked in” at the undergraduate engineering level, particularly in programs that deal directly with coursework like computer science. Offering immediate exposure to introductory cybersecurity courses at the undergraduate level – as opposed to one or two courses as part of computer science major requirements – will help engage students earlier. This exposure will incite interest in pursuing the opportunities of advanced graduate degrees and careers in cybersecurity. Key throughout the educational experience is that students develop and hone “real-world” cybersecurity skills.

Focusing the coursework

Whether students are mathematicians, computer scientists, computer engineers, or electrical engineers, masters and PhD programs in cybersecurity must provide both theoretical and hands-on engineering expertise to solve the complex cybersecurity problems affecting all public and private enterprises.

With regard to program content, many cybersecurity master’s programs blend the managerial with the technical. Given the demand — and the need — for highly skilled cybersecurity experts, it’s time to transition away from this approach and elevate cybersecurity to a standalone engineering discipline.

Master’s and PhD candidates in cybersecurity engineering must cultivate the acumen to design, engineer, and assess the software, hardware, applications, and technology that comprise our information and communications infrastructures.

Equipping laboratories

These infrastructures have impacted every industry through advances in computing. Cybersecurity can no longer be an afterthought in technology design and development. For example, the “WannaCry” ransomware that hit global organizations, affecting hundreds of thousands of businesses, universities, and even hospitals, exploited a known vulnerability in computer systems. Programmers were aware of the potential trouble months prior to the attack, but playing catch-up to remedy the problem is more challenging that understanding how to cyber-harden technology from the beginning and provide ongoing security protections throughout its lifespan.

This is why universities must develop cybersecurity laboratories and ranges that mimic real-world environments. In laboratories, students can evaluate cyberattack vectors, assess cyber defense methods, and design and develop new methods, protocols, and techniques. These environments also enable faculty and students to secure funding from private and public organizations to advance research. Compared to other fields, cybersecurity research in academia is nearly non-existent. Without the laboratory capabilities and program infrastructure to ensure we progress the field forward, we will continue to react to cyberattacks … and pay the price.

Partnering with industry

Leading cybersecurity executives claim it takes multiple years to effectively train a new hire to become proficient in the range of skills required of a cybersecurity practitioner. In order to reduce the large amount of time and resources that takes, industry should help shoulder the burden with universities to develop and improve cybersecurity degree programs. Similarly, universities must listen to their clients and create courses that align with the needs of corporate and government clients. By building cybersecurity masters and PhD programs with the client in mind, while also taking into account the growing academic body of knowledge, academia can expand the pipeline of skilled cyber engineers. While masters candidates will enter professional roles ready to perform on day one, those students who become PhD candidates will advance the state of the art in cybersecurity research while also building a cadre of much-needed academicians in the field.

Regardless of whether graduate students ultimately choose industry or academia, one thing is clear: Cybersecurity engineers who pursue higher levels of education will make a direct and positive impact on our collective digital security anywhere they may land.

Joe Scherrer is Director of the Cybersecurity Strategic Initiative at Washington University in St. Louis and a retired U.S. Air Force Colonel.