Addressing the cybersecurity skills gap

By Hammad Kazi

A 2021 survey of UK businesses concluded that phishing attacks were the most common type of security breach

Originally published in Hello World Issue 18: Cybersecurity, March 2022. All information true at the time of original publishing.

Over the last two years, the shift towards remote working and schooling has forced people to adopt new ways of living and working. The use of internet-based applications has increased, including use by new and often unskilled users such as older people and children. Unfortunately, and perhaps predictably, hackers have taken advantage of these gaps in knowledge. A 2021 survey by the UK’s Department for Digital, Culture, Media & Sport, for example, demonstrated the threat that cybersecurity breaches pose to businesses and charities (helloworld.cc/breaches2021). It outlined that 39 percent of businesses and 26 percent of charities in the UK reported having breaches in the preceding twelve months, and that the most common type of breach was a phishing attack.

There are opportunities for the IT industry, computer science academia, and educational institutes to help address this threat by developing cybersecurity skills in more students, especially by treating cybersecurity as a metadiscipline (incorporating ideas and theories from multiple disciplines) rather than as a single discipline. Some academics argue that cybersecurity education should begin at high school, before being integrated into computer science, engineering, and other IT-related degree programme curricula, to ensure that cybersecurity knowledge isn’t just concentrated in specialists (helloworld.cc/crick2019).

Opportunities

There are several ways in which educational institutes are increasing opportunities for undergraduates to develop cybersecurity knowledge and skills (helloworld.cc/parrish2018). For example, traditional computing programmes are incorporating security-based topics into their content. Some institutes are also offering separate cybersecurity courses in their continuing education, undergraduate-, and postgraduate-level programmes. There are also crossovers on this topic in subjects such as criminal justice, business law, and social science subjects that deal with the societal impact of internet-based breaches.

For us to get to the level of treating cybersecurity as a metadiscipline, it is important that it is introduced at high school, for example through the angle of providing a secure ecosystem in which programming activities can take place. There is evidence that students receiving a computing education in high school are eight times more likely to major in a computing degree (helloworld.cc/jin2018). Even if high-school students do not end up studying computer science later on, they will be better placed to have a basic understanding of cybersecurity, which can prove useful both in their careers and personal lives. Since there is a high prevalence of early-years usage of internet-based applications, in more industrialised countries at least, it makes sense to plug the cybersecurity knowledge gap during secondary school.

Guest lectures by industry experts can be an effective method of teaching cybersecurity

Challenges

This is still a work in progress, however, and a conscious effort is required to develop the course infrastructure in a way that enables students to work in a proactive cybersecurity environment, rather than in a reactive one. A review of the top 100 UK computer science university courses revealed that 6 percent of security curriculum content has no references to cybersecurity, privacy, secure programming, or other cybersecurity content during the course (helloworld.cc/ruiz2019). Furthermore, 39 percent of these courses do not offer mandatory cybersecurity content and instead push it to the end of the course as a low-priority add-on. Finally, only 17 percent of courses offer cybersecurity content in the first year.

These numbers make a strong case for the need for cybersecurity content in the UK to be baked into the course syllabus, starting from the high-school level, and continuing with priority into computer science degree programmes. In this way, students are taught how to develop their approach and thinking from the systematic perspective of a safe and secure platform.

Ways forward

Several factors should be considered to help overcome the challenges of integrating cybersecurity into course curricula as a metadiscipline (helloworld.cc/crick2019). Firstly, it is important that all the skills that a competent head of information security or chief information security officer should have, for example, are taught at the academic level. These skills include psychology, management and organisational behaviour, and technical knowledge, as well as soft skills such as communication, analytical thinking, and collaboration.

Cybersecurity should be taught in an effective manner using real-life case studies and guest lectures by industry experts in the field, and should include appropriate cybersecurity standards within the curricula (for example, the Payment Card Industry Data Security Standard — see helloworld.cc/pcidss). Course content can also be taught from the point of view of a hacker, thereby fostering a more experimental and creative approach to understanding how a network can be made safer and more secure. Institutions should prioritise the recruitment, retention, and development of the faculty, ensuring that they are kept abreast of all key developments in the field from around the world. Finally, it is critical that there is ample investment in educational resources, ranging from laboratories and equipment to course content and pedagogical innovations. A very pertinent example of this is the series of game-based camps run for high-school students by Purdue University Northwest in the USA to increase their awareness and interest in the field of cybersecurity (helloworld.cc/jin2018).

Addressing the cybersecurity skills gap is vital. It is clear that a concerted effort involving the IT industry, academia, and educational institutes is necessary to move cybersecurity from an optional add-on to a prioritised metadiscipline.

