Education, the skills gap, and learning on the job
The question of whether the security industry should improve its ties with higher education was a hot-button topic at this year’s BSides Leeds, with attendees debating the role of universities in supplying the next generation of infosec professionals amid a growing workforce gap.
Kicking off the third annual conference in northern England was infosec pro Daniel Cuthbert, who used his keynote address to comment on how much the industry has changed in the 20 or so years he has under his belt.
“I’ve seen the evolution of what was, in the very early days, a bunch of misfits [and] weirdos who nobody wanted to play with, but who had a very core community of people doing amazing things,” he said.
“Now, lots of people who work in tech are seriously impacting the way we live, and I think that makes our industry incredibly exciting.”
Discussion of the “hacker spirit” inevitably turned to the grim world of cybersecurity certifications and entering the workforce. Many believe that students are ill-prepared for a sector that moves as quickly as the next variant of ransomware.
“I certainly wouldn’t be here without my degree,” said Callum Lake, a computer forensics and security student who led a workshop at BSides Leeds on the ties between industry and academia.
“I’m simply trying to get across the fact that the learning material that we’re given needs to be improved.”
According to the Higher Education Statistics Agency (HESA), 101,100 students in the UK embarked on a computer science degree in the 2016-2017 academic year – a 4% increase on the number who studied the subject area in the previous year.
This, however, is paired with a decrease in younger students in the UK who are taking home a computer qualification as part of their GCSE (secondary education) exams.
All of this comes as a study by the University of Roehampton in London illustrates that teaching hours of computing were in “decline” in 2018 – a trend that’s expected to continue.
For those who do pursue a generalist computer science degree, a diversity of career pathways awaits them. But the broad nature of the curriculum means that recent graduates may fail to tick the necessary recruitment boxes.
“Each of them [workplaces] want different things, so we can’t teach to their specification precisely,” one attendee of the workshop said.
“Industry has a tendency to assume that people should arrive fully trained with the toys that they want to play with, just as much as academia is trying to turn out people who can pick up any of these toys that they may not have used before.”
Others at the BSides Leeds workshop maintained that the industry wants generalists trained in the basics of security, with the unspoken rule that most training of rookies is done on the job.
If this is true, most agreed, entry-level job advertisements need to scale back their list of ‘must-have’ candidate requirements.
“There is less of a lack of skills, in general,” said conference organizer Mark Carney, commenting on the widely publicized ‘workforce gap,’ which depicts an infosec industry in need of four million workers globally.
“The mistake is in the labelling.”
Carney, in the closing of the day-long event, added: “The role of ‘security analyst’ is vastly different depending on the organization, but the title is the same.”
The Infosec Skills Matrix, a project relaunched by Carney in collaboration with Dennis Grove, maps the capabilities required for positions across industry.
“We need to stop using ‘security analyst’ as a general role,” he urged.