The security course missing from higher education
Have you ever looked at the curriculum offered in a Computer Science program? Across many different universities, there are some commonalities among the courses students take. Generally, there’s an introductory course in the first semester that introduces students to the world of computer science. Then over the course of subsequent semesters, students take courses about programming (including an introduction to OOP), databases, data structures, etc. This means that computer science graduates, while they may not be experts, do graduate with broad knowledge across many different areas. But there seems to be one glaring omission in many programs across Canada and the United States: computer security.
The omission of this core concept from the computer science curriculum creates multiple problems on different levels. But first, let’s take a broader look at the field of computer science and computer security. By now, we are aware of the cybersecurity workforce gap. There aren’t enough qualified people to fill critical roles defending our data and privacy, which means that too few students are graduating with the qualifications needed to fill those roles. One reason may be that computer science has a very high dropout rate. If we need to graduate more students well-versed in issues of cybersecurity, one solution would be to attract more people to computer science programs. But that is a problem in itself.
Building interest in computer science among younger students
When high school students are preparing to apply to colleges, they’re likely to apply to programs they enjoy and are familiar with. In high school, they’re introduced to geography, history, various science courses, and other humanities subjects. But what about computer science? Across 37 states, only 4.7% of high school students are enrolled in a foundational computer science course.
This shortage of computer science courses likely led to the decline in popularity of computer science for many years. However, in recent years, enrolment seems to be going up again. That’s great for the industry, but it doesn’t immediately solve the short-term workforce gap problem — although it will be helpful in a few years when more students of computer science programs graduate. However, simply getting more students into the funnel doesn’t solve the problem completely. As mentioned, these programs still lack coursework in data security and privacy.
We are aware of the rising number of cyber attacks happening across the globe. Cybersecurity has become such a critical issue that government leaders are talking about it. And the pace of these attacks does not seem to be slowing down. Companies and governments need to combat these attacks by hiring qualified people.
If you wanted to hire a cybersecurity expert or at least someone knowledgeable in that field, you’d probably look to hire a computer science graduate. It seems obvious that we should be teaching our computer science graduates how to tackle computer security issues to properly prepare them for the workforce. Unfortunately, that’s not the case (at least not in Canada or the United States).
What’s missing from programs at colleges and universities
Out of the top 50 computer science programs in the US, three require a cybersecurity course for graduation [source]. Research I did on fifteen of the most popular universities in Canada revealed some good news: 53% of them offer a security course for students. The bad news is that only 13% of universities require this type of course. This means that for the majority of programs across the country, there’s a very good chance that students can complete their whole degree program without ever taking a course dedicated to computer security.
What about colleges? In Canada, higher education is broken up into colleges and universities. Universities are typically more theory-based, while colleges are more hands-on. Colleges typically have fewer electives, and the courses students take are predetermined. Again, my research shows that about 27% of colleges have a required computer security course as part of the curriculum for their general computer studies programs. This is a better percentage than at universities, but still not great.
What exactly does this mean? Is computer security being taught at all in these university or college computer science programs? Most likely, yes.
To clarify, we’re looking at general computer science degrees and diplomas. Many schools do offer graduate certificates or continuing education courses that specialize in computer security. And this doesn’t account for what is being taught inside the classroom — for example, a networking course likely covers some aspects of network security. A database course likely discusses prepared statements. However, the content of the courses is at the discretion of the professor. Someone knowledgeable in computer security will likely inject that subject matter into their courses, whereas someone who isn’t will not.
I’m not claiming that computer science graduates aren’t qualified for computer security jobs. But I am saying that they may not be qualified due to the lack of dedicated security courses being offered. In a time when computer security is at the forefront of the news, one wonders why computer security courses are missing from higher education.
Continuing developer education with Snyk
To help solve this, Snyk Learn offers lessons for developers that address vulnerabilities such as injection, prototype pollution, Spring4Shell, and more. These lessons look at a vulnerability in action, so developers can see how exactly the exploits work. They also examine the vulnerability under the hood to reveal why it works. And finally, the lessons provide mitigation techniques. These lessons might not solve all of the issues highlighted above, but they provide a starting point to help developers learn more about computer security.