A study examined course descriptions on UK university websites to determine the amount of IT security content in undergraduate IT courses:
"The vast majority of UK computing students receive virtually no security training when it comes to designing and developing new software applications, according to government funded research. Less than 20 per cent of all computing undergraduates in the UK receive more than five hours training in incorporating security functionality over the three to four year duration of their course. This was according to research by the Cyber Security Knowledge Transfer Network (KTN), which was created in 2006 by the government's Technology Strategy Board."
While the study methodology could be challenged (see my previous rant on security surveys), the results concur with a common perception: IT professionals in general do not learn much about IT security at college. Presumably IT students are expected to pick up IT security later through postgraduate courses, training while employed or self-training, rather than on their undergrad courses. Why might this be?
Maybe IT security is considered an advanced or specialist topic, more suited to postgraduate courses such as MSc or PhD? Indeed, ISC2's latest Global Information Security Workforce Study indicates that a high proportion of information security professionals are educated to degree level: around half have bachelor's degrees, about a third have master's degrees and around 7% have doctorates. Some aspects of IT security are certainly complex and benefit from more intense study at postgraduate level, but surely most undergrads could easily understand the basics?
Maybe university departments lack the skills and expertise to teach IT security? Given the general state of the jobs market for IT security professionals and pay rates in academia, it's possible they can't recruit enough. There are some brilliant academics in the field, but perhaps there are too few of them to form a critical mass.
Or maybe there's just something about IT security that means it is better taught on-the-job? Personally I'm not sure about that one. The theoretical basis for information security is exactly the kind of thing that is well taught in universities, providing students with the conceptual frameworks, models and methods on which to build useful skills and capabilities through real world experience.
So what do you think? Is it OK that security barely gets a mention on most IT degree courses? And what, if anything, should be done about it? In particular, is there anything practical that we can do to make a difference? Comments welcome.
Gary Hinson CISSP
Passionate about security awareness
www.NoticeBored.com Creative awareness materials
www.ISO27001security.com ISO/IEC 27000 standards