The shortage of cyber security professionals is well documented, and this lack of expertise can keep organizations from bolstering their security programs. CISOs and CSOs should be heartened by the fact that more colleges and universities are offering academic programs and degrees in cyber security specialties. They are also doing their best to place young professionals into the workforce.
Dozens of institutions have launched undergraduate and graduate security programs. Many provide both technical and management skills to help students become well versed in the latest security technologies, threats, vulnerabilities and management strategies.
Here’s a look at a few of the leading programs in the United States.
Carnegie Mellon University, Heinz College
A hallmark of the Heinz College Master of Science in Information Security Policy & Management (MSISPM) program is that it “covers the technology, management, and policy aspects of information security,” says Andrew Wasser, associate dean of the School of Information Systems & Management at Heinz College. “Unlike most of our competitors, we are not training our students to work as ‘eyes on glass’ in a security operations center, but rather to interact with senior management, suppliers, and policy makers.”
Many of the instructors are industry experts in the university’s Software Engineering Institute’s CERT Division. “They work closely with private sector and government agencies in addressing real-time threats,” Wasser says.
“We have a highly engaged Career Services team that works with students in finding leads, negotiating offers, mock interviews, cover letters, resumes, etc.,” Wasser says. “Our students and faculty go to industry conferences and complete capstone security projects with the private and public sector.” This past semester included projects on blockchain technology, vendor risk, and insider threat. “We have no problem helping our students find internships and full-time positions post-graduation,” says Wasser.
Degrees: A two-year, full-time Master of Science in Information Security Policy & Management (MSISPM), a part-time, Distance Master of Science in Technology in Information Security & Assurance (MSIT), and an executive education hybrid face-to-face/distance program for CISOs.
Curriculum: Classes in the core program cover topics including introduction to information security management, privacy in the digital age, risk management, software and security, cryptography, network and Internet security, cyber security policy and governance, and a Capstone Project working with organizations implementing best practices in information security. Technical and management elective courses include network and Internet security, network situational awareness, ethical penetration testing, applied threat analysis.
Full-time students may pick both technical and non-technical elective courses, while the core has both. Required managerial classes include professional speaking and writing, economics, statistics, decision making under uncertainty, and managing disruptive technologies.
Placement: The two-year MSISPM program has a required internship. A career services team works with students to find leads, negotiate offers, perform mock interviews and write cover letters or resumes.
Johns Hopkins University, Information Security Institute
The Johns Hopkins Master of Science in Security Informatics (MSSI) makes numerous security-management and core management courses available to students. “The MSSI program provides a holistic approach to information security education, including courses on privacy, ethics and policy, and it has a specialization dual degree option in healthcare security,” says Tony Dahbura, executive director of the institute.
It gives students a means to perform original research in the cyber security field. “Students are required to complete a capstone project under the supervision of faculty and external mentors,” Dahbura says. “These projects often lead to conference publications and other recognition.”
A policy and management track is designed for students who plan to go into consulting, policy-making or technical management, he says.
More than 25 companies and government organizations each year participate in a seminar series for students, in which they discuss cyber-related technical topics, provide information on their organizations, and make contact with interested students for career opportunities.
The organization partners with multiple companies and government agencies in a variety of ways: mentoring and co-mentoring on student capstone projects, participation in the institute’s Career Services seminar series and job opportunity announcements; membership in the institute’s advisory board to discuss emerging cyber security topics, and providing instructors to bring the latest cyber security practices to students.
Degrees: A Master of Science in Security Informatics (MSSI) degree program. The institute offers a policy and management degree track in addition to its technology and research track.
Curriculum: Technical courses include modern cryptography, network security, ethical hacking, software vulnerability analysis and cloud security. Management-related courses include financial issues in managing a secure operation and implementing effective information and security programs. Foundational management courses include writing articles and technical reports, presentation skills for scientists and engineers, managing people and resolving conflict, project management, leading change and fundamentals of management.
Placement: A cyber security-focused career services function helps MSSI students more readily obtain full-time jobs and internships.
University of Maryland
The university provides cyber security education through a program called Advanced Cybersecurity Experience for Students (ACES). The ACES curriculum consists of two linked, four-year academic programs: the Living-Learning Program (LLP) for freshmen and sophomores leading to an Honors College Citation in Cybersecurity; and the ACES minor, for juniors and seniors.
In the LLP, freshmen and sophomores live and work together both in and out of the classroom, says Michel Cukier, director of ACES. The curriculum introduces a group of honors college students who have an interest in cyber security to the hands-on technical and non-technical aspects of the field.
“It also takes full advantage of the [Washington] D.C.-based companies and government agencies involved in cyber security,” Cukier says. A co-curricular and pre-professional program related to cyber security complements the academic experience, he says.
The minor program focuses on upper-level technical coursework and experiential learning opportunities for students who are capable of and interested in gaining professional training in cyber security. Students also have the opportunity to participate in the living-learning program as peer mentors and tutors.
ACES facilitates regular networking opportunities with corporate and governmental leaders in cyber security, helping students gain mentors and professional contacts, Cukier says. Particularly talented undergraduates who weren’t part of the LLP may apply during their sophomore year to join the ACES minor as juniors.
The ACES curriculum balances technical skills with non-technical coursework, Cukier says. In the first semester, students learn about the ethics of cyber security as well as various coding languages.
ACES offers non-technical seminars such as accounting and economic aspects of cyber security, security incident handling and management, and the policy implications of cyberspace, which are often taken alongside classes such as digital forensics and reverse engineering.
The ACES program aims to offer real-world learning experiences in collaboration with government, industry, and university partners. “Our close proximity to the nation’s capital and strong partnerships with industry provides our students with the opportunity to get internships as soon as their freshman year,” Cukier says.
Degrees: The Living-Learning Program for freshmen and sophomores leading to an Honors College Citation in Cybersecurity, and the Advanced Cybersecurity Experience for Students (ACES) minor for juniors and seniors
Curriculum: ACES programs include introduction to UNIX, the Cybersecurity Professionals Colloquium series, applied security analysis, cyber forensics and experiential learning courses. LLP courses include foundations of cybersecurity I and II, seminars and experiential work in cybersecurity.
Placement: The ACES program provides networking opportunities for students to make professional contacts and find mentors.
New York University Tandon School of Engineering
NYU Tandon School of Engineering offers a master’s degree in cyber security, and the program is rooted in the belief that theory and research must translate into real-world solutions, says Nasir Memon, professor of computer science and engineering at Tandon.
To that end, the school operates the Offensive Security, Incident Response and Internet Security Laboratory (OSIRIS), where students collaborate and develop research. Its virtual laboratory, called VITAL, serves as a shared, central facility for a consortium of universities in New York City, providing hands-on research and learning opportunities for students who study remotely.
Tandon offers courses including hardware security, reverse engineering, cloud security, biometrics, and trust-risk-deception. “Our students also have the opportunity to work across many disciplines throughout NYU by completing dual majors in fields such as business, law, policy, or game development, to name a few,” Memon says.
The school is piloting a high-intensity online program for non-traditional candidates for its MS degree in cyber securityor computer science. It’s designed to prepare non-computer science majors who already hold a bachelor’s degree with the knowledge they need to enter Tandon’s research-based programs within 15 weeks.
At the baccalaureate level, students in computer science and engineering minor in cyber security, working closely with master’s degree students. Those who complete the minor are highly sought by security firms, government, and technology and financial companies, Memon says.
NYU Tandon also offers a Security Management Track for those studying for a master’s degree in either cyber security or technology management programs.
In addition, an MS in Cybersecurity Risk and Strategy for Executives was just announced by Tandon and the NYU School of Law. The 30-credit, one-year cross-discipline executive management program is intended for experienced professionals from a range of backgrounds.
The program incorporates both online courses and blended-learning modules. “Cyber security—both prevention and response—frequently requires coordination between public- and private-sector organizations and expertise in technology, law, and policy,” Memon says. “This program will create managers with the integrated expertise needed to play a leadership role in the field.”
Curriculum: Courses in hardware security, reverse engineering, security management, cloud security, biometrics and trust-risk-deception
Placement: Master’s students can choose a specialization in the National Centers of Academic Excellence (CAE) in Cyber Operations, which makes them eligible to apply for the CAE summer intern program.