Equifax: 143 million consumers; Yahoo: 3 billion accounts (every single one); Verizon: 14 million subscribers. These are just three of the major data breaches reported in 2017. The magnitude of people affected alone should scare you, mostly because it more than likely includes you. If you are like me, you're mad and believe someone should be fired for not doing their job. But it's not possible to fire all of the software engineers, and it wouldn't solve the underlying problem.
In my time as an undergraduate student, I was surrounded by many other eager classmates. However, to my surprise, I was the only person who wanted to specialize in security. Everyone else was gung-ho about software engineering or game design. I couldn't believe that I was the oddball out, but then I stopped to think about why that was the case. In most instances, no one knew cybersecurity was such a large field that was starved from well-educated working professionals, yet everyone who knew how to code was focused on being a software engineer. This was even seen in the courses I took — no security offerings. It was the same every semester when I received a new class syllabus only to see that the last week or two would be dedicated to security concepts. I was always initially excited until about a month before the end of the semester, when I realized we were a few weeks behind schedule and security would be skipped entirely. I went through my entire undergraduate curriculum with no security taught in any of my core computer science (CS) classes.
What really confused me was that my large, reputable school was sending many graduates to big tech places to write software, and all of these newbies were entering the professional world with no security fundamentals. How can a school boast about its CS program when its graduates are missing the most important information, namely, security basics? To me it felt like a double-edged sword, with one side in the graduates, who are doomed to learn security the hard way, and the other in the university, which could fall victim to insecure software its graduates wrote in the industry.
To my surprise, of the top five CS programs in the country, only two of the schools have security-related classes, for a whopping total of three security classes. Surely there has to be some reason why this is the case. Every year we see the number of data breaches rising, yet the number of security classes offered remains unchanged. Why is it that CS programs put so much emphasis on everything but security?
On a side note, many institutions offer separate degrees in cybersecurity, but there is still a lot of improvement that can be made for CS degree programs. When it comes to formal CS degree programs, security shouldn't be an afterthought, especially when history indicates that the number of cyberincidents will only continue to rise. Higher ed institutions need to give their students as much information as possible, not only to help them succeed but also to make the most of their academic experience.
The only way to nip these breaches in the bud is to develop a strong CS program that phases in security instead of just adding (but ultimately skipping) it at the end of a course. By incorporating security into your programs, you give graduates the skills necessary to make well-informed decisions in their professional careers that benefit not only them and their organizations but also the general public. I guarantee that if you add security to your CS program, not only will your graduates thank you — you could even prevent another breach like Equifax, Yahoo, or Verizon. Take pride in your students and your CS program, and make sure you have a reason to be proud with security-centric classes.
Michaela A. Webster is a graduate student studying information security policy and management at Carnegie Mellon University.
© 2017 Michaela A. Webster. The text of this work is licensed under a Creative Commons BY-NC-SA 4.0 International License