Operations // Careers & People
8/13/2014
12:00 PM
Lysa Myers
Lysa Myers
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Time To Broaden CompSci Curriculum Beyond STEM

Having a visual arts background may not be the traditional path for a career in infosec, but it's a skill that makes me no less effective in analyzing malware patterns -- and often faster.

Debate about the impending doom brought about by a lack of science, technology, engineering and math (STEM) workers in the US seems to be a daily occurrence lately. Many in the industry believe that the shortage is a myth. But there are an equal number who worry about the “negative unemployment” rate in certain sectors of technology, particularly in Information Security.

Clearly there is a serious disconnect. If you ask ten technology professionals about the cause of the problem, you’re likely to receive eleven different answers. Here’s my take.

In speaking with people who are currently in school for computer science, I hear many complaints about the traditional curriculum: The classes offered are outdated. They’re too broad and general. One could excuse (or explain) these criticisms, in part, because the university model in the US is meant to be broad and general at the undergraduate level, and because classes are typically meant to cover subjects that have proven their utility in the field of academia or employment. Specialization comes in later on at the graduate level degree programs.

For those looking for training or certification for a specific technology job, product or discipline (which is inherently fast-paced), you should go to a vocational school or take workshops in your desired area of expertise. There are a significant number and variety of great ways to get up to speed on specific infosec jobs, including on-the-job training, boot camps, and SANS training.

Sadly, what I hear from people going to university undergrad school for a computer science degree is that there is far too little emphasis on how to turn what they’re learning in the classroom into a real job, or even gain an understanding of which entry-level jobs are available for new graduates, or where a student should look to get the specific skills that would improve his or her odds of getting hired.

It’s a bit like the Underpants Gnomes’ business plan in the cartoon South Park:

Phase 1: Collect Computer Science Degree
Phase 2: ?
Phase 3: Lucrative career!!

One way universities could better prepare students for the real world is by beefing up the writing and design components in the traditional computer science program. If you’ve worked in technology for more than a few months, you have undoubtedly felt the pain of working with people who lack the ability to communicate clearly or think creatively. Explaining requirements effectively, documenting code and work practices, writing technical specifications, creating effective use-case scenarios, making sensible user-interfaces -- these are just a few skills that broadening the curriculum could enhance.

These more creative abilities are not, technically speaking, computer science, but they can make the difference between a mediocre technology employee and a truly valuable one. If a bachelor’s degree was intended to teach students to be well-rounded and ready for an entry-level position, these would seem to me to be important skills to learn -- and not just in technology.

Artistic training is another non-traditional area where potential STEM grads could benefit. My own entrée into the world of infosec was not out of a traditional STEM degree program. I was the kid who got barred from registering for any more art classes so some of the other students could have a chance. Consequently, when I started in malware analysis, I used a very different approach than other researchers. With my visual arts background, spotting patterns was a quick and intuitive process. I will be the first to admit that this is not as rigorous and scientific an approach as other researchers use, but it is no less effective or accurate -- and it is often faster.

One of the things that I have come to appreciate most about the tech industry is the appreciation for different ways of thinking. There is no other industry I can think of that is more welcoming to people with ADD/ADHD or with autism spectrum disorders. And the industry is stronger for this inclusion. But, ironically, there is sometimes an attitude of hostility towards people who approach security problems from a less strictly logical perspective. We are fighting determined adversaries, who are not limited by course descriptions or degree requirements, and it would behoove us to bring some creativity and a broader skillset to the table.

Two obvious ways to eliminate the so-called talent gap in information security are, first, for businesses to have frank discussions with universities or students about the skills that are lacking in recent graduates, and, second, if more job candidates went directly to training or vocational education, rather than universities. Either way, it is my fervent hope that creativity does not get lost in the rush to churn out STEM graduates and employees.

What are you views? Let’s chat about them in the comments.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 4:17:51 PM
Re: Fresh Blood
You'll have to let us know if you ever recruit a hair stylist to your development team -- and how that works out. 
jaingverda
50%
50%
jaingverda,
User Rank: Apprentice
8/18/2014 | 4:15:51 PM
Re: Fresh Blood
That's the funny thing. At first my fellow developers and security people are like no way someone like that can write and read code and all the technical parts that go along with this field. But once I start breaking it down for them they tend to come around. Another interesting point is the hairstylists tend to have the same reaction that the developers due in no I could never possibly do that. But once I break it down for them and show them how it's not much different than what they do now the're asking me for links on where they can teach themselves theses skills if they are techincally inclined.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 4:05:59 PM
Re: Fresh Blood
That's a pretty interesting breakdown of the job, @Jaingverda. What the reaction of your colleagues to that analogy? 
jaingverda
50%
50%
jaingverda,
User Rank: Apprentice
8/18/2014 | 3:29:09 PM
Fresh Blood
I have said for a long time people like hairstylists would make for great programmers if they could work around the not having near as much social interaction. When you break down what they actually do (the good stylists at least) is they approach a person(problem) look at how it functions, try to apply an idea of what would look good(good working code or security measures) and build from the ground up. They wouldn't start with the finishing touches of a style before coloring or cutting. Also they have to apply a reasonable amount of logic to know how to get from the starting point(when the client walks in) to finished product.
LysaMyers
50%
50%
LysaMyers,
User Rank: Author
8/13/2014 | 6:02:27 PM
Re: Going to a Tech or Vocational School
That's another one of those situations where you can try to get around the HR filters by talking to someone who works there, or by simply choosing to apply somewhere else. Not every company uses those filters, and even those that do usually have some way to end-run around them.
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Moderator
8/13/2014 | 4:39:38 PM
Re: Going to a Tech or Vocational School
Given the extent to which automated systems cull job applicant resumes, I wonder whether those with non-STEM backgrounds can survive the first round.
blackwolf1099
100%
0%
blackwolf1099,
User Rank: Strategist
8/13/2014 | 3:22:16 PM
Re: Student
The people I have met in the industry are exactly the way you describe them. Thank you for the reply and the advice and I look forward to joining this community.
LysaMyers
50%
50%
LysaMyers,
User Rank: Author
8/13/2014 | 3:00:14 PM
Re: Student
For most jobs, and InfoSec in particular, the biggest advantage is already knowing someone in the company you're applying to. Vetting is a huge aspect of the security industry. There are a ton of local, national and international events you can go to and get to know people. Figure out what events pertain to your favorite InfoSec genre and go hang out and get to know people. Despite our occasionally prickly reputation, security folks are also known for bonding with people more on the content of their brains than what they look like. One thing I hear repeated time and again is that for folks who've gotten into security, this community is like family.
LysaMyers
50%
50%
LysaMyers,
User Rank: Author
8/13/2014 | 2:55:54 PM
Re: Going to a Tech or Vocational School
It would be nice for this to be in the screening process, but right now I think it's more important for people to consider in their own educational choices - how to make yourself a better employee when you get that far. Stealth-training, if you will. Add it to your resume in case someone knows how useful it can be, but don't expect that it will necessarily give you a leg up in most circumstances.
blackwolf1099
50%
50%
blackwolf1099,
User Rank: Strategist
8/13/2014 | 2:22:07 PM
Student
As a student in a program that is designed to churn out Infosec professionals my question is what do I do to make myself more attractive. My program focuses on network security, pentesting, fraud detection, data forensics, project management. I have been thinking about trying to get some certifications at the sametime. Whats your advice?
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio