8/13/2014
12:00 PM
Lysa Myers
Commentary

Time To Broaden CompSci Curriculum Beyond STEM

Having a visual arts background may not be the traditional path for a career in infosec, but it's a skill that makes me no less effective in analyzing malware patterns -- and often faster.

Debate about the impending doom brought about by a lack of science, technology, engineering and math (STEM) workers in the US seems to be a daily occurrence lately. Many in the industry believe that the shortage is a myth. But there are an equal number who worry about the “negative unemployment” rate in certain sectors of technology, particularly in Information Security.

Clearly there is a serious disconnect. If you ask ten technology professionals about the cause of the problem, you’re likely to receive eleven different answers. Here’s my take.

In speaking with people who are currently in school for computer science, I hear many complaints about the traditional curriculum: The classes offered are outdated. They’re too broad and general. One could excuse (or explain) these criticisms, in part, because the university model in the US is meant to be broad and general at the undergraduate level, and because classes are typically meant to cover subjects that have proven their utility in the field of academia or employment. Specialization comes later, in graduate-level degree programs.

Those looking for training or certification for a specific technology job, product or discipline (which is inherently fast-paced) should go to a vocational school or take workshops in their desired area of expertise. There are a significant number and variety of great ways to get up to speed on specific infosec jobs, including on-the-job training, boot camps, and SANS training.

Sadly, what I hear from people going to university undergrad school for a computer science degree is that there is far too little emphasis on how to turn what they’re learning in the classroom into a real job, or even gain an understanding of which entry-level jobs are available for new graduates, or where a student should look to get the specific skills that would improve his or her odds of getting hired.

It’s a bit like the Underpants Gnomes’ business plan in the cartoon South Park:

Phase 1: Collect Computer Science Degree
Phase 2: ?
Phase 3: Lucrative career!!

One way universities could better prepare students for the real world is by beefing up the writing and design components in the traditional computer science program. If you’ve worked in technology for more than a few months, you have undoubtedly felt the pain of working with people who lack the ability to communicate clearly or think creatively. Explaining requirements effectively, documenting code and work practices, writing technical specifications, creating effective use-case scenarios, making sensible user-interfaces -- these are just a few skills that broadening the curriculum could enhance.

These more creative abilities are not, technically speaking, computer science, but they can make the difference between a mediocre technology employee and a truly valuable one. If a bachelor’s degree was intended to teach students to be well-rounded and ready for an entry-level position, these would seem to me to be important skills to learn -- and not just in technology.

Artistic training is another non-traditional area where potential STEM grads could benefit. My own entrée into the world of infosec was not out of a traditional STEM degree program. I was the kid who got barred from registering for any more art classes so some of the other students could have a chance. Consequently, when I started in malware analysis, I used a very different approach than other researchers. With my visual arts background, spotting patterns was a quick and intuitive process. I will be the first to admit that this is not as rigorous and scientific an approach as other researchers use, but it is no less effective or accurate -- and it is often faster.

One of the things that I have come to appreciate most about the tech industry is the appreciation for different ways of thinking. There is no other industry I can think of that is more welcoming to people with ADD/ADHD or with autism spectrum disorders. And the industry is stronger for this inclusion. But, ironically, there is sometimes an attitude of hostility towards people who approach security problems from a less strictly logical perspective. We are fighting determined adversaries, who are not limited by course descriptions or degree requirements, and it would behoove us to bring some creativity and a broader skillset to the table.

Two obvious ways to eliminate the so-called talent gap in information security are, first, for businesses to have frank discussions with universities or students about the skills that are lacking in recent graduates, and, second, for more job candidates to go directly to training or vocational education, rather than universities. Either way, it is my fervent hope that creativity does not get lost in the rush to churn out STEM graduates and employees.

What are your views? Let’s chat about them in the comments.

Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all ...
Comments
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 4:17:51 PM
Re: Fresh Blood
You'll have to let us know if you ever recruit a hair stylist to your development team -- and how that works out. 
jaingverda,
User Rank: Apprentice
8/18/2014 | 4:15:51 PM
Re: Fresh Blood
That's the funny thing. At first my fellow developers and security people are like no way someone like that can write and read code and all the technical parts that go along with this field. But once I start breaking it down for them they tend to come around. Another interesting point is the hairstylists tend to have the same reaction that the developers do in no I could never possibly do that. But once I break it down for them and show them how it's not much different than what they do now they're asking me for links on where they can teach themselves these skills if they are technically inclined.
Marilyn Cohodas,
User Rank: Strategist
8/18/2014 | 4:05:59 PM
Re: Fresh Blood
That's a pretty interesting breakdown of the job, @Jaingverda. What's the reaction of your colleagues to that analogy?
jaingverda,
User Rank: Apprentice
8/18/2014 | 3:29:09 PM
Fresh Blood
I have said for a long time people like hairstylists would make for great programmers if they could work around the not having near as much social interaction. When you break down what they actually do (the good stylists at least) is they approach a person (problem) look at how it functions, try to apply an idea of what would look good (good working code or security measures) and build from the ground up. They wouldn't start with the finishing touches of a style before coloring or cutting. Also they have to apply a reasonable amount of logic to know how to get from the starting point (when the client walks in) to finished product.
LysaMyers,
User Rank: Author
8/13/2014 | 6:02:27 PM
Re: Going to a Tech or Vocational School
That's another one of those situations where you can try to get around the HR filters by talking to someone who works there, or by simply choosing to apply somewhere else. Not every company uses those filters, and even those that do usually have some way to end-run around them.
Thomas Claburn,
User Rank: Moderator
8/13/2014 | 4:39:38 PM
Re: Going to a Tech or Vocational School
Given the extent to which automated systems cull job applicant resumes, I wonder whether those with non-STEM backgrounds can survive the first round.
blackwolf1099,
User Rank: Strategist
8/13/2014 | 3:22:16 PM
Re: Student
The people I have met in the industry are exactly the way you describe them. Thank you for the reply and the advice and I look forward to joining this community.
LysaMyers,
User Rank: Author
8/13/2014 | 3:00:14 PM
Re: Student
For most jobs, and InfoSec in particular, the biggest advantage is already knowing someone in the company you're applying to. Vetting is a huge aspect of the security industry. There are a ton of local, national and international events you can go to and get to know people. Figure out what events pertain to your favorite InfoSec genre and go hang out and get to know people. Despite our occasionally prickly reputation, security folks are also known for bonding with people more on the content of their brains than what they look like. One thing I hear repeated time and again is that for folks who've gotten into security, this community is like family.
LysaMyers,
User Rank: Author
8/13/2014 | 2:55:54 PM
Re: Going to a Tech or Vocational School
It would be nice for this to be in the screening process, but right now I think it's more important for people to consider in their own educational choices - how to make yourself a better employee when you get that far. Stealth-training, if you will. Add it to your resume in case someone knows how useful it can be, but don't expect that it will necessarily give you a leg up in most circumstances.
blackwolf1099,
User Rank: Strategist
8/13/2014 | 2:22:07 PM
Student
As a student in a program that is designed to churn out Infosec professionals, my question is what do I do to make myself more attractive. My program focuses on network security, pentesting, fraud detection, data forensics, project management. I have been thinking about trying to get some certifications at the same time. What's your advice?