Why do recent computer science graduates need to be retrained when they hit the commercial world?

Gunter Ollmann, CTO, Security, Microsoft Cloud and AI Division

October 15, 2013

4 Min Read

Universities and colleges are pumping out more and more software engineers each year. Yet it would seem to many in the industry that the quality of these freshly minted graduates is decreasing. Perhaps "quality" is too harsh a word -- "immediate usefulness" would likely be more appropriate. What's the problem?

During my career I've been lucky enough to work with and manage several of the world's most renowned security engineering and research teams. In some cases, it may have been the pedigree of the development teams that made it inappropriate to recruit new graduates or anyone with less than five years of experience, but in other cases, with tight deadlines and demanding schedules, the development teams themselves weren't prepared to expend the energy and time retraining a newbie.

That problem of "retraining" has always gnawed at me and, during the past year or so as I've worked with a growing number of universities and computer science professors around the world, I think I have a better understanding and articulation of the root cause to the "usefulness" problem when it comes to new software engineering graduates.

At its crux, the delta between university and commercial development can largely be attributed to two missed opportunities in the computer science:

 

  • 1. Individual project development.Through various courses and projects, students predominantly work on individual study assignments. It is the exception rather than the norm that they engage in group or collaborative development projects. I've been told about a common perception among students of university "honor code" infringement when it comes to discussing assignments or collaborative work.

    The problem with this in the commercial world is that, unless you're a phenomenal and well-known uber-engineer (or working for a dinky never-heard-of start-up), you're almost never going to be working on a project or product as a sole contributor. At every stage of a project, you'll be working within a collective of software engineers, QA engineers, product managers, and project managers. Group communication and collaboration skills are mandatory -- so, too, is maturity.

    Very rarely is an engineer born with these key group skills; they're skills that must be practiced and reinforced through hands-on experience. This should be occurring daily within the university and college education program, but it's not.

 

 

  • 2. Creating fresh applications.Most curriculums place an emphasis on learning the dynamics and advantages of a montage of programming languages and styles. The vast majority of projects and assignments students will participate in will revolve around writing new applications or modules from scratch. Very rarely will students have to face code written by others, or, if they do, it'll be to find some kind of logic flaw or bug.

    The reality of commercial software development is that the vast majority of time a software engineer will be editing someone else's code. More than likely the code will be several years old, passed through the hands of a dozen or more developers over that time, and only rudimentarily documented, and the engineer will be tasked with extending some existing functionality. Refactoring existing code to make it more efficient or reflect new standards is a timely and costly task, and no product manager will allow that to happen without a great deal of fuss that'll be well above a freshly minted engineer's pay grade.

 

I suspect that many of the old-hands charged with running engineering organizations or leading development teams are nodding to themselves right this moment -- wishing, too, that the next batch of newbie engineers pouring out of the college and university gates were better prepared for the careers they have chosen.

The disparity between the skills newly minted software engineers arrive with and the operational needs of the engineering teams they eventually join are felt acutely within the security industry. It takes a special and finely honed engineering skill set to make legacy applications and the code they're written from more secure. Merely sitting through a course covering the secure development life cycle (SDL) isn't enough to make a difference -- new engineers need the communication skills to negotiate and socialize ideas with their colleagues, and the ability to tweak existing code snippets and routines if they're to be useful within the first few months of on-boarding.

Gunter Ollmann, CTO, IOActive Inc.

About the Author(s)

Gunter Ollmann

Gunter Ollmann

CTO, Security, Microsoft Cloud and AI Division

Gunter Ollmann serves as CTO for security and helps drive the cross-pillar strategy for the cloud and AI security groups at Microsoft. He has over three decades of information security experience in an array of cyber security consulting and research roles. Before to joining Microsoft, Gunter served as chief security officer at Vectra AI, driving new research and innovation into machine learning and AI-based threat detection of insider threats. Prior to Vectra AI, he served as CTO of domain services at NCC Group, where he drove the company's generic Top Level Domain (gTLD) program. He was also CTO at security consulting firm IOActive, CTO and vice president of research at Damballa, chief security strategist at IBM, and built and led well-known and respected security research groups around the world, such as X-Force. Gunter is a widely respected authority on security issues and technologies and has researched, written and published hundreds of technical papers and bylined articles.

Originally, Gunter had wanted to be an architect but he lost interest after designing retaining walls during a three-month internship. After that, he qualified as a meteorologist, but was lured to the dark side of forecasting Internet threats and cyberattacks. His ability to see dead people stoked an interest in history and first-millennium archaeology.

See more from Gunter Ollmann
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Kuala Lumpur, Malaysia, skyline against the harbor at sunrise
Cyber Risk
Licensed to Bill? Nations Mandate Certification & Licensure of Cybersecurity ProsLicensed to Bill? Nations Mandate Certification of Cybersecurity Pros
byRobert Lemos, Contributing Writer
Apr 23, 2024
4 Min Read
MITRE Corp's logo in blue
Endpoint Security
MITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti BugsMITRE ATT&CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs
byNate Nelson, Contributing Writer
Apr 22, 2024
3 Min Read
A toddy cat (Asian palm civet) on a wooden fence, Indonesia
Cyber Risk
ToddyCat APT Is Stealing Data on 'Industrial Scale'ToddyCat APT Is Stealing Data on 'Industrial Scale'
byJai Vijayan, Contributing Writer
Apr 22, 2024
3 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events