Debate about the impending doom brought about by a lack of science, technology, engineering and math (STEM) workers in the US seems to be a daily occurrence lately. Many in the industry believe that the shortage is a myth. But there are an equal number who worry about the “negative unemployment” rate in certain sectors of technology, particularly in Information Security.
Clearly there is a serious disconnect. If you ask ten technology professionals about the cause of the problem, you’re likely to receive eleven different answers. Here’s my take.
In speaking with people who are currently in school for computer science, I hear many complaints about the traditional curriculum: The classes offered are outdated. They’re too broad and general. One could excuse (or explain) these criticisms, in part, because the university model in the US is meant to be broad and general at the undergraduate level, and because classes are typically meant to cover subjects that have proven their utility in the field of academia or employment. Specialization comes in later on at the graduate level degree programs.
Those looking for training or certification for a specific technology job, product or discipline (which is inherently fast-paced) should go to a vocational school or take workshops in their desired area of expertise. There are a significant number and variety of great ways to get up to speed on specific infosec jobs, including on-the-job training, boot camps, and SANS training.
Sadly, what I hear from people going to university undergrad school for a computer science degree is that there is far too little emphasis on how to turn what they’re learning in the classroom into a real job, or even gain an understanding of which entry-level jobs are available for new graduates, or where a student should look to get the specific skills that would improve his or her odds of getting hired.
It’s a bit like the Underpants Gnomes’ business plan in the cartoon South Park:
Phase 1: Collect Computer Science Degree
Phase 2: ?
Phase 3: Lucrative career!!
One way universities could better prepare students for the real world is by beefing up the writing and design components in the traditional computer science program. If you’ve worked in technology for more than a few months, you have undoubtedly felt the pain of working with people who lack the ability to communicate clearly or think creatively. Explaining requirements effectively, documenting code and work practices, writing technical specifications, creating effective use-case scenarios, making sensible user-interfaces -- these are just a few skills that broadening the curriculum could enhance.
These more creative abilities are not, technically speaking, computer science, but they can make the difference between a mediocre technology employee and a truly valuable one. If a bachelor’s degree was intended to teach students to be well-rounded and ready for an entry-level position, these would seem to me to be important skills to learn -- and not just in technology.
Artistic training is another non-traditional area where potential STEM grads could benefit. My own entrée into the world of infosec was not out of a traditional STEM degree program. I was the kid who got barred from registering for any more art classes so some of the other students could have a chance. Consequently, when I started in malware analysis, I used a very different approach than other researchers. With my visual arts background, spotting patterns was a quick and intuitive process. I will be the first to admit that this is not as rigorous and scientific an approach as other researchers use, but it is no less effective or accurate -- and it is often faster.
One of the things that I have come to appreciate most about the tech industry is the appreciation for different ways of thinking. There is no other industry I can think of that is more welcoming to people with ADD/ADHD or with autism spectrum disorders. And the industry is stronger for this inclusion. But, ironically, there is sometimes an attitude of hostility towards people who approach security problems from a less strictly logical perspective. We are fighting determined adversaries, who are not limited by course descriptions or degree requirements, and it would behoove us to bring some creativity and a broader skillset to the table.
Two obvious ways to eliminate the so-called talent gap in information security are, first, for businesses to have frank discussions with universities or students about the skills that are lacking in recent graduates, and, second, for more job candidates to go directly to training or vocational education, rather than universities. Either way, it is my fervent hope that creativity does not get lost in the rush to churn out STEM graduates and employees.
What are your views? Let’s chat about them in the comments.