A Cybersecurity Curriculum for the Masses
What should every person in cybersecurity know, and how?
Recently, I had the good fortune to be in a room with some really experienced, thoughtful, well-read cybersecurity professionals. I wanted to know what they think should be included in an undergraduate cybersecurity curriculum — but I had some constraints that mirrored the challenges I see in the “real world” of academia:
Requirements
- Academic rigor — non-security academics need to be able to approve the topics and readings, so each topic needs a strong body of research supporting it
- Topics must be teachable by someone who has not worked in cybersecurity — as many college classes are
- They can suggest only nine classes, as undergraduate curricula must take into account general education and other learning requirements
- The suggested topics must stay relevant for at least ten years (because that’s how long it will take to get any changes approved)
- The topics must be useful for EVERYONE who works in ANY PART of security.
Here’s what they came up with, after 10 minutes of brainstorming:
- Influencing without authority
- Risk prioritization/quantitative management
- Business communication
- Cybersecurity career paths
- Networking (e.g. TCP/IP)
- Ethics, privacy, and law
- Threat modeling and adversary mindset
- CIS top critical controls (currently the CIS18)
- Modern application architecture
After looking at this list, they didn’t seem particularly thrilled. They suggested that students needed access to industry professionals, even better if the teachers/adjuncts worked in the field. They suggested a capstone project (a “senior seminar”) that provided the opportunity to deal with real-world problems. Their objections seemed to suggest that just learning theory was insufficient.
I asked them: if you had a job applicant who took these classes, would you hire them? They said “YES!” and then they…