A Cybersecurity Curriculum for the Masses

What should every person in cybersecurity know, and how?

Recently, I had the good fortune to be in a room with some really experienced, thoughtful, well-read cybersecurity professionals. I wanted to know what they think should be included in an undergraduate cybersecurity curriculum — but I had some constraints that mirrored the challenges I see in the “real world” of academia:
  • Academic rigor — non-security academics need to be able to approve the topics and readings, so each topic needs a strong body of research supporting it
  • Topics must be teachable by someone who has not worked in cybersecurity, as many college classes are
  • They can suggest only nine classes, since undergraduate curricula must also accommodate general education and other learning requirements
  • The suggested topics must stay relevant for at least ten years (because that’s how long it will take to get any changes approved)
  • The topics must be useful for EVERYONE who works in ANY PART of security.

Here’s what they came up with, after 10 minutes of brainstorming:

  1. Influencing without authority
  2. Risk prioritization/quantitative management
  3. Business communication
  4. Cybersecurity career paths
  5. Networking (e.g. TCP/IP)
  6. Ethics, privacy, and law
  7. Threat modeling and adversary mindset
  8. CIS top critical controls (currently the CIS18)
  9. Modern application architecture

After looking at this list, they didn’t seem particularly thrilled. They suggested that students needed access to industry professionals, and better still, that the teachers/adjuncts should work in the field. They suggested a capstone project (a “senior seminar”) that provided the opportunity to deal with real-world problems. Their objections seemed to suggest that learning theory alone was insufficient.

I asked them: if you had a job applicant who took these classes, would you hire them? They said “YES!” and then they…