In 2016, Lewis University launched its Master of Science in Computer Science degree. The degree includes three concentrations: Software Engineering, Intelligent Systems, and Cybersecurity. That last concentration in Cybersecurity raised some eyebrows. We had been offering a successful graduate degree in Information Security with colleagues in Business since January 2005. That degree was innovative when it was launched: it recognized that keeping data secure was an interdisciplinary challenge, requiring technical skills but, just as importantly, insights into how and where information security impacted businesses and how organizations could plan and assess their information security strategies over time. But we in Computer Science had become concerned over time that this hybrid approach wasn’t up to the challenge of preparing hacker-level innovators ready to combat the ever-evolving cyber threat. The attackers have gotten more sophisticated, and the targets have diversified from desktops and laptops to more obscure platforms such as embedded computing systems and critical infrastructures. We needed room in the curriculum to “up the tech”: to stretch our legs and get our nerd on throughout the curriculum rather than shoot for a tech-business middle ground. And so we decided to include a Cybersecurity Concentration within the slate of solidly technical graduate Computer Science courses offered by the new Master of Science degree.
The change has benefited students significantly. Every student graduates able to program, an absolutely essential skill for a cybersecurity professional if they are going to understand and combat the attacks they’ll face. Every student graduates understanding how operating systems manage applications and the memory and storage the applications use, which, combined with their ability to code, enables them to grasp how hackers use programming instructions to take over system resources through vulnerabilities in the operating system. Every student graduates knowing how networks layer data into packets that control its flow through a variety of appliances that seek to manage and direct it, and attackers seek to compromise these appliances to make them route packets differently. Our curriculum covers encryption and authentication systems from a mathematical and programming perspective, which helps students appreciate how bulletproof the core algorithms are and how important it is, therefore, that the systems that integrate these algorithms not drop the ball. With courses like Programming for Penetration Testing, Programming for Digital Forensics, and Software Vulnerabilities and Defenses, we have chosen to train students far beyond the use of ready-made tools to the point that they could actually develop such tools. And, since the concentration is offered as part of the broader Master of Science in Computer Science, students have a great opportunity to learn the other parts of computer science that increasingly impact cybersecurity, most especially data science, where advanced artificial intelligence and data analytics can help us better protect data systems from attack in a proactive way.
It seems we made the right decision, as enrollment in the Master of Science in Computer Science has grown steadily over the past year. We also appreciate perspectives such as the one offered in this article, which argues, “With regard to program content, many cybersecurity master’s programs blend the managerial with the technical. Given the demand — and the need — for highly skilled cybersecurity experts, it’s time to transition away from this approach and elevate cybersecurity to a standalone engineering discipline.” That is precisely the belief we held in 2016, and we are glad to see others following suit. This, of course, doesn’t mean that degrees that do offer a blend of technical content and management principles lack value. Understanding the implications of cybersecurity on business assets and processes helps professionals prioritize IT initiatives in a way that best fits particular organizations. Such programs, however, should be named in a way that clearly reflects that focus: Information Security Management, for example. Such programs will continue to prepare students well for jobs in which they shape the overall security posture for organizations. But we must get to a place where students shopping for a quality cybersecurity educational program can assume they are selecting from a pool of choices steeped in computer science and engineering.
Our future cybersecurity health depends on having an ample supply of problem solvers whose deeply technical knowledge helps them outsmart and outrun similarly intelligent innovators trying to break in. For that to happen, we have to dig deep. Cybersecurity education must be rooted in Computer Science. It must provide students a rigorous understanding of how hardware and software work together to process, store, and transform data. Students can then use that first-principles background to engineer creative solutions to the kinds of pressing challenges they’ll find on the job. Indeed, cybersecurity is an engineering pursuit, in the same way its parent, computer science, is. It is the application of a mature body of theory and practice to meet new and evolving challenges. That’s engineering at its core.
The future of cybersecurity education must be increasingly technical.