Friday, March 18, 2022

The time is now to rethink cybersecurity education

I was asked to give a talk at a cybersecurity faculty summit on the 24th of February. As I sat working on the talk in the days leading up to the summit, the urgency and tenor of my message to my fellow faculty members changed significantly. Cybersecurity faculty at colleges, universities, community colleges, polytechnics, and vocational schools are now the ones training our next generation of architects and defenders of the digital front lines. The threats that we cannot see are as powerful if not more so as the ones we can. The casualties of both are material. As faculty, there is more urgency than ever to prepare all students with cybersecurity skills.


As Brad Smith stated in his blog post on 28 February 2022, Digital technology and the war in Ukraine, “One of our principal and global responsibilities as a company is to help defend governments and countries from cyberattacks. Seldom has this role been more important than during the past week in Ukraine, where the Ukrainian government and many other organizations and individuals are our customers.” The indiscriminate malware technology has been used to target financial, agriculture, and energy sectors, emergency response services, humanitarian aid organizations, the personally identifiable information of citizens, as well as government data. That list of targets alone must serve as an impetus to change our approach to cybersecurity education for we need skilled talent across all industries, all aspects of our public sector, and we must ensure that all future technologies are built securely.


Cyberattacks threaten our privacy, our national security, and our daily lives. Currently, only 3% of US students are attaining a credential in computer and information sciences, with far fewer specializing in cybersecurity. With over 700,000 open cybersecurity roles in the US right now,1 that represents one job opening for every 428 people in the US affected by a data breach in 2020.2


As faculty in higher education, we have a responsibility to help prepare our students with the skills that will not only ensure they are successful in the jobs of the future but also aid in safeguarding society. To that end, there are three philosophical moves that we need to make in academia today as groundwork for this near future. We must embrace the following:

  1. Cybersecurity skills are computer science skills
  2. Cybersecurity skills need to be taught across all disciplines
  3. We can’t do this alone


Cybersecurity skills are computer science skills

Just as security must be a foundational component of the software engineering development process, it needs to be a foundational component of computer science education. As I look across the various programs of study for computer science and computer engineering departments, too often courses on cybersecurity or security, compliance, and identity topics are electives or courses reserved for the final semesters of undergraduate or graduate study. Just as we expect that security must be the thread that runs through every stage and every component of a project—from ideation to strategizing to business requirements and functional requirements to build to testing to deployment—cybersecurity knowledge and skills must be that same thread through education. And so, we must ask ourselves some fundamental questions:

  1. What are our degree requirements?
  2. What competencies are we helping students to build? At what levels and across which horizons?
  3. Where in our individual course syllabi are security topics addressed?
  4. Who in the department is seen as responsible for cybersecurity education? Should that be all of us?


Cybersecurity skills need to be taught across all disciplines

Last year I had the opportunity to collaborate with our data science team at Microsoft to analyze data from job postings in the United States to examine areas of technical skill growth, demand, and salary data. This analysis was conducted with Labor Insights, an industry data set from Burning Glass for understanding the job market. The outcome of this analysis was the article “Cybersecurity skills and certifications open doors to the next hot jobs for recent grads.” Now, nearly a year later, we re-ran the analysis to see what has changed.


Over the 12-month period from May 2020-April 2021 the top ten industries seeking cybersecurity talent ranged from commercial banking to accounting, engineering services to aircraft manufacturing. Figure 1 depicts the top industries by % for cybersecurity job postings May 2020-April 2021.


MSLE cybersecurity 1a.jpg

Figure 1. Source: Analytics compiled through Labor Insight from Burning Glass. (Note: these industry classifications are based on the North American Industry Classification System (NAICS) standards.)


Re-running the analysis to examine data from the job postings, from February 2021-January 2022, there is not only an overall increase in the number of job postings listing cybersecurity skills, but a shift in where we are seeing the demand for skilled talent. Figure 2 depicts the top industries by % for cybersecurity job postings February 2021-January 2022. While commercial banking remains the highest in its demand for talent possessing such skills and certifications, direct health and medical insurance carriers has increased significantly, colleges, universities, and professional schools have joined the top ten, and both accounting services and administrative management and general management consulting services are seeking more talent with cybersecurity skills this year than last.


MSLE cybersecurity industries1.jpg

Figure 2. Source: Analytics compiled through Labor Insight from Burning Glass. (Note: these industry classifications are based on the North American Industry Classification System (NAICS) standards.)


While the changes mean that the cybersecurity job market provides a broad opportunity for students and recent grads to find a job in a field and at a company that suits them, it also means that we need to rethink where cybersecurity skills are being taught. While I argue above that cybersecurity skills need to be the foundation of computer science and engineering programs, knowledge of this discipline and such skills needs to proliferate across campuses. Business schools, schools of agriculture, health sciences programs, hospitality management programs, economics departments and more need to be addressing topics in cybersecurity. In the way that there are often writing requirements, language requirements, and overall distribution requirements for graduation, we must explore what digital skills or technical skills should be required for graduation too.


There are some departments and programs where cybersecurity skills may be a more natural fit than others—business schools or schools of agriculture, for example. However, there is a compelling argument to be made for embedding certification or micro-credentials in cybersecurity in other departments that may be a less obvious fit. The pilot program that the University of Texas System is running—embedding workplace skills valued by employers into the four-year curriculum, in an effort to boost earnings for alumni of the majors that typically make the lowest salaries—provides an approach that other institutions may follow. The opportunity to gain cybersecurity skills alongside a degree in history or English literature could not only produce a fascinating course of study, but also produce incredibly talented and compelling job candidates. And so, I think institutions must ask themselves the following:

  1. What would it take for us to begin to think about spreading technical skills and knowledge across our campuses?
  2. What are some additional approaches to ensuing that we are giving all students—regardless of department, major, or degree program—the opportunity to develop the skills they need for the jobs of tomorrow?
  3. Are our graduation requirements the right ones for the increasingly digital and technical workplaces?


We can’t do this alone

The field of cybersecurity is changing rapidly. The tactics of attackers and the defensive technologies are evolving rapidly. Keeping up to date in this field is a significant task in and of itself. For faculty members and higher education institutions seeking to train and support students in this field, partnerships between industry and the academy are essential for success.


In October Brad Smith announced Microsoft’s cybersecurity skills campaign. A key pillar of this campaign was making cybersecurity skills curriculum available free of charge to faculty at higher education institutions.   


Through the Microsoft Learn for Educators program, we are providing all higher education institutions with access to free curriculum, educator training, and tools for teaching. This includes Microsoft Security, Compliance, and Identity Fundamentals (SC-900) and Microsoft Azure Security Technologies (AZ-500) certification aligned course materials. To further support delivery of Microsoft’s ready-to-teach curriculum, we also provide faculty at all these institutions with access to additional resources including free practice and certification exams, curriculum integration support, course delivery prep sessions led by Microsoft Technical Trainers, lab access, and entry to our global community of educators committed to helping students succeed.


As faculty members we have an opportunity to protect the nation’s future. By educating a large and more diverse body of students to build the cybersecurity workforce of tomorrow—from across all corners of our campuses—we will be able to strengthen our cybersecurity protection for all. Let us collectively leverage this moment to do just that.


Rachel Wortman Morris, Ph.D. is a Senior Business Program Manager at Microsoft - one of the creators behind the AI Business School and the Microsoft Learn for Educators program. She is also a Clinical Assistant Professor at the University of Washington.  



1. Burning Glass Labor Insights

2. Identity Theft and Credit Card Fraud Statistics for 2021|The Ascent (



Posted at