CloudPassage today announced the results of a recent study analyzing cybersecurity education at undergraduate computer science and engineering programs at top American universities. According to the findings, not one of the top 10 U.S. computer science programs (as ranked by the U.S. News & World Report in 2015) requires a single cybersecurity course for graduation. In fact, only one of the top 36 U.S. computer science programs requires a security course for graduation: the computer science program at University of Michigan.

"I wish I could say these results are shocking, but they're not," said Robert Thomas, CEO of CloudPassage. "With more than 200,000 open cybersecurity jobs in 2015 in the U.S. alone and the number of threat surfaces exponentially increasing, there's a growing skills gap between the bad actors and the good guys. One way to close the gap is through automation, but we also need to train developers, at the very earliest stage of their education, to bake security into all new code. It's not good enough to tack cybersecurity on as an afterthought anymore. This is especially true as more smart devices become Internet accessible and therefore potential avenues for threats."

Key Findings

• None of the top 10 U.S. computer science programs require a cybersecurity course for graduation. In fact, three of the top 10 university programs don't even offer an elective course in cybersecurity.
• University of Michigan (ranked 12th) is the only one of U.S. News & World Report's top 36 U.S. computer science programs that requires a security course for graduation. 
• Only three of Business Insiders' top 50 U.S. computer science programs require a cybersecurity course for graduation: University of Michigan (ranked 11th), Brigham Young (ranked 48th), and Colorado State University (ranked 49th).
• Of the 121 universities studied, the following offer the highest number of elective courses on cybersecurity:
  • Rochester Institute of Technology (10 security electives)
  • Tuskegee University (10)
  • DePaul University (9)
  • University of Maryland (8)
  • University of Houston (7)
  • Pace University (6)
  • California Polytechnic State University (5)
  • Cornell University (5)
  • Harvard University (5)
  • Johns Hopkins University (5)
• Only one of the top five schools offering the most cybersecurity electives is ranked in the top 50 computer science programs in the U.S. (Business Insider): Rochester Institute of Technology.
• Despite not being ranked on the U.S. News & World Report list nor the Business Insider list, the University of Alabama is the only institution of the 121 studied to require three or more cybersecurity classes -- three for an information systems degree and four for a computer science degree.

Study Analysis

The American education system is failing computer science students by deprioritizing cybersecurity training. Universities are inadvertently contributing to the lack of cybersecurity readiness in the U.S. by failing to teach students how to implement security thinking and awareness into all new code design, development, and testing. Given the increasingly complex nature of today's threat landscape, security can no longer be added on after new products and innovations are delivered to market. Cybersecurity training must be a graduation requirement for all computer science programs.

Cybersecurity Education - A Starting Point

"Our research reinforces what many have been saying: there is an incredible IT security skills gap. But what we've revealed is that a major root cause is a lack of education and training at accredited schools," said Thomas. "CloudPassage is prepared to donate technology to universities committed to tackling this important issue. Our hope is to forge deeper partnerships with these schools when they are ready to expand their curriculum, with the longer term goal to make security awareness and skills ubiquitous across all technology education programs."