Why Universities should include dedicated Cybersecurity Programs
Background
Nearly twenty years ago, when I started my university studies, it was normal to find two computer-related programs across all universities in the Middle East: the Computer Science program and the Computer Engineering program. Neither of which contained a course in computer security. Computer security knowledge was a bit mystical for undergraduate students. One would be so lucky to find some underground hacking tricks such as cracking Windows passwords using L0phtCrack, running the Back Orifice trojan, or capturing clear-text passwords using some traffic sniffer tools. At that time, even a master’s degree in Information Security in Middle Eastern universities was non-existent, while – on the other hand – only a few universities in the West offered such degrees.
Fast forward to 2022, the current state of cybersecurity education – I would argue – at Middle Eastern universities is still not up to the level required to meet and address the challenges faced by businesses and organizations. There is a shortage of qualified cybersecurity workforce in the industry. I want to address here the existing problems in colleges and universities when it comes to this field of study and then provide recommendations on how to improve and enhance this field.
Current State
I am going to consider four Middle Eastern countries that are known to have great universities: Lebanon, Egypt, UAE and Jordan. When looking at the curriculum of the top universities in those countries, it will be clear that cybersecurity education is still behind. Except for Jordanian universities, which have made substantial progress in this domain, universities in the other three countries still lack sophisticated cybersecurity education.
In Lebanon, the top five universities are the American University of Beirut (AUB), the Lebanese American University (LAU), Saint Joseph University (USJ), Beirut Arab University (BAU), and the Lebanese University (LU). None of these universities have an undergraduate program in cybersecurity (i.e., no bachelor’s degree in Cybersecurity). The closest program offer is at AUB which offers a bachelor’s degree in Computer Science with an emphasis in cybersecurity. This emphasis on cybersecurity requires the student to take four courses in cyber and information security. The other universities might offer 1 course, at best, in cybersecurity in their computer science/engineering programs.
If we switch our attention to the top five universities in Egypt, we will see that there is only one university, Ain Shams University, that offers a bachelor’s degree in cybersecurity, the rest of the top universities, including the American University of Cairo (AUC) offer – at best – one or two courses in cybersecurity. The following table shows the list of those five universities along with their level of cybersecurity education:
Moving to the UAE, there is a slightly better position in terms of the level of cybersecurity education. We will consider 7 universities: four universities in Dubai, two in Sharjah, and one in Abu Dhabi. Two of those universities offer a bachelor’s degree in cybersecurity (or information security). Two other universities offer a bachelor’s degree in computer science with emphasis, or concentration, in cybersecurity. This concentrated program contains multiple courses. The last three universities only offer a single course in cybersecurity as part of their computer science/engineering programs. The following table shows those universities along with their levels:
Finally, visiting Jordan, we will see that it has the highest levels of cybersecurity education among the compared countries. Looking at the top five Jordanian universities, four of them are in an excellent position and offer dedicated bachelor’s degrees in cybersecurity. This is the level that all countries in the region should aspire to. The following table outlines those universities and their levels:
The Problems
To understand why cybersecurity education needs to be more present at colleges and universities, we need to understand how the lack of such education causes problems in the technology sector. I would like to look at these problems from two angles; the first is producing technology solutions (software or hardware) that are insecure, and the second is the gap in the cybersecurity workforce needed by the market.
Tackling the first issue, we know that graduates from computer science or computer engineering programs end up in various positions in the technology sector. Those positions can be in software engineering, system engineering, web/mobile application development, network administration, and so on. What happens when people in those positions lack cybersecurity education? They would ultimately build insecure software, design insecure networks, develop insecure web/mobile applications, etc. Those insecure hardware or software products open the door to potential cyber-attacks, exploitation, and compromises. On the other hand, if those engineers, developers, and administrators received the right level of education in cybersecurity and know the attack techniques and procedures, they would build networks and software applications with robust security principles and methodologies.
Regarding the second issue, there is now a large domain of profession that is specialized in cybersecurity. In other words, we don’t only have network engineers who are skilled in cybersecurity, but rather we have cybersecurity engineers, cybersecurity consultants, cybersecurity analysts, and so on. The market now needs professionals whose full-time jobs revolve around cybersecurity. Statistics show that there is a shortage in the cybersecurity workforce supply in comparison to the growing demand for Cybersecurity professionals across various sectors.
Future State
To address the above two issues, cybersecurity education needs to take two forms; the first form is where cybersecurity courses are provided as part of the typical computer science/engineering programs, while the second form is where dedicated cybersecurity programs are provided.
In the first form of cybersecurity education, there should be enough cybersecurity courses that correspond to technical major courses. For example, whenever the student takes a course in Networks, there should be a follow-up course in Network Security. Or when the student takes a course in Application development or programming, there should be a follow-up course in Application Security. The same goes for courses in Web Development and Operating Systems.
In the second form of cybersecurity education, there is should be programs for bachelor’s degrees in cybersecurity where students learn fundamentals of different aspects of cybersecurity such as penetration testing, security engineering, security operations, digital forensics, and malware analysis. Looking at the tables earlier comparing the different universities in the Middle East, we are still at an early stage – except maybe for Jordan. There is no excuse for any university not to have such dedicated programs. This is the ultimate vision that we would love to see in every university in every country. This way, we can meet the demand of the market while also reducing the attack surface of technological solutions.
How Axon Can Help
Axon has been helping many fresh graduates and senior undergraduates through an intensive cybersecurity internship program. We have been bridging the gap between academia and industry in this field. We also collaborate with many universities to conduct workshops and webinars on different cybersecurity topics and introduce computer science/engineering students to this field. And we are always ready to offer guidance and help to colleges to create a sustainable cybersecurity program.