Priya PatelIn a recent memo from the US government’s cybersecurity agency, CISA, senior technical advisor Jack Cable highlighted the lack of cybersecurity requirements in computer science degree programs. According to Cable, only one of the top 24 computer science schools in the US requires students to take cybersecurity courses. This lack of cybersecurity education has serious implications for the development of secure code and leaves software developers unprepared to address vulnerabilities in their products.
CISA hosted a workshop to address the challenges of incorporating security into computer science curricula, and one of the barriers identified was a lack of demand from the private sector. Until companies start prioritizing security in their hiring processes and expressing the need for developers with cybersecurity skills, universities have little incentive to change their practices. The White House’s National Cybersecurity Strategy even calls for holding application makers liable for security flaws, which requires better training for programmers.
The lack of cybersecurity education in computer science programs contributes to the growing disconnect between security executives and developers, and leaves the door open for more frequent and destructive cyberattacks. Simple weaknesses in code could be avoided with basic security knowledge, but without mandatory cybersecurity courses, developers are ill-equipped to address these vulnerabilities.
CISA has put out a Request for Information on the role of security in computer science education, and responses are due by February 20th. This is an opportunity to address the need for cybersecurity education in computer science programs and bridge the gap between developers and security professionals. By prioritizing security in computer science curricula, universities can ensure that future developers graduate with the necessary skills to write secure code and protect against cyber threats.
