Cyber guidelines for unis

by Mark Rowe

Universities now have access to the UK’s first higher education cybersecurity learning guidelines for undergraduate degrees to be referenced within BCS, the Chartered Institute for IT, accreditation criteria for computing and IT-related degrees.

Matthew Hancock, Minister for the Cabinet Office, said, “The UK has a world-class cybersecurity sector, but we can only continue in this vein if we have the highly skilled workforce we need to thrive. Initiatives, such as this, are excellent examples of encouraging the best young people to consider careers in cyber.”

Published by (ISC)², the US-based not-for-profit membership body of certified information and software security people with nearly 110,000 members worldwide, and the Council of Professors and Heads of Computing (CPHC), the guidelines reflect consultation with more than 30 universities and industry bodies, say organisers.

Developed in support of the UK government’s National Cybersecurity Strategy, the guidelines define cybersecurity imperatives and learning outcomes affecting the next wave of computing degrees from as early as September 2015.

The aim is to bring computing degrees into closer alignment with industry requirements. This could see over 20,000 cybersecurity graduates a year entering the UK workforce, it’s claimed. Directly addressing objective four of the Government’s National Cyber Security Strategy: “to equip the UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cybersecurity objectives”, the initiative will also address a severe skills shortage by introducing more people to the opportunity of pursuing a career within cybersecurity.

Carsten Maple, professor of Cyber Systems Engineering at University of Warwick and vice chair of the Council of Professors and Heads of Computing, said this marks a significant shift in the teaching of security in higher education; cybersecurity is now being recognised as integral to every relevant computing discipline from computer game development to network engineering. “Previously, cybersecurity was treated as a separate discipline to computing with students being taught how to create applications or develop systems and technology but not how to secure them; leading to proliferation of systems with built-in vulnerabilities. Academia, industry and government have all recognised this, which is why we have come together to address this issue and provide a practical and accessible way of incorporating cybersecurity into our curricula, and move the discipline forward.”

And Dr Adrian Davis, CISSP, managing director for EMEA at (ISC)², said: “The UK has long been affected by both a cybersecurity talent shortage and a mismatch between the capabilities of computing graduates and the requirements of industry. These compounding issues have ultimately been compromising our ability to both build and defend the digital economy and UK plc.

“We are now amongst the first nations in the world to ensure that cybersecurity will be embedded throughout every relevant computing degree and, crucially, the most up-to-date skills will be taught as the framework is built and maintained with the input of front-line information and cybersecurity professionals. UK graduates entering the workforce will be able to immediately put their skills to use.”

Bill Mitchell, Director of Education at BCS, said: “As an Institute we are already heavily involved in tackling the skills gap in this field; from developing the profession through to ensuring that standards are met. This latest initiative means that additional guidance on cybersecurity elements will be provided to complement the existing information security criteria for computing-related degrees accredited by the BCS. Building cyber security into UK computing degree courses will go some way to resolving the skills gap situation by helping students to develop the skills that employers need.”

The new “Cybersecurity Principles and Learning Outcomes” guidelines document was developed over two years through workshops. These included industry bodies such as the Institution of Engineering and Technology and Tech Partnership UK; government departments including the Cabinet Office and the Department for Business Innovation and Skills; and more than 30 universities that offer undergraduate computing science degrees, from the newest post-92 universities to the Russell Group.

Dr Alastair Irons, Head of Computing at the University of Sunderland and Chair of the BCS Academic Accreditation Committee, said: “At the recent revalidation of its computer science suite of programmes the University of Sunderland embraced the CPHC (ISC)² workshop outcomes by embedding cybersecurity throughout the programmes and modules. The revalidated programmes give students the opportunity to develop knowledge and skills in the fundamentals of computer security and apply computer security principles across the curriculum, for example defensive programming in programming, security design in database modules. In final year there is a new advanced cybersecurity module which is core for computer science and computer forensics students and available as an option module across the rest of the computer science suite.”

Hugh Boyes, CEng, FIET, CISSP, Cyber Security Lead at the Institution of Engineering and Technology, said: “The development of these principles and learning outcomes facilitated by (ISC)² is an important step forward in improving the software security and thus the overall cybersecurity of systems. It is important that education providers address these principles and outcomes so that our future software engineers are better equipped to address the vulnerabilities that are so often prevalent in deployed software.”

And Nick Savage, Head of the School of Computing, University of Portsmouth, said: “Cybersecurity is a fundamental aspect of computing in the modern world, and we need to be sure that computing courses are being taught with security from the offset. The key to the cybersecurity guidelines is that content will be integral to computing courses and not just a module added on. This should be reflected in the knowledge our graduates receive; application to operating system design will all be taught securely with cybersecurity implications at the front of mind. This is an important step change in the approach to cybersecurity education in the UK and we all need to be on board.”

Dr Tony Venus, Head of Standards at the Tech Partnership Company, said the employers of the Tech Partnership believe that cyber security awareness should be an integral part of every digital degree, and the new guidelines, developed in close collaboration with (ISC)² and BCS, will help universities implement this. “The Tech Partnership is leading the way by actively incorporating the guidelines into its own degrees, including IT Management for Business; Software Development for Business; and the innovative new Degree Apprenticeship in Digital and Technology Solutions, which has core cybersecurity content as well as a cybersecurity specialist route.”

Guidelines

The development of the guidelines document was led by (ISC)² and CPHC over the last two years, and BCS provided the accreditation framework. The group also included cybersecurity professionals from the Russell Group Universities, Cabinet Office, MoD and the Institution of Engineering and Technology. Students will be taught core concepts and principles, including:

  • Information and risk: models including confidentiality, integrity and availability (CIA); concepts such as probability, consequence, harm, risk identification, assessment and mitigation; and the relationship between information and system risk.
  • Threats and attacks: threats, how they materialise, typical attacks and how those attacks exploit vulnerabilities.
  • Cybersecurity architecture and operations: physical and process controls that can be implemented across an organisation to reduce information and systems risk, identify and mitigate vulnerability, and ensure organisational compliance.
  • Secure systems and products: the concepts of design, defensive programming and testing and their application to build robust, resilient systems that are fit for purpose.
  • Cybersecurity management: understanding the personal, organisational and legal/regulatory context in which information systems could be used, the risks of such use and the constraints (such as time, finance and people) that may affect how cybersecurity is implemented.

The full guidelines can be found here: http://cert.isc2.org/isc2-cphc-whitepaper/.

© 2024 Professional Security Magazine. All rights reserved.