Thursday, August 24, 2017

Mastering the Cyber Security Skills Crisis with a Framework

Adam P. Henry, UNSW
Greetings from UNSW Canberra at the Australian Defence Force Academy, where Adam P. Henry, is speaking on his report "Mastering the Cyber Security Skills Crisis: Realigning Educational Outcomes to Industry Requirements".

Adam asserted that there is a shortage of cyber security personnel in Australia. However, his report is on university degrees, which are not necessarily intended to to provide "job ready" staff. University degrees provide a broad education and it is expected that industry and specific employers will provide specific job skills.

Some university degrees do provide specific work skills and experience, such as engineering and computer science. I am tutoring ANU engineering and computer science students in the ANU Techlauncher course after this seminar.  Some of these students undertake group projects for companies and government agencies, while others are individual "interns" working under supervision in organisaitons.

Adam emphasized practical time on task and testing of students on work-relevant exercises. He looked at different forms of education, including industry certifications, as well as higher education. Adam divided expertise into five levels, from basic to advanced expert. It would be useful to relate these to the Australian Qualifications Framework (AQF), which has ten levels. He also divided the field of education into five areas, including "people". He also had nine purposes in his framework.

Adam conducted surveys of students. Interestingly, 40% of students were not already working in cyber security and 56% were studying to get a new job. Also 34% were interested in going on to a PHd. One this last point, I suggest a Professional Doctorate may be better than a PHd.

Adam compared the offered Australian degrees with a the requirements for the US standard cyber security job characteristics (NIST KSA).  However, he also pointed out that some cyber security jobs may be so specialized that the employees don't have a career path. That suggests that education needs to be broad to get the employees out of that trap.

This 28 page report argues that Master of Cyber Security programs in Australia do not meet the requirements of industry. However, this is based on comparing what is in the Australian degrees with U.S. Government requirements. As a trained and qualified educational designer, specializing in IT and with a background in defence, if you give me that as the requirement, I could design a degree program, to meet that specification. However, are the US requirements what Australian industry needs and who says what is required?

When designing engineering and computer science programs and courses, there are professional bodies for universities to turn to for guidance. Engineers Australia and the Australian Computer Society accredit relevant programs. There seems to be a lack of equivalent in the cyber security area. This is something the universities can help rectify. In practice many of the people who write the "industry" requirements for education are actually academics seconded to committees by EA and ACS.

The report is on firmer ground suggesting "... mission-specific and purpose-driven courses may better prepare students and address the skills crisis than generalist degrees." (p. 3). However, I suggest that purpose-driven courses can be incorporated into degree programs, using tools such as e-portfolios. The degree can provide a general framework, into which specific industry certifications can be inserted, as required.

Australia has an advantage when it comes to designing practical, flexible, education.  The vocational and university arms of education are able to support each other. The workforce can be trained by a combination of university degrees, vocation programs at government TAFEs and commercial training organizations (RTOs), plus training in the workplace RTOs.

ps: I prepared a Cyberwar Hypothetical for Teaching ICT Ethics at ANU.

No comments:

Post a Comment