Friday, September 15, 2017

Draft Cybersecurity Curricula from IFIP, ACM, IEEE-CS AIS SIGSEC

A 74 page Draft Cybersecurity Curricula 2017, Version 0.75  is available (12 June 2017) from the Joint Task Force on Cybersecurity Education (JTF). The task force has representation from the IFIP Technical Committee on Information Security Education (IFIP WG 11.8), as well as ACM, IEEE Computer Society and AIS SIGSEC. A final curricula recommendation is due in December. It is not clear how the curricula relates to the cyber-security certifications recently announced by ACS and IFIP.

The 12 June draft of the task force divides the Curricular Content into six "Knowledge Areas":
  1. Data Security
  2. Software Security 
  3. System Security 
  4. Human Security 
  5. Organizational Security 
  6. Societal Security
Recommended study hours per knowledge area have not yet been specified.

The report contains a curious section 5.1 on "The Academic Myth" (page 58):
"Students who graduate from a four-year university program assume that the baccalaureate degree is a sufficient qualification to attain a position. This understanding may be true in some fields, but not necessarily in the computing disciplines nor specifically in cybersecurity. Belief in this myth has stymied many a job hunter worldwide. The degree credential is growing in importance, but it is not a sufficient condition for a position. A general understanding exists in cybersecurity and other fields that a successful professional must be a good communicator, a strong team player, and a person with passion to succeed. Hence, having a degree is not sufficient to secure employment."
The report goes on in the next section to detail Non-technical Skills (Section 5.2, Page 58):
"Non-technical (sometimes called “soft”) skills are vital to the success of cybersecurity professionals. The ability to work in a team, communicate technical topics to non-technical audiences, successfully argue for resource allocations, hone situational awareness, and operate within disparate organizational cultures are just a few of these skills. The US Chief Human Capital Officers Council (CHCO), among other bodies, has developed a list of non-technical competencies pertinent to the cybersecurity workforce. The list includes: accountability, attention to detail, resilience, conflict management, reasoning, verbal and written communication, and teamwork. The full list of competencies is available in the Competency Model for Cybersecurity. Professional associations such as (ISC) and ISACA also provide recommendations for non-technical skills required for cybersecurity professionals."
The report's authors seem to assume that that these soft skills have no place in a baccalaureate degree program. However, those are the skills I, and my colleagues, are teaching to computer science and engineering students at the Australian National University. As part of team projects and individual internships, the students have to learn to work together, communicate with a real client, negotiate for resources and present their work. Obviously, students with limited work-place experience can only learn so much and there is a continual discussion of the role of higher degrees for improving skills and smaller sub-degree courses. That approach fits with the ACS' approach to certification, which recognizes experience alongside formal qualifications.

No comments:

Post a Comment