As curricular changes try to keep pace with the emerging security threats to multinational corporations and government agencies alike, the shortage of cybersecurity experts has reached a point of grave concern. The gap between the generic skills that cybersecurity graduates in Ireland carry and what the industry demands of them has been at the centre of the debate about the role of education in an increasingly sophisticated and specialised domain.
However, new academic pathways are seeking to lead graduates directly towards the standardised industry positions that are still emerging. Cyber Skills, a national project between University College Dublin (UCD), Munster TU, University of Limerick (UL) and TU Dublin, is developing programmes designed to address the urgent cybersecurity skills demand.
Dr Donna O’Shea, the project lead of Cyber Skills and chair of cybersecurity at Munster TU, explains that she saw Cyber Skills as an opportunity for constructive collaboration. “I found working as head of department [of Computer Science at Munster TU] and also working with other universities and technological universities and institutes of technology that we were all working in silos, and were all producing great programmes independently … I felt that this was an opportunity of bringing together the domain leaders nationally in cybersecurity skills and training.”
Merging the perspectives and various cybersecurity competencies of the partner institutions, O’Shea explains, required intense collaboration. While the various partner institutions have remained focused on the ultimate goal of the programme, operational difficulties have presented a challenge. From deciding at which institution students would register to coordinating divergent governance structures, “the tension has really been around: how do we get a learning management system up and running?”.
High-profile security breaches have emerged internationally and, as a result, mitigating exposure has become a priority for businesses. However, to build systems that can detect and respond to security threats, specific skills provided by targeted educational pathways are needed. With modules such as Cryptocurrency and Protocols and Secure Software Development, Cyber Skills is seeking to place industry demands within a broader mission to reimagine the viable options for graduates to receive an education in the cyber domain.
The new programmes will begin this September, with three academic pathways drawing from the lecturing teams in each of the four institutions. However, integrating specialised skills according to the technical requirements of industries and companies raises issues about the role of education. Stephen Farrell, a research fellow in computer science at Trinity, argues that serving the labour market should not be the priority.
There exists a “tension between training that’s very specific to industry needs at the moment, one that’s very specific versus generic”, Farrell explains. “And I would argue that, for the university, the role should be much more to train people to understand the generic ways of evaluating risk, reducing risk based on up-to-date kind of mechanisms for defence and attack.”
Degree programmes in this domain develop an alternative type of thinking about risk evaluation, creating an understanding of systems mechanisms and their vulnerabilities which is distinct from industry training on systems building. Farrell argues that there is value in “getting people to try and understand risk and generic attack mechanisms, defence mechanisms at the technology level, but not over emphasising today’s threats in too much detail because they change over time.”
With funding of €8.1 million from pillar three of the Human Capital Initiative from the Higher Education Authority (HEA), Cyber Skills represents one of 22 projects selected for funding. Head of Skills at the HEA, Dr Vivienne Patterson, explains how pillar three rewards innovation and agility in the higher education system, including understanding and reacting to changes in the labour market. “The idea behind this initiative was that working with enterprise was a key eligibility requirement of the projects … working with enterprise [such] that you could be much more reactive and respond much, much more rapidly to what was required in terms of skill needs of the regions or indeed, nationally.”
Unfortunately, the vast number of cyberattacks on various lucrative sectors and businesses over the past five years has further complicated the development of computer science degrees. Whether developing expertise and strategy to fend off attackers is the role of the university, and whether enterprises should consult on the design of such programmes, remains uncertain.
Patrick Magee, the director of IT Services at Trinity, explains that “in part, GDPR has made people understand the importance about data protection and security, but the reality is, as more and more of us become comfortable with digital being in every part of our world, then the threats that are existing and emerging, are becoming more and more pervasive, and more and more sophisticated”.
After a high-profile cyberattack on the HSE, ransomware attacks in Irish higher education institutions and cyber fraud losses to Trinity Foundation, meeting the urgent demand for tailored cybersecurity expertise has taken precedence. The security vulnerabilities of corporate and public offices were exposed with the critical shift to at-home working during the pandemic. With devices such as computers moved to the public internet (and outside the office network), data breaches became more prevalent – and public.
Organisations need to find a balance between the effort devoted to developing new systems and defending existing ones. Reducing risk, Farrell explains, is the critical objective. “It’s not really feasible to think you can get ahead of attackers, because attackers have an easier problem than defenders. If you want to build a system and defend it, you have to defend against all reasonable risks that you can think of and that you can afford to protect for. Whereas the attacker only has to find one way in.”
O’Shea explains that “industry needs, obviously, correspond with student or graduate employment opportunities”. Taking an MSc in Cyber Security, she explains, may produce “well-rounded cybersecurity professionals that could probably do a lot of different types of job role[s]”. At Cyber Skills, she says, “we’re not giving the individual the skills to do network security, or to do pen testing, or to do malware investigations: we’re giving them the skills to perform the job role that they need to perform”.
In particular, O’Shea notes that the Cyber Security Skills Report from Cyber Ireland enabled Cyber Skills to collaborate with enterprises such as Mastercard that “wanted to provide a pathway or training, very specialised and tailored to address that need” and Dell, with offices in Limerick and Cork, that could identify skills requirements to inform the developed pathways at Cyber Skills.
With microcredentials offering graduates the opportunity to select various courses to build their own qualification, Cyber Skills both opens the range of viable education routes and facilitates learners seeking to follow targeted industry tracks. In an open digital economy like Ireland’s, however, even new qualifications and collaboration between third-level institutions may not meet industry demand.
For Magee, the set of skills provided by such degree programmes must operate in conjunction with the microcredential awards offered by Cyber Skills. He explains that “for the next certainly five years plus, there is probably no career more guaranteed to result in a job offer than in the field of cyber security because there is a clear and evident gap between the numbers that we need, and the numbers of graduates that are available, and then the number of people who can be retrained quickly enough to fill it”.