Cyber security to be included in all UK computing degrees

New government-backed guidelines that embed cyber-security into UK computer science and IT-related degree courses come into force in September with a two-year “grace period” for universities to comply with the new teaching criteria.

The guidelines and learning outcomes, which support the government's Cyber Security Strategy, were drawn up following consultation with 30 leading British universities and  government and industry bodies.  

They have been co-published by (ISC)2 and the Council of Professors and Heads of Computing (CPHC), with the subject now included in degree accreditation criteria from the British Computer Society (BCS) and the Chartered Institute for IT for computer science degrees.

It applies to 100 UK universities which will now teach cyber-security as part of their computing degrees. The aim is to address a critical skills shortage in cyber-security by ensuring more than 20,000 computer science graduates a year study the subject.

The move directly addresses objective four of the Government's National Cyber Security Strategy: “to equip the UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber-security objectives”. 

Computer science graduates in the UK are currently more likely to be unemployed than graduates of any other discipline, according to data from the Higher Education Statistics Agency.

Adrian Davis, managing director for Europe, the Middle East and Asia at (ISC)2, was reported in the Times Higher Education Supplement as saying that the new guidelines would help resolve the UK's “cyber-security talent shortage and a mismatch between the capabilities of computing graduates and the requirements of industry”.

Bill Mitchell, director of education at BCS, adds: “This latest initiative means that additional guidance on cyber-security elements will be provided to complement the existing information security criteria for computing-related degrees accredited by the BCS. Building cyber-security into UK computing degree courses will go some way to resolving the skills gap situation by helping students to develop the skills that employers need.”

(ISC)2's Global Information Security Workforce Survey found that 63 percent of UK public and private sector organisations have too few cyber-security workers, withone in five UK respondents admitting they would take over eight days to rectify a security breach. 

Davis added: “We are now amongst the first nations in the world to ensure that cyber-security will be embedded throughout every relevant computing degree and, crucially, the most up-to-date skills will be taught as the framework is built and maintained with the input of frontline information and cyber-security professionals.”

Key elements of the courses will now include defensive programming – designing systems from the outset which are secure from vulnerabilities, threats and attacks.

On the content, Hugh Boyes, CEng, FIET, CISSP, cyber security lead at the Institution of Engineering and Technology, said, “The development of these principles and learning outcomes facilitated by (ISC)2 is an important step forward in improving the software security and thus the overall cyber-security of systems. It is important that education providers address these principles and outcomes so that our future software engineers are better equipped to address the vulnerabilities that are so often prevalent in deployed software."

Nick Savage, head of the School of Computing, University of Portsmouth agreed, saying: “The key to the cyber-security guidelines is that content will be integral to computing courses and not just a module added on. This should be reflected in the knowledge our graduates receive. Application to operating system design will all be taught securely with cyber-security implications at the front of mind. This is an important step change in the approach to cyber-security education in the UK and we all need to be on board.” 

Meanwhile Dr Tony Venus, head of standards at the Tech Partnership Company, concluded with what appeared to be a widely supported view: “The employers of the Tech Partnership believe that cyber-security awareness should be an integral part of every digital degree”.