SC Exclusive: Cyber-security fails to make the grade at university

It has been said that the cyber-security skills gap will result in a shortage of two million professionals by 2017 (according to (ISC)2), a problem which has led some to call for a societal shift in security thinking, as well as increasing government involvement.

On the latter, there has at least been some traction; GCHQ has started accrediting cyber-security Masters degrees, and Coventry University is now offering the first MBA in Cyber Security.

However, an analysis of this year's UCAS undergraduate course acceptances by reveals that this shortage will continue with the numbers – and thus interest – in security courses considerably lower than in recent years.

The majority of computer security courses are categorised in the UCAS numbers under ‘Information Systems’, and a review of these courses reveals that they include ethical hacking, computer security and forensics, computer and information security, data science and cyber-security.

Although the universities themselves decide which category their course fits under, UCAS officials told SC that Information Systems is used for the majority of cyber-security courses, with the body's own categorisation indicating that these courses should include information modelling (how information flows within an organisation), system designs and methodologies, databases, system auditing, data management and systems analysis.

The figures

The bad news is that, looking at the UCAS entries for last year, the number of undergraduates taking these courses is plummeting.

In 2014, 1,905 men and 460 women (2,365 in total) enrolled in these courses but this represented a fall of 11 percent year-on-year (2,670), 18.7 percent compared to 2012 (2,910) and 34.5 percent compared to 2011 (3,610). The enrollment number was almost half as much (41 percent) as the 4,010 people that enrolled on Information Systems courses back in 2010, and is the worst since UCAS started tracking course applicants in this way back in 2007.

It is worth noting that *some* cyber-security courses fall under the wider ‘I’ group in UCAS' figures, with these encompassing the likes of computer science and software engineering. But even these figures made for dire reading, especially regarding the number of young women undertaking a computer science-related course.

Dr Adrian Davis, European MD at (ISC)2, told SC that the skills gap could take a generation to fix: “The numbers behind the skills gap are evidence of the colossal change that has taken place in our economy and society as we moved into our digitally dependent age. We shouldn't really be surprised at the growth in demand for people with the skills in areas such as information security that are needed to make our new society work; the adjustment required is enormous.

“We must also address other needs long before we can begin to directly develop skill. People need to discover and develop interest in a subject, appreciate the opportunities before they will even consider investing in an education. Students won't choose subjects they don't understand.”

Davis added that the information security profession must ‘do a better job of communicating’, while governments, industry and academia must work together to fill the gap.

“We are talking about an adjustment that usually takes a generation to achieve; unfortunately, we do not have this long. Governments, industry and academia must work together on tackling the issues. It's time to ramp up the scale.