We Must Consider Software Developers a Key Part of the Cybersecurity Workforce
Four and a half years ago, as a student studying computer science, I wrote in the Harvard Business Review what at the time felt like a simple observation: I didn’t need to take a cybersecurity class to graduate, and neither did my peers at 23 of the top 24 universities in computer science.
It’s now 2024, and after seeing some of the most brazen ransomware attacks ever and increasingly bold cyberattacks on the federal government by nation-state adversaries over the past few years, cybersecurity in computer science education remains an elective. Indeed, that list of the top 24 universities in computer science hasn’t changed: 23 still don’t require cybersecurity. Cybersecurity is viewed as a subdiscipline, much like graphics or human-computer interaction – not essential knowledge that every future software developer should be equipped with as they enter the workforce. This is unacceptable. All too often, attacks exploit simple weaknesses that any developer with basic security knowledge could have stopped.
It is long overdue for academia to reconsider its role in producing a software developer workforce that enables increasingly damaging cyberattacks. As long as cybersecurity remains an elective, too many software developers will lack even a basic understanding of security and will continue to prioritize speed to market over the security and safety of their customers. The truth is that what we traditionally view as the cybersecurity workforce will not, on its own, fundamentally change the state of cybersecurity. To foster long-term cybersecurity, we must ensure that software developers and business leaders can build in security from the outset.
In March 2023, the White House issued the National Cybersecurity Strategy calling for a fundamental shift in accountability from those least capable—like individuals and small businesses—onto those most capable, namely technology manufacturers. The White House’s follow-on National Cyber Workforce and Education Strategy directly acknowledges the need for security knowledge in software development, stating “participants in the software development process—from business leaders to software developers and product managers—must be equipped to manage the security and privacy implications of the software they create.”
CISA’s global Secure by Design campaign aims to fulfill the National Cybersecurity Strategy’s vision by highlighting areas where various stakeholders, including software manufacturers and academia, can act. Software manufacturers in particular must adopt the core principles outlined in our Secure by Design whitepaper to improve our nation’s cybersecurity.
These principles must also be advanced in academia. In September, we hosted a workshop at the National Cybersecurity Education Colloquium (NCEC) focused on identifying challenges in weaving security into computer science curriculums. We identified the following key issues during this interactive roundtable discussion with computer science and cybersecurity educators:
- Security is treated as an elective. The prevailing attitude of the computer science field is that security is a subdiscipline, not a fundamental area of knowledge. As such, security knowledge is only seen as needed for students who show particular interest or seek further degrees in research.
- Limited resources and experience among faculty. This generation of computer science faculty was trained in the same system, so it’s not surprising there is a lack of security knowledge. That fact, coupled with a lack of standardized security education materials and limited appetite among faculty to take on the work, means integrating security into curriculums is challenging.
- Lack of a demand signal by industry. Universities want to produce graduates who are employable. To date, companies have not expressed that security is one of the key factors they evaluate when hiring software developers. Until that changes, universities have little incentive to change their practices.
Workshop participants also identified several potential solutions to these challenges, including integrating security requirements into the accreditation process for computer science programs, and increased availability of computer science curriculum materials.
At CISA, we’re continuing to drive the mission of making software secure by design. We’re exploring ways of integrating security requirements for schools to be designated/redesignated as a NSA/CISA National Center of Academic Excellence (N-CAE). We are also engaging with educators from the K-12 level to universities and other software development education platforms to further integrate security into their curricula. And, we are working across academia and industry to further establish cross-disciplinary education for both computer science and cybersecurity professionals to better integrate security in the earliest stages of product development. CISA will publish future blogs on these topics as they mature.
We have a path forward, but we’d love additional thoughts on how we can best achieve a future that’s secure by design. In December, CISA released a Request for Information (RFI) seeking your feedback on the role of security in computer science education, with responses due February 20th. Whether you submit feedback to the RFI or not, you can always drop us a note at SecureByDesign@cisa.dhs.gov.