Recently, I started exploring ways I could be a stronger advocate for a course of study and a career in cybersecurity to students at the University of Chicago, my alma mater. For many attending elite schools, careers in anything information technology strike many as too vocational. In fact, for years, the University of Chicago didn’t even offer an undergraduate degree in Computer Science. Interested students were advised to major in Math. Stories of Bill Gates and Mark Zuckerberg dropping out of Harvard don’t exactly help to dispel the myth that an elite education is not suited for those looking to pursue a career in high tech. But few would argue that those two examples, and a few others, are proof positive that being a college dropout or avoiding college altogether, as some have suggested, is a recipe for success, particularly for those few fortunate enough to be admitted to some of the top schools in the country.
The lament for these select few students, however, are the choices they are being steered to. For all the talk about Science, Technology, Engineering, and Math (STEM), many are told that the choices are really down to a career as a management consultant, Wall Street quant, medical doctor, or a small number of “real” engineering options (usually electrical and chemical). And until recently, engineering wasn’t even an option at many select schools like the University of Chicago.
For those not STEM inclined, being a lawyer is of course the catch-all for all those liberal arts folks looking to still maintain that elite label. It also doesn’t help that parents and career counselors are steering students away from their true passions if the major doesn’t offer a direct linkage to some highly paid profession. As many of us have learned, there is more than one path to reach the same destination. That may be cold comfort to parents worried about their children returning to the nest for extended stays after college, but the data doesn’t bear that out. As the Washington Post article I just linked to reveals, most students pursuing liberal arts majors don’t end up as overeducated Baristas, even if their job title and major don’t appear to align.
While it is true that many employers often structure their job requisitions in search of very specific skills and experience, STEM students often find similar challenges in qualifying, as even STEM majors are not designed to be vocational. Just think about the medical field. No one starts doing open heart surgery upon simply graduating from medical school, let alone obtaining an undergraduate degree in Biology.
Our focus should instead be on the broader knowledge that when combined with passion and grit, truly propel students to succeed, or at minimum, be self-sufficient. What I would suggest is that pursuing one’s passion in higher education is the best path to a successful career. That said, however, classroom learning is not enough. Internships, volunteer opportunities, and ongoing mentorships are an essential component. For example, there is nothing wrong with a student pursuing an internship in the IT field while pursuing a degree in Philosophy, so long as the student has a passion for both. As someone who obtained graduate degrees in Legislative Affairs and Law while working full-time in IT, I can tell you that the benefits were noticeable, even if it brought my career in a different direction than I anticipated.
But let’s take this back to the central question this article poses: why study cybersecurity?
The reason is less about STEM or even career prospects; instead, cybersecurity represents the quintessential interdisciplinary opportunity that elite schools often hunger to pursue. Unfortunately, it fails to get adequate attention—in part because it is so interdisciplinary. In some senses it combines computer science and the various parts of IT architecture, which many schools now relegate to a Management Information Systems degree. But many computer science purists relegate cybersecurity to quality control and consider it a necessary evil. Cybersecurity is engineering, in some senses, but it represents the same relationship a bridge-builder has with an explosives expert.
Fundamentally, cybersecurity is not about writing elegant code or building a high performance network. It is about managing risks. The reason we continually fail to adequately secure our networks is not a failure to understand technology, but a failure to understand people and how they behave. That’s why some of the best penetration testers and incident investigators come from non-STEM backgrounds. They anticipate human failings as well as computer vulnerabilities and are often more comfortable thinking in shades of gray rather than black and white. In their world, nothing is ever completely secure, and they’re fine with that. The beauty of the social science and humanities disciplines is their ability to thrive amidst uncertainty and incomplete information. And nothing is more uncertain than the management of risk in human endeavors, of which cybersecurity is but one aspect. Whether you’re managing a hedge fund or assessing the prospects of a proposed advertising campaign, understanding and managing risk is a key ingredient.
So, for those designing a cybersecurity curriculum, make sure students have an understanding of software design and can write their own code. Introduce them to the relevant laws and regulations and various best-practice frameworks. But also make sure they have a solid grounding in economics and psychology, so they can understand why attackers do what they do—and the incentives that are likely to dissuade or encourage malicious activity. Have them read the Cuckoo’s Egg, but also have them read the History of the Peloponnesian War.
Some would say this is overkill for a career that is really about checking boxes, but that couldn’t be further from the truth. I won’t be so arrogant to suggest that cybersecurity is the key to having a successful business, but being able to manage risk certainly is. For those looking to become experts at managing risks, there are few places that offer a better grounding in that than the field of cybersecurity.