Yesterday, my RSS feeds highlighted a provocative article: “STEM Stinks for Cybersecurity” (Forbes Magazine). In this article, the author argues that we don’t need more people with university degrees in science, technology, engineering, or mathematics — what we need is more people with Vocational Training (he calls it VoTech) who are familiar with the security tools and know how to run the security tools. I think this position misunderstands both STEM and Cybersecurity.
Let’s start with STEM. The author seems to believe that the emphasis on STEM is at the university level — that we only want STEM degrees. That’s wrong and misguided. Emphasizing STEM is important much earlier — from the first days of education to the end of high school. We need to be raising students that are unafraid — who perhaps even love — science, engineering, math, and technology. The ability to understand these disciplines is key to having adults who think critically, and who can recognize pseudo-science when they see it (and thus, believe neither the creationists nor the climate-change-denouncers). Being familiar with these disciplines is also key if you are going to exist in the modern world, where technology is everywhere (and technical terms are everywhere). They are particularly important even if you are going into VoTech — just because you are working with tools doesn’t mean you don’t apply scientific principles or use mathematics. In fact, most CNC tool programmers use mathematics regularly. Familiarity with technology is required in almost every field today — even the soft fields are making extensive use of technology.
Let’s now turn to the question of whether VoTech is sufficient for Cybersecurity. I’ll start by saying that I have no problem with encouraging vocational technology — I think it was a disaster when shop classes were removed from schools, and I’ll support vocational training. Having trained machinists and technicians and repair support is vital to the success of most operations (and it should go without saying that all need to be familiar with STEM). But with respect to Cybersecurity, my opinion differs.
Technicians trained in using tools are only as good as the tools they use. While this is fine in manufacturing, it’s not in Cybersecurity. Cybersecurity tools can only find what they are programmed to find — which are signatures of yesterday’s attack. VoTech Cybersecurity experts, as a result, can typically only find what the best of their tools find. Perhaps, as they gain lots of experience, they will be able to go outside of that box and identify additional attacks. The basic trainee won’t; our systems won’t have time to wait.
Cybersecurity requires individuals who are familiar with technology, systems, mathematics, engineering… and can think critically, and can present their thoughts and findings (which is where the arts come in, and why you see a movement from STEM to STEAM). Successful cybersecurity is much more than running vulnerability scans. It is getting in with the engineering team from day 0 — identifying the security requirements and how they trade off other engineering and mission requirements. These are skills you learn in engineering courses and software and system design courses, not vocational training. It is being able to recognize results and findings that just seem off, and having the ability to track down the root cause (and not just the symptom of the day). The ability to recognize that “this doesn’t smell right” is a critical thinking skill; I don’t believe a VoTech trainee will have that without significant experience. Successful cybersecurity is being able to assess your findings in the context of the larger system, mission, and business picture — a perspective that someone who is only familiar with tools will not have. Successful cybersecurity is looking at all aspects of the system from the low hardware up through the design layers, from operational procedures and processes to suppliers. An emphasis on tools alone does not give that ability. Lastly, cybersecurity requires individuals that can think out of the box, because that’s what the adversaries do. Stopping the script kiddies is easy; VoTech can easily catch the low-lying fruit. The real threat comes from the determined adversary, and they don’t do what you (or your tools) expect.
Don’t get me wrong — technicians are important. If that is the highest level of skill you can obtain, and you’ve had that K-12 STEM/STEAM education, go for it. Some people work best with their hands. But if you can go on and get that STEM/STEAM degree, you will be much more successful and much more useful in the field (plus, you’ll earn significantly more over your lifetime — enough, perhaps, to pay off your student loans :-)).