Advice to (Cybersecurity) Undergrads

Or, avoiding regrets along with that shiny new B.S. degree

Since I frequently get questions from people just setting out on the path (or even some ways along the path) to becoming future cybersecurity experts, here is some quick advice on making the best of your all-too-brief undergraduate years.

Disclaimer: It should go without saying that this is all my personal opinion, not that of my employer, and most importantly caveat lector.

What sort of classes should I take?

There has been an explosion of paths towards obtaining a cybersecurity education of late. In addition to boot camps, MOOCs, certifications, and learning “on the job” so to speak, many academic institutions are now advertising specialized degrees in Cybersecurity or Cyber-Operations in addition to a more traditional degree in Computer Science, my current institution included [1, 2]. A pretty natural question to ask is how these specialized degrees stack up against a general CS education.

My opinion is that you are not going to go too badly wrong in picking either of the wide or narrow paths. After all, many great security researchers and industry practitioners have come out of more general programs or even hold non-CS degrees (one of my PhD advisors, extremely well known in the field, received a math PhD because there were no CS programs at the time that he graduated). I would certainly say that one will not be penalized by opting for a more traditional, broader program (with one important caveat).

In fact, while there are advantages to these specialized majors, you are going to be well served by ensuring—one way or another—that you have strong CS fundamentals (i.e., data structures, algorithms, systems, networking, theory of computation). I will be the first to tell you that I was no star in my theory classes, and I am sure my professors would readily agree! But, I also consider myself much the better for having struggled through them.

(Of course, this shouldn’t be misconstrued as an endorsement of slacking off in your classes—doing well there is extremely important!)

Are classes enough?

On the other hand, where I would strongly caution people just starting an undergraduate career is to avoid the attitude that education begins and ends with classes. Instead, think of classes and your professors more as giving you a framework for thinking about an area and pointing you to some of the topics you should absolutely know. The undergraduate years go by incredibly fast, and despite our best efforts there is only so much material we can cram and a student can productively retain in one semester. So, even in this basic sense classes are better thought of as a perhaps necessary but not sufficient ingredient for long-term success.

But, even if we were able to cover absolutely everything a student should know about an area, a common and related misconception is that classes exist merely as a mechanism for transferring facts for rote memorization. This is similarly the wrong view to hold. The details of an area can change wildly from decade-to-decade, even year-to-year in a young field like computer science. The true measure of one's mastery is the ability to adapt as old “facts” and assumptions change out from beneath us—to see the forest for the trees, as it were.

What else should I be doing?

In my experience, perhaps the biggest differentiator between those that succeed and those that do not is learning outside the classroom. If you make an effort to cultivate a habit of autodidactism, you are going to naturally fill in the gaps that whatever classes you take do not cover, and CS fundamentals will give you the tools to tackle whatever you encounter along the way. Indeed, an undergrad that learns how to learn effectively is well prepared for industry, or graduate work if so desired.

I would certainly recommend taking advantage of extracurriculars like CTF, CCDC, or anything else that piques your interest. Programming for fun, developing your own personal software or hardware projects, exploiting CTF challenges, publishing your code on GitHub, and writing a blog about your exploits (pun intended) are all excellent practical exercises to round out your knowledge and capabilities. Even better, they serve as evidence to future employers, grad school admissions committees, and whoever else that you can back up your formal education with useful skills and the ability to continue learning, long after you have left your alma mater behind.