You might presume that having a computer science degree would make you a shoo-in for a job in the field of information security.
But faced with a shortfall of suitable applicants, an increasing number of businesses are hiring candidates without a university-level education in computing.
The global information security body, the International Information Systems Security Certification Consortium (ISC2), found that almost one third of information security (infosec) professionals in the UK have a degree other than computer science and just over one in five were only educated to college (high school) level.
Of those non-comp sci grads working in infosec, 60 percent were engineering graduates, 27 percent were business majors and 13 percent studied social sciences or history.
Compared to other students who complete university, UK computer science graduates have high levels of unemployment. Six months after graduation, 17 percent were not in full-time work in 2012 and 13 percent in 2013.
The high unemployment among computer science graduates coincides with UK firms claiming they are struggling to hire IT security professionals, with 63 percent telling ISC2 they were unable to find the right candidate. So why aren’t Britain’s universities producing the infosec professionals businesses want?
This disconnect is partly down to the nature of information security work changing, according to Dr Adrian Davis, European MD of ISC2. Today the CISO role encompasses a much broader range of tasks than was once the case and requires a broader skillset than technical knowhow, he said.
“Ten years ago it was very much bits and bytes and firewalls. If you were good at technology, you could carve out a very good career and be very successful.
“I think the world has moved on. Today you have to be able to talk to the business about how to develop a new app securely and the next minute you have to talk to the firewall guys. You may even have to run an outsourcing contract. A lot of those require softer skills that, to be fair, not everybody has.
“A lot of information security is not necessarily about twiddling the dials. It’s about communicating.
“You need to have students with the correct skills. Some of that universities can teach and some of that they can’t.”
The make-up of UK university courses is also to blame, he said. Most UK university Computer Science courses offer only one information security module or unit – approximately five percent of the total credits according to ISC2.
Instead of focusing on computer science, future CISOs might be better off studying business and separately getting a computer security certification, he said.
“There used to be a comment that the CISO of the future would have an MBA and hold a CISSP [Certified Information Systems Security Professional] and I know that’s a reality in some organisations.”