Operations

3/24/2015
10:30 AM
Jeff Schilling
Commentary

Educating The Cyberwarriors Of The Future

If I have to choose between hiring a university-educated CompSci grad or an IT specialist strong in sysadmin, networking or programming, I will pick the IT specialist every time.

Some 209,000 cybersecurity jobs remain unfilled. And according to a January PBS report, job postings for the profession are up 74 percent. These are shocking numbers that quantify one of the nation’s primary cybersecurity issues.

Why can’t we just turn on the cybersecurity-training factory and turn out 200,000 cybersecurity professionals quickly to meet the demand? The surprising answer is that too many senior-level executives — even ones who work in the cybersecurity field — don’t have a basic understanding of what to look for in cybersecurity talent. Compounding the problem is that most professional education paths, in colleges and universities, can’t provide the experience-based training required.

Skill and experience trump education
Like every security team in business today, we are hiring. Each week, we receive 50-60 resumes of prospects wanting to join the FireHost security team. My observation after going through the security recruiting process for the last three years (in my post-military career) is that college and university educations do not prepare students for success in cybersecurity.

In fact, when we do find a good prospect, I don’t even notice whether they have a college degree. It is not a factor in selection or salary discussions either. Cybersecurity is a skills-based profession that is always rooted in experience and repetition. Both universities and technical schools struggle to provide live environments that replicate complex security environments, even those of small- to medium-sized businesses.

If this is the case, then where do you hunt for future cybersecurity specialists?

Map talent to disciplines
The easy answer is to hire prospects away from companies where they are currently — and successfully — doing the job. However, this strategy has driven up the cost of skilled labor to the point that it is no longer an option for most security teams. Instead, many companies are opting to discover and train their own talent.

IT services involve three major functions: host and application administration, computer programming, and network engineering. All three of these functions can directly pivot to a cybersecurity discipline: host forensics, malware analysis, and network forensics, respectively.

The critical data that a security analyst needs to understand in order to detect threat activity relates to these three IT and security functions. When I screen resumes for security prospects, I look for experience in one or more of these fields of work, either as an IT specialist or security specialist.

In fact, if I have to choose between a university-educated cybersecurity graduate or an IT specialist who is strong in sysadmin, networking or programming, I will pick the IT specialist every time. For me, the ideal prospect is often someone who ran a small IT shop where they had to do everything in all three functions. A model cybersecurity pro must understand how the IT infrastructure works before he or she can understand how to protect against attacks and find threat activity.

The value of certifications
Are certifications a good judge of talent? Yes and no. When you can align certifications with relevant job experience related to that certification, then, yes, certifications are very important. However, I have found an anomaly with security prospects who possess many certifications but no track record of doing anything related to those certifications. In these cases, certifications are not a good judge of talent.

My trick is to look at an applicant’s experience first, then see what level of certifications they have been able to achieve. Thus, I use certifications as validation that the prospects not only have experience, but also have passed a benchmark demonstrating their skills and abilities. A red flag goes up when someone has many certifications that don’t inherently go together. We call these individuals “badge finders.”

Integrate cybersecurity into undergrad CompSci
So, what are possible solutions? The first is actually quite provocative: eliminate cybersecurity undergraduate programs. In my opinion, security should be integrated into all computer science and engineering undergraduate programs. As we train our future sysadmins, programmers and network engineers, we should teach the principles of cybersecurity in every aspect of their education. This approach will give future cybersecurity warriors deep knowledge of how IT infrastructure works before they decide to specialize.

This change will also have the reciprocal effect of ensuring that our IT service providers are better grounded in security. That gives folks like me, who are looking for entry-level security professionals, a broader group to assess. When needed, we can then leverage graduate and doctorate programs for specialization in security.

Leverage technical trade schools
My second solution is not nearly as provocative. We are critically short on security personnel with hands-on technical skills in managing security infrastructure, such as the devices in a security stack (e.g., firewall, IPS/IDS, WAF, etc.). This is a skill that does not take four years to learn and does not require a live environment to become proficient. These skills are great opportunities for vendor-managed training programs and technical schools.

These programs exist today, but we are simply not getting enough people into appropriate courses. Maybe government grants could drive more students to look for this opportunity. It would also be advantageous for vendors to work directly with technical schools to provide equipment and training packages that facilitate more cybersecurity wrench-turners for gear they hope to sell.

My last suggestion is core to classic professional training models that date back to the Middle Ages: establish a master-apprentice framework for cybersecurity. I set up this model when I wanted to accelerate the progression of forensic college hires in an incident response practice. We really underestimated the success we would achieve with this mentoring program. In fact, our forensics consultants were doing advanced work within 6-8 months.

For now, placing security training at the core of all computer science and IT tracks is the first step toward preparing the next generation of security professionals to properly defend valuable assets, information, and digital identities. But it’s only a start. Let’s continue the discussion of next steps in the comments.

Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ...
Comments
Wolf29,
User Rank: Apprentice
7/6/2015 | 7:59:49 AM
Schools Can't Teach Novelty
I used to be acting chair of a computer networking department in an Atlanta college.  My school was just like every other.  We were all too busy teaching click-paths and memorization to teach troubleshooting and dealing with novelty.  The school had a BS in Info Sec, and it was certainly a lot better than nothing.  Some of the students went very far and are going farther.  They are hitting a wall at company HR departments, however.  Now that they have the diploma, they have to be able to get into something to learn how networks work.  Without the diploma, they are dropped from the search altogether, but even with the diploma, they are not getting useful experience, as part of the course of studies.

I would like to see courses that prepared students for some of the more basic security certs, and that were based on troubleshooting and logical real-world problem solving.  Children are being taught how to use computers at a very young age, but they are generally not being taught how to hack and counter-hack.  That would be a fun class, and promote better thinking.  This would lead to a more useful applicant pool.
Chambers,
User Rank: Apprentice
3/30/2015 | 11:44:51 PM
Combat Informatics
I'd been looking for a security practitioner's tradecraft canon to at least provide me with some idea as to what to master but couldn't find one. Operational security has a tendency to be very wide and deep so it's tough to nail down what aspects make up a quality operative or analyst. Over the years I naturally began outlining and organizing my work and acquired training. I recently started posting things to my homepage. I call it Combat Informatics. It's a living web document.
bandrews750,
User Rank: Apprentice
3/30/2015 | 6:02:10 PM
Why Not Both?
You make good points that the modern education system has serious flaws, but advocating a switch to only specific skills has longer term dangers.

Some may be able to learn a specific system.  A few of those will be able to transfer skills between systems, but the lack of mastery of the underlying concepts will lead to many dangers in the future.

Which system should a student train on?  What happens when the company shifts its IPS or directory system?  Can someone who knows AD, but not core access control concepts, switch to the new system?

I would fully agree with an apprentice system, but then we would have to admit that some workers are not worth the money we are required to pay them.  That will not happen until something external (read politics) forces it to happen.

I am constantly telling students I teach that getting hands on skill is vital in today's world.  Is encouraging them to completely skip the degree really of value?  Not to the smart ones.  Nothing says they have to only have academic or hands on experience.

No one today has an excuse to not have both!
JosephD817,
User Rank: Apprentice
3/30/2015 | 12:20:21 PM
Start it early, build success!
One thing that I think would benefit everyone would to incorporate Computer Science in the public school K-12.

As a society, we teach Physical Science, Social Science, and other sciences that, in my opinion, are less used/needed than Computer Science.

I am located near Augusta, GA and with the new US ARMY Cyber Brigade coming to Fort Gordon, the local school system has added cyber classes to the High School curriculum. I would like to see this introduced much earlier to build a lifetime of understanding in Computer Science. Locally, I am involved with some programs that teach young kids, but this needs to be MANDATORY.
Joseph Dain, CISSP
Jeff.schilling,
User Rank: Author
3/30/2015 | 11:32:03 AM
Re: Apprentice to Master
I think no one strategy will scale to 200,000 open positions.  We have to re-engineer how we build the security professional pipeline in all of the ways I describe in the article.  

However, I think an Apprentice to Master approach will help most of us who are looking to bring in folks with great IT skills who now just need to learn how to apply that knowledge base to security operations.  
cprofitt,
User Rank: Apprentice
3/30/2015 | 11:17:51 AM
Employers need to be willing to hire and train talent
First, I agree with adding this to all comp-sci related degrees. I also think that current employers need to bite the bullet and be willing to hire and train talent. There are systems administrators, network professionals, etc that would be willing to make the jump that lack the formal training. If the situation is so dire then hire and train, and stop expecting trained people to fall from the sky.
Marilyn Cohodas,
User Rank: Strategist
3/26/2015 | 4:47:57 PM
Apprentice to Master
This seems to me like a great option, but I'm wondering: can it scale to fill 200,000 jobs? How can apprentices find masters and vice versa?
Jeff Stebelton,
User Rank: Strategist
3/25/2015 | 10:14:10 AM
Re: Informal and formal training opportunities
SANS and ISC2 don't belong in the same list as ISACA, ISSA and OWASP. Though ISSA and ISACA offer their own certifications, and OWASP does offer training, they are professional organizations. SANS and ISC2 are training organizations. There's no membership in SANS except as an alumnus of their training.
Jeff.schilling,
User Rank: Author
3/24/2015 | 3:31:30 PM
Re: Informal and formal training opportunities
Thanks for the feedback and additional discussion.  Great thoughts.  I would say some of the certifications below you mention as not helpful I have found to provide pretty good quality training as long as it is complemented by an in house training program or apprentice/master relationship.  
andregironda,
User Rank: Strategist
3/24/2015 | 3:05:26 PM
Informal and formal training opportunities
Great article -- great way forward!!!

Personally, I have to balance new kinds of training from a variety of sources. Some academic, such as Coursera and American Public University's Intelligence Studies courses. Some "hands-on" such as the Offensive Security PenTesting with Kali Linux Online course and labs. Some for both on-going and referential treatments, such as Books24x7, SafariBooksOnline, Lynda, and TeamTreeHouse. Others geared towards question and answer forums, such as Security.StackExchange.com, ReverseEngineering.StackExchange.com, ServerFault, NetworkEngineer.StackExchange.com, and StackOverflow -- or even Quora. I find that networking with professionals on LinkedIn is also higher order -- there are many groups to start up a conversation or read the daily news (although TechMeme and other sites tend to aggregate these better). My go-to resource for everything tech, for the past decade, has been my full-content searchable RSS feed collection.

There are things that I do not find useful or conducive to learning: Facebook, infosec conferences, colleges and universities (even the ones that cater to netsec, cyber security, forensics, et al), and professional organizations (e.g., SANS, ISACA, ISC2, ISSA, OWASP, etc). Not all of these are quite as unequal as I'd suggest. It requires a balance. For example, I did mention some online formal learning to kick off my previous paragraph (not many undergrad/grad programs measure up to my needs, however). I think some OWASP chapters (e.g., Austin, which also has Austin Hackers Anonymous -- an excellent model to build on a local chapter setting because every attendee must present their ideas to the community) and some certifications (e.g., CISSP and Security+ for resume filtering) can lead to meaningful conversations and good, local networking. Occasionally, I will attend a Toorcon, DerbyCon, or GrrCon. Sometimes I'll even proctor a CISSP exam. Do these activities pop off the top of my priority list? Never, but they can be useful.