IT security professionals: between academic training and self-taught

The growth of cyber attacks over the years has resulted in an increased demand for information security professionals. According to recent studies using 2013 as a benchmark, the growth of vacancies in the cybersecurity sector should increase by 350% by 2021. However, it is estimated that the shortage of professionals sufficiently qualified to meet this demand should generate, for the same year, three and a half million vacancies worldwide that will not be filled.

Given this panorama and thinking particularly of the youngest, as part of the series on computer security education that we publish every Monday in November on the occasion of Anti Malware Day 2019, we decided to consult different specialists who work in the industry to find out how they were trained in this field, how true it is that several of the professionals currently working in this industry have learned independently, if they consider that the university offer is adapted to this demand growing and that their opinion on the dissemination of careers and specializations in this field is in the training phase.

Self-taught training?

Although more and more universities around the world offer degrees in computer security, it is not yet a diploma that is found in all institutions. Many professionals in this field have acquired their skills through certifications and in a self-taught manner. However, although they are not as widespread as they should be when you consider demand, the reality is that supply is increasing, experts say.

According to Aryeh Goretsky, an ESET researcher emeritus who started working in the industry in the late 1980s, there were no cybersecurity courses or certification at the start. He explains: "Although we were taught computer security, the focus was on access control models and the concept of securing computer systems for multiple users, but not in a broader perspective or in as a globally interconnected system. As a result, those interested in the concept of cybersecurity, given the behavior of computers and interconnected networks that communicated with each other, had to learn it for themselves from books and practical experience. "

For his part, Marc-Etienne Léveillé, a malware researcher at the ESET research office in Canada, who studied software development and computer engineering, explains that "many of the things I learned at university do not apply to my position as a researcher, which meant that I had to read and learn many aspects of security on my own.

There is no doubt that today's scenario contributes enormously to self-taught learning. We see it with the educational and quality offer offered by platforms that offer massive and open online courses (MOOC, for its acronym in English) like Coursera, with the possibility offered by social networks like Twitter to constantly share information and in which great professionals connect with people eager to learn; in addition to the many resources available on YouTube, websites and other repositories. "Although self-training is a possible path and many professionals in this industry have been trained in this way, it is not the only option," explains Daniel Cunha Barbosa, ESET researcher in Brazil. He adds :

However, despite the frequent need to learn many aspects of the safety and daily work of researchers on their own, many agree on the value of university education. "If I had to choose the path again, I would choose the university again, because it gave me the opportunity to meet many people and participate in different extracurricular activities," explains Marc Etienne.

Development of the academic offer in IT security

As security incidents have increased over the years, the desire to standardize the educational aspects of those wishing to take training in this sector has grown, says Goretsky. "Generally speaking, I think that the wide range of education available at all levels of cybersecurity is positive, but I am also concerned about the quality of the education offered," said the latter. "We need both professionals with theoretical knowledge and operational profiles, and we need them all to have solid knowledge of the building blocks of complex systems. Although much of this knowledge can be learned,

In countries like Canada, the supply of university cybersecurity courses has increased, says Léveillé. "Today, there are diplomas with specializations in computer security, whereas before, the only option was to develop software or computer networks. Likewise, there is always a growing demand for professionals that must be covered in our industry. Perhaps with the effort of educational programs, we will see a more stable situation in a few years, "he said.

For Cunha Barbosa, "it is more positive that there are specialization and postgraduate programs than diplomas themselves, because a diploma which gives the professional future a broader basis will allow him to know technological aspects which go beyond safety and will help him become a better prepared professional. "

How well are careers in cybersecurity promoted?

Often, young people face a difficult process when it comes to choosing a career to study. Many finish high school without being very clear about what they want to do with their lives. Beyond the multiplicity of factors that come into play and make this process difficult, the fact of not having information on less traditional careers means that young people fail to connect their personal interests and tastes to a space. training.

Several specialists agree that the visibility of security careers is greater today than it was a few years ago. "Before it was something you had to find out for yourself, but now I see a lot more students interested in computer security as a student. Now we see that there are more and more companies and schools that want to interest students, "says Léveillé.

On the other hand, "young people often have a false idea of??what cybersecurity is and don't realize its scope," says Aryeh Goretsky. Young people may find the image of a prototype hacker attacking computers and gaining glory and money attractive, but there is also a need to explain what cybersecurity does. "I think there is a general lack of awareness, as defending networks and equipment against an attack is often a more difficult and intense task than attacking these networks and computers. However, what the media and the entertainment industry convey is a biased and idealized image of the attacker, not of those working on the defense side, which distorts the view of what cybersecurity is, "said -he.

Design security: a training problem?

When asked if they consider that the security content seen during the training process by future programmers and / or developers is sufficient so that professionals, when they jump into the job market, are capable to provide secure systems, Marc Etienne replies that "secure development is very well taught today. The problem is that developers need to be encouraged to apply what they have learned. Security issues in the code must be detected during the code review and must be resolved before being included in the project. If developers find that their code is still rejected, they will be more careful and develop appropriate reflexes. "

The development of professionals in the field of computer security must be constant because of the continuous evolution of threats. Although there are currently many options for developing sufficient skills in this field, such as careers, specializations, certifications and even courses and materials available for independent study, it is clear that there is no there is no single solution.

Above Article is associated with DICC offers cyber security course in delhi.. DICC is a well-known ethical hacking institute in Delhi.