How do universities train future security specialists?
A recent interview with Kirill "isox" Ermakov prompted me to write this post. In it he said, among other things:
“In general, I graduated from MIREA with a degree in information security. But that did not make me a security specialist. What we were taught at the institute was completely uninteresting.” Under the cut: a post about how universities are changing the situation and what comes of it.
For a long time now, whenever information security comes up in interviews with officials and specialists of varying importance, the topic of staff shortages in the industry comes up with it. Artyom Sychev, deputy head of the Central Security and Information Protection Directorate of the Central Bank, and Mikhail Babich, the presidential plenipotentiary in the Volga Federal District, who spoke at a meeting with Security Council Secretary Nikolai Patrushev, are likewise dissatisfied with the personnel situation in information security:
“In regional executive bodies and local self-government bodies, 1,672 specialists are engaged in information protection, of which only 26% are provided for by the staffing table, and only 6% have specialized education. In addition, for most state information systems in 2014-2015, measures for their creation, modernization and operation were financed at a little more than 50% of the planned funds, and information protection is financed on a residual basis.”
It turns out that the market is experiencing a serious shortage of information security specialists, and not those... Apparently, many educational institutions did not read any further. Indeed, why would they? "Information security" is fashionable, so it is enough to open a programme or department and the flow of applicants is guaranteed. The result is predictable and was described by Mr. Sychev above: a flood of people poured into the market who, of all of information security, know only what it is.
Still, universities should have read the sentence to the end, because in full it reads like this: the market is experiencing a serious shortage of information security specialists, namely specialists, not people who ended up in the industry by accident. That is a much more serious task, involving an enormous amount of work for educational institutions. Do they even have a chance of succeeding?
In the interview, Kirill Ermakov shared his experience:
“What we were taught at the institute was completely uninteresting. All those ISOs, 152-FZ, PCI DSS seemed like useless nonsense. Only many years later did I realize that all these documents were written in blood and hacks. The institute gives you a base that allows you to somehow build enterprise security and understand how it all should work. All of this is taught at the institute, but they do not explain why it is necessary. Working as an ordinary lone pentester or as a security specialist in your company, you also do not understand why all this is necessary. Education tries to instill a systematic approach in you without explaining where and how you will apply it.”
But such a situation is not so much the university's fault as the result of circumstances. An educational institution, in fact, has few options:
1. Teach it themselves. In this case, training usually stays at the level of theory; practice is most often inaccessible to students. After all, everything depends on the initiative of the teacher. The teacher runs around conferences, seminars and exhibitions. The teacher makes contact with vendors, negotiates the transfer of software and extracts materials. The teacher secures a laboratory, works out how to set everything up, and so on. Are there too many "teachers" in this chain? Unpaid enthusiasm will not feed a family. Therefore universities often teach the "fundamentals" (which the teacher has been lecturing for 10 years and will lecture for another 10 without changes): the basics of cryptography, ciphers, etc. However, to be honest, few people need a purely theoretical specialist. Business requires practitioners who are ready for the realities and everyday life of an information security service.
2. Hire a practicing security specialist from a company. Let us leave aside the question of "who pays for this banquet"; most likely it does not happen without altruism. An experienced specialist teaches students what he knows. Of course, such training is more useful for students, but there is one drawback: the practitioner is hardly familiar with the solutions he does not have to deal with in his own work. In addition, being a good security specialist does not mean being a good teacher. Not everyone can present material coherently and accessibly and get students interested. A practicing security specialist is often limited by the scope of his own experience, and there is not always the time and desire to learn something new.
3. Partner with manufacturers. Ideally, partnerships with various vendors should provide exactly that full range of knowledge of information security. The manufacturer of a product knows the state of the industry as well as all the nuances of applying its solutions. And it can talk about competitors (the objectivity of such an account depends on the moral principles of the teacher). However, not every solution on the market has a training base. It is worth recognizing that, for companies, cooperation with universities is more likely an expense item. And far from every manufacturer is able and willing to invest and bear costs in this direction.
Most often, vendors offer this scheme: they provide their product to an educational institution for free, may also give it documentation, and then the university, if it wants, decides on its own what to tell students and how. Thus, the main burden falls on the teachers, and only great enthusiasts take it on.
I have already described the approach practiced in our company. The secret of success is simple: we took on all the bottlenecks at which a university could stall. The training center develops the program, all the materials and laboratory work, and prepares the virtual machine on which practical classes will be held. The university is not left to its own devices: on-site training, as well as webinars, are conducted by company specialists. But these are not ordinary specialists: in addition to knowledge of information security, we have specialized pedagogical education.
The day before yesterday, July 5, an educational practicum for students of LETI was completed. A couple of months before that day, together with the university's specialized department, we discussed the topic for the practicum, which was then presented to students in full-time classes. We decided to focus on the human factor in information security. As part of the practical course, I touched on topics such as “Psychology and threats to information security”, “The human factor and its impact on the organization's activities”, “Social engineering techniques and methods of protection against social engineering”, “Practical use of a DLP system with regard to the human factor” and much more. The course ended with a test of the skills for solving the indicated problems with the help of DLP systems (well, where would we be without them).
Based on the results of the practicum, I asked Alexander Kimovich Plemyannikov (Deputy Head of the Information Security Department) to evaluate this project. His answer:
“Firstly, I want to note the balance of classes: lectures, practical sessions and assessment. The theory is reinforced in practical exercises and is necessarily checked by tests. Secondly, students have access to a learning platform where all the necessary teaching materials and knowledge-control tasks are concentrated. Thirdly, students can complete tasks remotely, using their own devices.
Live communication with professionals is much more effective than reading online publications. Instant feedback and case studies are what trainees expect. The practical tasks are well thought out and as close to reality as possible. This motivates students to find the right solutions for reasons of professional suitability, and not for a pass mark.
Our department has been cooperating with SearchInform for three years, and in this area we do not plan to change partners. As for other areas, the search is underway, but so far there are no offers from market participants with comparable training quality. Nevertheless, we are open to dialogue.”
As you can see, the problem of training specialists in information security is entirely solvable. Manufacturers can close this educational “gap” if they move from high-profile statements about a bright future to real action. By that I mean an interest in high-quality presentation of the material, the development of proper teaching and methodological packages, and company representatives visiting universities for educational and training purposes.