Some of the security industry’s pre-eminent thinkers have raised concerns that most graduates entering the industry lack the basic knowledge of IT architectures essential to outsmart attackers.
University graduates were trained to use the latest tools, SC Magazine was told, but would be left stranded and fumbling should those systems fail, or be bypassed.
Telstra chief security officer Glenn Chisholm and many of his senior industry peers said the basics they learnt in university, such as assembly language, are missing from today's curriculum.
“Now there is too much cream on the top and not enough depth in the column,” Chisholm told SC.
“I say [to graduates] I know you can write in Java, but you need to understand the effects of assembly, which is what malicious software is written in. It is a very difficult job to bring them back to that level.”
Graduates also had to learn far more in a shorter time than did their predecessors: as Chisholm put it, they must learn 15 years of material in one.
Even the head of Edith Cowan’s cyber security program, Professor Craig Valli, acknowledged the shortfall of talent.
Of some 500 students in the security course, only 100 would show promise.
“The others I tell the ballerina story – that at one stage, I wanted to be a ballerina, but that didn’t work out either.”
Valli had introduced “basics” back into the course where students were taught assembly, programming in C, and scripting.
RSA chief security officer Eddie Schwartz recommends that those training for a career in the security industry consider courses in data analytics.
He said the skill is in short supply and will generate fat pay cheques as it dovetails into the big data model popular with large organisations.
Those with training in data analytics, data science, statistical analysis and predictive analysis will be in demand by vendors and large banks, he said.
“It is a very valuable skill. Large businesses, particularly large banks, are looking for someone to crunch data.”
He said around 10 per cent of large companies are looking at the big data model.
While Telstra, and other organisations with large security teams had the resources to bring university graduates up to speed, Chisholm said many more did not.
On the job
Security veterans agreed that skills taught in most university classrooms were too far removed from those needed in the workplace.
“We are in a race against time,” Cisco chief security officer Jon Stewart told SC Magazine. “Demand for skilled staff is exceeding supply, and what you had to be when I started is very different than what you have to be today.”
Stewart, like many other veterans, learned most of his security skills and knowledge of regulatory requirements on the job.
He sees the classroom as a sanitised world far removed from the complex and imperfect environments that students would face when entering the industry.
“Ironically, the generation of people hiring out of university don’t even understand OSI. They have commoditised the series of education that has gone to the upper layer stack which says ‘here’s how you do programming in a balanced environment’.”
“The concept of buffer overflow is just not even in their mindset because they didn’t learn in an environment where that was possible ... The nature of that education is removing the very elements that this industry needs for those on the job.”
Marcus Ranum, chief security officer at Tenable Network Security, also fired a shot at the university education system.
“I think the computer science curricula are a failure in a lot of ways,” Ranum told SC. “The root failure is that there is no trade focus and software development is a trade, not an art. The people at universities don’t teach [students] that it’s not software until it’s good software.”
Speaking of training in secure software development, he said student developers were being compensated for “writing bad software quickly”. “Get the app on the Apple store, make a million and who cares?” Ranum said.
For Alana Maurushat, lecturer of law, cybercrime and security at the University of NSW, practical security, including ethical hacking, was missing from curricula. She knew of only a handful of Australian universities where ethical hacking and similar skills considered risky were taught, and then only quietly, for fear of litigation.
Many more universities in North America and Europe had publicly taught students to hack under controlled environments.
Certifications also lacked the content required to create competent students, according to RSA chief security officer Eddie Schwartz.
“They are generalist areas,” he said. “Those who prep for CISSP will find the certification interesting, but that's not what is needed in InfoSec operations.”
Schwartz had completed the CISSP but never taken a university security course. Instead, he gained his security experience from eight years in the US military training in "adversarial techniques", and from work in law enforcement and intelligence where he had "hands-on experience" chasing criminals.
Although the skills shortage problem was decades old, respected cryptographer and BT chief security officer Bruce Schneier did not consider it a “bad thing”.
“It means the tools are becoming ubiquitous,” Schneier told SC. “You should remember that the first automobiles came with a repair manual and a tool kit – now my mother drives.”
Schneier cited Clay Shirky’s statement, which notes that profound changes happen when technology becomes normal, then ubiquitous, and finally so pervasive as to be invisible. Schneier said the decline in technical skills means technology is becoming more of a social tool.
“It is a good thing and it is a failure of us in security not to build our systems to be resilient,” he said.
“There is a paucity of security skills among professionals that we have been trying to address for decades and I have no magic solution for it.”
Has your experience proven otherwise? Do you have a magic solution to the problem? Comment below...