Recently i went to a cyber security seminar in Singapore
where the target audience were from the financial industry. During one of the
Q&A sessions, one of the audience asked a speaker how did he get into this
(security) field and what is important for a cyber security professional to
have to ensure that the person is right for the job. He replied that while the
technicalities of products, tools and techniques are important, they can easily
be trained.
I do not quite agree with the reply as the answer seems to
assume anyone can be trained easily to become a knowledgeable cyber security
professional. From what i've been through and seen, training is just a small
part of being a well equipped security professional. Unlike some other
professions, cyber security is a faculty where continuous learning is
essential, needed and mandatory. Those who believed that having a qualification
or certification certifies themselves as a security guru is actually making
themselves fall into a well of delusion. The security risks, cyber attacks,
viruses and trojans, processes and even methodologies are constantly changing
over time. Those who fail to follow or fail to educate themselves with the
latest security news or trends will be left out of the playing field.
Training is important but without passion in the field, then
one can only hope you are prepared for the attacks that you are not trained to
handle. Let's ask ourselves. Why the bad guys are winning? And why are they
still winning despite having many security professionals in the organization
trained to subdue or to protect from the bad guys? Take a recent example of a
hacking incident where the website of EC-Council, the organization that provide
Ethical Hacking training and certifications was hacked and defaced. Some even
called it 'Hacking the Ethical Hackers'. And if we look at the profiles of
these bad guys, hackers, script kiddies, black hats or whatever we decide to
call, some were college students, some were jobless, some were not even working
in the IT industry let alone being sent for expensive professional training
yet they were and are still able to successfully hack and attack critical
infrastructures of well known organizations. So the question is why even being
professionally trained, do we still fail?
Passion. Merriam Webster defined it as 'a strong feeling of
enthusiasm or excitement for something or about doing something'. If we learned
one thing about these hackers, they are passionate about hacking. With such a
strong sense of passion, comes the dedication they put into in training
themselves to attack and educating themselves with the latest attacking tools
and techniques from free courses/manuals online (God bless the Internet). If
one thing that majority of the security professionals are lacking is this:
PASSION.
Recently, my department head interviewed a candidate for a
position to work with the ethical hacking team. The candidate had a degree and
a CEH (Certified Ethical Hacker) certification but what initially seemed to be
a prospect eventually was not. The reason shared was simple. The candidate did
not seemed to know what's going on in the cyber security world for the past 5
years and basic penetration testing question couldn't be confidently answered
let alone correct. Hence the reason why hiring a security professional is not
as easy as simply by looking at the credentials.
If we, the security professionals are as passionate as the
bad guys out there, keep up with the latest news on cyber attacks, defense and protection technologies, then we may have a chance to level the playing field with the skillful hackers out there.
No comments:
Post a Comment