Sunday, 23 March 2014
Cyber Security - Passion vs Training
Recently i went to a cyber security seminar in Singapore where the target audience were from the financial industry. During one of the Q&A sessions, one of the audience asked a speaker how did he get into this (security) field and what is important for a cyber security professional to have to ensure that the person is right for the job. He replied that while the technicalities of products, tools and techniques are important, they can easily be trained.
I do not quite agree with the reply as the answer seems to assume anyone can be trained easily to become a knowledgeable cyber security professional. From what i've been through and seen, training is just a small part of being a well equipped security professional. Unlike some other professions, cyber security is a faculty where continuous learning is essential, needed and mandatory. Those who believed that having a qualification or certification certifies themselves as a security guru is actually making themselves fall into a well of delusion. The security risks, cyber attacks, viruses and trojans, processes and even methodologies are constantly changing over time. Those who fail to follow or fail to educate themselves with the latest security news or trends will be left out of the playing field.
Training is important but without passion in the field, then one can only hope you are prepared for the attacks that you are not trained to handle. Let's ask ourselves. Why the bad guys are winning? And why are they still winning despite having many security professionals in the organization trained to subdue or to protect from the bad guys? Take a recent example of a hacking incident where the website of EC-Council, the organization that provide Ethical Hacking training and certifications was hacked and defaced. Some even called it 'Hacking the Ethical Hackers'. And if we look at the profiles of these bad guys, hackers, script kiddies, black hats or whatever we decide to call, some were college students, some were jobless, some were not even working in the IT industry let alone being sent for expensive professional training yet they were and are still able to successfully hack and attack critical infrastructures of well known organizations. So the question is why even being professionally trained, do we still fail?
Passion. Merriam Webster defined it as 'a strong feeling of enthusiasm or excitement for something or about doing something'. If we learned one thing about these hackers, they are passionate about hacking. With such a strong sense of passion, comes the dedication they put into in training themselves to attack and educating themselves with the latest attacking tools and techniques from free courses/manuals online (God bless the Internet). If one thing that majority of the security professionals are lacking is this: PASSION.
Recently, my department head interviewed a candidate for a position to work with the ethical hacking team. The candidate had a degree and a CEH (Certified Ethical Hacker) certification but what initially seemed to be a prospect eventually was not. The reason shared was simple. The candidate did not seemed to know what's going on in the cyber security world for the past 5 years and basic penetration testing question couldn't be confidently answered let alone correct. Hence the reason why hiring a security professional is not as easy as simply by looking at the credentials.
If we, the security professionals are as passionate as the bad guys out there, keep up with the latest news on cyber attacks, defense and protection technologies, then we may have a chance to level the playing field with the skillful hackers out there.