Cyber security: Do the experts need letters after their name?

Despite its reticence over everything Snowden, GCHQ has been awfully proud of its work with academia over the last year. Though it has always worked closely with universities, the Cheltenham-based spy agency has given its backing to various government initiatives designed to give a fillip to British cyber-security wannabes and …

  1. IT Hack

    Good Grief

    Children as young as 11 are introduced to the concept of cyber crime and what can be done to stop it.

    Argh.

    That is all.

  2. Pete 2 Silver badge

    Professionalism by degrees

    Getting a degree is a good first step. But that's all it is. It tells potential employers nothing about the practical skills, professionalism, integrity or experience of a candidate.

    As such, employing people in something as critical as IT security based on such a basic qualification is asking for trouble. There is already an organisation in the UK that provides a sort of professional qualification and sets standards for its members, but the British Computer Society never seems to get a mention when talking about such things. Is the failing theirs, in not pushing and publicising their role - or is it that IT isn't really a "profession": just a series of "jobs" strung together, more or less, into a career?

    There is obviously a need for something "above and beyond" a BSc or MSc and it could be argued that membership of a chartered institute would fulfill that requirement. After all it appears to be a necessary requirement for proper architects and other "real" professionals.

    So instead of trying a DIY approach of setting up single solutions at various academic institutions, shouldn't the government be addressing the problem of getting suitable security professions at a much higher level, and breaking with IT tradition by mandating a truly professional qualification?

    1. big_D Silver badge
      Facepalm

      Re: Professionalism by degrees

      I studied computing at school (when it really was still computing) and at college, but I couldn't get a grant for Uni and my parents couldn't afford to send me to Uni, so I didn't bother.

      College was a waste of time anyway, I got a bit of paper at the end, but that was it. In my first lesson in the first year, they wanted to see what level our programming skills were at, so we had a simple task to perform (calculate the minimum number of coins to give in change). We had a double lesson to complete it, I had finished the main algorithm in under 10 minutes, so I spent the rest of the time writing machine code to make a UI around it. The lecturer's reaction at the end of the lesson? "Wow, I didn't know you could do that with a computer!"

      If I know more than the lecturer on the first day of "studying", then what is the point? I did pick up a few things and a local company took 2 of us for one day a week to learn S/38 and RPG (a sick joke of a programming language - take all of the disadvantages of Assembler and meld them with all of the disadvantages of a high level language), but in general it was 2 years of dossing around, drinking coffee and smoking fags waiting for the Prime mini computer to compile COBOL projects.

      Getting my first gig was a little difficult, because I didn't have a degree, but I went in cheap and a company took a chance on me, I doubled my salary in the first 6 months and never looked back. I was always chosen to lead projects in new technologies and I moved over into vulnerability testing in the early noughties.

      Heck, I even ran a project seminar at a German University for 3 years - they forgot to ask what university qualification I had until I had successfully been running the course for 3 months!

      A degree shows that you know how to research and study, but it doesn't necessarily mean you know your subject well - I have worked with several university grads who knew a very narrow part of their course well, but their knowledge of IT in general or even how to use the knowledge they had gained to use a different system or programming language was very poor.

      Obviously that isn't true for all and I don't really want to insult anyone, I just wanted to reinforce Pete's point that it doesn't tell you anything about the practical skills, professionalism, integrity or experience. It is the individual behind the qualification (or no qualification), which counts at the end of the day.

      Living in Germany I like that you can study IT at Uni or you can do an apprenticeship in coding, admin or mechatronics, for example.

      1. Sir Runcible Spoon

        Re: Professionalism by degrees

        "A degree shows that you know how to research and study, but it doesn't necessarily mean you know your subject well"

        Couldn't agree more. Having recently been asked to provide high and low level designs for new technologies (that I've never touched before) in under a month is always going to be a struggle, but having a good general knowledge and with the proper attitude you get it done.

        On a subsequent call I was asked to deliver yet another set of designs for one of a choice of security systems. I was asked which one I preferred to do, to which I responded - "I don't mind, I'm equally ignorant of all of them". No-one minds that kind of answer if they know you have got what it takes to do the job anyway and it's an approach I often take at interviews as well.

        "Nope - I don't know the answer to that, but I can find out fairly quickly because I understand all the underlying principles involved"

  3. Anonymous Coward

    Almost seems a little pointless now that UK Gov are moving everything into a Google hosted cloud. Don't worry everything is marked as OFFICIAL.

  4. Anonymous Coward

    All hackers are not equal

    Coding is a 'contact sport'. You can’t learn it in a classroom. You can’t learn it by reading a book, or a blog. You have to spend some time with a compiler and figure it out for yourself. Classrooms, books, blogs etc have value in the educational process, but they can’t impart the abilities that spending time doing an activity does.

    So what of hacking? Given the plethora of law changes and increasingly harsh penalties, not least of which is potential deportation to the land of the free, how are the next generation to gain real world experience? Lecturers can set up practical exercises, sure, much the same as they can set coding assignments. That’s not quite the same thing as doing it for real.

    Surely the first step is to change how we measure the cost of security breaches. It’s no good allowing companies to defray the entire cost of a breach as “being hacked”. Attaining a higher level of security would have cost them money to implement whenever they did it. That the CTO allowed a breach to occur before it rose up his priority spending list isn’t actually the fault of the hacker. If all hacking is a crime, then nobody can develop real world skills. We need to maintain penalties for those wrecking systems, or selling or misusing confidential data, but we need to differentiate those who merely gain access and then leave.

    If only rogue states tolerate citizens hacking foreign institutions, then only rogue states will eventually have the best hackers – that’s not going to be the best form of defence for the western world.

    1. amanfromMars 1 Silver badge

      All hackers are not equal ..... Amen Hallelujah, and we can thank Global Operating Devices for that.

      Regarding unequal hackers and code crackers, Anonymous Coward, and …

      Coding is a 'contact sport'. You can’t learn it in a classroom. You can’t learn it by reading a book, or a blog. You have to spend some time with a compiler and figure it out for yourself. Classrooms, books, blogs etc have value in the educational process, but they can’t impart the abilities that spending time doing an activity does.

      .... are there lots of things learnt and to be deeper explored and further developed and tested and tempered through valuable and valued experience in both private and personal, public and pirate experimental use, and/but which can beautifully easily be turned to rabidly serve and insatiably satisfy the darker webs that weave entanglements with the wilder sides of life in Live Operational Virtual Environments …. [and which be both Practically Real and Intangible CyberSpace AIdDVentures, xerocred (Perhaps if we could stop using the comical sci-fi 'cyber' term to describe ICT security then maybe more people would be interested.)] ….. which are best kept securely vaulted and MKUltraTS/SCI for the benefit of the Greater Good, for to abuse and misuse some things which are increasingly easily learned in this day and age of Instant Universal Communication and Zerodays and SMARTR IntelAIgent Steganography, can harbour and wield the ultimate sanction, Extremely Prejudicial Termination and Permanent Future Removal with Current Player Eradication from The Great Game.

      Haven’t you heard? … Take care Out There and remember to never forget ……..

      Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know. And if one looks throughout the history of our country and other free countries, it is the latter category that tend to be the difficult ones. ….. Donald Rumsfeld RIP

  5. Pascal Monett Silver badge

    "aimed at even younger kids"

    No. Just, no.

    Young kids need to have their minds properly opened to curiosity and inquisitiveness. They need to be taught that searching for answers is not a crime, and finding them is its own reward.

    When they are intelligently curious and have thus been properly formed, then is the time to expose them to specific areas of work, not before. Anything done before that time is just replicating the cookie-cutter mentality. Quick ! We need a security cookie ! Quick ! We need an encryption cookie !

    Such schemes are bound to lock people in limited roles, enhancing their fragility when the market changes and their skills are no longer in need. That has been done, and the method has demonstrated its weaknesses. We must not continue making the same mistakes.

    1. steven W. Scott
      FAIL

      Ah, but that is precisely the point

      Creative, curious, bright and eager children have a tendency to grow into market changers - This is anathema to institutions which by far prefer to control and maintain continuity in the marketspace.

      Limited roles and market fragility are desired by government and industry. With narrowly defined roles salary demands are regulated, and planned obsolescence allows the discarding of IT related personnel to reduce pension/benefit/longevity costs. Having experienced this at least three times in my career, roughly every ten years or so, I am not so sure that I'm just being cynical. Lots of friends accompanied me, and I fear I may never know what four weeks of vacation is like.

      After 30+ years in the field, the breadth of my knowledge across all major platforms is a rarity, but when I seek employment, I must choose only one area of expertise. Do I want to sling web java? .Net? CICS/VTAM sysprog? Unix/Linux admin? MVS Assm/Cobol dev? Devops/automation engineer? CyberSec engineer? Do I get free blinders with that?

      It is, after all, a business's prerogative and duty to do the things necessary to reduce costs as much as possible, but when government and business collude with higher education to cattle-drive the masses into unfulfilling existences of drudgery and boredom, society rots as a whole. Sure, some people are just fine living with those parameters, but those who look for more, who thrive on creativity, challenge and knowledge, are the most frustrated of all, and at the age of 11, these are the ones who should be nurtured the most. Instead, we teach them about the box we made ourselves, and how they can get in it and be all safe and warm and cozy inside. Forever!

      The labels are there to represent the young prospect's conformity to having eaten, lived, and slept in the box for at least a few months and maybe years. There is no class or test that can imbue talent or extraordinary ability. You're either born with it, or you're not. When we devise educational programs that actually minimize exceptionalism, we do us all a disservice. The age of inventors will sorely be missed.

  6. amanfromMars 1 Silver badge

    Breaking Bad News ...... Tempestuous Storms Ahead

    The recognised universities may soon qualify as Academic Centres of Excellence in Cyber Security Education. Alongside this, GCHQ and the Engineering and Physical Sciences Research Council continue to add names to the Academic Centres of Excellence in Cyber Security Research, set up in 2012. Eleven have so far been added to the list …. https://www.cesg.gov.uk/awarenesstraining/academia/Pages/Academic-Centres.aspx

    If such can be considered the public sector reply to a catastrophic cyber efficient deficit and future intellectual property black hole which can easily be exploited for alternative fantastic gain and disruptive politically adept action …in a sort of HyperRadioProActive IT activity ….. is it a cloned drone operation of the pirate and private sector with its CyberSpace Command and Control Centres of QuITe Excessive Exceptional Exclusive Executive Excellence ….. http://forums.theregister.co.uk/forum/1/2014/11/15/bofh_2014_episode_12/#c_2360107

    And if you investigate the information provided in the http://www.theregister.co.uk/2014/11/17/security_education/ you will discover that peanuts for monkeys are on offer in grants which total a measly and miserly £20k. after all manner of hoop jumping.

    No wonder the West is collapsing and imploding. It is trying to keep things for changing with a new orderly world order in command and control of future power and present direction.

  7. xerocred

    Another fabricated shortage?

    Perhaps if we could stop using the comical sci-fi 'cyber' term to describe ICT security then maybe more people would be interested.

    1. tfewster
      Thumb Up

      Re: Another fabricated shortage?

      Or focus on the important part, Information Security. If your desktops get pwned and used as a botnet, it's irritating. If your data gets stolen or trashed, you're out of business.

      So...how should we approach security? By getting people with certificates to pen test and fix ALL the holes? Or by getting a business type to assess the values and risks, and communicating that to the business to focus on key areas? I don't know the answer, but I don't think a lack of technical skills is the biggest problem.

  8. Anonymous Coward

    Great, just what we need, the equivalent of flooding security with "mcse", all the tools will need clickboxes and wizards next.

    I learned my craft many many moons ago, I have no degree or qualifications, about 15 years solid experience in the industry now. Already you look round at "cyber" professionals and see the same dead look of lifers going through the motions for the latest trendy tag with no interest or passion for what they do. And it makes me want to go do something else for a living the worse it gets...

  9. cyberjack

    "Cyber security: Do the experts need letters after their name?"

    Cyber? WTF. Like it or not, cyber security is the new Information Security, deal with it, it ain't going away.

    Do the experts need letters after their name? No, not when a security professional is recruiting staff with diverse skills. But when HR departments are recruiting from scratch they need something to demonstrate knowledge. Letters-after-name are easy to see; they are right there after the name! So it must mean this guy/gal? probably knows their onions.

    But too many letters and I'm left wondering, when do these intellectuals get any time to actually do the work?

    Yours,

    Dr Cyber Bloke, CISSP, CISA, CISM, CIPP, CGEIT, CRISC, CPP, CEPT, CCE, CEH, GCFA, GSEC, EnCE, ISO 27001 LA, ITIL, BSc, DCM and Bar

    1. Mike 137 Silver badge

      when do these intellectuals get any time to actually do the work?

      Accumulating these acronyms does not mean they're intellectuals (although being one is not necessarily a bad thing in a sphere where unconsidered rote learning and rule of thumb still dominate) - it means they've put up the money to take a bunch of computer marked multiple choice pub quizzes. Expertise cannot be evaluated that way, but it does free those who select practitioners from the burden of knowing the subject. It also creates multiple closed shop cliques that can capitalise on the "mysteries" of narrow subsets of infosec - witness PCI DSS, which is in reality little more than basic good practice in infrastructure security and information management - things you should be doing as a matter of course across your whole estate - but has spawned a huge and very lucrative specialist consultancy and conference industry.

      BTW, I recently saw a UK advert for a PCI security contractor at 450 quid a day (that's over US$170k per year) that specified "at least two years IT security experience", and a recent survey of the security knowledge of software developers incidentally found that almost 50% of respondents in key fields including banking and systems software development had less than two years experience. It appears therefore that the pub quizzes are a fast track for the inexperienced into lucrative security-related roles where they can earn a lot while perpetuating the insecurity of our infrastructure.
