How to become safe?
On the Web, quite often there are questions: “what to read about information security? how to go to safety? What should a security specialist know? How to start studying information security? "
For 6 years now, with colleagues at the front line, we have been developing and implementing our training courses in CIS universities on the prevention of information leaks and the use of DLP systems. During this time we have developed our own vision of the problem indicated in the title. This is not an axiom, not the ultimate truth. You may not agree with part of the judgments. But let's get started.
Be, not seem to be
How to become safe? How to become strong? Wrestlers, bodybuilders, bodybuilders, powerlifters, turnstile men strong? Yes. Equally? Not. Each has its own specialization. Therefore, intending to become a safe person, first of all, it is necessary to determine the scope of activity: virus analyst, developer of various systems, pentester, manager, etc. Each area has its own set of qualities, knowledge, responsibilities, tasks and tools.
What makes an athlete a good weight lifter? Belt, knees, knee pads, magnesia-starched hands? Not again. This attribute makes a person look like a weightlifter. In reality, the role played by the technique of the exercise and the weight taken. And the bezopasnik becomes a good specialist not because he has a mountain of certificates, 2 presentation hard drives and 300 thematic webinars in the “parse” folder, but because he has the knowledge, understanding of their application and practical experience.
')
Fight of two yakozun
In the field of information security also did not go without the perennial problems of employers and applicants. The first, as you know, I would like to see an experienced young specialist in the staff, not older than 25 years old, but with 30 years of experience working on everything from setting up an access control system to making up corporate booklets in Illustrator. And, of course, he must work for 12,000 rubles (preferably a year). As for the applicants, in the first place in the wishes they usually have a six-digit amount of the monthly salary. In general, a known conflict of interest.
In addition, there is a perception that graduates do not know anything, have no experience, and in general should be grateful that at least someone wants to take them. On the other hand, graduates would be happy to learn more on their own, but the requirements of employers often differ so much that it is not obvious where to begin.
Start with yourself
This brings us back to the first question. Having decided in what area you want to work, you need to do work on the collection of primary information. If you want to work in a bank, study open vacancies on the portals of recruitment agencies Analyze what skills “flash” more often, what certificates are in demand, etc. Feel free to ask directly . There are no acquaintances from the necessary sphere - go to thematic resources , forums , groups in social networks. Anyway, until you decide on the answer, there is no sense in moving on.
For example, what does a security officer need to know to prevent information leaks?
The first thing you have to face in this position is the specification. GOSTs, industry standards, federal laws, orders of departments, etc. Do you process personal data? - must "know and be able to" FZ-152. Linked to public information systems? - do not forget about the orders of FSTEC No. 17 and No. 21. Do you want to protect commercial secret information? - first enter the appropriate position. In general, without a mountain of paper anywhere.
The second mandatory item is skills. Ideally, you need to be a little lawyer (and they will have to become fulfilling the order according to regulatory documentation), a bit of a psychologist (working with people in the style of an investigator of the Ministry of Internal Affairs) and a lot of analyst, because the main activity is related to detection, prevention and investigation of leaks. This is the minimum set that will be further replenished with specific knowledge and experience specific to a particular company.
Continue with the pros
Where to get the missing knowledge? If earlier there was a lack of good technical literature, today there is so much information that your eyes run and give up.
Unfortunately, the Network is mostly rich in various marketing transfusions from empty to empty: presentations and reports from “commercial” conferences, various enticing webinars and so on. Finding something really useful becomes a non-trivial task.
However, he who seeks will find. For example, Alexey Lukatsky, in his blog made a selection of courses and platforms on the topic of information security ( part 1 , part 2 ). The only "but" - most (not all!) Of the proposed resources are English-speaking. Nevertheless, as practice has shown, there are enthusiasts who take on both individual books and global projects .
If you want to get knowledge of a point, for a particular issue or direction, I repeat, do not be afraid to ask. There are thematic and sectoral communities, such as the Union of the Heads of the Security Services of the Urals , where, if they do not respond directly, they will at least give advice on which way to dig. It is also useful to attend workshops and practical activities . At this options do not end there - there are specialized courses for students.
In order not to go far beyond the example, I will tell you about our training center. For the past six years, we have been teaching students for free to choose an information security course. Today we cooperate with more than 50 universities in the CIS countries and give the participants real practical knowledge through an integrated approach to the learning process. Schematically it looks like this:
In addition to the textbook and lectures, most of the time is reserved for classes with real software (DLP-system) and analysis of situations that do not "can ever happen", but which occur "here and now." In turn, the separation of material between the university and the distance learning system helps weed out those who are lazy or unable to absorb the material on their own. In the end, a good specialist should be able to work autonomously, and not look around in search of teachers, faced with an unfamiliar situation.
As you can see, there is something to choose from. I hope I at least partially answered the question "how to become a security guard?" Well, if not, then I am ready to continue in the comments.
For 6 years now, with colleagues at the front line, we have been developing and implementing our training courses in CIS universities on the prevention of information leaks and the use of DLP systems. During this time we have developed our own vision of the problem indicated in the title. This is not an axiom, not the ultimate truth. You may not agree with part of the judgments. But let's get started.
Be, not seem to be
How to become safe? How to become strong? Wrestlers, bodybuilders, bodybuilders, powerlifters, turnstile men strong? Yes. Equally? Not. Each has its own specialization. Therefore, intending to become a safe person, first of all, it is necessary to determine the scope of activity: virus analyst, developer of various systems, pentester, manager, etc. Each area has its own set of qualities, knowledge, responsibilities, tasks and tools.
What makes an athlete a good weight lifter? Belt, knees, knee pads, magnesia-starched hands? Not again. This attribute makes a person look like a weightlifter. In reality, the role played by the technique of the exercise and the weight taken. And the bezopasnik becomes a good specialist not because he has a mountain of certificates, 2 presentation hard drives and 300 thematic webinars in the “parse” folder, but because he has the knowledge, understanding of their application and practical experience.
')
Fight of two yakozun
In the field of information security also did not go without the perennial problems of employers and applicants. The first, as you know, I would like to see an experienced young specialist in the staff, not older than 25 years old, but with 30 years of experience working on everything from setting up an access control system to making up corporate booklets in Illustrator. And, of course, he must work for 12,000 rubles (preferably a year). As for the applicants, in the first place in the wishes they usually have a six-digit amount of the monthly salary. In general, a known conflict of interest.
In addition, there is a perception that graduates do not know anything, have no experience, and in general should be grateful that at least someone wants to take them. On the other hand, graduates would be happy to learn more on their own, but the requirements of employers often differ so much that it is not obvious where to begin.
Start with yourself
This brings us back to the first question. Having decided in what area you want to work, you need to do work on the collection of primary information. If you want to work in a bank, study open vacancies on the portals of recruitment agencies Analyze what skills “flash” more often, what certificates are in demand, etc. Feel free to ask directly . There are no acquaintances from the necessary sphere - go to thematic resources , forums , groups in social networks. Anyway, until you decide on the answer, there is no sense in moving on.
For example, what does a security officer need to know to prevent information leaks?
The first thing you have to face in this position is the specification. GOSTs, industry standards, federal laws, orders of departments, etc. Do you process personal data? - must "know and be able to" FZ-152. Linked to public information systems? - do not forget about the orders of FSTEC No. 17 and No. 21. Do you want to protect commercial secret information? - first enter the appropriate position. In general, without a mountain of paper anywhere.
The second mandatory item is skills. Ideally, you need to be a little lawyer (and they will have to become fulfilling the order according to regulatory documentation), a bit of a psychologist (working with people in the style of an investigator of the Ministry of Internal Affairs) and a lot of analyst, because the main activity is related to detection, prevention and investigation of leaks. This is the minimum set that will be further replenished with specific knowledge and experience specific to a particular company.
Continue with the pros
Where to get the missing knowledge? If earlier there was a lack of good technical literature, today there is so much information that your eyes run and give up.
Unfortunately, the Network is mostly rich in various marketing transfusions from empty to empty: presentations and reports from “commercial” conferences, various enticing webinars and so on. Finding something really useful becomes a non-trivial task.
However, he who seeks will find. For example, Alexey Lukatsky, in his blog made a selection of courses and platforms on the topic of information security ( part 1 , part 2 ). The only "but" - most (not all!) Of the proposed resources are English-speaking. Nevertheless, as practice has shown, there are enthusiasts who take on both individual books and global projects .
If you want to get knowledge of a point, for a particular issue or direction, I repeat, do not be afraid to ask. There are thematic and sectoral communities, such as the Union of the Heads of the Security Services of the Urals , where, if they do not respond directly, they will at least give advice on which way to dig. It is also useful to attend workshops and practical activities . At this options do not end there - there are specialized courses for students.
In order not to go far beyond the example, I will tell you about our training center. For the past six years, we have been teaching students for free to choose an information security course. Today we cooperate with more than 50 universities in the CIS countries and give the participants real practical knowledge through an integrated approach to the learning process. Schematically it looks like this:
In addition to the textbook and lectures, most of the time is reserved for classes with real software (DLP-system) and analysis of situations that do not "can ever happen", but which occur "here and now." In turn, the separation of material between the university and the distance learning system helps weed out those who are lazy or unable to absorb the material on their own. In the end, a good specialist should be able to work autonomously, and not look around in search of teachers, faced with an unfamiliar situation.
As you can see, there is something to choose from. I hope I at least partially answered the question "how to become a security guard?" Well, if not, then I am ready to continue in the comments.
PS Who am I?
Drozd Alexey, director of the SearchInform training center, head of the direction for working with universities. I work in the field of information security for 5 years. I teach 8 years. He graduated from BSU (Minsk).
Source: https://habr.com/ru/post/299316/
All Articles