I was prompted to write this post by a recent interview with Kirill "isox" Yermakov, in which he said, among other things:
“In general, I graduated from MIREA in information security. But that didn't make me safe. What we were taught at the institute was completely uninteresting.”
Below the cut is a post about how universities are changing the situation and what comes of it.
For a long time now, the subject of staff shortages in the industry has kept surfacing in interviews with officials and specialists of various ranks whenever information security comes up.
Among the dissatisfied are Artem Sychev, deputy head of the Central Security and Data Protection Directorate of the Central Bank, and Mikhail Babich, Presidential Plenipotentiary in the Volga Federal District, who spoke about the problems with personnel in the information security field at a meeting with Nikolai Patrushev, Secretary of the Russian Security Council:
“In regional executive authorities and local governments information protection is provided by 1,672 specialists, of whom only 26% are provided for in the staff list, and only 6% have specialized education. In addition, for the majority of state information systems in 2014-2015, measures for their creation, modernization and operation were financed by a little more than 50% of the planned funds, and information security financing is carried out according to the residual principle.”
It turns out that the market is experiencing a serious shortage of information security specialists, and not those ... Apparently, many educational institutions did not read any further. Indeed, why would they? "Information security" is fashionable, so it is enough to open a program or department and a flow of applicants is guaranteed. The result is predictable and was described by Mr. Sychev, mentioned above: a flood of those “who, of all information security, only know what it is” rushed into the market.
Still, the phrase should have been read to the end, because in full it reads like this: the market is experiencing a serious shortage of information security specialists, namely specialists, and not those who got into the industry by accident. And this is a much more serious task, involving a huge amount of work for educational institutions! Do they even have a chance of success?
In an interview, Kirill Yermakov shared his experience:
“What we were taught at the institute was completely uninteresting. Some kind of ISO, 152-FZ, PCI DSS, seemed useless nonsense. Only many years later, I realized that all these documents were written in blood and hacks. At the institute they give a base that allows you to build enterprise security somehow, to understand how it all should work. This is taught at the institute, but they do not explain why this is necessary. Working as an ordinary loner or pentester in your company, you also do not understand why all this is needed. Education is trying to instill in you a systematic approach, without explaining where and how you will apply it.”
But this situation is not so much the fault of the university, as the result of circumstances. The educational institution, in fact, has several options:
1. Teach on your own. In this case, learning usually stays at the level of theory, and practice is often unavailable to students, because everything depends on the teacher's initiative. The teacher goes to conferences, seminars and exhibitions. The teacher makes contact with vendors, negotiates the transfer of software, obtains materials. The teacher secures a laboratory, works out how to set everything up, and so on. Isn't there too much "teacher" in this chain? You cannot feed a family on unpaid enthusiasm. So universities often teach the “fundamentals” (what the teacher has been reading for 10 years and will read for 10 more without changes): the basics of cryptography, ciphers, etc. To be honest, though, very few employers need a pure theorist. Business requires practitioners who are ready for the realities and daily routine of an information security service.
2. Hire a practicing security specialist (a "bezopasnik") from some company. Let us leave aside the question of at whose expense this banquet is held. Most likely it does not happen without altruism. An experienced specialist teaches students what he knows himself. Students certainly benefit more from such training, but there is one drawback: the practitioner is unlikely to know well the solutions he does not encounter in his own work. In addition, being a good security specialist does not mean being a good teacher. Far from everyone can present material coherently and get students interested. A practicing security specialist is often limited by his own experience, and does not always have the time or desire to learn something new.
3. Partner with manufacturers. Ideally, partnership with various vendors should provide the full range of information security knowledge. A product's manufacturer knows the state of the industry as well as all the nuances of applying its solutions. It can also talk about competitors (how objective that account is depends on the moral principles of the teacher). However, not every solution on the market has a training base. We have to admit that for companies, cooperation with universities is an expense item, and not every manufacturer is able and willing to invest and bear expenses in this direction.
Most often, vendors offer the following scheme: they provide their product to an educational institution for free, possibly along with its documentation, and then the university decides on its own what to tell students. Thus the main burden falls on the teachers, and only great enthusiasts take it on.
I have already described the approach practiced in our company. The secret of success is simple: we took upon ourselves all the bottlenecks where a university can stall. The training center develops the program, all materials and laboratory work, and prepares a virtual machine on which the practical exercises are held. The university is not left to itself: on-site training and webinars are conducted by the company's specialists. And they are not ordinary specialists: in addition to knowledge of information security, we have specialized pedagogical education.
The day before yesterday, on July 5, the study practice for LETI students was completed. A couple of months before that day, together with the university's profile department, we discussed the topic for the practice, which was presented to the students in in-person classes. We decided to focus on the human factor in information security. Within the practical course, I touched upon such topics as “Psychology and Information Security Threats”, “Human Factor and Its Impact on the Organization’s Activities”, “Social Engineering Techniques and Ways to Protect against Social Engineering”, “Practical Use of the DLP System in the Context of Human Factor” and much more. The course ended with a test of the students' skills in solving these tasks with the help of DLP systems (well, where would we be without them).
Following the practice, I asked Alexander Kimovich Plemyannikov (deputy head of the Information Security Department) to evaluate this project. His answer:
“First, I want to note the balance of classes: lecture, practical and supervising. The theory is worked out in practical classes and is necessarily controlled by tests. Secondly, students have access to a teaching platform, where all the necessary teaching materials and tasks for knowledge control are concentrated. Third, students can perform tasks remotely using personal technical equipment.
Live communication with professionals is much more effective than reading online publications. Instant feedback, practical examples - this is what trainees expect. Practical tasks are well thought out and as close as possible to reality. This motivates students to find the right solutions for reasons of professional suitability, and not for the assessment in the record book.
Our department has been cooperating with SearchInform for three years, and in this area we do not plan to change a partner. As for other areas, the search is conducted, but so far there are no proposals from market participants with a comparable quality of organization of training. Nevertheless, we are ready for dialogue.”
As you can see, the problem of training information security specialists is quite solvable. Manufacturers can close this educational “gap” if they move from loud statements about a bright future to real action. By real action I mean an interest in high-quality presentation of the material, the development of proper teaching and methodological materials, and visits to universities by company representatives for educational purposes rather than for advertising.