Patrick Miller (@PatrickCMiller) tweeted out this article: "The asymmetric balance: Cybercriminals and security experts"
The overall premise of the article is that the barrier to entry for cybercriminals is low, which allows them to quickly begin their careers and make money, while it takes much longer to develop an effective cybersecurity professional who can find and stop those same criminals. The implication is that this is one of the reasons we are rapidly falling behind in protecting our networks, finances and intellectual property. On this point I can agree.
However, the author says several things about the cybersecurity profession I completely disagree with.
First, the author states: "Becoming a cybersecurity expert generally requires years of training and, in most cases, several degrees."
Years of training? I partially agree, if you count 4-5 years as a lengthy time. I've been doing information security for 15+ years, and in that time I've found dozens of capable, impactful security practitioners with as little as 4-5 years of experience. Defenders who have a willingness to learn, a deep curiosity to find the root cause of puzzling issues and a drive to fix problems will be effective at the job of protecting an organization's network once they have the experience.
Second, the author says several degrees are needed. I have one degree, and while it is a technical degree (Electrical Engineering), at the time I obtained that degree computer security wasn't even a thing. So all my learning has been via training (some classes, mostly OJT), conferences, infosec group meetups, and self-study. Then, if you consider that there are dozens of extremely capable practitioners today who either don't have a degree at all or have a completely unrelated non-technical degree (much less multiple degrees), and who are improving their organization's security daily, you realize that such a firm requirement is not mandatory. Degrees are good if you are moving up the management stack and need to understand business, finance and marketing so you can ensure that the security organization you are managing properly supports the organization, but at the technical level I don't believe they are required for a person to be effective.
Third, the author implies the need for at least one, if not multiple, certifications. I admit I have three certs myself, but having those certs does NOT make me an effective security practitioner. Indeed, there have been MANY, MANY discussions on whether or not a person should have or needs to have these, or whether a job should require them, but for this discussion I'm just positing that a person can be an expert regardless of whether or not that person has certifications.
Finally, the last issue I have with this article is the statement that "One possible way businesses can protect themselves is by employing modern, automated technology... This type of system processes more alerts a day, saving businesses time, money and manpower while they implement protection."
This statement is misleading. First, it is important to understand that the author of the article is Dotan Bar Noy, the CEO and Co-Founder of ReSec Technologies, which sells a product that does automated scanning of incoming files in a multitude of ways and mitigates known and detected attacks. I've read through their website and it sounds like good technology, and my point isn't to bash his company or technology, but just to say he's got skin in this game. And while technology that automates some security analysis and responses CAN add an important layer of protection to your enterprise, do not be fooled into thinking that it will REDUCE the time, money or manpower your organization is spending. It will simply SHIFT where those resources are spent. Were you spending a lot of time running down alerts for file downloads and meticulously forensically examining each newly found file? Did you buy ReSec's product, or a FireEye AX, or Palo Alto's WildFire, so that now those files are automatically scanned, evaluated and blocked? Great! But now your personnel are busy running THOSE alerts down, tweaking the settings to accommodate exceptions the organization needs to operate, and administering the new devices (on top of all the devices they are already managing).
So do you have less work? No, just different work, often taking up the same amount of resources, and it is up to each individual organization to determine whether the different work is also better work.
So what are my points?
1. You do need time to become a security expert, but degrees and certifications might not be required. If your employees or prospective employees have the desire to learn and the drive to resolve problems, they will be effective workers who can find and stop cybercriminals.
2. New technology is valuable and critical, but it does not necessarily reduce the resources required. Understand the impact of installation not only in terms of the additional protection it can give, but also in terms of the cost of resources spent administering the new system, responding to the additional alerts, and implementing a configuration so that the new system does not negatively impact your operational mission.
Links on how to enter the field:
Discussions on certifications vs experience vs degrees: