Lack of formal education causes talent shortage in cyber-security

There is a lack of formal education in cyber-security, says Tom Van de Wiele, principal security consultant, F-Secure

There are lots of ways to learn about cyber-security, but certifications are a really bad one, says Tom Van de Wiele, principal security consultant, F-Secure.

"Certifications are usually a very bad way of learning anything. Most of the certificates you can get for studying days, weeks, maybe months. But usually you want certificates when you're kind of a junior in the business. It is a good stepping stone. But the industry always prioritises experience over certifications," he explained.

And the industry always needs people with experience, the cyber-security veteran told SC Media UK at the F-Secure headquarters in Helsinki. He attributes the talent shortage in cyber-security to the lack of structured, university-level education in the domain.

"Right now, cyber-security is seen as an extra thing that you learn in college or university. But that's certainly not enough. It is still very much a niche market. And you need to be able to train, and that's the problem. There's no formal education, at least not internationally," he said.

As of now, these skills have to come from experience of working in different jobs in the sector.

"In most of the hacking stories that you read about companies getting compromised, most real hackers barely use any acute technical skills. It just comes down to being a really good system administrator, knowing systems very well, knowing networks, knowing how the cloud works, knowing how programming works. These kinds of things give you lots of value."

The parallel learning avenues on the internet and certifications are not enough to close this talent gap, he noted. And there is the lure of quick money and fame from turning black-hat.

TalkTalk hacker Daniel Kelley took to hacking during his school days after he failed to obtain the cut-off GCSE grades to join a computer course at his local college. Kelley, then just 16 and confident in his computer skills, felt offended and used a distributed denial-of-service (DDoS) attack on the college network to take down the college's website, disrupting teaching hours and the exam schedule.

"Turning to the illegal side of things is not going to get you a job. You're going to get into prison. There's still this Hollywoody belief that if you do enough crimes, you will end up on the other end and become a good guy. It doesn't work like that. You're not going to get hired by the FBI, you're just going to go to prison."

Acknowledging that prerequisites such as minimum grades or aptitude tests can become entry barriers, as in the case of the TalkTalk hacker, he pointed out that there are many other valid entry points to the cyber-security industry.

What sort of basic understanding of programming does he look for in a prospective hacker? "Whatever gets the job done," came a quick answer.

Talent scans and bug-bounty programmes are good ways to get noticed in the industry, he said, admitting that he would also have tried his hand at bug-bounty programmes had he been 25 years younger.

"I would also want to do that for six months just to see if I could do it as an intellectual challenge. But a career as a mercenary is not going to last very long... People that participate in those (programmes) usually do it for the pride, sometimes for fun, or a combination (of both)."

Bug bounty programmes are generally great, agreed security technologist Bruce Schneier at Cyber Security Nordic in Helsinki.

"The problem with the vulnerability market is that the attackers pay a lot more than the defenders. The companies that buy vulnerabilities for building attack tools sell them to governments or the criminals who pay more than the (affected) companies," he said.

"Bug bounties give some incentives to the researchers to sell it to those vendors who fix them."

Companies that have bug bounty programmes are supposed to already have a high level of security maturity, noted Van de Wiele.

"Bug bounty programmes cannot replace a vulnerability management process. There are people who just do it for the sport and for the money... There's nothing wrong with that, as long as you're not causing any harm, as long as you follow the rules," he added.
