So, I attended a Lunch and Learn on Cyber Security presented by AASIM Cyber Group. One of the points brought up was the lack of qualified Cyber Security Warriors. My question is what is lacking? Ok, besides live bodies who want to be more than a live in the basement hacker, what skills do we need people to learn to provide top level security to our infrastructure.
So here is my take, please feel free to provide feedback.
First, does a good Cyber-Security Professional need a command of programming. Or do they need a passing knowledge of basic scripting? What level of proficiency is enough? Basic, Intermediate, or Advanced knowledge of programming and in which language would best help them understand vulnerabilities? Oh, and don’t forget they must have some knowledge of Operating System Kernels. My thinking says they need to understand Java and PHP at least an intermediate level with some knowledge of Python or Ruby.
Second, what kind of hardware experience should a security expert have. Now, knowing a bit about network infrastructure, it is necessary to know how to secure your access points. Tapping the switches and routers or even the Wireless Access Points can be an easy way into any network. So, what level of hardware knowledge should they have. Sure, the CompTIA A+, Network+ and Security+ should be a minimum for any IT Professional but how much more for a Cyber-Security Professional? My thinking is an MCSE from Microsoft and a CCNA-Security from Cisco should be minimums. Lastly, do not forget about the new Internet of Things (IoT) and that most control systems running Audio/Visual Systems are on the network and have numerous open ports. Maybe a little experience with Raspberry Pi or Arduino would be usable.
Third, how much business knowledge should a Cyber-Security Professional have. Hey our job number one is to support business and we as IT Professionals must understand that we have a responsibility to keep the business moving with little harm done to our co-workers. Besides basic accounting knowledge, because who doesn’t run a budget. But, what about understanding that many marketing departments are having to adopt e-marketing and that platforms such as Google and Facebook are important to the business. Let’s not forget about Unified Communications, especially video conferencing systems. These are business necessities but have numerous security flaws.
So, where do we need to train the current generation of Cyber-Security Specialists? What skills do they need and what soft skills are needed for them to be successful? As an experienced field technician who might want to change professional tracks, where should I look to train.