Asia Pacific Security Magazine, Nov/Dec 2017

Cyber Security

Cyber security skills: Hiring to train

Interview with Chris Thomas, RSA Advisory Systems Engineer, who leads the threat detection and response team, and Rui Ataide, Principal Consultant, Incident Response.

By Chris Cubbage, Executive Editor

Chris Thomas: "Industry needs to look at the opportunity to build people as opposed to hiring a senior 10 year veteran. Someone that has the right aptitude and the right attitude. Building these people requires industry to invest in some training and deliver them on the job. This is what RSA is doing at the moment and trying to embrace the skills shortage. We recognise we can’t go out and hire an experienced person every time. We still need to invest and build people up rather establishing formal internships or just having a bit of programming. We are implementing programs to upskill people and build the people that we want, molding them to the roles that we have, rather than just trying to hire experienced people.

RSA is working closely with tertiary institutions to help train the next generation of security analysts. One such initiative is a partnership with Singapore's Temasek Polytechnic to create a learning SOC, where students gain hands-on experience in responding to cyber threats. RSA also offers courses to employees aimed at building soft skills like presentation and demonstration skills, public speaking, management and leadership, business and time management. These skills are as critical as technical skills in the working environment.

Learning outcomes from Deakin University's Bachelor of Cyber Security and Master of Cyber Security include communication, critical thinking, problem solving, self-management and teamwork. Other universities, such as Southern Cross University (SCU), offer degrees in IT management. SCU says of its Masters of IT Management: "As an IT specialist, you know how complex information systems work. But do you have management skills to implement state-of-the-art solutions across multiple levels of business?" SCU claims the degree equips graduates with the ability to identify risks, integrate solutions and manage projects effectively across the broader business.

Rui Ataide: The skills shortage requires the expectation for the hiring side to be reset. We don’t have people that are going to have 5, 6, 10 years’ experience on technology that is so recent and so new. This needs a bit of shifting and programs in university need to be getting people more exposed to certain environments and technologies, which will help them to be a bit more industry ready. Currently, employers want one of two things in a prospective employee:

1. We want you to have experience but we are not willing to pay for it; or
2. We want a graduate with 3 years’ experience.

What does good look like?

Chris Thomas: "There are different sets of skills that people need within the IT security space and within the SOC. Where companies, business and government need to be looking is at bringing in people at lower levels and then maturing them and training them so that they move towards the higher levels of skill sets. You need to understand technology, networking and operating systems but as you progress through your career and as you progress to responding to an incident, the level of skill that someone needs to go and understand a problem adapts. In a SOC it may involve moving from an alert to deep diving into a network packet or protocol or a binary file to look at it, break it apart and find out what can I abstract from that to improve my security posture. These skills take time to develop and the incidents also change.

I think if you start to build a team from the ground up you can very quickly and easily identify people with the right attitude and people with the right mindset. Some of them are going to end up being in a SOC or the like. Technical leads may then follow a business and management path or will end up being the SOC manager or eventually a CISO. I think that is where we have to start focusing.

Yes! We are still going to need to hire skilled people, especially companies that are just starting off. You need someone with the right skills in order to build and train a team around them. This is one of the areas that the industry has been lacking, the soft people skills that develop teams. How are we measuring that aspect? I think that’s a very important part because despite being the most brilliant technical mind, if you can’t articulate what it is you’re doing, it just doesn’t work out. Especially now that security is becoming more of a business and board level concern.

