Planning to work in cybersecurity? Read this

The author of the article is Brian Krebs, a well-known journalist in the field of information security.



Every year, thousands of people graduate from colleges and universities with degrees in information security or computer science, completely unprepared for real work. Here we take a look at the results of a recent survey that highlighted the biggest skill gaps among graduates, and at how job candidates can stand out from the crowd.







Almost every week I receive at least one letter from a reader who asks for advice on how to start a career in information security. In most cases, applicants ask which certifications they should earn or which specialization has the brightest future.



Applicants rarely ask what practical skills they need to master in order to become more attractive candidates. I always warn that I myself do not have any certificates or diplomas, but I regularly talk with heads of information security departments and recruiters, and I often ask about their impressions of modern candidates.



The typical answer is that many candidates simply lack experience with practical problems.



Of course, most graduates lack practical experience. But, fortunately, a unique aspect of information security is that experience and fundamental knowledge can be gained by the good old method of trial and error.



One of the key tips is to learn the basics of how computers and other devices interact with each other. I say this because networking is a fundamental skill on which many other areas of learning are built. Getting a job in security without a deep understanding of how data packets work is a bit like trying to become a chemical engineer without first studying the periodic table.



Please don't take my word for it. The SANS Research Institute recently surveyed over 500 cybersecurity practitioners at 284 different companies in an effort to find out which skills they find most useful for job candidates and which ones are most often missing.



In the course of the survey, respondents were asked to rank different skills from “critical” to “optional”. A whopping 85% cited network knowledge as a critical or "very important" skill, followed by Linux (77%), Windows (73%), common exploit techniques (73%), computer architecture and virtualization (67%), data processing and cryptography (58%). Quite surprisingly, only 39% cited programming as a critical or very important skill (we'll come back to that in a minute).



How did cybersecurity professionals assess potential job applicants on these critical and very important skills? The results seem overwhelming:



| Skill | Candidates who could not solve even basic problems | Candidates who demonstrated the skill |
|---|---|---|
| General hacking techniques | 66% | 4.5% |
| | 47% | 12.5% |
| | 46% | 4% |
| Linux | 40% | 14% |
| | 32% | 11.5% |
| | 30% | 2% |


“Employers report that cybersecurity training for students is largely inadequate and are frustrated that they have to spend months searching before they find qualified entry-level employees, if any,” says Alan Paller, director of research at the SANS Institute. “We suggested that to begin to address these challenges and close the gap, we need to articulate the skills that employers expect but don’t find in graduates.”



The truth is, some of the smartest, most astute, and talented computer security professionals I know have no computer science certifications or degrees. In fact, many of them never went to college or graduated from university.



Rather, they got into security because they were passionately and intensely interested in the topic, and this curiosity forced them to learn as much as possible, mainly by reading, trying and making mistakes (many mistakes).



I am not discouraging readers from pursuing higher education or certification in this field (which may be a basic requirement in many corporations); I simply do not want them to see it as a guarantee of stable and high-paying work.



Without mastering one or more of these skills, you simply won't be considered a very attractive or outstanding candidate.



But how?



So where should you focus, and where is the best place to start? First, while there is an almost endless number of ways to gain knowledge and virtually no limit to the depths you can explore, the fastest way to learn is to get your hands dirty.



I am not talking about hacking someone's network or some bad site. Please do not do this without permission. If you must target third-party services and sites, choose those that offer rewards through bug bounty programs, and make sure you follow the rules of these programs.



But almost everything can be reproduced locally. Want to master general techniques for hacking and exploiting vulnerabilities? There are countless free resources available: specially designed tools like Metasploit and WebGoat, and Linux distributions like Kali Linux, with lots of tutorials and online guides. In addition, there are a number of free penetration testing and vulnerability detection tools such as Nmap, Nessus, OpenVAS, and Nikto. This is not a complete list.



Set up your own hacking lab. You can do this on a spare computer or server, or on an old PC of the kind sold cheaply and in large numbers on eBay or Craigslist. Free virtualization tools like VirtualBox make it easy to work with various operating systems without installing additional hardware.



Or consider paying someone to set up a virtual server that you can experiment on. Amazon EC2 is a good low-cost option. If you want to test web applications, you can install any number of web services on computers in your own local network, such as old versions of WordPress, Joomla, or online store engines such as Magento.



Want to explore networks? Start with a decent book on TCP/IP, and get a good understanding of the networking stack and how all the layers interact with each other.



While you are assimilating this information, learn to use some tools that will help you put your knowledge into practice. For example, take a look at Wireshark and Tcpdump, handy tools used by network administrators to troubleshoot network and security issues, and to understand how network applications work (or don't). Start by checking your own network traffic, web browsing, and everyday computer use. Try to understand what applications are doing on your computer by looking at what data they send and receive, how and where.
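To make the layers concrete, here is an added example (not part of the original article) that decodes one Ethernet/IPv4/TCP frame by hand, peeling off each header the way Wireshark or Tcpdump does for you. The frame bytes, MAC addresses, IP addresses and ports are constructed sample values, and the function names are illustrative.

```python
import socket
import struct

TCP_FLAGS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def build_sample_frame() -> bytes:
    """Constructed sample (checksums left at 0): Ethernet / IPv4 / TCP / HTTP request line."""
    payload = b"GET / HTTP/1.1\r\n"
    eth = bytes.fromhex("020000000002020000000001") + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 5 << 4, 0x18, 64240, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.7"))
    return eth + ip + tcp + payload

def decode_frame(frame: bytes) -> dict:
    """Peel one layer at a time; raise ValueError on anything truncated or unexpected."""
    if len(frame) < 14 + 20:
        raise ValueError("truncated frame: no room for Ethernet + IPv4 headers")
    # Layer 2, Ethernet: 6-byte destination MAC, 6-byte source MAC, 2-byte EtherType.
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    # Layer 3, IPv4: high nibble of byte 0 is the version, low nibble the header length in words.
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        raise ValueError("malformed IPv4 header")
    total_len, = struct.unpack("!H", ip[2:4])
    if ip[9] != 6:
        raise ValueError("not TCP")
    if len(ip) < ihl + 20 or total_len > len(ip):
        raise ValueError("truncated TCP segment")
    # Layer 4, TCP: ports, sequence numbers, data offset (in words) and flag bits.
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", ip[ihl:ihl + 14])
    data_off = (off >> 4) * 4
    if data_off < 20 or ihl + data_off > total_len:
        raise ValueError("malformed TCP header")
    return {
        "ethernet": {"src": src_mac.hex(":"), "dst": dst_mac.hex(":")},
        "ipv4": {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]), "ttl": ip[8]},
        "tcp": {"sport": sport, "dport": dport, "seq": seq,
                "flags": [name for bit, name in TCP_FLAGS if flags & bit]},
        "payload": ip[ihl + data_off:total_len],  # application data, bounded by the IP total length
    }
```

Comparing the returned fields with what Wireshark shows for one of your own captured packets is a quick way to check that you can read each header yourself.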



About programming



Employers may or may not require programming skills in languages such as Go, Java, Perl, Python, C, or Ruby. Regardless, knowledge of one or more languages will not only make you a more attractive candidate, but will also facilitate further study and progress to higher levels of proficiency.



Depending on your specialization, at some point you may find that your possibilities for further learning are limited precisely by your understanding of programming.



If you are intimidated by the idea of learning a language, start with basic Linux command line tools. Just learning how to write basic scripts to automate routine tasks is already a great step forward. What's more, proficiency in shell scripting will pay handsome dividends throughout your career in virtually any technical role related to computers (whether you're learning a particular programming language or not).



Get help



Make no mistake: like learning a musical instrument or a new language, acquiring cybersecurity skills is time-consuming and stressful. But don't be discouraged if you are overwhelmed by the sheer amount of information. Just take your time and keep going.



This is why support groups help. Seriously. In the information security industry, the human side of networking takes the form of conferences and local meetings. It's hard to overstate how important it is to your sanity and career to connect with like-minded people on a semi-regular basis.



Many of these events are free, including BSides Meetings, DEFCON Groups and OWASP Meetings. And since the tech industry continues to be predominantly male, there are a number of cybersecurity meetings and women-focused groups such as the Cyberjutsu Sorority and others listed here.



If you don't live in the wilderness, chances are there are several information security conferences and meetings in your area. But even if you're off the beaten path, many of these meetings are now being held virtually due to the COVID-19 pandemic.



In short, don't expect a diploma or certificate to give you the skills that employers understandably expect from you. This may or may not be fair, but you will have to develop and improve skills that will serve your future employer(s) and your job opportunities in the field.



I'm sure the readers have their own ideas on what to focus their efforts on for beginners and students. Please feel free to speak up in the comments.


