I see entry level security skills as a problem for industry - what can we do about it?

Question

Okay, so we push corporates to improve security, and provide training to IT staff and awareness presentations to CEO's etc, but each year a new batch of graduates are brought in to companies as others leave, and they typically have one of two perspectives:

1. security?
2. security fascist!

One of the things a few of us are trying to do in Scotland is facilitate training sessions for students (lectures, workshops, summer placements) by companies (banks, law enforcement etc) but there is a real struggle getting buy in - even though the companies are offering their resource for free (well, they understand the benefits to them of getting graduates in with some experience) and organisations such as the Chartered Institute of Information Security sponsor many of us to provide training in as many areas as possible.

What could we do to improve this - not just in Scotland, but everywhere, as it should be relevant to all...the problem is not going away, in fact it is getting bigger, but companies don't take it seriously until they are hit badly, and even then only until the newspapers target someone else.

Companies have security policies, but do they have culture from the top to the bottom? "No" is the easy answer. We try to fix the culture at the top, but typically that is high effort for no return so can we get in at the bottom? Educate students and new graduates!

The problem is, of course, that students don't want to hear about security, as it goes against the usual student ethos :-)

[edit - unless they are taking a security course, as @D.W. pointed out, but that is where we get a lot of the security fascists from - overkill on the security, not enough focus on real world, less than ideal scenarios]

So

• What do you see students and graduates interested in?
• What would work in your company / university / organisation?
• What is the biggest win for you?
• What are you fed up with hearing
• Does your organisation have an alternative solution? about?

If you have key learning points you think are appropriate for the community, let's get them into the community!

-----------Added bounty. 2 really good answers, but would really appreciate many more points of view, as I see this, and the associated problem (How to educate CEO's etc on security) as essential things to get better at.

Answer 1

One of the things I've been most impressed by in the last few years is the new focus on security as being a balance between cost and risk. A security solution should not be implemented if the cost exceeds the risk of exploit, and both costs and risks can be hard to diagnose.

The thing I like most about this core concept is that it basically mandates the idea that there is no "one size fits all" solution. Designing security is as much a craft as designing a solution or a peice of software. It offers a middle ground between (1) clueless and (2) nazi.

When presenting it to an audience new to security, I like to put it out there as a challenge - the challenge is making something that is secure within reason for the functionality it must provide to meet it's goal. Geeks like puzzles and this is a pretty cool puzzle when you get down to it.

If I had all the funding and time I could wish for, I'd craft a security concentration for both undergrad and grad programs that introduced security topics as a set of puzzles. I'd start with "what was the problem that caused this technology to be used?", and then "how does the technology work?" and "what problems can it cause?"

As far as the questions go:

What do you see students and graduates interested in?

They want meaningful work and a chance at a good job in the industry. I think security can be presented as both things. If you view security not as saying "no" all the time, but as coming up with clever solutions that let people get their jobs done efficiently but with little risk to the business, then I think the work is exceedingly meaningful. Also, I've never lacked for a job as a security nerd, so I'm always glad to speak from personal experience on that one.

What would work in your company / university / organisation?

I'm probably an outlier - I work for a defense contractor. Security is such a part of our corporate culture that I have problems envisioning the world without it. The thing I find most often, though, is that geeks suck at rote process - and there's a LOT of aspects of security (especially physical security) that requires slavish adherance to security details. To a point, I can motivate people to figure out ways to "engineer-proof" things - for example - "what can you do to make sure that you lock up the secure thing in the big metal safe at the end of the night?" Sometimes folks come up with really creative solutions.

What is the biggest win for you?

Personally, I love the challenge. I like making secure things work, and security is an added part of the fun. I also really, really like seeing the light come on for newer engineers when they start thinking like a security nerd. And one of the things I like about my corporate culture is that helping other people to think through security for themselves is a big part of the job and the social contract.

What are you fed up with hearing about?

I'm a little fed up with being told the rules are "stupid". They may be tedious, but if you think they are stupid, then you generally aren't seeing a big enough picture.

Sadly, on the other end, I'm also tired of being told that the mandates of a highly secure working environment mean that someone can't move quickly. Secure does not equal slow, especially not when I wonder if the only reason for slowness is red tape.

Answer 2

Well I certainly can tell my share of the "student ethos" because I too did not care (or did not care enough) about security. Add the fact that I was a bit more involved into security than my student friends, you can tell where this is going.

The main problem I had was simply that at school, you are told how stuff works and how you ought to do it performance-wise. What you don't get told is what you should never do security-wise. Also the course is so tight that you are actually jumping around to cover as much as possible but without really getting into a subject.

At school we did some projects for our final diploma but you only get rated on time planning, project completion and working state. Never are you rated on security issues. Your project could be susceptible to even the most primitive SQL-Injection or XSS attempts and you could still get a full 60 points out of 60 (or 1, or A+ depending on your country).

So I think that the problem lies not only in the common disinterest of the student, but also because schools don't show the student WHY it is important and how to use all the great security stuff that was invented for a better cyber-world. I think there is a LOT of room for improvement.

Answer 3

Usually a presentation from the Security Response Team of a company captures the audience whether it is made out of students, managements or developers.

It has proven to be quite efficient (it was based on an informal initiative) in telling different stories. Some of these stories focused on some angry developers left back doors, others on some innocent "no one will exploit that!" or... and off course you will have to show how actually these different cases end up being reported by security professionals and how many person month were required to fix the issues.

Given said those stories, you can present the exploit and then teach them that weak code do not disappear, and then you introduce the secure programming or threat analysis or...

Answer 4

Part of the problem is that security is pervasive: studying "security" on its own barely makes sense. You have to study security in context. Contrast with "databases", where it makes sense to teach a semester course on the topic. I don't mean to say that a semester course on security is bad, just that it is insufficient. Most of the courses in the computer science curriculum I took could have spent a week discussing security implications of the subject matter:

• most math courses: relevance to crypto
• algorithms: crypto
• human computer interaction: psychology of security, security and usability
• computer architecture: crypto hardware, interfaces, hw support for secure OS
• operating systems: most aspects of the OS are security related
• etc.

Actually, I took business classes too, and it's applicable there just as much:

• operations management: physical security
• accounting: they only talked about debits & credits, they don't talk about why
• organizational behavior: again, psychology of security; corporate culture

It cuts across nearly everything. But instructors are already busy trying to pack all the information from their course into the students that there's no extra time to spend on something "peripheral". This would be one avenue of attacking the problem: persuade the instructors that security is an important topic to discuss as part of their course on X.

The problem doesn't seem all that different from the related problem that development managers face: how to get grads with basic skills, period. Some university faculty care about this a great deal -- a conversation with a friendly faculty member can help put some of the issues front and center. I spoke with a CS department chair and he was very interested in hearing about what industry was interested in from grads. His motivation was simple: to keep enrollment up he needed grads to get good jobs -- parents won't send kids to a school where they end up unemployable after graduation. If he talks to a dozen alumni and hiring managers from local companies and hears the same issues, he is going to make adjustments to the curriculum. Even tenured professors get hurt by budget and staff cuts resulting from dropping enrollment.

One approach to getting grads with basic skills is to hire interns. I've worked for a few companies where this is common practice, and it seems to work well for both sides: the intern has a more marketable skill set, earns good pay (compared to alternative student employment, say pizza delivery or retail), and expands their personal network; the company has someone with basic skills it can probably hire after graduation without large recruitment costs, interns are cheap (compared to the cost of hiring full-time professionals). This isn't a free lunch, though -- there are costs:

• You do have to recruit the interns, interview, go through hiring, etc.
• Interns don't know anything, and need a fair amount of attention from professional staff in order to become helpful.
• There's a risk of hiring bozos who spend all day surfing the web or chatting with friends.

This is a "selfish" approach: the company isn't doing anything to necessarily help the industry at large, it's only helping itself. But I think it does end up benefiting the industry because it tends to increase the skill level of the graduating talent pool. (In fact, we "lost" (failed to hire) a couple of interns post-graduation, and some other lucky company got a well-trained grad!)

I come from a programming / development background. One activity I participated in during school were programming competitions. I see that IISP has student membership; do you have student chapters at various schools? Could you organize some sort of security-related competition? I don't suggest it casually -- it would be a lot of work. It may not even develop the specific entry level skills you're seeking, but it could raise the awareness that you're looking for. Remember, it's only interesting if it is fun and challenging.

Possibilities:

• Teams compete to find holes in a given software package. Variant: source is available, audit the source code.
• Teams compete head-to-head to penetrate their opponents' network. Variants:
  • Impose restrictions, e.g. users must have remote access, wireless, etc.
  • Malicious insider -- opposing team controls a node on your network. Detect and respond.
• Teams compete to analyze malware, deploy countermeasures.

Answer 5

I think the best way to get people thinking of security as a real thing rather than abstract is to teach the real basic principals, divorced from computers. Start with physical security and the differences between that and computer security.

1. People dismiss security because so much of it is security theater: lockout after 3 failed attempts, physical access to machines, key loggers vs. draconian password policies.

2. Threat trees: let students develop their own threat trees. Is it more likely that someone will keylog the library machine or figure out their 12 char password that must change every 3 months and use 4 different classes of chars? Kids are great at pulling pranks and often have to subvert physical security, so tap into that.

3. Demonstrate scary exploits. At black hat they usually have a wall of shame showing all of the clear text accounts they sniffed (they block out the passwords and some of the address). An app that would should real-time clear-text sessions across the campus would hit home the importance of security.

4. Examples of exploited sites. Check out the cialis spam inserted into this blog. It's embarrassing. The spam links to the Canadian Pharmacy scam. The links are broken because the other machine has been fixed. It's a very organized and sophisticated scam supposedly out of Eastern Europe. They run very small webservers on cracked machines to keep from getting IPs blacklisted.

Answer 6

I don't share your premise that students don't want to hear about security. I teach an undergraduate computer security course. It is one of the most popular courses in our computer science department (not the most popular, but up there).

One thing to understand is that most colleges/universities are interested in teaching concepts and principles that will last a student a lifetime. In comparison, teaching skills that may be obsolete in 5 years is a lower priority. So, if what you want is skills training for the software-of-the-day, companies will probably need to provide that by training their hires. But if you want people who know how to think about security, who know how to think like an attacker, who are familiar with the fundamental principles of security -- then that's something that a well-designed college curriculum can provide.

I've talked to future employers of our graduates, and I've never heard them complain that students who take our security course come out as security Nazis. On the contrary, the most common comment I get from employers is: can you add more material on security into more of your courses?

I realize this differs from your own perceptions, but you did ask for more points of view. This is mine.

Answer 7

I agree with your assertion. We do seem to have two camps of students. We need to educate all students in the computer XX industry about the basics of security. At my university, we force all computer info sys (CIS) and computer info tech (CIT) majors to take my introductory infosec course. CIT major also have to take at least one follow on infosec course.

Requiring all students to take at least an intro infosec class is a first step toward improving the situation. I do not think it is sufficient, however. I think that the way the course is taught also matters. For example, I make a habit of reminding students that "Information security is not just computer security" at least once a week. I do this because I think that as technical people we tend to dive right down into the details of all the things we can do to abuse computer systems. It is kind of a way of trying to look like an alpha geek (Look what I can do, nobody is safe...). Focusing strictly on the fun tech stuff and ignoring everything else seems to drive a wedge between the two camps. The nazis eat it up and want to enforce ridiculous (and ineffective) policies upon graduation. The students who aren't looking for an infosec career just endure the class and continue to be clueless about security and also determined to resist the nazi's policies.

For me, I try to strike a balance between teaching students about fun cool infosec tech and helping them understand that infosec is so much more than pen tests, vuln scans, av, etc. I do have a fun playplace setup for them with a couple systems on an isolated network that they can hack away at. Even the students not interested in infosec seem to enjoy this. Hopefully they graduate a little wiser and without a hatred for all things infosec.

Answer 8

I wonder if graduates are the right place to start?

It is arguable that a good security professional (or indeed any professional) needs a good grounding in business at least, and probably in IT/IS. Taking someone from university and putting them straight into infosec means it is far more likely they will end up Security Nazi than not.

Perhaps the approach should be to focus on the team leader/junior manager level within corporates. They already know the corporate ropes, how to influence, persuade, and deal with politics - and are looking for their niche. Now if they're in IT, then they can probably go either the infosec or the IT sec route (or both); someone from a non-techie background might have to focus on infosec and ease themselves into IT sec over a couple of years. But that's where I'd put my energies if I was looking to ensure the leaders of the future were security-friendly.

Answer 9

I see the same issues you're seeing, but found a partial solution while working as operations security programs leader for a large multi-national. I was fortunate enough to have the support of a couple key executives and a really good starting program for new grads. The pre-existing approach was simple: this company would hire a block of newly graduated engineers and CS types, sign them to a 2 year contract then rotate them through each of several groups/positions over that time. They might, for example, spend a few months supporting a large trunking switch, then get several months writing new code for that same switch. Others might get some time developing new hardware, then spend time supporting network management. The decision around which groups each new grad would go to was a combination of skills, desires and needs, both the new employee's and the various organisation's.

The bit I added was to include a set of options for these new grads to receive the same types of real-world exposure to security. We put together plans for these new people to learn IT security from the IT security group, we had a couple incident response groups they could work with, and I even occasionally had a couple helping on policy. This way, when they landed where-ever (assuming they were offered a permanent position at the end of the program) they had some level of understanding of security and it's associated challenges in the real world.

All that said, I understand such a program is not realistic for most employers. It might be possible, though, to put together a couple summer-intern type positions that provide the same basic exposure, at a much reduced cost. My experience is that, as technical people gain exposure to the real challenges and opportunities in the security space, their approach becomes more reasonable and balanced. We quickly discovered it doesn't take a lot of time, either. It wasn't necessary they learn enough to actually do the job, only that they get a solid understanding of the reality. In most cases, a couple months (about the length of the summer break) with a security team provided more than enough experience to have a very positive result.