Trainee cyber-criminals wanted to help solve skills shortage

Hacking can, and should, keep us on our toes. Credit: Alexandre Dulaunoy, CC BY-SA

The world is already short of computer security experts, but by 2017 that shortfall is going to have reached about two million. Criminal hackers cause damage running to billions of pounds every year – just look at the attack on Sony Pictures, leaking unreleased films onto the web and threatening the company's entire system. If we don't do something about this skills gap soon, the costs we bear are going to keep spiralling upwards and we will be increasingly vulnerable to cyber attacks.

This issue was raised by a panel of experts at the House of Lords recently. The National Audit Office has stated that the shortage of IT skills is hampering the UK's ability to protect itself, and Mark Weatherford – from the US Department of Homeland Security – has also stated that the lack of people with cyber security skills requires urgent attention as there simply aren't enough people to hire. With hacking and cybercrime being such hot topics at the moment – and with the demand for cybersecurity experts growing at 12 times the rate of the overall job market – how has this happened?

It's been suggested that the information security skills shortage stems from how few university leavers enter the field. But there are plenty of degree courses with relevant titles, so why aren't the graduates of these degrees getting the jobs?

At the moment, the blame game is in operation: industry blames academia for being too theoretical, and academia blames industry for wanting something different from what they provide. This isn't getting us anywhere, but there are a few changes that could make a difference.

Thinking like criminals

Courses need to be more vocational, something that unfortunately many academics and research funding organisations look askance at. But it's what's made our ethical hacking degree so successful: students don't just study theory, which of course is important, but conduct practical operations in a closed computer network lab, where the course focuses on getting the students to think practically and creatively in developing their experimentation skills. They need to learn to think how hackers think. We get them to look for a system's vulnerabilities, and to try and exploit any weaknesses they find by using their practical programming skills to test things out.

Although it might seem a bit unusual to breed a criminal mindset like this, the most effective way to build secure computer systems is to understand how you can break into them.

Making connections

As well as working on practical tasks in the lab, students need placements at some of the country's top security firms. In fact, close links with industry are key, as that way universities can learn from companies what skills are needed so that courses can adapt to provide graduates with exactly what they'll need to succeed.

We desperately need more of these relationships – it's no good having companies asking universities for their best graduates if they don't tell universities what it is they need these graduates to be able to do.

But this transfer of knowledge needs to go further. Students need to hear from industry representatives about the industry. It's equally important that our students and graduates go back to their schools and talk about what they're doing. This opens the eyes of pupils to what the industry might hold for them, and offers a bit of inspiration for pupils and their teachers.

Historically, computer science taught at school has focused on using applications – learning packages like Microsoft Word, Excel or Access, without delving much into the underlying operating system or hardware technology that makes them possible. Some of today's pupils have no idea about the sorts of things that computer science incorporates, nor what computers are capable of. But mention "hacking" and they sit up and take notice.

Perhaps there is a certain amount of nervousness about the sort of things such courses must necessarily teach. But there is no security through obscurity – we have to teach the routes and mechanisms of attack in order to defend against those that would use them against us.


This story is published courtesy of The Conversation (under Creative Commons-Attribution/No derivatives).

Citation: Trainee cyber-criminals wanted to help solve skills shortage (2014, December 3) retrieved 15 July 2019 from

User comments

Dec 03, 2014
Although it might seem a bit unusual to breed a criminal mindset like this, the most effective way to build secure computer systems is to understand how you can break into them.

The downside is that this will also breed hackers. If out of a class of 100 students just one uses those skills for hacking then it may be a losing proposition. Because while one hacker can attack any number of companies, the 99 other students will just be able to protect 99 companies (if that).

In any case: defense is always one step behind offense. So the problem is likely to not go away - even with a large increase in cyber security people.

Dec 03, 2014
One thing in my 10 years of computer security experience is that management and directors are the biggest problem. They say things like "Block it" or my favorite "Black hole it" and think a simple block will work.... cause most management never had to think of things like this in their 30+ years of work.

There is also a belief that network admins would be great security experts but they seem to think that if the threat comes from the network then that is the only thing that needs watching but they are wrong. There is a reason why WAF or layer 7 firewalls are all the rage these days.

There is also the fact that criminal hackers (or black hats) make multiples more in pay (millions vs if you're lucky 6 figure salaries) than ethical hackers (white hats). And also the fact that criminal organizations can pull a 180 degree shift if needed to get things done and death is a good motivator too.

Dec 04, 2014
A good first step would be to cease glomming every practice related to computers into "computer science" as the author seems to do. I'm not aware of any computer science degree that requires training in Microsoft Word or Excel. Would he prefer problem solving skills or vocational training in how widely used technology works today?

On the security side, expect to require a diverse set of skills. And if you want to attract and retain bright, creative people, you'd better figure out ways to keep them challenged. It's a conundrum, because well run security is certainly much less exciting.
