Robots, lock picking and #infosec

October 26, 2015 Dan Holden

boy mechanic

Five years from now, will large-scale breaches and the increasing threat of cyber terrorism still be occupying the headlines and mindshare of CISO’s and threat analysts or will it be some new type of threat or group? I’m going to wager that, in 2020, the biggest problem plaguing information security is unrelated to any of the threats making headlines right now. It’s a problem that’s just beginning to bubble up now and I believe will get far worse over the next few years. The problem won’t be the addition of new threats or threat actors per se, but the increasing lack of skilled workforce to support the growing information security industry.

The good news is that, as common citizens, we are all far more aware of information security issues than we were 5 years ago. If you read the news, more often than not there will be some story about a large breach with credit card or personal information stolen and sometimes disclosed. Or the headline will focus on geo-political related issues tied to malware campaigns such as Stuxnet or relations with China and the commonly held belief that they are purposefully stealing western intellectual property with the U.S. being a prime target.

The bad news is that we don’t seem to be attracting, or supporting in a fashion that scales, the next generation of information security experts and large-scale workforce that is needed to combat these issues that we all read so much about. I’m thinking back to when I first got into this industry in the 1990s: being a hacker was one of the coolest things a young person with computer interests could be. This was an era of hacker wars, easy vulnerabilities to exploit, and a total lack of security on any system, regardless of its location or criticality. I would say that the most important aspect of this generation was the investment in your hobby because you loved it, and you knew that this whole computer security thing wasn’t something that a professor was going to teach you, but that it took your own time and a sub-culture of people helping each other to learn it. The hacker culture is one of constantly learning and constantly challenging things. I firmly believe that even today with computer science degrees and the availability of so much information, the primary tool for being successful in this industry is the understanding that it’s your personal time, and a personal investment that gets you ahead. You can never replicate the big bang that is the beginning of a movement, or in this case an industry. But, can we, and do we, need to replicate the culture that made it all so exciting to begin with?

If the excitement of the 90’s is what’s missing in order to attract new talent then how do we replicate that? Back then, you were either a part of the scene or you weren’t, and this meant that many took what they learned and applied this to a future in penetration testing or product development. If the hacker mindset is the most important foundation for the industry, how do you ignite that spark?

As we see in professional sports today, the answer to the infosec skills shortage is to start young. You’ll see a trend among the veterans of the industry acquiring lock picking sets and a collection of locks in order to teach their kids this fascinating skill. They aren’t raising their kids to be cat burglars, but instead teaching them how to break something that is assumed at that age to be unbreakable. We seem to be so focused on allowing kids to create and build, that we don’t allow them to break anything anymore. We need to replicate the kid during the 80’s that took apart their VCR because they wanted to know how it worked, and I’m sorry, but tapping away on your mobile phone and spending the day on social media isn’t the foundation needed. The only area where young kids seem to be interested in hacking these days is video games, much like many during the 80’s and 90’s. Perhaps this is a place to start?

We are at a point where our every day lives are affected by security issues and this creates not only the demand for security professionals, but the opportunity for us as an industry to affect the youth and next generations. We need to take this more seriously than we have. Teach your kids lock picking, show them not only Star Wars but Hackers, and push them to question things more often. While this mindset seemed natural for Generation X, it hasn’t been for the millennials and these generational differences need to be recognized and accounted for when thinking about how to scale to the job market needs.

The post Robots, lock picking and #infosec appeared first on Arbor Insights - Our People, Products and Perspective.


Previous Article
Comfortably Numb
Comfortably Numb

Last week it was revealed that an email account belonging to the Director of the CIA was hacked by teenager...

Next Article
ICYMI: Arbor’s Roland Dobbins NANOG presentation on the DD4BC extortion campaign

In this presentation, originally given at NANOG65, Arbor’s Roland Dobbins discusses details of the ongoing ...