By Juan Manuel Haran
Are you considering a career in cybersecurity? What learning path(s) should you take?
Does formal education matter? ESET experts share their insights.
With
cyberthreats on the rise, cybersecurity professionals are, unsurprisingly, a
hot commodity. According to a recent study by Cybersecurity
Ventures, there will be 350% growth
in open cybersecurity positions from 2013 to 2021 and it is estimated that, due
to the talent crunch, there will be 3.5 million job openings in the industry by
2021.
With that in
mind, one of our articles to mark this year’s Antimalware
Day features insights from several ESET security
researchers. We asked them a series of questions to learn how they built their
expertise and to gather their thoughts about the usefulness of formal education
versus self-study for becoming a security practitioner.
Learn all by yourself?
While more
and more colleges and universities worldwide offer degree programs in computer
security, far from all academic institutions have launched such programs.
Indeed, many experts in the field are self-taught and/or have acquired their
skills through various non-academic courses and certifications.
ESET
Distinguished Researcher Aryeh Goretsky, who embarked on a career in IT security in the
late 1980s, notes that back then there weren’t actually any courses or
certifications specifically focused on computer security.
“Computer
security was taught, but it was largely in terms of models for access control,
and I think tended to focus more on the concept of securing multiple-user
computer systems and users’ access to them being seen as more of an atomic
model than as bits and pieces of a larger, more globally-interconnected system.
So, the people who were interested in the concept of cybersecurity, of how
disparate computers and networks might behave towards each other, kind of had
to self-teach. Some of that might come from reading standard computer science
and engineering and reference tomes, and learning about computer and network
operations, but some of that knowledge came from… shall we say, unofficial and
very hands-on experimentation,” he explains.
This is echoed by Marc-Etienne M. Léveillé, a malware
researcher at ESET’s lab in Canada who studied software development and
computer engineering. “The things I have learned in college or university
aren’t directly relevant for my position as a security researcher. I had to
learn about many aspects of security on my own,” he says.
This is no
doubt also the case with many other experts. There are a multitude of online
learning resources these days, including countless massive
open online courses (MOOCs)
for people with various levels of skills and experience. Also, social networks,
notably Twitter, and many other online services, including YouTube, offer great
opportunities for people keen to exchange knowledge and experience, ultimately
enabling them to learn from one another.
“It is true
that the technology and security community is growing and many people are happy
to share their knowledge, which allows newcomers to get support from
established professionals,” says ESET Brazil researcher Daniel Cunha Barbosa.
“While self-learning is a possible path and it is how many experts in the
industry received their training, it is not the only option,” he adds.
Indeed, while
security professionals need to continue to learn on their own and sharpen their
skills almost daily, many will agree that there’s an undeniable value in
academic training.
“If I had to
do it again, I’d still choose to go through college and university. Both gave
me the opportunity to meet people and participate in extra-curricular
activities such as competitions and security conferences that I enjoyed so
much. Some schools also offer internships, which also helps getting started in
the field,” says Léveillé.