Speaking at Black Hat Europe in London, Nahman Khayet, security researcher, and Shlomi Boutnaru, CTO at Rezilion, explored the current cybersecurity skills shortage and its link to the education system.
Khayet explained that there are three main characteristics of security experts, which are ‘thinking outside the box,’ ‘adversarial thinking’ and ‘technical knowledge.’
He also cited a quote from M Gladwell regarding the 10,000 Hour Rule, “…the key to achieving world-class expertise in any skill, is, to a large extent, a matter of practicing the correct way, for a total of around 10,000 hours…”
“This sentence has two meanings for us,” Boutnaru said. “The first, is we believe that each person in the world should practice and experience as much as they can in order to become an expert,” and the second is that “every cybersecurity expert should have a lot of experience in the industry before they actually become an expert.”
However, Boutnaru argued that teenagers studying computing in schools are suffering from limitations of the education system. They are being taught less-technical material such as safe internet use, privacy controls, password safety and computer safety, he added, but some “cybersecurity deep knowledge is missing” from the curriculum.
“What about network threats? What about denial of service? What about IP spoofing? What about code vulnerabilities, and others? If you think about it, a lot of teenagers are today developing applications for mobile, web apps, but they don’t have the basic understanding of those [aforementioned] specific threats. Why? Because we are not teaching them that.”
“Students, when they are not getting the right education of cybersecurity, they are not understanding (later on) when they apply for work in the industry the security risks,” said Khayet. “If we look at the characteristics of security experts, they lack all of them.”
So, both speakers argued that there is a great need to upgrade the current approach to teaching cybersecurity to teenagers by:
- Adding practical cybersecurity training in schools as early as possible
- Exposing girls in middle school to female cybersecurity leaders systematically
- Teaching cutting-edge technology with hands-on experience
- Investing more in pedagogical concepts