Every year, I take part in talks for universities and schools. The theme is often breaking into infosec. I give advice to teens considering pursuing tech as a further area of study. I explain a typical working day for degree undergraduates. Sometimes I’m asked to give examples of conference talks. I get to dust off some oldies and give a snapshot of security research circa [insert year of choice here].
I’ve been doing this for about five years now, and it’s incredibly helpful for me and (hopefully) students too. I see real concerns from people who’ll end up being the next wave of researchers, writers, and communicators.
Get involved: benefits for the education space
If you work in security research and are considering doing something similar, you should! It’s helpful for many reasons:
- It gives you a solid idea of what the next generation find interesting, research-wise. Which bits of tech do they love? What do they think will be an issue down the line? Maybe they prefer virtual machines to bare metal. Perhaps we’ll have an hour-long debate over the rights and wrongs of paying malware authors. You won’t know until you try it!
- If you do any amount of public speaking, interviews, talks, whatever: it keeps you from going rusty. The Pandemic has shut down many conferences and sent more than a few online. If you’re unsure about doing online talks when your background is “real world only”, it’s helpful practice. Want to know what works in virtual spaces? This will definitely help.
- Schools and universities really get a lot from these events. It’s usually quite difficult for them to get people booked in to speak about things. From experience, educators will absolutely appreciate any outreach or help you can give their students. It’s a win-win for everybody.
"I thought it was all code"
Something I emphasise is that information security has a huge number of different backgrounds in its overall makeup. I’ve met many despondent students who felt their coding skills weren’t up to scratch. The students' impression is that everything is 100% coding or programming.
It's true, coding and programming can be incredibly difficult things to understand. Skills like reverse engineering malware can take years to perfect. There’s no guarantee of being able to keep pace with malware developments in the meantime, either.
Well, there’s lots of fun ways issues like that can be addressed.
Even so, “I thought you had to be a qualified coder / programmer” is something I hear all the time. If not that, they often feel a lack of skills in one area negates everything else they're good at.
It's quite a relief for them to find out this doesn't have to be the case.
The myth of the "expert at everything"
In media, security researchers are often presented as experts on all topics imaginable. The reality is people excel in their own little niche field and have a variable skillset for everything else. Experienced security pros know when to ask for help, and there's absolutely nothing wrong with it. You really don't have to know everything, all the time. This is another concern relayed to me by many students over the last few years.
The many paths to the security industry
When doing these sessions, a few key talking points come up time and again. Quite a few students have to be convinced that lots of security folk don’t necessarily even have technology qualifications. There’s also many roles which don’t involve any coding whatsoever. However, these are roles students haven't considered, because they didn't necessarily have any idea they existed.
Some of the deepest hardware knowledge I’ve come across is from people in sales teams. Do you like the idea of public-facing research? There’s blog and press opportunities for that. Is the idea of promoting your company’s research to a wide audience an exciting one? There’s probably a spot in marketing for you. At the furthest reaches of “no tech involvement whatsoever”, security organisations need people to design things. Maybe it’s time to dust off that design degree and start sending in your resume?
Whatever your skillset as a student, there is absolutely something you can do. That talent of yours will be a benefit to an organisation in the security space.
Thinking outside the box
One of the most interesting things about fresh talent is watching it pull apart new technology and highlight unforeseen dangers.
Look at some of the things we dig into on our very own blog. Web beacons, virtual/augmented reality, the Internet of Things, deepfakes, malign influence campaigns, securing accounts after someone's died, and much more. The industry as a whole is more open to new / different research than it’s ever been. It has to be, or bad people will be getting away with virtual murder while everyone twiddles their thumbs.
In the last few days we’ve seen a run on art related NFT theft. Try telling someone that 12 months ago and see what the reaction would be. Someone out there has an idea for a solution to this kind of problem. They just don’t know it yet. It’s up to us to encourage them and see what kind of cool solutions they can come up with.
Talking with teachers: Holly Smylie
Computer Science teacher Holly Smylie, who sat in one of our talks, has given some insight into how the industry can help students:
Open days and talks are great in terms of giving students access to positive role models from the industry such as yourself. It essentially gives them an exposure to experiences of infosec that they may otherwise not have had from their environment, meaning that it can make a massive difference in terms of their future career aspirations and later life chances.
I think that one of the greatest take away from your talk for my students was that although qualifications are obviously important, they aren’t the be all and end all. There are still other routes into the sector without the "usual qualifications". It allows them to think beyond an exact route into something they want to know more about. Also, I think that there is more that our industry could do in terms of addressing the gender imbalance - whether this is providing talks or networking between students and female experts in the industry.
Again, these role models for students at school and even uni-level via talks, open days, visiting companies, etc can often be the tipping point for female students who do not believe that they would succeed in this industry (as it is still very male dominated). Again, I think this just fits in with broadening female students' horizons to the world of infosec and giving them confidence that they will be just as valued as our male colleagues.
According to some predictions, there’s a huge number of jobs which will go unfilled into the next year. I’m not convinced the numbers will be as big as that. Even so, helping students of all ages with paths into the security industry can only be a good thing. The pandemic hasn't made technology learning easy over the last year. I'm glad we at Malwarebytes have been able to pitch in and give students some possible careers to think about.
Special thanks to Holly, and the schools and Universities we’ve run these sessions for. We wish your students success in the years to come.