How to build an army of cybersecurity experts
- 09 February, 2017 06:30
Over two years ago some companies that were hacked asked Dr Hossein Sarrafzadeh, the head of the Computing Department at Unitec, for help.
The organisations attacked were small to medium sized businesses, says Sarrafzadeh.
This incident prompted him to set up a course at Unitec teaching students on how to conduct ‘cybersecurity health checks’ for SMBs.
“I saw a need for it as New Zealand is unique in terms of the size of our companies,” he says.
“These organisations are major players in New Zealand’s economic growth, but often do not have the resources to undertake a cybersecurity health check for their own business,” explains Sarrafzadeh, who is also the director of the High Tech Transdisciplinary Research Network at Unitec.
“The students can go out with a better experience from studying, while the companies that can not afford a health check will have one,” says Sarrafzadeh.
The students in groups of three, together with an industry professional, perform the health checks for small and medium-sized businesses.
These, Sarrafzadeh explains, are typically businesses with four to five servers, around 15 to 21 stations. They check the operation systems and provide a report.
“The report on its own raises awareness and these students get experience while they are working,” he explains.
These experiences can then be augmented by training in security companies. “These companies can hire them after they graduate so the industry benefits,” he says.
If this programme is extended to the rest of the tertiary institutions, then we will have an army of students ready to check the health of a company
The health checks are conducted over three days. The students normally spend a day at the company to physically check the facility and systems.
For students involved in these health checks and getting subsequent training while studying, it is like being in a “continuous internship”.
“We are working so we can do more of these health checks, because our capability is limited,” says Sarrafzadeh, who is seeking more organisations to fund these health checks.
He says they are coordinating with business associations in Auckland and receive referrals from other SMBs they have helped.
“We have a class of 25,” he adds. “We can not do it for everyone who needs it. If this is extended to the rest of the tertiary institutions, then we will have an army of students ready to check the health of a company.
“Other universities, other polytechnics could do this and we are happy to share the template I created that is being used here.”
He says the programme has also prompted Unitec to design a new course, which prepares people to work in non-technical areas of cybersecurity.
The 'human capital crisis' in cybersecurity
For Sarrafzadeh, this collaborative approach is one way to manage “the human capital crisis in cybersecurity”.
This crisis, described in a report by the Center for Strategic and International Studies back in 2010, points out: “We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed, but also an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious acts.”
He further refers to an article from Forbes a year ago, citing a report from Cisco that there are around one million unfilled security jobs globally. The demand for these cybersecurity professionals is expected to grow to six million by 2019, with a projected shortfall of 1.5 million, according to Symantec CEO Michael Brown, who was quoted in the same report.
“2019 is not too far,” says Sarrafzadeh. “There is no way the institutions teaching or the industries training can produce that many so there will be a big shortage here and globally.”
He says one challenge is that companies hiring these people want experience. “They need them now and they need them today.”
“What can be done in New Zealand that could be different is not only to provide industry certification, but also link up with the industry so these people get the experience while they study."
“When it comes to cyberwar, we are are probably more vulnerable than anyone else if we don’t do anything about it,” he says. “So student armies of people being trained in this, is another area we should focus on for the future.”
His message to students and young professionals considering a career in cybersecurity?
“You will always have a job,” says Sarrafzadeh.
“I don’t see the job market slowing anytime soon, so people who study cybersecurity will definitely have their jobs lined up for them.”
He issues a related call to businesses. “Companies should work very closely with tertiary institutes like Unitec to train the workforce of the future before it becomes a crisis for us."
Send news tips and comments to email@example.com
Follow Divina Paredes on Twitter: @divinap
Follow CIO New Zealand on Twitter:@cio_nz