Skip to main content
banner image
venafi logo

Hacking Requires Exceptional Skills: Can IT Security Pros Keep Up?

Hacking Requires Exceptional Skills: Can IT Security Pros Keep Up?

hacker training
July 19, 2017 | Billy Spears

Ladies and Gentlemen, thank you for taking time to read this series on, ‘Why is the norm acceptable within technical fields?’ Throughout this series my objective is to question the status quo, challenging the norms of technical certifications, industry affiliations and degree programs while attempting to communicate opposing perspectives. If you have thoughts, specific points of view or feedback you would like to communicate with me, then please feel free to chime in. All perspectives are welcome. 

In today’s business culture, there is a growing number of humans that believe there are logical steps necessary to develop core comprehension of technical ability within the Information Technology, Cyber Security, Data Protection or Privacy fields. Why is a degree relevant? Is a technical certification necessary? What about organizational affiliations? Should you join, attend conferences, volunteer to present your perspective on the latest buzz? Does any of this directly link back to your position? Is any of it actionable?

How do the bad guys prepare themselves to penetrate systems and exfiltrate the crown jewels? Do you think they are expected to embark on the same traditional learning journey as our business culture? If they don’t, should they not be considered worthy of stealing our most sensitive data? Or, in the case of the best ways to use, or misuse, encrypted traffic, are the bad guys better trained than we are?

Why obtain a Computer Science degree? An argument could be structured to suggest a degree never actually expires. Each person possessing this degree is likely to be considered more credible, even years after they graduate and the core of what was learned is now stale. They are usually non-skill specific, instead focusing on the broader ‘why’, ‘what’ and non-technical ‘How’ factors. For example—Why do I need an IT Strategy? What is Infrastructure, Security, Applications, Networking or Architecture? What is a PKI or trust store?

When we look at staffing requirements, what are their respective responsibilities, expectations, and success paths? How do they support each other to benefit the company as a whole? Why are undergraduate level degrees an essential requirement for management level positions? Why do employers require an advanced level degree such as an MBA, in addition to the bachelor’s degree, for these roles? Do you think people with this level of education perform better, are better technical professionals or increase company profitability targets from their educational merits alone? Degrees do not require continuing educational courses to be maintained. Employers may pay a portion of your student debt obtained for acquiring the degree but normally not the entire cost.

What about potential employers that value certifications over degrees? Is this perspective beneficial or harmful? I have heard people suggest that Certifications are validation that a person understands and can demonstrate a common skill. Certifications are usually vendor specific. A few select examples are including, but not limited to— ISC, ISACA, ISSA, IAPP, Cisco, Citrix, Microsoft, Red Hat, AWS, ITIL, PMP, VMware…and the list goes on and on. These certifications are based on a specific skill, is less time consuming to obtain then a degree and are much less expensive. Certifications are usually funded by an employer for a specific purpose. They also come with required continuing education to maintain your qualifications each year. These courses can be costly and are one of many budget items that are scrutinized on an annual basis.

What about the bad guys? I am talking about Hackers, malicious insiders or anyone wishing to exploit weaknesses and monetize the information obtained for profit. Wait, are all hackers’ bad guys? What about ‘Ethical Hackers’? Isn’t that some sort of a contradiction? Are these the virtual superhero’s and villains of our time? What type of training or education does one need to become a superhero or villain? Most professional hackers have at least some basic computer skills with the ability to use the edit the registry and set their own network parameters. They have some Networking abilities and probably understand the functioning of DHCP, Subnetting, IPv6, DNS, Routers, switches, VLANs, OSI and MAC addressing. These individuals have advanced knowledge of the Linux operating system and can use Wireshark for network troubleshooting and analysis protocol. Topics like virtualization, databases and security concepts are second nature. Hackers have some degree of scripting ability and are able to use web applications to their advantage. Sometimes establishing their own website for the purpose of phishing. Except for a couple areas outlined above there isn’t a degree that would teach you those specific skills. There is an Ethical Hacker certification that covers several of these areas but isn’t all inclusive either.

Why aren’t companies seeking out and hiring these individuals to perform penetration testing and to strengthen network security and harden infrastructure or data governance activities? Could it be that these folks don’t have degrees or the appropriate certifications to be successful in a corporate environment? Could they become a corporate intelligence asset by navigating the dark web searching for potential cyberattacks and working with the appropriate personnel within the company to manage each risk appropriately to prevent negative impacts from occurring?

How much is your data worth? Do you know how to classify it? What about your data handling procedures? Does your company perform an analysis on the impact for privacy concerns with regards to data movement or system architecture? What does Privacy mean within your organization? How do you manage these types of risks? In the next post, we will break these concepts down and debate the rationale behind each one.

Thank you.
Billy Spears

Like this blog? We think you will love this.
compromised android platform certificate
Featured Blog

Compromised Platform Certificates Used to Sign Android Malware for Samsung, LG and Others

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

Subscribe Now

See Popular Tags

You might also like

TLS Machine Identity Management for Dummies

TLS Machine Identity Management for Dummies

Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

About the author

Billy Spears
Billy Spears

Billy is the Chief Information Security Officer at loanDepot. He has more than 20 years as a collaborative business partner and possesses deep expertise across the cyber security, privacy, and risk management fields.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more