2019 has started as it ended 2018: with the world recovering its breath after a cyber attack. If Germany suffered earlier this month the oldest hack of its history, which uncovered data of hundreds of politicians, at the end of November it was the great Marriott hotel chain who revealed a similar attack, which could have affected 500 million customers. But before that the victims had been Singapore, Facebook, the banking system of Mexico… there is no target safe from hackers. The threat grows as companies and institutions around the world face another danger, just as pressing, which is the shortage of professional experts in cybersecurity. A field in which the self-taught has traditionally predominated, but which is beginning to make its way into the official formation of universities and other educational centers.
It is expected that nine out of ten companies will suffer a computer attack in 2019. And the costs are estimated at 11,500 million dollars this year. The data is overwhelming. For the bad, but also for the good. And is that the labor niche It gets bigger and bigger. Between now and 2022 job offers in cybersecurity will triple, according to the calculations of the specialized publication Cybersecurity Ventures. Forecasts indicate that by then there will be 1.8 million unfilled jobs worldwide, 350,000 of them in Europe, according to a survey by the Center for Cybersecurity and Education (ISC) ².
"It's not a bubble, it's the new paradigm. Rich countries will no longer produce consumer goods, but will generate wealth through information. Any company has to manage their data, store them and, above all, protect them ", explains Julien Mur, senior manager from the Information Technology and Life Sciences department at the human resources consultancy Hays. The expert points out the cause of this gap between supply and demand: "The transformation of the economy has occurred very quickly. A generation of cybersecurity professionals has not been formed in a decade. "
The speed of the changes joins the scarcity of scientific and technological vocations among young people, especially in the case of female students. "We need to promote STEM degrees [las carreras de ciencia, tecnología, ingeniería y matemáticas, por sus siglas en inglés], the boys see them as difficult ", explains Maite Villalba, researcher and director of the Master's Degree in Information and Communications Technology Security from the European University. "The drawback of the shortage of professionals in this field is not the same as in other sectors. It implies problems for companies, but also for citizens and for governments. In addition, there is a setback in the development of emerging technologies because companies and citizens will not dare to use them. "
The need for professionals and the growth of cyber attacks coexist with another contradiction. And although the Internet is full of information and resources to enter the terrain of cybersecurity, the tasks performed by these experts and what you need to know (and study) to become one of them remain an unknown to many students. Below is a guide to dispel the main doubts about how to become an expert in cybersecurity.
What does a cybersecurity professional do?
"Saying you work in cybersecurity is like saying that you work in technology. Within that there are many different profiles and not all are technological, "says Marta Beltrán, coordinator of the degree in Cybersecurity Engineering from Rey Juan Carlos University (URJC). Far from that stereotype of hacker that moves between shadows and illegality, the field of cybersecurity is much broader (and not at all obscure): auditors, developers, analysts, forensics … and yes, also hackers, although very different from the topic that is usually kept in mind.
"The different profiles of experts in cybersecurity can be defined according to whether they act to avoid attacks or to respond when they occur," explains Eduardo Arriols, professor of Degree in Software Engineering at the U-Tad University Center. The first group, that of professionals dedicated to preventing security incidents, is divided in turn into defensive experts, who specialize in securing systems, and offensive teams, that is, auditors who look for vulnerabilities, for example in a website or in an application, to determine if they are safe or not (what is called the hacking ethical).
Within this basic scheme fit, for example, developers of software safe; architects, analysts and consultants, who are responsible for defining the security needs (and solutions) of a technological project; experts in network protection; Specialist in malware, to develop tools that detect and eliminate them; experts and forensic analysts, responsible for investigating cyber attacks; cryptographers and cryptanalysts, who work in the encryption of information; security directors of a company –CISO or CSO, depending on the role they perform– …
The common point of all of them is that they are dedicated to solving problems. Creativity and innovation are two key elements in your toolbox, as they allow you to go one step ahead of the attackers. Diversity is also important. "People with high qualifications are needed, but also diverse teams", explains Maite Villalba, of the European University. "Working as a team is fundamental, and when different professions and areas come together, ideas come out that would not otherwise arise. That is why other profiles of the branch of social sciences are emerging, such as analysts in cyberintelligence or legal experts in cybersecurity. "
What should a cybersecurity expert know?
Pablo Ruiz Encinas, who is in his fourth and final year of the U-Tad degree, cybersecurity had always caught his attention, but he saw it almost as a kind of incomprehensible and inaccessible magic. "There is not a book that you can read and say you already know everything. It's all very diffuse and scattered, "he explains. "There is a lot of information, but it is not concentrated at one point and when you want to start there are many people who are overwhelmed because they do not know where to do it."
The widespread deficit of STEM vocations is a problem that worsens in the case of female students, who are more reluctant to pursue these careers, which in turn leads to a lack of cybersecurity professionals. "In this field, only 11% of the global workforce is women. In Europe we do not reach 7%, "says Maite Villalba, director of the master in cybersecurity at the European University.
The expert also coordinates a new European research project, Be @ Cyberpro, which aims to awaken the curiosity of the students to develop their career in the field of cybersecurity. "Women's roles are missing," says Villalba. "We want to eliminate stereotypes and show women who are working in cybersecurity, demonstrate that there is diversity and that it is a career in which we can all enter and contribute."
Although this problem can be extended to so many other professions, in cybersecurity it is especially complex because it is a knowledge area with a high technical load that, until recently, was not officially taught. The incorporation of cybersecurity as a training subject to the offer of studies of universities, business schools and other educational centers has forced us to define what an expert in this field should know.
The technological base is fundamental, because to avoid or respond to a cyber attack it is necessary to understand how they are produced. "You need, on the one hand, a general knowledge about networks and programming; and on the other hand, a specific knowledge in cybersecurity that covers computer security, legislation, forensic analysis, knowing how to secure a computer system (and not just analyzing it) … "enumerates Paco Marzal, coordinator of the U-Tad degree. "The profile of the student is usually very motivated people because it is a very demanding career".
What can I study to work in this field?
In Spain there are already 81 centers that offer specific training in cybersecurity, according to the guide prepared by the National Cybersecurity Institute (Incibe): master's degree programs, specialization courses, vocational training cycles, degrees in cybersecurity … Among so many offerings, what program to choose? The typical itinerary is the one that bets to study in the first place a race that contributes the technical base – the habitual one is a computer engineering or of telecommunications, although there are also experts who come from the branch of the mathematics or the physics -, to later to study a master's degree in cybersecurity.
The Incibe guide counts 47 postgraduate programs, with different surnames according to the field of specialization: computer forensics, hacking ethical, security management, fight against cybercrime … The institute itself collaborates with the University of León, the city where it has its headquarters, in its Master's Degree in Cybersecurity Research, which is already in its eleventh edition. The center has just launched this course two other masters in cybersecurity, one in the area of Law Y another to specialize in big data in safe environments. The focus of its flagship program, however, is research. "To advance it is necessary to know everything that is happening, but also to analyze the new techniques of the attackers," says Adriana Suárez, coordinator of the master's degree.
Faced with this option, the alternative of pursuing a specific degree in cybersecurity is opening the way, albeit timidly. The Rey Juan Carlos University has opened this course its degree in Cybersecurity Engineering, the first taught in Spain by a public university. In this way, they intend to tackle what they consider a problem: that cybersecurity is addressed as an addition, and not as a central piece, in the university. "We looked around and saw that in most of the developed countries where technology works for years have been imparting degrees of cybersecurity. Our bet was to create an engineering, very similar to computer science, in which safe technology was studied from the beginning, "explains its manager, Marta Beltrán.
The first promotion studies in their classrooms while outside, the options multiply. FP cycles are another gateway to the world of cybersecurity. And the specialization courses are for professionals with advanced knowledge who want to deepen in a specific area. Without forgetting the autodidact part, fundamental to be up to date in a sector in which to go ahead of the hackers it is an obligation. The Internet hosts a large community of experts and stakeholders in cybersecurity who share knowledge and resources: from groups in Telegram to websites where challenges are proposed (such as Hack The Box) and even competitions to be tested.
But although the outlook is promising – in options and opportunities – there are those who analyze it with a critical eye. "Up to a point that need for professionals is true because it is a field in which there has been no specific training until recently. But it is also true that when companies and the administration talk about the deficit it is because they offer very precarious positions, "warns Beltrán. "On many occasions, the game for cybersecurity is not as high as it should be: first we worry about things working well and then, if that, because they work safely."