Cybersecurity in Italy
First of all, a small disclaimer: any statement inside this article is based on my own personal point of view. I deliberately generalized and I am aware of the presence of certain exceptions in my country, but this sum up my opinion and there will be people that will be not aligned with those thoughts.
After almost 5 years inside the cyber-security field I would like to point out some elements, that according to my point of view, are not working in our Industry and in particular in Italy.
We do not have proper university courses or masters specifically designed to teach cyber security neither with the aim of building penetration testers nor security researchers.
Courses are outdated and the majority of teachers are not fully qualified, most of the time they are just basic Computer Science teachers keeping courses of web development and network infrastructure.
I hardly doubt that someone that never worked inside this field, that do not know how to carry out a penetration test and that is only able to explain some of the major vulnerabilities from a pure theoretical point of view can teach to a student how to act in practice. Moreover, most of the courses do not have any practical lab.
People that now came out of the university are lacking the very basics of the computer security, they usually know something about cryptography, but usually they only got forced to memorize full algorithms without fully understanding how they works, they know some of the major vulnerability in a web application (SQL Injection, XSS, CSRF) but must of the time they are missing even the OWASP Top 10; they know very little about standards, and they do not know where to start a very basic penetration test. I’m not speaking about not to know how to use a tools or a specific software, but they do not know what and where search for vulnerabilities.
We need some valuable, high qualified and technical skilled former penetration tester who can teach this job, we need to train the new generation and let it grow, giving support and sharing informations. An example could be Israel and its startup (keep in mind that in Israel most of the people are trained during the period in the army, a thing that I do not like).
Recruitment Agencies, HR, Business and marketing
As a penetration tester you will receive generic job offers in the world of IT Security, many of those are totally incompatible with your expertise and some of those are neither specific for PT jobs.
Agencies need to learn something about our job, because they can’t do their own without a very basic knowledge of our sector; they have to understand who you are and what kind of security expert they need to hire, they should be able to ask you about your job and to read your job description in order to make proper job offers.
Marketing agencies that do not have a basic knowledge of our job are just a waste of time and money for their customers. They cannot sell our skills if they do not know anything about them, they cannot estimate the right time for a penetration test; most of the time they just sell some “great fanciful” products or services that do not meet the client requirements or that are a pain to deliver because in the process of making offers they have daydreamed about some non-existent miraculous tools.
Experts and people who really knows stuff in Italy can be counted on the fingers of two hands, if a customer is planning to secure a very complex and critical system you can’t rely on novices. If you’d like to be sure that you are hiring someone who is technical skilled just put him on test. Reverse the trend, make a technical interview, build or buy some kind of automated platform or test environment and let your candidate play with it. Hire him based on his results and his past experiences, a degree is a secondary parameter, favor instead technical certifications (Offensive Security, eLearn Security, SANS, “CEH”, etc)
Managers and Technical Directors
People covering managerial roles need a lot of technical experience, being only able to manage people is insufficient. There is a need for someone who can foresee the ways of operating on a system, giving insights to the team, eventually helping with critical steps and requirements and with the ability to read and evaluate reports. A manager is someone the team can learn from.
Companies need to stop hiring and store junior testers alone. Juniors need to grow and need training on the job, they need to be supported by more competent people to be put side by side to a senior. Companies need to make investments on technical formation, paying for certifications, promoting public bug bounty, organizing internal CTF and training path and sending employees to security meeting events (Defcon, Black Hat, HITB, Derbycon, etc).
Junior Testers alone are more dangerous than useful, because they cannot fully understand risk derived by their actions.
In Italy we do not have a consolidated company in the Cyber Security market, most of them are former System integrators or Consulting firms where their core business is not the cyber security, they are moving to it (mainly because now it is trendy and because this sector do not fully take a hit during the 2007-2008 crisis and subsequent recession).
In Italy we have some highly talented individuals and some small companies which are like boutiques of cyber security, Hacking Team could be a familiar example. (Though I will not express my own opinion on the matter).
In this industry we have security firms selling products with fancy features like “advanced next generation firewall”, “heuristic and Bayesian anti malware”, “anti APT sand-boxed environments” and other “super cyber catching name”, stop selling bullshit; its only appearance, most of those things are just old re-branded products. There are some things that are working, most of them are at the early stage, need a lot of improvement, are freaking expensive and small and medium companies does not need them.
APTs are a reality, they can cause a lot of trouble and potentially destroy an entire company, but they are also expensive and need qualified personal to being performed. Anti APTs are a new debated solution, but they are basically useless since one of your employees will open a word file and enable the macro, cause of the lack of training.
Please, raise the bar, follow paths of other country about cyber security, adequate laws and agencies, apply EU directions in time and overall do not place “puppets” on key roles! We really need someone who knows stuff in this field.
Are you already a penetration tester? In that case my suggestion is to get in touch with the international community, write in a corporate or a personal blog, share your skills, attends security events, keep yourself updated, play CTFs, do bug bounty, write white papers and do researches. In one word: SHARE.
For all the people that are trying to learn and that like to work in this field
One of the key element of penetration testing is the ability of being able to analyze and find vulnerabilities of a system that you have never seen before. Practice and experience are essential, so if you are trying to enter in this field start to experiment (in a legal way) on your own; no one could be good at something without putting efforts and passion in it, you will be always behind who will experiments and has passion.
Create your own personal testing lab, try different tools and OS, learn to code (no matter what language you will learn, be good at it, because you will need to complete automated tasks).
In one word: TRY! You will never get any answer or result – as we say in Italy “pappa pronta” – without trying.
I always say that to be a penetration tester you probably need a wider knowledge compared to other jobs, you will need to test many different system, devices, OS, software and whatever you will have in your hands and you have to handle all of them.
It does not mean that you need to know everything, no one could, but you need to know a bit of everything, you need to be comfortable with every scenario you will face, you need to have an idea where to put your hands to start a penetration test.
Every good penetration tester has a wide horizontal knowledge base that allow him to range over different scenarios, on top of that base he builds a vertical knowledge for the specific sector he likes the most or he knows better. That is the key in becoming an expert.
Italy will hardly compete with other countries, within cyber security field, unless we start training people regarding cyber security risks, create appropriate training paths and level salaries in this field. This last step is essential, without it everything will be useless, we will spend a lot of energy (money and time) developing highly trained personal that will leave the country for a better job salary around the world.
That’s why I think that our industry is broken and it is not working.
Questions, comments, criticisms, whatever? Drop me a tweet @Void_Sec