
The Information Security Industry - Education

A long rant about the state of our industry - focusing on education.

In this post I want to take some time to talk about my general thoughts on the state of the security industry when it comes to training and education of junior resources. I’ve been working in application security for over ten years now and during that time I have had the chance to interview, train, and work with a lot of different people.

The state of the current crop of people joining the industry is sporadic, to say the least. The industry is also going through turmoil for perhaps the first time ever. As we navigate one of the most uncertain economic situations in a long time, it's a tough time to be getting into any industry. Perhaps to start, it is a good idea to take a step back and look at how we got here.

ABOUT ME:

I started working at a security company named Security Compass back in 2010. I had gone to school for general systems administration and got the chance to be a sysadmin for a security company for a few years. I eventually started working as a security consultant, thinking I would be more focused on network security. Fast forward almost 13 years, and I have spent so much time looking at web applications that at this point I consider myself pretty competent at AppSec.

I also just want to provide the general caveat that everything I discuss from here on out is strictly opinion. I have many a hot-take that I need to get out before they boil over. You should consider that my thoughts are limited by my experience and biases - I’m probably wrong about a lot of things!

I am also only really speaking from one specific viewpoint within the industry. Security is a large and flexible concept, which, as I talk about later, makes it hard to define a good skillset for. I have no idea what the market and development pipeline are like for junior resources in, say, DFIR. My viewpoint is pretty limited to application security and pentesting in general.

THE INDUSTRY:

Back when I first started learning about security in general, the industry was quite a bit different than it is today. The older, experienced people within the industry I spoke to would share war stories about tripping over the most basic of security findings: no authentication, easy code execution exploits, the type of stuff they teach you about that you never see out in the wild.

The professional side of the industry in the 2000s was also different: there were very few formal security functions within most organizations. The people who were responsible for security were often doing it as an addition to their normal role (think the sysadmin who is responsible for securing their org's infrastructure).

When I was starting off in the 2010s, security was in the process of being formalized as a practice. More and more organizations were starting to define internal teams, identify the need for security training for their staff and realize they were probably sitting on a minefield of insecure systems. The solitary worker sitting in the basement was moved to an office and given a budget to work with.

Around this time, the primary limiting factor was qualified personnel. There just were not that many people out there who had the experience and skillset to go around. This led to a lot of the broad claims you see about the security industry, such as the zero percent unemployment rate and the "requirement for a million security professionals".

Over a decade later and the security industry has become formal, streamlined and process driven. It is not uncommon for large organizations to have massive security teams or spend millions of dollars on security. Entire ecosystems for training and certifications have sprung up, university and college programs have been built and taught across the world. There is an endless amount of online information about security concepts, research and tools.

It has honestly been a pretty crazy transition. When I first started, it was common to have to explain to, and even argue with, the people I worked with that something like a SQL injection vulnerability was bad. Now there is a security company buying a sponsorship on the back wing of the Mercedes-AMG F1 car.

With this massively increased spending, availability of resources, and education and certification opportunities, surely people who come into the industry today are better off or more prepared, right? Well, in my opinion, no.

One example of how the paradigm has shifted within the industry: 10 years ago it was common for a security person to need to explain to a developer why a specific vulnerability was dangerous and worthy of being fixed. These days I much more often see a developer explaining to a security researcher why their bug report is nonsense.

I have thoughts on why that is, from issues in the way we teach security to people at school, to issues in how we approach certification.

Education:

Can you learn to be a hacker? Most people would say yes, of course! Can you learn to be a hacker sitting in a classroom? Well, that's a bit trickier.

Over the years I've seen endless discussion on this subject online: can you learn enough about security to be able to enter the workforce directly or should you need to start off in some other job to pick up more baseline skills?

I'll admit that my own opinion on this has changed quite a bit over the years. I used to think that you could learn enough at school to jump right into a security role, but as I've grown I think the reality is a lot muddier.

Regardless of what you think about this, it's pretty clear that the security education industry has pushed forward the idea that you can.

Here in Canada there are dozens of programs from local colleges, universities and technical schools offering security programs. They vary from short, 6-8 month technical programs to full on 4 year degree programs.

The longer programs cover a pretty wide range of topics, and I've personally met many people who have graduated from them and turned into excellent security professionals.

The shorter ones are more hit and miss. In a program that goes over several semesters you have a chance to actually learn concepts thoroughly and be able to use that information in a variety of contexts. A lot of the shorter programs that sell you on the idea that you will graduate and be able to walk into an industry job are often only giving you a thin veneer of understanding.

The reality is that the claim of being able to easily get a job in security after graduating from a short technical course is currently a fantasy. That could change as the market turns, but these programs have lost a lot of their lustre, just like code bootcamps.

Knowing The Words:

If I had to distil down my frustration with the various interviews I've done over the last several years, it is the feeling that a lot of people who are new to the industry lack any sense of deeper understanding of security flaws beyond the names of the vulnerabilities.

Through the material learned in school, or from public resources like OWASP or other online training content, people are often quite familiar with what security findings are, but they really struggle with the why and how. That nuance, sadly, is where the real work of the industry is.

Take, for example, Cross Site Scripting, a classic vulnerability taught in pretty much every information security class. If you are speaking to a junior in the industry they will be able to "speak the words" about it: it's an injection issue where you can put a payload like <script>alert()</script> into a search bar, and if it's vulnerable it will return a popup.

Great! That is a fair enough description of the issue, but what I've seen is that as soon as you start probing into the why, many people's understanding falls apart. What is the scripting language that is used for XSS attacks? Is an XSS attack client-side or server-side? Why does CSP work? Why did browsers ship automatic protection for reflected XSS issues but not stored (and why, for the reflected-XSS filters that Chrome and Internet Explorer/Edge once shipped and have since removed, could that ever only cover the reflected case)?

Many, many junior people in the industry only know how to do one thing: replay the mechanical steps required to identify vulnerabilities (running scanning tools, copy/pasting payloads). The results of this task are often distributed without any form of analysis or consideration.

It is not uncommon for me to see security findings that can be dismissed as worthless after a few moments of analysis. Anyone working in a bug bounty program can attest to the sheer magnitude of garbage reports they get. In many of these cases if the person who made the report had ever created a web application before or been responsible for configuring a system they would understand the context that they got wrong.

Imagine you were a doctor who had only really learned the names of specific diseases or illnesses during your training. You might be able to smile and nod through a few conversations, but as soon as the situation demanded more of you it would all fall apart.

For me the most obvious case of this is the OWASP Top 10. The OWASP Top 10 is a listing of 10 vulnerability categories that are meant to represent the most common classifications of vulnerabilities in web applications. In practice this term is used as a bludgeon to describe everything from testing methodology to risk ratings to a marketing term.

People will say they are an "expert" on the topic of the OWASP Top 10, but what does that even mean? Knowing the types of security flaws in common applications is fairly useless in evaluating the security flaws that exist in the thing you are evaluating. Going back to the doctor example, how reassured would you feel if your doctor assured you that they were familiar with the top 10 diseases that humans were getting in 2025?

Are we expecting too much?:

One counter to what I've said above is that it is unfair to expect much from someone without any practical experience. There is some truth to that, but the reality of the industry at this point in time is that nothing is going to be very fair.

There are a lot of people looking to get into the industry right now. Security is a profession that has received a lot of interest from all around. It is a career stream that was adopted by many second-career programs, and as we have discussed earlier there are multiple school programs churning out new graduates every year.

The security industry, after seeing a massive amount of growth, has slowed down. Security saw large-scale layoffs for the first time a few years ago, and this injected a significant number of people into the job market looking for work. There is more competition for jobs, and you have to prove your abilities to get a solid job.