Golden SANS Generation - Retaining Future Cyber Stars

Offering the prospect of a “Rewarding Career in Cybersecurity”, the SANS academies offer a place to learn, develop and retrain.

Infosecurity was recently given the opportunity to talk to tutor James Lyne and student Conor Kelly about what being in the SANS academy is like, and what it trains people in. We started by asking Conor what his academic background was, and what he was up to before he ended up in the SANS academy.

Conor Kelly: I got a degree in chemistry and neuroscience and was figuring out what to do with my life. I was working in a bar and trying to find a job.

Dan Raywood: Were you specifically interested in working in cybersecurity, or technology generally?

CK: I always thought it was a cool industry, but I had no knowledge or links on how to get into the industry. Friends recommended me to the SANS course and I applied for it on a whim and got into the academy. I didn’t think a lot of it until I turned up.

James Lyne: I had a lot of people comment that as it is such an opaque industry, it’s quite hard to get initial qualifications to get recognized and get in. Everyone is looking for the resume with five years' experience and ‘XYZ’ and there is a small pool of people who have it. Something that turns up which promises a full paid scholarship and 10 weeks of training to get you into the industry was so completely different to everything else out there, it almost looks too good to be true.

CK: It honestly did!

DR: Tell me what the retraining academy is about.

JL: Structurally it is built on several years of running academies privately, for government and large businesses, and we took people with raw potential and limited experience to the position of junior intermediate practitioner. We built a syllabus that took some of the best known compliments of SANS training, such as modules on ethical hacking and built in Capture the Flag events to give them more opportunity to enter the industry with the confidence that they understood what security was.

This is by no means the end of a journey, it is getting you into the junior intermediate level and there are many years that can be spent specializing in different domains. We found a wealth of people who were not in the traditional recruitment circles for security - they were from diverse backgrounds with applicable skills to cybersecurity domains.

Conor studied what appeared to be an irrelevant degree for cybersecurity, but had that ability to absorb information, to retain facts and pull together different strands of information to solve new problems and dissect issues and find approaches that others would not try. That was what made the training academy unique and why we are certain about it going forward.

DR: You can’t step straight into the position of CISO, you need to gain experience, but is that sort of position a future ambition for you?

CK: I’m building a knowledge base purely for knowledge's sake as it were. The reason why I have so much fun with [the academy] is because the main drive I have is I love learning new things. I don’t have career ambitions of becoming a CSO, but I just want to be as good as possible as I can be at this. That is the only real drive I have, and that is just me.

JL: Over time you become more senior and more influential and I think that is ultimately how you can end up in those roles with that context of what security really means, as you’ve been there and done it.

DR: Is that what SANS is enabling, that step up the ladder?

JL: Yes, one thing that attracted me to work more closely with SANS over the past few years has been the focus on the skills issue and building that next generation as that is something I really care about. I’m a firm believer that when you think about the future of a strong security industry, [it will be] an industry of people who are prepared to deal with all of the crazy new ways we are going to use technology.

One key to success is having a lot more diversity in thinking, in skills and in opinion. Having people with deep technical skills and specialisms is really important: also having people who are able to communicate those ideas to the outside world, and having people who have a background in risk assessment and understand how to quantify and how to make big risk decisions, that really matters.

You need that smelting pot of different skills, backgrounds and experiences, but at the core there has to be some shared understanding and some shared ‘paid dues’ of what security is, how this stuff happens. So things like the retraining academy, where we bring in a group of people from a more diverse space that wouldn’t have come into security anyway, and empower them to learn those fundamentals and help them specialize is hugely important to build that diversity. 

DR: Do you think that we’re at a stage yet where cybersecurity is being recognized as a career?

JL: We’ve crossed that chasm. Go back six or seven years there was frustration that we wished we could get more attention outside of IT to the rest of the world and the board, and that certainly happened maybe even too much in some respects! Since then there has been a steady professionalization and an awareness of this as a career and we’ve not completed the journey, as in many people’s eyes cybersecurity is one job and they don’t see the many jobs such as a security researcher or web application penetration tester.

We’ve got people to realize that there is a career here and there is a skills gap that’s been touted heavily, but not with the granularity on how to truly develop and getting young adults to say “that’s a job I’d like to do, that’s a career I’d like to get into.” Most of the time it’s not even on the shopping list of roles that you would consider for university or for internships.

DR: What learning modules are significantly popular within SANS at the moment?

JL: Penetration testing is perennially popular as for lots of people, their first exposure to security is to hack things and find flaws as it is actually fun and glamorized by movies. That being said, the most popular is Security Essentials and making sure members of staff speak the same language and know what terms mean so they can be an effective security team. It sounds more mundane, but it is incredibly important.

DR: To conclude, Conor which modules did you most enjoy?

CK: Security Essentials was very valuable to learn and I did need that knowledge, and in terms of the courses I enjoyed it was 504 (on Hacker Techniques, Exploits & Incident Handling training) which was fun, but after that it was a Metasploit module where we got to learn how to use that. The most fun I had was learning actual, practical hacking techniques.
