“It is not so very important for a person to learn facts, for that he does not really need a college. He can learn them from books. The value of an education in a liberal arts college is not the learning of many facts, but the training of the mind to think something that cannot be learned from textbooks” - the words of Albert Einstein, circa 1921, in response to Thomas Edison’s assertion that a college education was useless.
Einstein had a point: facts are helpful, but it is generally possible to look them up fairly easily – and it was thus even in the times before Google. In IT in general and cyber security in particular, the ability to think, reason and analyse is a much more valuable thing. Understanding the way your systems work, and the technologies on which they rely, is immensely valuable – and a dying skill.
In 2015 the UK Government announced that it would be phasing out ICT (Information Communication Technology) at GCSE and A-level. Online news site Schools Week quoted the Government at the time as pushing for “more academically challenging and knowledge based” courses such as the Computer Science GCSE and A-level. And this was exactly the right thing to do: this correspondent studied A-level Computer Science, which included a great deal of theoretical material and explanation of how things worked; when I went on to study Comp Sci at university, much of the material for those three years was first principles, how-stuff-works theory: comparisons between RISC and CISC processor architectures, vast collections of data structures, the theory of computation, how to analyse the complexity (=efficiency) of an algorithm. My sixth-form experience contrasted markedly with that of my stepson some years later: his ICT A-level was all about how to use applications, and his coursework seemed largely to comprise PowerPoint presentations and a project that was based around creating a Microsoft Access Database.
If you understand things from first principles, and you have a decent ability to reason and be logical, you have the ability to step outside what you know. These skills allow you not just to find out new things (Google can do that for you) but to figure out new things. The ability to diagnose problems appears to be dying off among IT people – particularly first-line service desk staff whose roles have a tendency to degenerate into a boring cycle of answer the phone, log the ticket, assign it to a second-line support person, rinse and repeat. And this is entirely the wrong thing to do.
Many years ago, when ADSL broadband was still in its infancy, I had lunch with a senior manager in a major broadband supplier. He told me that the organisation had recently shaken up its approach to customer support and had eradicated the whole first-line support layer and now had people with skillsets equivalent to second-line engineers answering the phone. First-time fixes skyrocketed and customer satisfaction went the same way … yet all that had happened was that people with a bit of gumption and some diagnosis skills were being put closer to the customer.
Not so long ago I was asked to look into a “security issue”. The web filtering software was telling a user that a site was inaccessible, despite that site having been fine since the beginning of time. It was a “security issue” because the web filtering proxy server was managed by my team: if the security team’s software says there’s a problem, it’s clearly down to the security team to fix it. Step one was to try it myself … no, definitely not working. OK, let’s try it from my personal Mac which isn’t on the company network … no, still not working, so it’s not our proxy that’s broken. So let’s “ping” the site to check it’s up … hang on, the name isn’t resolving to an IP address. Let’s see if the name server is responding … ah, the domain as a whole isn’t resolving. A quick WHOIS check showed that the domain registration had expired the previous evening.
This sounds basic because it is. But people with the ability to reason about problems, work back to first principles and diagnose a problem are a dying breed. And this is a crying shame, because the world is a worse place as a result.
The point is, though, that these skills are exactly what we need in security. Attackers are more cunning than ever before, and they continue to come up with new, innovative ways of attempting to invade our systems and steal our data, and by definition we can’t read about them via Google because nobody knows about them yet. As security people we need these skills: and on a personal level, anyone who has – or who develops – such skills has a head start in the job market (or the queue for internal promotion) over those who don’t.