Monday, October 26, 2015

Apprenticeship and Infosec

So how do you learn to be an infosec professional? Honestly, most of the leaders in the field these days were the stuckee (i.e., the person who didn't say "not it" quickly enough) in the office when a security person was needed. While infosec academic programs exist, the reality is that almost all security positions require experience. As a friend put it on Twitter, "Schools can do a great job on teaching technology, but methodology and process require more than book knowledge." Now, even strategy and process can be taught academically, as military and criminal justice degrees show. But the reality is, even after completing basic training or your criminal justice degree, you're still a rookie.

The reality is that infosec is much more like a traditional profession than the newer technical professions. And most traditional professions are built around apprenticeship. If you were going to DO something in the old days, you didn't learn it so much in the university as in the back of a current practitioner's shop.

And that's still the case in many careers. A welder who can weld what others cannot is valuable. Air traffic controllers have a median pay of $122k/year. Even in highly educated careers, the education is really just an introduction to the on-the-job training. Medical doctors have residencies. Engineers must work under a Professional Engineer to become one. Teachers student teach. Nurses precept.

So what about information security? What really needs to be taught in a classroom? Probably the basic controls and technology, though not in any depth, as they'll have changed by the time the student enters the field anyway. Probably general strategies and some basic processes. After that, though, why is there not a formal, controlled apprenticeship process for information security as there is for so many other fields? Why do infosec students not practice engineering security, working incidents, and gathering intelligence the same way medical students practice internal medicine, surgery, and emergency medicine? We all know the apprenticeship is happening one way or another, so why not formalize it?

Marisa Fagan suggested a mentorship program almost half a decade ago, and not much has changed since then. Still, we've all matured a bit. We now understand the importance of working with the large, existing institutions where we used to go it alone. Maybe it's time to make apprenticeship an expected and formally defined part of the information security curriculum.