The reality is infosec is much more like a traditional profession than newer, technical, professions. And most traditional professions are based around apprenticeship. If you were going to DO something in the old days, you didn't learn it so much in the university as the back of a current practitioner's shop.
And that's still the case in many careers. A welder who can weld what others cannot is valuable. Air traffic controllers have a median pay of $122k/year. Even in highly educated careers, the education is really just an introduction to the on-the-job training. Medical doctors have residencies. Engineers must study under a Professional Engineer to become one. Teachers student teach. Nurses precept.
So what about information security? What really needs to be taught in a classroom? Probably the basic controls and technology, though not in any depth as it'll have changed by the time the student enters the field anyway. Probably general strategies and some basic processes. After that though, why is there not a formal, controlled, apprenticeship process for information security as there is for so many other fields? Why do infosec students not practice engineering security, working incidents, and gathering intelligence the same way doctors practice internal medicine, surgery, and triage medicine? We all know the apprenticeship is happening one way or another, so why not formalize it?
Marisa Fagan suggested a mentorship program almost half a decade ago and not much has changed since then. Still, we've all matured a bit. We now understand the importance of working with the large, existing institutions where we used to go it alone. Maybe it's time to make apprenticeship an expected and formally defined part of the information security curriculum.
No comments:
Post a Comment