Who is a cybersecurity professional and what should they know?

In short, a security professional is someone who is very good with both technology and people. We will not specify the technology stacks here; they vary greatly between specializations.

In general, a security professional needs basic knowledge and skills in the following areas:

  • development and testing. A security person working in the development team will have to find bugs and fix them. Not all bugs, of course, but those that affect the stability of the system.
  • building an architecture. A cybersecurity specialist is one of those who set requirements for the architecture of the future product and monitor their implementation.
  • risk management. It is not enough just to know IT; you need to understand what risks arise when the end user uses a particular technology.
  • psychology. People do not always treat data the way a security person would like. Moreover, people differ: by culture, by education and, quite simply, by age. It is necessary not only to know the typical behavior of different groups of customers, but also to be able to predict their behavior in a given situation. This applies to both external clients and internal ones, that is, employees. And these people need to be persuaded to handle their data in accordance with the required level of security.
  • legal framework. Which framework applies depends on the specialization. For example, those who fight internet phishing need to know in which cases and how a fraudulent site can be forcibly taken down.

A cybersecurity specialist is an IT specialist, a developer, a tester, a risk manager, a psychologist, a lawyer, and a person who can explain each of these areas of knowledge in plain language. This definition contains a large part of the answer to the question “Why are such specialists sorely lacking?”: it is very difficult to find a person who understands all of this.

What does a cybersecurity professional do?

Judging by the previous section, there is hardly anything they don't do. Still, let’s try to structure the work using our own specialists as examples. Clearly, everything listed above does not describe a single position. The specifics of work in cybersecurity depend on the organization's structure: in some places there is more work with code and architecture, in others with testing, and in others even with documentation.

Participates in product development

A cybersecurity expert is part of every product team. People make products, and people tend to make mistakes. The expert's task is to find these mistakes and teach people so that they at least do not repeat them. The security expert practically lives in the development team; not a single stage, from architecture planning to release, happens without their participation.

The specialist formulates requirements, monitors their implementation, analyzes risks, conducts acceptance testing, reviews the code and helps to fix bugs. This is how each of our products becomes secure. Not 100% (no such thing exists), but as close to that as possible.

Participates in testing

There are external and internal tests.

The internal ones are a kind of “cops and robbers” game for the team. There are “intruders” who, knowing the insides of the system, try to break into it, and there are “defenders” who need to keep the system intact and identify the attacker. And this is not only about finding weaknesses, but also about training the team.

There is also a practice where, instead of dividing the development team itself into “red” and “blue”, a third-party organization is invited, and its specialists try to get inside the system. In our case this organization is BI.ZONE, a subsidiary of Sber. With its help it is easy to understand how secure the external perimeter of any service or individual business unit is.

In most cases such tests are announced in advance. And the testers, logically, never go all the way: they find a vulnerability and demonstrate it, and that is where the test ends.

Fights phishing

During the pandemic, Russia ranked first in the world in the hosting of phishing resources and malicious mailings. In the first six months of 2021, more than 36 million attempts by Russian users to visit phishing sites were blocked, of which more than 300 thousand were attempts to visit pages that mimic the largest financial organizations.

Work is underway on these sites, including the de-delegation of domain names. Incidentally, phishing resources are also handled by BI.ZONE. But no matter how hard we try, the work never ends: we take sites down, and scammers create new ones.

Phone fraud is a separate story. In the first half of 2021, 57% of Russians received calls from phone scammers. One in ten Russians suffered financial losses. Fighting phone scams is extremely difficult, and a key part of the job is customer training.

Teaches employees and customers

Part of our job is to constantly train all employees to follow cyber hygiene rules, for example to recognize phishing emails. We simulate the actions of scammers: for example, we send a mailing with a “subscription” to an online cinema or a “promotion” from SberBank Avia. Bank employees receive this letter, and we observe their reaction.

Clearly, before testing you need to teach: what is checked is not just general common sense but the application of specific rules. To make them easier to remember, we came up with a special program, “Cybersecurity Agent”. Essentially, this is a game built on the cybersecurity rules. Tellingly, before its introduction 80% of employees opened a phishing email. Now only a few percent do, mostly newcomers.

External clients also need to be taught. There is a “Security” section on our website, a training section and a channel in the SberBank Online mobile application, posts and activities on social networks, publications in the media and much more. Cybersecurity specialists are involved in all of this too: they prepare content, check it, and sometimes communicate directly with customers.

Protects against insider threats

It also happens that the fraudster is actually an employee of the bank. No one is immune to an insider.

Therefore, a separate set of technologies is aimed at preventing the actions of such people, identifying them and reducing the potential damage from their actions. There is monitoring of data handling, control over employees with privileged access to information systems, and a number of other measures.

How to understand that a specialist can count on employment in cybersecurity?

From the experience of hiring, we can say that the value of a cybersecurity specialist is determined by four factors. In descending order of importance, these are:

  1. Experience.
  2. Expertise.
  3. Knowledge.
  4. Breadth of outlook.

Most candidates lack expertise and experience. Largely for this reason, only 5% of candidates make it from interview to hire. We can give some recommendations to those who want to try themselves in this area.

First of all, answer for yourself the question “What am I an expert in?” At the same time, remember what we wrote in the first section about who a cybersecurity specialist is. Maybe you don’t have serious experience in development and testing, but you do have experience in risk management? That is also an option; do not hesitate to talk about it.

The second important point: as mentioned above, positions in cybersecurity differ in their functions. We expect candidates to say for themselves what they would be interested in, and at the same time to be able to show and describe what they have done with their own heads and hands. Maybe in the end you will not suit the current position, but in a week another one will open that fits you exactly.

The third point is knowledge of technologies, especially those available to Sber customers, at least at the user level. You will agree that it is strange to go and build the security of products about which you do not have even a basic idea.

And fourth, we look closely at the ability to think and speak. This, by the way, is becoming a characteristic requirement for the vast majority of positions in cybersecurity, at least for those who want to grow beyond junior level.

How to become such a specialist?

You can go to university, or you can learn on your own; we have examples of both kinds of specialists. If you are looking in this direction, your reference points are professional certification and a lot of self-study.

Incidentally, it is recognized worldwide that the Russian school of programming and of developing specialized technical information protection tools is quite strong, and there is a certain demand for our experts in this area.