Ilio Kolochenko, CEO of High-Tech Bridge, a Swiss information security company, gave the keynote address on governments' role in cybersecurity this past Sunday at the Regional cybersecurity Summit in Oman.
Before his speech, he talked with CSO about why self-taught hackers are generally superior to those who go through a formal certification program, and why compliance with cybersecurity standards will remain low unless governments make it very painful to ignore it.
A recent story in The Independent said the UK's Government Communications Headquarters (GCHQ), through approval of certain Master's programs, had created, "the first certified degrees for spies." Is it accurate to call a degree in cybersecurity a degree in spying?
I'd say not. Obviously some governments' activities may be reasonably called "spying", but we should not forget that national security experts are required to use intrusive techniques to protect the nation's interests.
It's like calling a policeman or a soldier in the army a "killer" because he has a gun. The main thing is to make sure that governments protect citizens and do not abuse their power.
Will the GCHQ initiative raise the level of cybersecurity skills and/or spying?
I don't think classes or a certification will significantly change the cybersecurity situation in the entire country. But, that such a program exists at schools, colleges and universities means that people will understand that it is important.
What do you think the quality of the degrees will be?
Many schools are sponsored by companies, organizations, NGOs that offer various types of certifications in cybersecurity, hacking, and ethical hacking. Some programs are quite good, and some are relatively poor.
A company called EC-Council, which has been around since 2001, became famous because of its program called a CEH (Certified Ethical Hacker) Diploma. It offers a good overview of hacking and information security for those who want to enter IT or infosec, but it's not very advanced. They're doing a good job teaching people how to protect themselves by showing them how they can be hacked.
But personally I'm a bit skeptical of them. When they say their program is CEH, it's a bit too much. They have been hacked themselves, in recent years. They should change their certification to something different, because when you say I am a CEH, it means much more than they are actually teaching you.
The other problem is that many people just get the diploma to improve their CV. They're learning the answers by heart just to pass. They don't care to become more sophisticated in anti-hacking and security.
Certification is still useful because it assures that a person has skills and capacities, but if the priority is the diploma and skill is something to get later, I don't think this is going to make our security better.
Sign up for CIO Asia eNewsletters.