November 30 is the International Day of Information Protection. This is probably a good reason to talk about one of the most closed services in any financial organization. Let us warn you right away: those who already work in this area are unlikely to learn anything new here. But for those who are not yet familiar with it, it may well be interesting.
First, a few numbers
90% of all fraudulent activity now occurs in cyberspace.
We counted 3 million open vacancies in cybersecurity worldwide last November. This year, statistics were not compiled, but something suggests that the situation has worsened rather than improved.
A strange discrepancy, it would seem? Scammers go online, while security specialists seem to be in no hurry to go where any company would welcome them with open arms.
From experience, we can say this: the gap is real. The market demand for cybersecurity specialists is significantly higher than the number of people who can fill it. This is exactly why cybersecurity is now one of the most promising IT specializations.
Who is a cybersecurity professional and what should he know?
The difficulties begin right here. In short, a security professional is someone who knows a great deal about both technology and people. We will not list technology stacks here; they vary greatly from one direction to another. In general, a security professional needs basic knowledge and skills in the following areas:
development and testing. A security specialist who works in a development team has to find errors and fix them. Not all errors, of course, but those that affect the stability of the system;
building architecture. A cybersecurity specialist is one of those who set the requirements for the architecture of the future product and monitor their implementation;
risk management. It is not enough just to know IT; you need to understand what risks arise when the end user works with a particular technology;
psychology. People do not always treat data the way a security specialist would like. Moreover, people differ: by culture, by education, or simply by age. It is necessary not only to know the typical behavior of different groups of clients, but also to be able to predict their behavior in a given situation. This applies both to external clients and to internal ones, that is, to employees. And these people also need to be convinced to handle their data in line with the required level of security;
legal framework. Which body of law is relevant depends on the specialization. For example, those who fight online phishing need to know when and how a fraudulent website can be forcibly shut down.
A cybersecurity specialist is an IT specialist, a developer, a tester, a risk manager, a psychologist, a lawyer, and a person who can speak in plain language about each of these areas of knowledge. This definition contains a large part of the answer to the question “Why is there an acute shortage of such specialists?” Because it is very difficult to find a person who understands all of this.
What does a cybersecurity specialist do?
Judging by the previous section, the shorter question is what he does not do. Still, let us try to structure this work using our own specialists as examples. To be clear, everything listed below is not the job of a single employee in a single position. The specifics of cybersecurity work depend on the organization. In some places there will be more work with code and architecture, in others with testing, and in others mainly with documentation.
Participates in product development
A cybersecurity expert is on every product team. Products are made by people, and people tend to make mistakes. The expert's task is to find these mistakes and teach people so that, at the very least, they do not repeat them. The security specialist practically lives in the development team; not a single stage, from architecture planning to release, takes place without his participation.
The specialist formulates requirements, monitors their implementation, analyzes risks, carries out acceptance testing, reviews the code and helps fix bugs. This is how each of our products becomes secure. Not 100% (there is no such thing), but as close to that value as possible.
Participates in testing
There are external and internal tests.
Internal testing is a kind of “Cossacks and robbers” game (the Russian version of cops and robbers) for the team. There are “intruders” who, knowing the internals of the system, try to break into it, and there are “guards” who need to keep the system intact and find the attacker. This is not only about finding weak points, but also about training the team.
There is also a practice in which, instead of dividing the development team itself into “red” and “blue”, a third-party organization is invited, and its specialists try to get inside the system. In our case this is BI.ZONE, a subsidiary of Sberbank. With its help, it is easy to understand how secure the external perimeter of any service or of a separate business unit is.
In most cases, such tests are announced in advance. And, logically, the testers never go all the way: they find a vulnerability and demonstrate it, and that is where the test ends.
During the pandemic, Russia came out on top in the world in the hosting of phishing resources and malicious mailings. In the first six months of 2021, more than 36 million attempts by Russian users to reach various phishing sites were prevented, of which more than 300 thousand were attempts to reach pages mimicking the largest financial organizations.
Work is underway against these sites, including action at the domain-name level. By the way, BI.ZONE is also involved in dealing with phishing resources. However, no matter how hard we try, the work never stops: we close sites, and scammers create new ones.
Phone fraud is a separate story. In the first half of 2021, 57% of Russians received calls from telephone scammers. One in ten Russians has suffered financial damage. Tackling phone fraud is extremely difficult, and customer education is a key part of the job.
Teaches employees and clients
Part of our job is to constantly train all employees in cyber hygiene, for example in recognizing phishing emails. We simulate the actions of fraudsters: for instance, we send out a mailing with a “subscription” to an online cinema or a “promotion” from SberBank Avia. Bank employees receive this letter, and we watch their reaction.
Clearly, before testing, you need to teach: what is checked is not just general common sense but also the application of specific rules. To make them easier to remember, we have come up with a special program, “Cybersecurity Agent”. It is essentially a game built on the rules of cybersecurity. Tellingly, before its introduction, 80% of employees opened a phishing email. Now only a few percent do, mostly newcomers.
External clients also need to be taught. There is a “Security” section on our website, a training section and a channel in the SberBank Online mobile application, posts and activities on social networks, publications in the media, and much more. Cybersecurity specialists are involved in all of this as well: they prepare the content, check it, and sometimes communicate directly with customers.
Protects against internal threats
It also happens that a bank employee really is a fraudster. No one is immune from an insider.
Therefore, a separate set of technologies is aimed at preventing the actions of such people, identifying them and reducing the potential damage from their actions. This includes control over data handling, control over employees with privileged access to information systems and a number of other measures.
How do you know if a specialist can count on a job in cybersecurity?
From our recruiting experience, we can say that the value of a cybersecurity professional is determined by four factors. In decreasing order of importance, these are:
What most candidates lack is precisely expertise and experience. Largely for this reason, only 5% of candidates make it from interview to hiring. We can offer some recommendations to those who want to try themselves in this area.
First of all, answer for yourself the question “What am I an expert in?” In doing so, remember what we wrote in the first section about who a cybersecurity specialist is. Maybe you do not have serious experience in development and testing, but you do have experience in risk management? That is also an option; feel free to talk about it.
The second important point: as mentioned above, cybersecurity positions differ in functionality. We expect candidates to say for themselves what they would be interested in, and at the same time to be able to show and describe what they have done with their head and hands. Maybe in the end you will turn out to be unsuitable for the current position, but in a week another one, the perfect fit, will open up.
The third point is knowledge of technologies, especially those available to Sberbank customers, at least at the user level. You will agree that it is strange to go and work on the security of products of which you do not have even a basic understanding.
And fourth: we look closely at the ability to think and speak. This, incidentally, is becoming a characteristic requirement for the vast majority of positions in cybersecurity, at least for those who want to grow beyond a junior role.
How to become such a specialist?
You can go to university, or you can learn on your own; we have examples of specialists who took each path. If you are looking in this direction, your reference points are professional certification and a lot of self-study.
By the way, it is recognized around the world that the Russian school of programming and of developing specialized technical means of information protection is quite strong, and our experts in this area are in demand.
If you are looking at cybersecurity as your field of work, study and get some sleep now. You will have to keep studying all your life, even after you enter this field. But there will be no time to catch up on sleep. The enemy does not sleep 🙂