Phannarith Ou, a friend of mine who works for the Ministry of ICT in Cambodia and founder of Cambodia CERT, recently wrote about his experience engaging with university students.
In his article, he talked about the challenges that IT students face in Cambodia, primarily the lack of security courses available to them and, as a consequence, the lack of capacity of Cambodia’s cybersecurity industry. As such, more effort is needed to build capacity and awareness of the industry at the tertiary level.
During my recent trips to conferences, forums, and workshops in Islamabad, Kuala Lumpur, Phnom Penh and Male, I took the opportunity to visit local universities to give security presentations to students and lecturers. Normally, I get about one to two hours to talk about anything related to cybersecurity. I try to not spend too much time talking about basic concepts that are already covered in textbooks.
Instead, I like to spend time telling stories about how security incidents are being managed, share some interesting findings from my honeypots, or point to some useful resources online. There were a few times where I also did a short desktop exercise – making the session interactive.
Like Phannarith, I think engaging with the university community is important. I get the opportunity to:
- Share and explain recent threats, and the challenges faced by security response teams or law enforcement agencies. This is a good chance to speak about best current practices, the inner workings used for some recent incidents, and problem-solving skills used to mitigate on-going threats.
- Highlight useful tools, including projects on Github or supported by Google Summer of Code. Showing these examples will hopefully encourage students to try things out for themselves (for example running a honeypot or cuckoo sandbox) or contribute directly to some of the projects.
- Promote the global and regional security community and conferences and where they can learn more. For example, communities like APCERT, OWASP, FIRST and organizations such as ENISA, APWG, and the ShadowServer Foundation.
- Talk about APNIC and how we fit into the cybersecurity ecosystem with other stakeholders. In addition to that, I also mention some of the initiatives and activities we support such as Ready to ROA, our training and e-learning resources, security issues discussed by network operators at our conferences, and cybersecurity research grants.
Ultimately, I hope from these engagements, students will have a better appreciation of the challenges and opportunities in cybersecurity.
At the same time, I hope they realize that strong knowledge in networking, operating systems, programming, problem-solving and communication are also essential. Furthermore, I also hope that a few of them will be motivated to explore these more. Who knows, some of them may pursue a career in cybersecurity and fill the growing need for cybersecurity professionals in many economies today.
So far, I’ve received lots of positive comments from both the lecturers and students and it is great to find some students following me on Twitter (@adliwahid) and some emailing me questions.
If you’re a security professional, I encourage you to make the effort to spend time visiting and talking to students at local universities and colleges to share your experience.
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.