What the future holds for infosec in SA

By ITWeb
Johannesburg, 30 Aug 2016

Timo Goosen is a penetration tester, developer and chapter lead for online community the Open Web Application Security Project (OWASP), which creates freely-available articles, methodologies, documentation, tools, and technologies in the field of Web application security. He will share his experience as part of a panel discussion at the ITWeb Security in Finance Forum 2016 on the legal framework and implications of non-compliance specific to financial institutions. He writes:

Not enough competition

Where is SA in terms of infosec talent management and development and what do we still need to learn?

I sometimes think about what the future could possibly hold for the information security industry in South Africa. We have a very good track record of producing some of the most successful programmers and sometimes programmer/entrepreneurs born in South Africa who have made it big.

Theo de Raadt, a software engineer who lives in Canada, is the founder and leader of the OpenBSD and OpenSSH projects. Mark Shuttleworth, who lives on the Isle of Man, is an entrepreneur and space tourist who became the first citizen of an independent African country to travel to space. He funded and founded Canonical in 2004, and provides leadership for the Ubuntu operating system. Elon Musk is the founder, CEO and CTO of SpaceX; co-founder, CEO and product architect of Tesla Motors; co-founder and chairman of SolarCity; co-chairman of OpenAI; co-founder of Zip2; and founder of X.com, which merged with Confinity's PayPal.

The sad truth, however, is that while South Africa produces some of the greatest infosec professionals in the world, we also lose them at a phenomenal rate. In my opinion there is not enough competition in the local infosec market. A few well-known names appear to control the market, and this stunts growth and development in the industry, as competition tends to drive innovation.

Why does South Africa produce good infosec professionals? Firstly, we grow up as South Africans with security built into our everyday movements and our everyday life. Life in South Africa can be violent at times, and most of us have witnessed or been victim to a violent crime of some sort. Due to living in this kind of environment, we have been raised to be more security conscious in our approach to things. Even organised crime in South Africa is causing South Africans to become more security conscious, especially from a cyber security perspective. By way of example, a friend of mine recently had her iPhone stolen and kept getting phishing e-mails to her iCloud e-mail address from the syndicate that stole her phone, trying to phish for her Apple ID password.

Timo Goosen, penetration tester, developer and OWASP chapter lead.

Another factor that causes South Africa to produce good infosec professionals is the lack of resources in general. We have to grow up with a 'can do' attitude and learn to get things done with limited resources, thus preparing us for the international world where resources aren't limited, but time is.

The last factor in producing good infosec professionals is the quality of engineering and computer science departments in South Africa. South Africa has produced many exceptional developers and infosec professionals through world class education, then incubated their practical skills through world-class companies and start-ups.

A big problem I see is that we as infosec industry professionals are too focused on our own priorities; there are very few organisations in South Africa that focus on sharing information and knowledge as a whole. We need a South African equivalent of the Chaos Computer Club that we see in Germany. This club provides a platform where fathers and sons/daughters can come together to discuss information security topics and share their knowledge. They also run several services that benefit the country as a whole: Tor exit nodes (an anti-censorship effort), conferences, camps, and the list goes on. Members of the Chaos Computer Club are on occasion called to Parliament to comment on matters of cyber security and privacy.

Sharing research

There are very few organisations in South Africa that allow their employees to share their research or code openly in an open source format. Sharing information or code on GitHub is not just good for a company from a marketing perspective, but also puts South Africa in the spotlight on the international scene. We obviously don't live in a perfect and ideal world where you can share all of your research and code as open source and still make a profit, but sharing one or two small projects won't hurt. The few companies that do share their code and research in South Africa have seen a huge benefit and received international recognition. One of these companies follows the 20% time model used by Google: 80% of work provides income for the company and 20% is released as open source or presented at international conferences. This is an excellent model and helps retain talent, as people get to bring their own ideas to life and to exercise their passion. This model is obviously hard to implement, especially in a tough economy, so my guess is that 20% time in reality is more like 10% time, which is better than no time at all.

Another question we need to ask ourselves is: what are we doing to attract new talent to the infosec industry? The reality is that we are not doing much to attract or even to retain talent in the industry. Many developers switch from writing code to becoming penetration testers, if they are lucky enough to be offered the opportunity. Unfortunately, many entry-level penetration testing jobs offer a lower salary than what the typical developer is used to. The result is that many people will end up working as penetration testers, but for international companies that allow them to work remotely; thus this talent is being used elsewhere and South Africa loses out.

The second problem I see in the South African infosec industry, especially in the penetration testing scene, is the lack of diversity. In an ideal world the government should be creating incentives for businesses to create programmes where they share or transfer those skills with the previously disadvantaged. We need a much more diverse industry that is much more inclusive. There are a few female infosec professionals in South Africa and they are extremely good at what they do and it will probably be a short while before all of them are "captured" from South Africa by foreign companies.

Sometimes it feels like the infosec industry in South Africa is like a burger flipper industry. This might sound rather insulting, but we tend to focus so much on getting good at one thing that we forget to continue our learning and we produce a string of professionals that can only do one aspect. This reminds me of the fast food industry where people are given one repetitive task to do and nothing else, where there is no growth and where they are easily replaceable.

The criminal side of the information security industry is far more innovative than the legal industry. They keep innovating at an amazing rate. The legal infosec industry seems to be reactive to the criminal infosec industry. While we are still trying to figure out how a previous threat worked, the blackhats are working on a new type of threat. We are just reacting which is a very backwards way of thinking.

The incentives are also all wrong. An example that I like is Zerodium, which buys zero-day exploits. Security researchers are more incentivised to sell their work to sites like Zerodium than they are to report security bugs to vendors. Kaspersky recently started an open bug bounty programme for their desktop software, a very good move in the right direction. I am unsure as to what we can do about this on the local scene, but there is definitely something worth thinking about. Imagine finding a security issue in Kaspersky: who are you going to sell it to, Kaspersky or Zerodium? (Note: Zerodium is legal in most countries, while participating in bug bounty programmes is not.)

We still have a long way to go before SA is seen as a player in the information security industry. While my opinion may currently seem very negative, I have also seen some positives, where developers and IT professionals have left the country only to return with tons of experience and knowledge. I hope that we will see a big boom in the industry locally, but also see more happening in the infosec community as people start to see the value of sharing information.