One of my responsibilities is to train new IT Security folks. For the last 10 years it has been 1 or 2 per year. We are a university. We are chronically underpaid. But, we have excellent access to young, intelligent, motivated people. I prefer to start with somebody who has several years of experience in IT. But, I work with whatever I get.
Teaching professionalism takes the longest. Next, is teaching attitudes. Teaching skills is easy. The single hardest thing to teach is how to not deceive yourself. To see what is in front of you. And, to then see what it implies and what happens next. If they can’t learn it, I have to teach them to be something else.
Part of the problem is, almost everybody stops trying to see their environment as a single consistent whole. Once you give up on consistency, you break the world up into pieces and don’t connect the bits to each other. Afterwards, you develop blocks to perception and analysis. I call two of the most common of these blocks: “Magic Box” and “I’m Too Dumb”.
Magic Box is where they compartmentalize an entire area of human activity as free of constraints. After they classify it as magic, they can no longer draw rational conclusions about anything involved with it. I’m Too Dumb is where they limit themselves by believing that some processes, people or sources are beyond their ability to analyze or predict. The I’m Too Dumb block prevents them from subjecting those processes, people and sources to common sense analysis and scrutiny. The funny thing is that I have trained several people that actually had extraordinary genius. That didn’t prevent them from having these blocks. Nor did it render them any less susceptible to self-delusion.
Both of these blocks are reduced by having them complete challenging tasks that are outside their previous experience. And the task must be solidly anchored in reality, with real world feedback and consequences. If their previous technical experience is limited, I always have them spec out, build and maintain their own PC. Then I force them to install, understand, and control Linux. It is not that these skills are a required subset of the security field. It is that the sense of accomplishment, understanding, control, and mastery is essential for what comes next.
There is one critical skill that I have never successfully taught. At least, it doesn’t impact their ability to do security. No matter what I do, they always call me up after they get a new job and tell me how much more they are making than I am.