The second survey on the digital habits of large companies, published on 4th October by Econocom, SIA Partners and Ifop proves it: companies have widely invested in data security (87% of the companies feel “fairly advanced” or “very advanced”). This is actually one of the Chief Data Officers’ main responsibilities (mentioned by 83% of the respondents).
How are people in charge of network and system security for large companies trained? How are emerging technologies such as blockchain and IoT incorporated into this training? Hervé Debar (head of the department for networks and telecommunications services at Télécom SudParis) answers these questions.
Hervé Debar has been a lecturer at Télécom SudParis, the universal engineering school of the Institut Mines-Télécom, since 2009. Head of the “Networks and telecommunications services” department, he also supervises the “system and network security” option. For twenty years prior to teaching, he had various jobs in the R&D department for French and foreign industrial groups.
You teach the next heads of IT security of large companies. What is this course like?
The engineering course we offer takes three years to complete, during which a semester and a half is devoted to a speciality. For the students who chose the “security” option, there are 450 hours of training.
Our training consists of two parts: network security and system security. We introduce the students to various attacks to illustrate defence mechanisms, and together we implement tools for verification, encryption, and protection for all the data confidentiality. We also work on detection, technical and organisational audits, and on the security of operating systems and online applications. We try to cover all the areas of IT systems and network security.
Part of the training is in the form of a project: students must complete a task which will prepare them for their future career. Besides, most of those projects come from companies we work with. This year’s works deal with:
- darknets, network spaces which are supposedly invisible and used by pirates,
- blockchain (a transparent, secure technology for storing and transmitting information which works without a central control body),
- security alert management and understanding the attacks as they are reported by the detection centres,
- the protection of personal data on smart grids (“smart” electricity providing networks, i.e. that use IT technology to optimise production, supply and usage).
Each year we receive 24 students whom we provide with professional equipment – which we couldn’t supply to a bigger class – but which students will use again later in the workplace.
skills that are valuable on the labour market
Which career path do cybersecurity graduates follow?
More than 70% of them will work in the security sector, both in France and abroad, with 70% within large service groups or large industrial groups.
Our students are recruited by three sectors: the groups which design or incorporate security products (Airbus Defence & Space, Thalès, etc.), those which apply security solutions or systems (digital companies or banking groups, to carry out audit or security centres operations) and auditors through organisational projects that comply with legislation and standards and through ethical hacking.
The labour market is tight for those types of profiles. To give you an idea, for my 24 students, I receive between 80 and 100 job offers and just as many internship offers. Almost every week I’m contacted by companies that want to get in touch with the students. There is also a high demand from students. They realise that it’s a promising sector and they are increasingly choosing these types of courses. This tension on the market, which already existed 5 or 6 years ago, has increased with the publication of several guides and a reference list of core skills by the ANSSI, with the first decrees of the law for military planning, which force organisations of vital importance to adopt IT security, and with well-known issues such as attacks on connected vehicles. Basically, demand is extremely high.
Do you discuss emerging issues such as IoT security for example?
We do. As a matter of fact, this year we have created a new 3-hour class on IoT protocol security, with a Ph.D. student working on it.
-> Further reading: What are the issues of securing the ecosystem of connected objects? An interview with Jean-Claude Tapia, Chairman of Digital Security, the first CERTTM dedicated to IoT security.
We also discuss cryptology –with blockchain for instance– and virtualisation, a fairly recent subject which has a strong impact in terms of security, but also in terms of command protocols in industrial control, such as the factory of the future or the connected car.
Every year, we have a few projects during which groups of 5 or 6 students go into a subject in depth. But these classes are merely an introduction to all these new subjects. Understanding how an industrial control protocol works is a hard task, because standards are complex and obscure. We ourselves are building our knowledge of such technology.
How do you choose the issues to cover with the students?
We see them emerge, but there are also employers who contact us or work with us to clear these issues and improve our skills together. We work alongside the local network: both large groups and SMBs in the Greater Paris area, because the aim of the course we offer is first and foremost to train professionals. We are also involved in poles of competitiveness such as Systematic.
IT security is a rapidly-changing sector. Can you picture what your training will be like in a few years’ time?
In 5 or 10 years, our training will still deal with cybersecurity, because there’s a need for it and there will be for a long time. Today, there is both a deficit of trained staff and a strong increase in demand. We’ll continue to develop this training from a practical standpoint, i.e. by having the students work directly on platforms, in environments and with the most recent equipment possible, so that they get used to what they will be working with on the professional market.