
Interview with Svetozar Yakhontov, CEO of ARUDIT SECURITY to Cyber Media portal

04.08.2022

Svetozar Yakhontov, CEO of Arudit Security, told Cyber Media about the prospects of young information security specialists, the difference between real working conditions and the media image, current conditions and ways to combat professional burnout.

Cyber Media: In the context of increased cyber attacks on both CII facilities and commercial resources, how has the demand for information security services changed? Which ones, in your experience, are preferred?

Svetozar Yakhontov: It is possible to divide the demand into supply-generated demand and demand generated by practical information security, new regulatory requirements, incidents that have occurred.

In the first case, these are third-party SOC services. Despite the decade of existence of commercial SOCs, demand in the country is still formed more by supply.

In the second case, the demand for DDoS protection services based on practical needs has grown. Also, tender sites are full of announcements of procurement procedures for local technical support of solutions from foreign manufacturers as a substitute for previously available vendor technical support.

The rest either remained as it was, or was temporarily postponed until the solution of the priority tasks of migration to the IT and information security infrastructure available in the new realities.

Cyber Media: In the view of many people, an information security specialist is a white hacker who fights cybercriminals and constantly searches for vulnerabilities in his infrastructure, promptly eliminating them. How does this stereotype differ from reality?

Svetozar Yakhontov: As in other professions, the image formed by cinema is rather different from everyday reality.

Information security functions are regulated. The implementation and monitoring of the implementation of regulations are routine tasks. Naturally, special situations are superimposed on the daily routine: urgent corrections of the causes and consequences of false positive triggers of protective equipment (this is when colleagues from IT departments resort and complain that everything has stopped working due to blocking of protective equipment), testing and implementation of new protective equipment, and work with real incidents.

In a small organization with only one and a half information security specialists, the functions are completely blurred – the specialist deals with the development of internal organizational and administrative documentation, and the preparation of reports for industry regulators, and the administration of protective equipment, and interaction with related departments, and feeds fish, and waters flowers.

Such a wide range of tasks has its advantages: you can acquire a wide range of knowledge and practical skills in a relatively short time (1.5-3 years). And in conditions of low competition for the position of head, there are more chances to get the position of the latter with the rotation of personnel.

There are also disadvantages – you can become a specialist in one organization, when you switch to a new job in another organization, it turns out that knowledge and skills are limited only by the list of tools and questions available at such a first job.

In a large IT-dependent organization, which has significant industry requirements for information security, the nature of the work can be completely different.

In such organizations, it is possible to grow "up" – the importance of interaction with other departments will increase: IT, legal services, business.

And "horizontally" – to develop strong technical expertise, interaction more with manufacturers of information security tools and technologies.

In recent years, a career in information security has become more technocratic – specialists with strong technical expertise and sufficient communication skills have more chances for a managerial position than just pleasant sociable managers.

Cyber Media: And where is the romance with hackers?

Svetozar Yakhontov: Such romance can occur either in specialized organizations engaged in threat intelligence, or in large banks that have their own division with such tasks. Or in the relevant departments of law enforcement agencies.

Cyber Media: In large organizations, again, more often in banks from the TOP 20, there are departments that are engaged in identifying and eliminating vulnerabilities. What does it look like?

Svetozar Yakhontov: Option one: we bought a commercial vulnerability scanner, launched it on the network, received N-million responses (the bank is large, there are many devices and systems). After checking the scanner settings (something somehow found a lot of things), you will have to accept that the world is full of holes, and get to work: 

  • classify the found vulnerabilities according to the degree of criticality;
  • eliminate false positives;
  • compare critical vulnerabilities with the threat model;
  • create a plan to eliminate vulnerabilities;
  • request available security updates from the system manufacturer;
  • make a test plan for such updates and compensatory measures;
  • achieve the allocation of resources to create a test zone (you can't install an untested update on a combat system without testing);
  • ensure the allocation of resources for conducting vulnerability exploitation tests and other tests specific to the system.

Then, finally, output such an update to the combat network and make sure that the update was installed everywhere.

Option two: we ordered a commercial penetration test from "white hackers" from a specialized organization.

Having delayed the deadlines three times, the "white hackers" will give a report on the vulnerabilities found. Then – as in the first version. The peculiarity is that what such "white hackers" find, the system manufacturer may not consider a vulnerability and may refuse to provide a fix. After all, there is no such vulnerability in the CVE registries yet. Then a months-long correspondence begins with the expectation of a release.

And dealing with vulnerabilities becomes routine. A routine that requires the use of professional knowledge, a creative approach in working with participants in the process. If in the first year and a half you learn to perform routine tasks with the muscle memory of your fingers (there are no muscles in your fingers, it will be done "by itself" quickly), you will have time and energy for a creative approach to tasks.

There is a universal recipe for not getting stuck in an unpromising routine: work hard, work well, study constantly. And in 1.5 years you will become a specialist. After 3 years, you will become a strong specialist, solving problems that others rather cannot solve. In 6 years, you will become, perhaps, the best in the industry. These are qualitatively different career and professional opportunities.

Cyber Media: What role does self-education play in the work of an information security specialist?

Svetozar Yakhontov: Self-education should become a natural habit. Information security is an expert area of expertise. Both technologies and knowledge in this area are constantly being supplemented.

To get a chance for a young specialist to get a job in a large IT-dependent company (a large bank, a telecom operator), today it is not enough to have a diploma of graduation in the specialty.

By the time you start your career, it is significant to already have one or two certificates of completion of training in applied courses of an information security equipment manufacturer in demand in the industry.

It is better to give priority to basic technologies (knowledge of industrial DBMS application techniques will also be useful in information security). Knowledge of at least one popular programming language, even interpreted scripting, will also be a plus. They will take in some project to "plug holes" in local automation, and this is already a practical task solved in a team with experienced colleagues.

When you have already gained a foothold in the workplace, you will have to study a lot outside of working hours. On the way to and from work, with printouts and textbooks in hand, driving should become the norm. What you didn't finish at the university – you'll have to catch up quickly.

And the best help in such self-education is to be surrounded by strong specialists. 80% of the answers to the question "how to approach the solution of a new unfamiliar task?" you can get from them.

Cyber Media: Many experts note non-regulation as a lack of work in the field of information security. Attackers, as a rule, "time" their attacks to Friday evening or weekends, holidays. An illustrative example is the Log4j vulnerability, which deprived the security guards of "New Year's holidays". What, in such conditions, helps a specialist not to burn out?

Svetozar Yakhontov: The information security industry does not have its own specifics of the recipe "how not to burn out". There are universal principles. When you wake up, make your bed. With this, an orderly day begins, there is a sense of solvability of tasks, until the end of the day. Feeling the result is the best prevention of burnout.

Update and supplement the circle of communication periodically – also prevents the feeling of being blinded. It is important to feel life through new observations. Find an interesting outdoor hobby.

I do not impose, I share my observation – I joined mountain tourism with colleagues in the industry. Even after a week of adventures outside of civilization and communication, thoughts calm down, anxiety that someone will call or write about "everything has fallen again!" disappears.

Cyber Media: Now all spheres of life are somehow affected by the geopolitical crisis. In your opinion, what should profile specialists prepare for now?

Svetozar Yakhontov: There is an opinion that it is necessary to update knowledge about *nix operating systems. So knowledge should always be updated. Perhaps, in these circumstances, new career chances appear for young professionals if they have completed courses on *nix and practice solving professional tasks on them.

But it is not worth hoping only for this. It is necessary to look at the changes not only globally, but also under the microscope, in a substantive way. It turns out that a confident knowledge of basic technologies is applicable in solving any problems.

A problem is a task for which there is not enough resource to solve. Information, money, people, time, will. Learn. Save money for courses and new hobbies. Work in an organization that generously allocates money for information security.

Update and supplement your social circle, appreciate colleagues, help each other. Do not waste time on minor matters, you will not do everything, do what is important. Got up – make the bed, this is the first thing that happens every day, the rest will catch up.
