In 2019, Capital One revealed a data breach affecting 100 million US customers and a further six million in Canada. That same year, almost two-thirds of small businesses in the UK – some 130,000 establishments – fell victim to some form of cyber crime. Meanwhile, in India, a mobile malware dubbed “Agent Smith” quickly infected about 25 million devices.
With his eye on this 2019 landscape, Bogdan Księżopolski launched CyberSkiller. He’d spent years teaching college students the ins and outs of cybersecurity, including as Cybersecurity Department Head at a Polish university, and had a PhD in Computer Science in his pocket.
The idea was to launch a platform that could remotely and fully train a new wave of cybersecurity specialists via hands-on exercises in a virtual lab. In this way, anyone could sign up and start learning cybersecurity from anywhere — all you’d need is a laptop and a WiFi connection.
The odds of getting a job after completing a program like CyberSkiller are extremely high right now: in Poland, there’s a shortage of about five thousand specialists, and this number will double to ten thousand next year. Internationally, the shortage is in the ballpark of 4 million unfilled roles and growing.
We spoke to Bogdan about launching CyberSkiller, what’s happening in the market, and what he thinks is really our greatest digital threat.
The hackers were out in force in 2019. What did you see in particular that galvanized you to start CyberSkiller?
The global digitization of the world is obvious, and IT systems have to be well-protected. But there are really no cybersecurity specialists on the market. I saw it during my lectures at university — almost everybody is interested in the topic, but only about 1% of the students go on to work in Cybersecurity.
I asked myself, why so few? The problem is that the universities do not really know how to teach Cybersecurity. They don’t have the infrastructure for hands-on exercises that would illustrate the problems, teach students about the real vulnerabilities of IT systems, and show the methods for protecting them.
— Bogdan Księżopolski
Theory is not enough, but in many cases universities leave it at just that or just do simple exercises. That is why we created CyberSkiller, a platform with hands-on exercises, which can be accessed anytime from anywhere.
How many students do you have on CyberSkiller?
We started our courses at two universities in Poland last year, and this past winter semester we had 100 students. Now in the summer semester, we’ll have 500 students. And, there are a few universities that are in the process of reviewing and also possibly rolling out our solution in Poland and Singapore.
What’s the most common misconception about cybersecurity?
Very few people understand what cybersecurity is. You might say that it’s cyberspace protection, but where is this cyberspace? I have the impression that cyberspace is like a Yeti — everyone has heard of it, but no one has seen it. So how can we protect something that we can’t point out?
Today cyberspace is everywhere, in every domain of our lives. For example, at home, your intelligent light bulb could allow unauthorized access to your home network. Your car could be opened without your permission by using a remote key system, and at work your sensitive data could be stolen just because you clicked a link. Or your computer data can be encrypted, and you’ll be asked to deposit money in the form of BTC, all because you clicked something in the email again. There are endless such examples.
To be able to protect yourself in cyberspace, you need to know where this cyberspace is, and we can only do it when we have contact with it — when we touch it. Of course, either we have to gain such knowledge and skills ourselves or we’ll need cybersecurity specialists who will know how to warn us and protect us.
What are the advantages of CyberSkiller for students and professors compared to other learning methods?
The main advantage is that CyberSkiller teaches practical cybersecurity. Why is this so important? Most cybersecurity education programs mainly teach theory. Of course, knowledge is needed, but without practical illustrations it is difficult to understand how things really work.
The problem with getting a practical education is that there is nowhere to practice — there is no infrastructure where you can examine the weaknesses of systems, where you can learn to use a variety of tools used for penetration tests. Such tests are actually nothing more than hacking, and you can’t do it on the Internet. It’s illegal.
— Bogdan Księżopolski
The second key difference is good quality educational videos showing how to solve the task, and also containing a theoretical discussion. I haven’t found anything similar on the market during my 20 years of experience in cybersecurity education.
How do you make sure all the learning resources are up to date in a fast-paced field like cybersecurity?
Cybersecurity is a field that is closely related to technologies and…people. Technologies really change quickly, but the principles of IT systems operation and their weaknesses are largely unchanged. The situation is similar with the people who support IT systems.
Awareness of society’s cybersecurity and habits are key in this area, and also remain largely unchanged. Understanding how IT systems work, how they are connected to each other, and what habits people have allows you to gain some intuition in this industry. This is good because getting basic knowledge and of course learning IT systems testing tools allows you to work in this industry for a long time.
Of course, some attacks do involve new technologies and new attack vectors. On the CyberSkiller team, we’re vigilant about this topic because the people who create our virtual laboratories are still on the front lines in the fight against hackers. To this end, we’re constantly adding materials to existing courses that address what is currently key. Sometimes we create shorter courses. For example, we are currently working on the topic of smart contracts in blockchain technology.
How will the cybersecurity job market change in the next five years?
Now, in the era of the COVID-19 pandemic, the demand for cybersecurity specialists will continue to increase significantly, and this will affect our cybersecurity and privacy since those jobs will go unfilled unless we train more specialists. Emerging IT systems will just not be sufficiently secured. I think cybersecurity education should be a priority today, and fortunately, in many countries that’s already becoming the case.
Okay, last question. In your opinion, what is the greatest threat to our cybersecurity?
In my opinion, it’s the lack of awareness about cybersecurity in society and the lack of specialists in the field. If we fail to equip society with this knowledge, then we’ll still be vulnerable to cyber threats.
Society must develop habits that will be the first level of protection. Good habits could reduce the effectiveness of cyber attacks by up to 50%. The question is how to increase such awareness? Currently, various methods are used, including company-wide trainings and social campaigns, but in my opinion, that’s not enough.
We need to start cybersecurity education much earlier. For example, today the first specialized courses are taught at the university level during the third year of study. The students we talked to say that’s definitely too late. A cybersecurity education should start at the high school or even the elementary school level. Of course, this must be done in an accessible way, so children and teens can pick up good habits. If we succeed there, then these habits and this vigilance will be transferred to adults.
***
Lightning round
1. MVP on your desk: Keyboard
2. Least secure popular app: A mobile banking app, but I won’t say which bank
3. Ideal # of teammates: It depends on the project, but I like 5-person groups
4. Last podcast you streamed: “How to Become a Cybersecurity Specialist?”
5. Favorite city: Barcelona*
*“There is the sea, Gaudi’s monuments, tapas, and you can go to an FC Barcelona game and see Messi in action. I think I could live there.”
***