The next generation of security professionals will need to know how computers work at a hardware and software level if they hope to combat hackers, according to James Lyne, global head of research at Sophos.
Lyne made the claim during a keynote speech at InfoSec 2015, arguing that the growing complexity of cyber attacks means that security professionals need a more robust knowledge of computing.
"I spend a lot of time talking to people at universities, businesses and the press. Doing this I've noticed a phenomenon in our community. We're an astonishing group of tech users, but tech has become far more black box than ever before," he said.
"Many remember the days when computing was hard and you'd have to work to get even a game working. But that's not the case anymore. The issue is that this leads to a lack of understanding of underlying computing principles."
Lyne explained that even security professionals may not understand how these background computer processes work.
"You can be a great security researcher or penetration tester without it, but we've missed an opportunity. It can make you a better researcher, penetration tester and defender," he said.
This would help security professionals react more quickly to mitigate cyber attacks, and let penetration testers spot exploits before the hackers, according to Lyne.
"Within weeks of practice and learning you can be opening up the Metasploit programme and understanding what is happening," he said.
"This isn't about becoming an exploit writer. This can be a valuable skill for us. Understanding attacks makes us better at incident response.
"As penetration testers we can do better than just relying on other people's tools, and start spotting problems before they are exploited."
Lyne said that this is a problem because improvements to computer systems' background security have forced hackers to become more sophisticated than ever, creating a disparity in skills between the white and black hat communities.
"Exploitation, the basic notion, is that through some operation you're able to trick a computer to ignore the normal parameters of execution to do your bidding. This could be denial of service or exploitation of code," he said.
"This used to be woefully simple. You could just go about modifying memory and there was little to stop you. A large portion of the security industry came about because Microsoft made horrible decisions that allowed manipulation of memory.
"But today they've done a great job putting in mitigations. This started with Windows XP SP2 with Data Execution Prevention. Modern exploitation now requires special concepts."
Lyne's comments follow widespread reports of a cyber skills shortage, the tackling of which has long been a goal of the UK government with its Cyber Security Strategy.
The government has launched several initiatives to identify and recruit next-generation white hats from non-typical sources. These include the Cyber Security Challenge and the Cyber First recruitment programme.
GCHQ ran its first open recruitment drive for skilled cyber professionals in May in a bid to overcome the skills deficit.
The Oxford, Cambridge and RSA examination board, meanwhile, has pitched a revamped computer science GCSE curriculum that places cyber security at its core.
Lyne told V3 that he hopes the curriculum will lay the groundwork for universities to start training IT students in security alongside background computing architecture.
"I have met people who have been professionals in security for 10 years but don't know any [background computing processes], and penetration testers who don't know how to do anything but use automated tools to create scripts," he said.
"Enterprises are moving past this via things like automation. If you can have the knowledge as a penetration tester to know how exploits work, you can do more to help mitigate damage before the bad guys even know the possibility is there."
Growing the UK cyber industry is a central goal of the newly elected Conservative government.