I see entry level security skills as a problem for industry - what can we do about it?

One of the things I've been most impressed by in the last few years is the new focus on security as being a balance between cost and risk. A security solution should not be implemented if the cost exceeds the risk of exploit, and both costs and risks can be hard to diagnose.

The thing I like most about this core concept is that it basically mandates the idea that there is no "one size fits all" solution. Designing security is as much a craft as designing a solution or a piece of software. It offers a middle ground between (1) clueless and (2) nazi.

When presenting it to an audience new to security, I like to put it out there as a challenge - the challenge is making something that is secure within reason for the functionality it must provide to meet its goal. Geeks like puzzles and this is a pretty cool puzzle when you get down to it.

If I had all the funding and time I could wish for, I'd craft a security concentration for both undergrad and grad programs that introduced security topics as a set of puzzles. I'd start with "what was the problem that caused this technology to be used?", and then "how does the technology work?" and "what problems can it cause?"

As far as the questions go:

What do you see students and graduates interested in?

They want meaningful work and a chance at a good job in the industry. I think security can be presented as both things. If you view security not as saying "no" all the time, but as coming up with clever solutions that let people get their jobs done efficiently but with little risk to the business, then I think the work is exceedingly meaningful. Also, I've never lacked for a job as a security nerd, so I'm always glad to speak from personal experience on that one.

What would work in your company / university / organisation?

I'm probably an outlier - I work for a defense contractor. Security is such a part of our corporate culture that I have problems envisioning the world without it. The thing I find most often, though, is that geeks suck at rote process - and there are a LOT of aspects of security (especially physical security) that require slavish adherence to security details. To a point, I can motivate people to figure out ways to "engineer-proof" things - for example - "what can you do to make sure that you lock up the secure thing in the big metal safe at the end of the night?" Sometimes folks come up with really creative solutions.

What is the biggest win for you?

Personally, I love the challenge. I like making secure things work, and security is an added part of the fun. I also really, really like seeing the light come on for newer engineers when they start thinking like a security nerd. And one of the things I like about my corporate culture is that helping other people to think through security for themselves is a big part of the job and the social contract.

What are you fed up with hearing about?

I'm a little fed up with being told the rules are "stupid". They may be tedious, but if you think they are stupid, then you generally aren't seeing a big enough picture.

Sadly, on the other end, I'm also tired of being told that the mandates of a highly secure working environment mean that someone can't move quickly. Secure does not equal slow, especially not when I wonder if the only reason for slowness is red tape.


Well I certainly can tell my share of the "student ethos" because I too did not care (or did not care enough) about security. Add the fact that I was a bit more involved in security than my student friends, and you can tell where this is going.

The main problem I had was simply that at school, you are told how stuff works and how you ought to do it performance-wise. What you don't get told is what you should never do security-wise. Also the course is so tight that you are actually jumping around to cover as much as possible but without really getting into a subject.

At school we did some projects for our final diploma but you only get rated on time planning, project completion and working state. Never are you rated on security issues. Your project could be susceptible to even the most primitive SQL-Injection or XSS attempts and you could still get a full 60 points out of 60 (or 1, or A+ depending on your country).

So I think that the problem lies not only in the common disinterest of the student, but also because schools don't show the student WHY it is important and how to use all the great security stuff that was invented for a better cyber-world. I think there is a LOT of room for improvement.


Usually a presentation from the Security Response Team of a company captures the audience whether it is made up of students, management or developers.

It has proven to be quite efficient (it was based on an informal initiative) in telling different stories. Some of these stories focused on some angry developers who left back doors, others on some innocent "no one will exploit that!" or... and of course you will have to show how these different cases actually end up being reported by security professionals and how many person-months were required to fix the issues.

Having told those stories, you can present the exploit and then teach them that weak code does not disappear, and then you introduce the secure programming or threat analysis or...