What's Behind the Cybersecurity Jobs Shortage? (medium.com)
In 1999 cybersecurity pundit Bruce Schneier answered questions from Slashdot's readers.
24 years later on his personal blog, Schneier is still offering his insights. Last month Schneier said that warnings about millions of vacant cybersecurity positions around the world "never made sense to me" — and then shared this alternate theory. From the blog of cybersecurity professional Ben Rothke: [T]here is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp....
In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.
Rothke's post offers two conclusions:
- "Human resources needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."
- "So is there really an information security jobs crisis? Yes, but not in the way most people portray it to be."
A thankless job (Score:4, Informative)
The security specialists I've worked with don't think it is a good job.
The company will be unwilling to take appropriate measures to keep software up to date and deploy protectives. Employees routinely get their credentials filched by commonplace phishing attacks. You are going to find out that your infrastructure has been infiltrated and people will blame you. It isn't the kind of work that a person with a lot of knowledge about computer science will aspire to.
Re:A thankless job (Score:5, Informative)
Most security experts are supposed to keep up on the latest threats and recommend / oversee implementation of countermeasures to minimize those threats and keep management apprised of the probability and severity of potential issues. It's almost more clerical than technical, though obviously without technical competence you can't do it properly.
The ones who really impress me are the proactive ones who find threats before the swarms of malicious hackers around the world - many state-funded - and provide fixes.
Re: (Score:2)
It's almost more clerical than technical
CISO is a management-level position and is largely a management function. Knowing the tech stuff helps a lot, but I've seen good CISOs who are by no means technical experts in security. The same way the department lead doesn't need to know the ins and outs of whatever his department does - his job is leading people, managing projects and budgets, etc.
Re:A thankless job (Score:5, Insightful)
I've never had a good manager who wasn't competent in the area he was managing. Not one. (Well, I'm only talking about a sample size of about 5, but still....)
People selling management training claim that this knowledge isn't necessary, but I don't believe them. It *IS* true that a good manager requires lots of management skills, but that's definitely not all they need.
Re: (Score:3)
It's definitely both. Technical and management skill sets don't overlap in most people, and for large enough projects the management skills are more important than the technical... but if the technical are there too it's just so much easier for everyone.
When you have a technically adept manager, you don't have to choose between teaching them everything as you bring issues to their attention, or having them guess which issues brought to them are actually the most important. A non-technical manager turns a
Re:A thankless job (Score:4, Insightful)
The same way the department lead doesn't need to know the ins and outs of whatever his department does - his job is leading people, managing projects and budgets, etc.
Probably why half of them get led off cliffs or down deep dark holes that have no end until projects get cancelled when they cost so much because the people leading have no idea what the fuck they are doing.
Re: (Score:3)
Well, it gets better. At least in certain companies. Our CISO only half-joked lately when he said he wants a rubber stamp reading "For Security Reasons" because it's the fast pass to approval.
But yeah, most of what you said still holds true for many companies.
Re: (Score:3)
It isn't the kind of work that a person with a lot of knowledge about computer science
Is cyber security (outside of research) really a career area that any people in CS aspire to? It seems more aligned to something like information systems. I'm not sure understanding big-O notation, or the merits of DFS vs BFS in tree searches, or parsing complex grammars helps much in the cybersecurity space.
There is shortage of pay (Score:5, Insightful)
Re:There is shortage of pay (Score:4, Informative)
When I was in my 20s, I'd sleep on the floor of the client's office if I couldn't stay awake 48hrs straight. I'd bring a laptop with me on vacation and ignore my wife to finish up a project.
I am no longer in my 20s, and I am done with that shit. The things I learned were valuable, but I could have done that in other ways than sacrificing my life to the company - and it wasn't that I worked for a brutal employer, it was all self-motivated stuff.
Now I want to go home at the end of the day and forget about work until I'm back on the clock. I just barely tolerate being in the on-call rotation. I still want to do my best for the client, but my best efforts are contained within my scheduled working hours, as they should be.
You could not pay me enough to work like I did when I was younger. And I don't think a decent manager should let someone do it voluntarily, either.
Re: (Score:2)
Re: There is shortage of pay (Score:5, Funny)
Sadly, my landlord doesn't take glamor as payment.
Re: There is shortage of pay (Score:2)
Pays well too, at least in my own experience.
But you can avoid the SOC thing (I did) by being an analyst in another domain first. After being a network engineer for 2.5 years I switched to being an IAM analyst, and of my own accord picked up a lot of software development skills, basically for the purpose of automating my own job simply because I hated doing the same crap over and over again, and not because somebody asked me to. After two years of being analyst I was promoted to security engineer (though I
Re: (Score:2)
Maybe so, but why would I want to do a "grunt job" with the associated work hours and stress when I am already an established admin?
And you pretty much have to be an established admin to be considered for that position, because security is the "and then on top of that" game.
I.e. "if you want to do security for a network, you have to be a network admin and then do security on top of that".
Re: There is shortage of pay (Score:2)
Because if you're good enough at security you won't be doing the repetitive stuff for very long. It took me about a year, though I would have moved past it even sooner than that if I hadn't gotten sick that year (had an event that took me out of work for two months) which caused me to miss a lateral move.
Re: (Score:2)
How do I answer that without stepping on the toes of a coworker... well, some are happy with that position. I couldn't and wouldn't. Then again, I never had it, when I started, the whole industry didn't really exist and SOC was something you put on a foot when it gets cold...
The thing is, not everyone is cut out for that work. That's not to put anyone down or to belittle "mere" network and OS admins or container solution managers, but the problem is, if you want to be good at security, it will take over you
Re: (Score:3)
Hell, taking my current job was a big risk in and of itself. I was already at a job where they really needed me so it had great security
Sorry for latching on this little part of that long reply, but there was little I could say to the rest that isn't just "yeah, I get what you mean", but this right there is the kernel of the shortage problem.
The people you really need in security are exactly the people that already have a pretty stable career going that you'd now ask to abandon this and risk it all for a big "maybe" in a completely different field that they may or may not like and be able to do.
Re: (Score:2)
Head over to hackthebox.com, pass an OSCP, wave it in front of companies hiring.
Yes, it's that "easy".
Re: There is shortage of pay (Score:2)
None of the security hiring managers I've run across seem terribly interested in certs for all but the most entry level roles. Having a CISSP literally did me no favors to get my current job.
Re: (Score:2)
A CISSP is not a certificate to open a door. Unless you want the door to the CISO office to open. That's a certificate you will very likely want to show off when you're trying to land a CISO position, not one in a SOC.
The OSCP would probably also not help a lot if you want to work in a SOC, it's more something you want to show off if you want to become a pentester. There are different certifications for the different security positions a company needs. I mean, you wouldn't want to get a CCNA to get a progra
Re: (Score:3)
A CISSP is not a certificate to open a door. Unless you want the door to the CISO office to open. That's a certificate you will very likely want to show off when you're trying to land a CISO position, not one in a SOC.
That's nice considering I've never worked in a SOC. In fact, I actually had a cert that was more aimed at working in a SOC (namely the CCNA Cyber Ops cert, and no, that's not a networking cert) prior to starting infosec, and that also didn't help me either.
And while the CISSP is more of a managerial cert, there are actually a lot of concepts that I apply to the engineering role, namely when I advise the governance teams on what kind of policies they should adopt. They often claim that their policies follow
Re: (Score:2)
As I noted in the article, most HR generalists don’t know how to hire information security people.
Often the one thing they can use as a qualifier are certifications.
To which many people have been asked: Are you CISSP?
Reasonable assessment (Score:2)
Every time I meet one of these security experts, I ask them the same question. What kinds of problems do they solve? I've never gotten a straight answer. They know the lingo, but don't seem to know the engineering.
Re: (Score:3)
What answer would satisfy you?
Re: (Score:2)
This is not too surprising, since it takes a lot of skill to evaluate the quality of a security product (hello, Lastpass, although a quick search of "Lastpass vuln" should tell you everything you need to know, that's skill), but any executive can be impressed by the slickness of an advertisement. Gotta get that Intel stuff inside my c
Re: (Score:3)
This is sadly not wrong.
I worked in malware analysis and anti-malware development for a while. Our boss routinely said "we don't say a bad word about the competition. If someone asks what you think about Norton, tell them you like the box art".
Re:Reasonable assessment (Score:5, Informative)
The power of marketing is real.
I've been the external security expert at a number of fairly big tenders. Some of the slick presentations I've seen - man, I wish my presentations were half as good as those. They really, really, did sell their product well. And they weren't even lying, they were just experts at presenting what they had to offer in the best possible light and it does make such a difference in your impression. Took quite a bit of work to cut through that and come to a mostly objective estimate of the actual product quality.
tl;dr: If you have a great product, do and spend a shitload of money on marketing. Because the inferior products all do.
Re: (Score:2)
Any direct answer. For fuck's sake, I have security stories and I don't claim to be an expert.
Re: (Score:2)
That's essentially what I'm asking: What does a 'straight answer' look like to you? It's a very broad question, after all.
Re:Reasonable assessment (Score:4, Interesting)
The problem is that my job description has nothing to do with my everyday work life. Also, it's like asking "the computer guy" what problems they solve. It depends highly on what kind of field they work in.
So what problem do I solve? Well, if you ask the people I work for they'd say I don't solve problems, I create them. And yes, part of my job is to tell them to fix something, so I create problems for them. My job is to find security gaps in our systems, point out what they are, assess the severity, recommend ways to fix them and supervise that these fixes are implemented and that they are sufficient to take care of the problem at hand.
You could say the problem I solve is the problem you'd have if someone with nefarious intentions found that problem instead of me.
Re: (Score:2)
You could say the problem I solve is the problem you'd have if someone with nefarious intentions found that problem instead of me.
Reminds me of a billboard advertising a cybersecurity company: "Call us before you need us"
Paper pushers. (Score:5, Informative)
Checking the boxes to make the sale (Score:2)
Re: (Score:2)
Re: (Score:2)
That’s precisely the point. See what I wrote in:
The continued fallacy of the information security skill shortage
https://brothke.medium.com/the... [medium.com]
To which I have never encountered a single company that paid market rates, that had trouble finding good information security people.
Re: (Score:2)
In management? Yeah. They have the requirement "one pentest per product per year" and they will get one pentest per product per year. Check. They don't give a rat's ass whether you find something, if anything, they'll hire the worst company that doesn't find jack shit because that way they don't have to fix anything.
If you are good you will hate the job (Score:5, Informative)
1) list what you need to secure
2) list who might want it, how they might use it, what tools and access they might have, how motivated they are
3) list how they might get it
4) provide mitigations
5) prove 4 prevents 3
Most companies I worked at skipped step 1 and went straight to step 4. So you might have secure software but leave some pretty obvious things insecure. Or have something one department assumed was very secure while other departments knew it was completely untrusted data. It makes for a completely thankless job.
Here is an example. The certificates in UK smart meters are signed by Certicom. The certificates have a meet in the middle hash attack vulnerability that is prevented by having a random field, called the index number, in the certificate. Certicom generates the index number. No one told them it was supposed to be random thus the meet in the middle attack is trivial to implement.
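The five steps above are easy to list and easy to skip. As an added example (not code from the thread or from any company mentioned in it), here is a small checker that encodes a threat model as data and reports exactly the gaps the comment describes: assets nobody wrote an attack path for, paths against assets that were never inventoried, and mitigations that were bought first and map to no listed path. The assets, actors, paths and mitigations are constructed for illustration.

```python
"""Toy threat-model consistency checker for the five-step procedure above.

Added example, not code from the thread or any named company; the assets,
actors, attack paths and mitigations below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class AttackPath:
    """Step 3: one way a given actor might get at a given asset."""
    id: str
    asset: str
    actor: str
    method: str


@dataclass
class Mitigation:
    """Step 4, with step 5 made explicit: the paths this control claims to block."""
    id: str
    description: str
    blocks: set = field(default_factory=set)


@dataclass
class ThreatModel:
    assets: set          # step 1: what needs securing
    actors: dict         # step 2: actor -> motivation / access notes
    paths: list          # step 3
    mitigations: list    # step 4 (+5 via Mitigation.blocks)

    def check(self) -> dict:
        """Return the gaps a reviewer would flag, keyed by gap type."""
        path_ids = {p.id for p in self.paths}
        covered = set().union(*(m.blocks for m in self.mitigations))
        return {
            # inventoried asset nobody wrote an attack path for (step 3 incomplete)
            "assets_without_paths": sorted(self.assets - {p.asset for p in self.paths}),
            # attack path on something missing from the inventory (step 1 skipped)
            "paths_on_unlisted_assets": sorted(p.id for p in self.paths if p.asset not in self.assets),
            # attack path by an actor nobody profiled (step 2 skipped)
            "paths_with_unknown_actors": sorted(p.id for p in self.paths if p.actor not in self.actors),
            # step 5 fails: no control claims to prevent these paths
            "unmitigated_paths": sorted(path_ids - covered),
            # control that maps to no listed path: "went straight to step 4"
            "mitigations_without_paths": sorted(m.id for m in self.mitigations if not m.blocks & path_ids),
            # control that claims to block a path that is not in the model
            "dangling_claims": sorted(m.id for m in self.mitigations if m.blocks - path_ids),
        }


def sample_model() -> ThreatModel:
    """Constructed example with one inventory gap and one orphan mitigation."""
    return ThreatModel(
        assets={"customer_db", "billing_api", "build_server"},
        actors={"external_criminal": "financially motivated, internet access only",
                "insider_dev": "repo write access, moderately motivated"},
        paths=[
            AttackPath("P1", "customer_db", "external_criminal", "SQL injection via billing_api"),
            AttackPath("P2", "build_server", "insider_dev", "malicious CI step reads the signing key"),
            AttackPath("P3", "hr_portal", "external_criminal", "credential stuffing"),  # asset never inventoried
        ],
        mitigations=[
            Mitigation("M1", "parameterised queries in billing_api", {"P1"}),
            Mitigation("M2", "WAF in front of public sites", set()),   # bought first, mapped to nothing
            Mitigation("M3", "CI secrets scoped per pipeline", {"P2"}),
        ],
    )


def report(model: ThreatModel) -> str:
    """Human-readable list of non-empty gap categories."""
    lines = [f"{key}: {', '.join(ids)}" for key, ids in model.check().items() if ids]
    return "\n".join(lines) if lines else "no gaps found"


if __name__ == "__main__":
    print(report(sample_model()))
```

The point of making `Mitigation.blocks` explicit is that step 5 ("prove 4 prevents 3") becomes a mechanical question: a control with an empty `blocks` set is a purchase, not a mitigation, until someone names the path it closes.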
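The certificate story turns on one design rule: the field that is supposed to defeat precomputed hash collisions only works if the CA picks it, picks it at random, and places it ahead of everything the requester controls. The following toy, added here and not the thread's code or the real smart-meter certificate format, makes that concrete with a hash truncated to 24 bits so the generic birthday search finishes instantly; all names, the byte layout and the CA key are constructed. With a full-size hash the search is infeasible, but the comparison between a counter and a random index is the same.

```python
"""Toy: why the random field in a certificate must be chosen by the CA, at random.

Added example, not the thread's code and not the real smart-meter certificate
format; the 24-bit truncated hash and every name here are constructed so the
collision search finishes in milliseconds.
"""
import hashlib
import hmac
import secrets

HASH_BYTES = 3                       # 24-bit toy digest: birthday search ~4k tries
CA_KEY = b"constructed-ca-key"       # stands in for the CA's private signing key


def toy_hash(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:HASH_BYTES]


def tbs(index: bytes, subject: bytes, pubkey: bytes) -> bytes:
    """Bytes the CA hashes and signs. `index` is the CA-controlled field that
    sits in front of everything the requester controls."""
    return index + b"|" + subject + b"|" + pubkey


def ca_sign(index: bytes, subject: bytes, pubkey: bytes) -> bytes:
    return hmac.new(CA_KEY, toy_hash(tbs(index, subject, pubkey)), "sha256").digest()


def ca_verify(index: bytes, subject: bytes, pubkey: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(ca_sign(index, subject, pubkey), sig)


def precompute_collision(index: bytes, benign: bytes, target: bytes):
    """Requester's offline step, done BEFORE asking the CA for anything: assuming
    `index` is known, find key fields kb, kt such that the benign and the target
    certificate bodies hash identically (generic birthday search)."""
    seen_benign, seen_target = {}, {}
    while True:
        k = secrets.token_bytes(8)
        hb = toy_hash(tbs(index, benign, k))
        ht = toy_hash(tbs(index, target, k))
        if hb in seen_target:
            return k, seen_target[hb]
        if ht in seen_benign:
            return seen_benign[ht], k
        seen_benign[hb] = k
        seen_target[ht] = k


class IssuingCA:
    """random_index=False reproduces the failure described above (a counter
    anyone can predict); True is the intended design."""

    def __init__(self, random_index: bool):
        self.random_index = random_index
        self.counter = 0

    def next_index(self) -> bytes:
        if self.random_index:
            return secrets.token_bytes(8)
        self.counter += 1
        return self.counter.to_bytes(8, "big")

    def issue(self, subject: bytes, pubkey: bytes):
        index = self.next_index()
        return index, ca_sign(index, subject, pubkey)


def forgery_succeeds(random_index: bool) -> bool:
    """Does the signature on a legitimately issued benign certificate also
    verify over the precomputed target certificate?"""
    ca = IssuingCA(random_index)
    benign, target = b"CN=requester-device", b"CN=operator-head-end"
    expected_index = (ca.counter + 1).to_bytes(8, "big")   # right only if predictable
    kb, kt = precompute_collision(expected_index, benign, target)
    index, sig = ca.issue(benign, kb)
    return ca_verify(index, target, kt, sig)


if __name__ == "__main__":
    print("predictable index, forgery verifies:", forgery_succeeds(False))
    print("random index,      forgery verifies:", forgery_succeeds(True))
```

The check a defender wants from this is the second line of output: once the CA draws `index` from a CSPRNG after the request arrives, the pair precomputed against a guessed index no longer collides, so the legitimately obtained signature does not carry over to the target body. Nothing about the requester's computation changed; only who chose the index, and when.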
Re: (Score:2)
From the point of a security engineer, security in a company will always be crap. The only question is whether it's good enough.
From my experience as a consultant, I can tell you what you did there already beats at least 90% of the industry when it comes to security handling. The other 10% are finance and banking.
Re: (Score:2)
More than I can explain... (Score:4, Interesting)
My position of 5 years was just shit canned 2 weeks ago due to a slowing economy brought on by high interest rates and reluctant consumer spending. So far I've applied for 12 high level cybersecurity positions and have only heard back from one of them, so it makes me wonder if these open positions are just sitting open to justify H1B visas. I'm no spring chicken, worked in the industry since 1998 and directly in cybersecurity for over a decade. I also wonder if ageism is starting to come into play since anyone with half a brain can figure out my rough age based on years of experience.
Re: (Score:2)
If you look youthful you can shave 5-10 years off your age by leaving off the dates of your college and dropping the oldest work experience off your resume. Only the last 10 years are going to be interesting to the employer anyway.
Re: (Score:2)
Cost center fall guys, not profit center... (Score:5, Insightful)
Security only costs money. It doesn't make companies any money. Insisting on secure code disrupts release schedules. Security engineers have essentially no actual power. Salaries are below average. Companies hire as few security engineers as they possibly can get away with. I see tons of job openings for sales-oriented "solutions architects" out there. Very few security-related jobs. Nearly all of them just terrible.
Security engineers, credentialed or not, are the "Mall Cops" of the software world. Not because they're dumb - just that they're disrespected.
Re: (Score:3)
Security only costs money. It doesn't make companies any money. Insisting on secure code disrupts release schedules. Security engineers have essentially no actual power. Salaries are below average. Companies hire as few security engineers as they possibly can get away with. I see tons of job openings for sales-oriented "solutions architects" out there. Very few security-related jobs. Nearly all of them just terrible.
Security engineers, credentialed or not, are the "Mall Cops" of the software world. Not because they're dumb - just that they're disrespected.
It was bad enough when the tents were a solid 75 yards away from the row of outhouses 30 long. Distance it seems was the best way to mitigate the smell. Users of said toilets kept throwing water bottles down the hole. Pump trucks would show up and blow head gaskets trying to clean the outhouses because the water bottle just happened to be the exact size of the hose. Boom-chug-chug...chug. There goes another one.
Problems pile up quite deep when the respect stops coming. Like the trucks did for a while.
Re: (Score:2)
Security only costs money. It doesn't make companies any money.
I couldn't disagree more.
Take encryption as a trivial example. That's a security feature, right? Now try to imagine online banking, e-commerce or e-government without TLS. Now try to tell me those things don't make (or save) money.
Re: Cost center fall guys, not profit center... (Score:5, Insightful)
They do not directly make money. Just like the electric bill costs money, but indirectly enables TLS.
When you are counting beans, you don't take into account (ha ha) any complexity. A solid gold bean is interchangeable with a rotting disease-filled bean.
Re: (Score:2)
Like testers, and support, and IT, and...
Except those guys at the top. THEY earn their money
Re: (Score:2)
Re: (Score:2)
If any company was going under for a security breach it would have been Target or Sony. But as you note, no one really cares.
Re: Cost center fall guys, not profit center... (Score:2)
Target estimated that the cost of the breach was $200-300M. It didn't bankrupt them, but it was plenty painful.
Re: (Score:2)
Re: (Score:2)
Likely similar to calculations for music and software piracy loss where they count every download as a lost sale which is ridiculous.
Re: (Score:2)
The ROI of security is your goodwill and the fact that you don't have to pay fines out the ass and spend days recovering from a meltdown.
And if you say that won't happen, why do you have insurance against various other catastrophes that may affect you?
Re: (Score:2)
The problem is that when faced with the possibility of paying fines and spending days doing recovery, a lot of companies only see the certainty of money lost paying for proper security to begin with. It's kind of like Alaska Flight 261 - the airline deliberately chose to skimp on maintenance and save those costs because a crash was considered a "meh, it'll never happen" event.
Re: (Score:2)
The question is, would you actually bet your company on that?
There is no shortage. (Score:4, Interesting)
It's a lack of culture. We all know this, we just haven't come to regularly spell it out for the uninformed. Yet.
A project lead who can barely tell a client from a server or stateful from stateless, let alone explain what a user account is and what you actually need it for is still a very common thing. Such a person couldn't tell an expert in auth/auth and encryption from some clueless n00b who can barely design a UI and can't go beyond clicking together some prohibitively shitty WordPress plugins. He thus will pick the latter because he's cheaper and doesn't make these annoying demands that we must do best practices and "decouple auth auth", whatever that is.
Today's IT generally is ruled by people who are at the level of some primitive jungle tribe thinking they can make reasonable decisions on how a highway bridge must be built. The results are the exact equivalent of those empty super-scary "leaves you speechless" 50 story apartment buildings in China where the walls break when you pick at them with a fork.
It's a lack of culture. And until the idiots with a degree who lead IT projects but don't even know how to use the clipboard are prohibited from touching a keyboard before they've got their basic computer drivers license this idiotic bullshit will continue.
The name for that is "Cargo Cult IT" and it's only getting worse.
Re:There is no shortage. (Score:5, Interesting)
We recently had to pentest a project with an atrocious session handling problem. Really, it felt like testing the DVWA. Almost every single mistake you could make, security-wise, in your webpage was in there. When I confronted the "developer" (I'll use the term loosely here), I quickly noticed that he doesn't really understand a lot about web development and it eventually turned out that he frankensteined together the page from SO answers, with very little understanding what the hell was going on.
How that guy cheated his way through the hiring process is beyond me. But hey, in the kingdom of the blind, the one eyed is king and if HR does the hiring, the person who can throw some buzzwords at a computer illiterate gets the job.
Cargo-cult programming is a huge security issue. Because answers at SO generally don't give a fuck about security, what matters is that "it works".
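What "every session-handling mistake" looks like next to the boring correct version, as an added example (not the pentested project's code or anything from the thread): the first class is the shape of a typical copy-pasted answer that "works", the second applies the usual controls (CSPRNG ids, rotation on login, idle and absolute expiry, cookie attributes). The in-memory store, names, timeouts and the `neighbour_ids_resolve` reviewer check are all constructed for this illustration.

```python
"""Two session handlers side by side: the copy-pasted kind and a hardened one.

Added example, not code from the thread or the project it describes; the store
is an in-memory dict and every name, timeout and cookie value is constructed.
"""
import secrets
import time


class CargoCultSessions:
    """The 'it works' version: counter ids, no expiry, no cookie attributes."""

    def __init__(self):
        self.next_id = 1000
        self.sessions = {}

    def login(self, user: str):
        sid = str(self.next_id)
        self.next_id += 1
        self.sessions[sid] = user
        return sid, {"name": "sid", "value": sid}

    def user_for(self, sid: str):
        return self.sessions.get(sid)


class HardenedSessions:
    IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
    ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap regardless of activity

    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}        # sid -> {"user", "created", "last_seen"}

    def _create(self, user):
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        now = self.clock()
        self.sessions[sid] = {"user": user, "created": now, "last_seen": now}
        return sid

    def anonymous(self) -> str:
        """Pre-authentication session (a basket, a language preference)."""
        return self._create(None)

    def login(self, user: str, old_sid=None):
        # Rotate on privilege change: whatever id the client held before login is
        # discarded, so an id planted before authentication never becomes an
        # authenticated one.
        self.sessions.pop(old_sid, None)
        sid = self._create(user)
        cookie = {"name": "__Host-sid", "value": sid, "Secure": True,
                  "HttpOnly": True, "SameSite": "Lax", "Path": "/"}
        return sid, cookie

    def user_for(self, sid: str):
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if now - s["last_seen"] > self.IDLE_TIMEOUT or now - s["created"] > self.ABSOLUTE_TIMEOUT:
            del self.sessions[sid]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid: str):
        self.sessions.pop(sid, None)


def neighbour_ids_resolve(store, sid: str) -> bool:
    """Reviewer's check: given one valid id, do the adjacent integers also
    resolve to someone's session? True means ids are enumerable."""
    try:
        n = int(sid)
    except ValueError:
        return False
    return any(store.user_for(str(n + d)) is not None for d in (-1, 1))


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    weak = CargoCultSessions()
    a, _ = weak.login("alice")
    weak.login("bob")
    print("weak ids enumerable:", neighbour_ids_resolve(weak, a))

    clock = FakeClock()
    hard = HardenedSessions(clock)
    pre = hard.anonymous()
    sid, cookie = hard.login("alice", old_sid=pre)
    print("old id still valid after login:", pre in hard.sessions)
    clock.t += 16 * 60
    print("user after 16 idle minutes:", hard.user_for(sid))
```

The clock is injected rather than read from `time.time()` directly so the expiry branch can be tested deterministically; that is also the branch most often missing from copy-pasted handlers, because nothing visibly breaks when a session never expires.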
Re: (Score:2)
You want "every single mistake that could be made"? Look at that cloud certificate MS has recently stolen: All of Azure open to the attacker because they made every stupid security mistake possible. The rot goes deep enough that in many cases the patient cannot be saved anymore.
As to Cargo-cult coding, I expect that Artificial Idiocy will only make that one much worse.
Re: (Score:2)
That wasn't every possible mistake that could be made, that was just one single really big one. :)
And AI will only make my job easier and way, way more fun.
Re: (Score:2)
From my own experience, another problem is the Dunning-Kruger effect. Lots of otherwise competent folks think, "I'm a good sysadmin, there's not much to this security stuff". Too many people in IT are unwilling to admit they don't know everything, and if they do, it's often not accepted as a valid answer and they're told to do the work anyway.
Re: (Score:2)
Indeed. Can also be nicely observed here on /., time and again.
Re: There is no shortage. (Score:2)
I'd assume that many people here are like me in that their slashdot personality is much different from their work personality.
Though I could name a few names, like rsilvergun and his sidekick narcc, opportunist, the evil atheist, and a few others who have this incredibly distorted view of how the world works, which is usually accompanied by an incredible amount of defeatism, and I could see these guys having a hard time getting jobs even if their IRL personality is more mellow.
A few examples:
"They're just l
"Labor shortages" are usually industry lies. (Score:2)
Re:"Labor shortages" are usually industry lies. (Score:5, Interesting)
Well, in this particular case I happen to have some insight into the matter and ... it's both.
Yes, you're right, they don't want to pay more than absolutely necessary, but salaries aren't THAT bad either. We do get quite the money for what we do. I don't want to say that we're sorely underpaid. The problem is a very different one in this particular case, and it's nothing you can solve by outsourcing either. Not only because, well, do you want to outsource your security of all the things to a country that is potentially hostile to you, or one that has a track record of fake callcenters and scam artists?
The problem is that security is the endgame of IT. As a pentester, you're expected to not only know every technology out there, from various different databases to various different webservers, operating systems, programming languages (and the code the different compilers render because you're expected to disassemble and read it), container solutions (and the orchestration software various companies attached to them), cloud services (and I mean every single one of them out there, from Azure to Alibaba), esoteric programs, bells, whistles, hopes, dreams and whatever else some idiot project manager could dream up. You're also expected to know it better than the person who set it up and programmed it. You're expected to have a deeper understanding and know what the wiring under the board looks like, because that's where the potential security problems reside. To force an analogue, you're not just expected to know how to allocate memory dynamically and know "buffer overrun bad", you have to know why the buffer overrun is bad, how to spot it, how to exploit it and how to fix it.
For every single technology mentioned up there. Essentially, what they'd want from you is to know more about DB2 than IBM, more about Azure than Microsoft and more about OpenShift than anyone at RedHat.
And I don't mean "pick one". The expectation is ALL THREE. And then some.
As you might imagine, such people are rather rare.
Re: (Score:2)
The size of the company changes little, because larger size means more different technologies. What it does not mean is more personnel.
Re: (Score:3)
This
I actually am a security expert with a bit of reputation and a pretty good CV. I get regular calls from headhunters. By experience, my first question is the salary that is offered for that position, and in 90% of the cases, both the headhunter and I have a good laugh about that together and end the call there.
These 90% of companies are either not serious about security or they don't understand that the decade or two of experience you need to actually be an expert in a non-trivial field comes at a price
The Answer Lies in Show Business (Score:3, Insightful)
Look up the "high concept" pitch. "It's just like Game of Thrones, but with cartoon dinosaurs." That's the only way to present ideas to executives.
The reason this is necessary is because half the country is illiterate and the other half is wired up on psychotropic medications. They have neither the attention span nor the ability to emerge from the fog of Xanax and screwdrivers to truly understand anything.
Your boss' wife wears a mumu and works their waffle iron like the Tropicana slots. So he prefers to play slap and tickle with his college-age secretary. If the door to his office is closed it's because he is wearing nothing but black socks and a quart of Jergen's. That's the only thing he has the mental energy to comprehend.
Discussing cybersecurity with these people is like explaining linear algebra to a room full of golden retrievers. The job market is lost. It's never coming back. Right now America couldn't build dogshit if we crashed a dump truck full of scrambled eggs into a kennel.
That about cover it?
Supply and demand (Score:2)
In my experience so far... if you have experience in systems engineering, and software design and implementation, and attempt to get into security... and the security salaries are all way below what you would be offered if you stayed in those fields... it sends a strong signal that security is just for show:
1. They'd rather not spend the money hiring when it could be used on the feature side.
2. They have not empowered security to actually do anything, so they don't want to over-hire in that group (in terms
EU and NIS (Score:2)
Re: (Score:2)
Fun fact: ICT services management (business-to-business) is a critical sector. A ton of companies with any branch in the EU are going to be in for a nice surprise.
Re: (Score:2)
have a cybersecurity position
They'll do what countless companies with such a regulatory demand have done before:
1. Create a "CISO" role on paper
2. give it to someone who is low maintenance, won't cause any actual trouble or stir up anything
3. continue with business as usual
Re: (Score:2)
Re: (Score:2)
Not this time. There are real penalties in place. And the GDPR is starting to really get enforced and has more than a bit of overlap.
Re: (Score:2)
I predict it's gonna be filled the same way porn mags filled the "head editor" position.
Around here the "head editor" (kinda like the CEO) or porn mags were personally and criminally responsible for the content of the porn mag. If it was in any way forbidden (something that was essentially codified as "I know it when I see it" bull in the law), they went to jail. The idea of course was that nobody has the balls to actually issue any porn mags.
The solution? They hired street bums as the "head editor" who kne
Re: (Score:2)
Nice trick. I doubt it will work this time though. Not having a qualified person in that position could well make the board liable.
Re: (Score:2)
"Oh, we were lied to! He looked like the perfect candidate, hey, we're (insert industry here), not security, how should we have known that he's lying?"
Re: (Score:2)
Yeah, _that_ is going to work. Don't forget the regulators have heard it all and the only thing stopping them from acting was politics. The risks and damage from IT insecurity have gotten a bit too large for that to continue. On the other hand, politicians are generally the least trustworthy, most corrupt assholes. So who knows.
Re: (Score:2)
That one will get interesting, agreed. And at least in some countries "paper pushers" will not do it because they have finally understood how bad the risks are and how much productivity is lost every year.
Behind every Cybersecurity professional... (Score:2)
...is a management team hell-bent on half-ass supporting that business-critical effort.
While marketing freely enjoys justifying budgets on little more than clickbait hype, selling the needs of proper security is a different animal altogether. Even in a world that reinforces daily why executives should respect the risks being laid out by the very professionals they hired to protect them in the digital realm. Instead executives walk around with the bravery of that party drinker that hasn't wised up with a D
Re: (Score:3)
You can tell by looking at the org chart. Where does the CISO sit? If he's under the CEO, great. If he's under the CFO, not so great. If he's under the CIO, run. Run fast, run far.
Re: (Score:2)
You can tell by looking at the org chart. Where does the CISO sit? If he's under the CEO, great. If he's under the CFO, not so great. If he's under the CIO, run. Run fast, run far.
A CEO is needed in a company, since somebody's gotta lead. A CFO is often required. So is an identified "officer" or two of the company for regulatory purposes.
The CISO/CSO is often that optional executive that until the hack actually happens, is more viewed as a liability than an asset. Much like they view the non-revenue generating budget behind the position, sitting on the "wrong" side of corporate tax deductions. Splitting the executive bonus pool with that expensive department that doesn't "do much
Re: (Score:2)
This is why in certain companies here, C-Levels are personally (that means, with their own, private stash) responsible for security breaches if they can't show that they took reasonable steps to avoid it when a security breach happens.
CEOs tend to be way, way more happy to spend company money than to risk their private funds, it turned out.
Re: (Score:2)
Impressive. Sounds like a standard worth repeating and hopefully without the need for some nationalized effort like a union as the alternative.
The American CEO:worker bee pay inequity, would likely increase from 300:1 to 500:1 in response to such a personalized 'attack', and invent an entire market of cybersecurity insurance to handle any personal liability, with those policy costs provided by the newly sponsored Cybersecurity Payroll Protection Act, collected under "mandated fees" for select worker classe
Re: (Score:2)
There is considerable leeway for what constitutes a "reasonable step" to avoid it, and I don't know of a single case where someone actually had to put the crowbar to their own wallet, but it means that they can't just ignore it. Which is good enough.
All IT professionals should do security... (Score:4, Insightful)
What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp...
Yep. A lot of "cybersecurity specialists" are people who haven't got a clue about the systems they are testing. They have some port-tester and a couple of other tools that they know how to use, and that's it.
Every developer and programmer should be aware of cybersecurity issues. Just to name an example: as a profession, it is embarrassing that things like SQL injection still exist - much less as one of the biggest weaknesses out there. Anyone who writes SQL code should automatically write it in a way that avoids that vulnerability.
The same goes for other IT professions. For example, the people doing network engineering should know the vulnerabilities they need to avoid. That should be baked into their education.
In my first semester programming courses, I teach students that their data classes are responsible for the quality of their data: all attributes are private and setter-methods are paranoid. In my database lectures, they use PreparedStatements, with an explanation of why. In my web service lectures...well, you get the idea. I'm not any sort of security "expert", but this is basic stuff and needs to be treated as such.
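The contrast the comment describes, as an added example that is not code from the original post or from the poster: a lookup built by string concatenation beside the same lookup with a bound parameter, plus a "paranoid" input validator of the kind the comment wants in data classes. It uses Python's standard-library sqlite3 driver in place of Java's PreparedStatement; the table, the sample rows and the function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed in-memory table with two sample rows (not real data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    # Vulnerable: the caller's string is spliced into the SQL text, so any
    # quote characters it contains change the structure of the query.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, username):
    # Parameterized: the driver binds the value separately from the SQL text,
    # so the input is compared as data and never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


# Defence in depth: a data class that owns its own quality rejects anything
# that does not look like a username before it reaches the database layer.
_USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def validate_username(value):
    if not isinstance(value, str) or not _USERNAME_RE.fullmatch(value):
        raise ValueError("invalid username")
    return value


class User:
    def __init__(self, username):
        self._username = validate_username(username)

    @property
    def username(self):
        return self._username


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # constructed hostile input for the demo
    print(find_user_unsafe(db, probe))   # every row: the WHERE clause was rewritten
    print(find_user_safe(db, probe))     # []: no user literally has that name
```

The unsafe version returns every row for the probe string because the quote terminates the literal and the rest becomes part of the predicate; the parameterized version returns nothing because the whole string is compared as a value. The validator sits in front of both as a second layer, which is the "paranoid setter" idea from the comment.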
Re: (Score:3)
I'm not any sort of security "expert", but this is basic stuff and needs to be treated as such.
90% of security issues are software quality issues or user (interface) issues.
The remaining are the weird edge cases that involve hardware bugs, side-channels, timing attacks and other stuff that you'd have to be clairvoyant to know when making the thing.
Re: (Score:3)
As one such "cybersecurity specialist", let me tell you what it's like.
Around Thursday, you get the info that next week, you're gonna test an application written for a technology you have never even heard of. The reason you're doing it is that your manager thinks he remembers you once did a job some years ago with something that sounded like the technology.
So you spend the next weekend frantically trying to get as much information about that technology as you possibly can, you read whitepapers, you try to g
Re: (Score:2)
Every developer and programmer should be aware of cybersecurity issues.
Developers should naturally think defensively: How will this call fail? What action should it take in case it fails? What does it pass back to the caller? How should the system handle an abend? But too many don't give a shit. I have horror stories of a major blood testing system that didn't check returned error codes, and one case where I found that a key called function returned a particular value in all circumstances, which was a violation of all that is holy. When I brought it to the attention of
Re: (Score:2)
And you do all of those things, you really do your best, bottom to top, all the way through, then this happens:
https://www.theregister.com/20... [theregister.com]
Seems a little arrogant for an arm-chair "educator" to claim "a lot" of industry "haven't got a clue". All software has something unintended lurking inside.
competence (Score:2)
[T]here is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp....
Let me translate that:
There is no shortage of people who CLAIM to be "cybersecurity experts" and position themselves so no easy checks can show that they're full of shit. As soon as you go to the jobs that require ACTUAL expertise and experience, you find that real experts are hard to find.
Or, in other words: Same as in any other field that recruiters etc. sell as high-salary, hot market. I wouldn't even be surprised if it's the same people who every couple of years re-invent themselves as whatever expert i
Re: (Score:2)
Security is a very attractive field. Most of all, it's (currently) pretty well paid, at least for the select few super stars who actually bring a ton of experience to the table. So of course that's attractive. Much like medicine or law were in the past. You would see those star lawyers that rake in the millions and you say, "yeah, I want that!"
So people go out and try to figure out how to get into the industry. If they're smart, they'll do a 4 year college degree on security. If they're less smart, they do
The real problem (Score:2)
lack of entry level jobs (Score:2)
I got a degree in cybersecurity, then reality kicked in:
1) There are almost no entry level jobs. The ones that I saw were SOC jobs that paid terribly and most of them were on the graveyard shift.
2) The good jobs were not entry level and most of them required non-entry-level certs like CISSP
3) A lot of the good jobs were as contractors to US agencies which required special clearance which is only attainable by US citizens, therefore eliminating all foreign talent.
Needless to say, I had to switch careers.
need IT, CODING and more skills sounds like H1B (Score:2)
need IT, CODING and more skills sounds like H1B BS with a big list of skills at low pay so that only an H1B can fill the role.
can't do updates as that will / may mess up code (Score:2)
can't do updates as that will / may mess up code.
Lots of times with some software you can't do OS updates / update base libraries as they need to be tested and rolled out as part of the bigger update. So no auto OS updates and at other times a long wait for some updates to happen.
Re: New topic, same problem (Score:2)
Re: (Score:3)
Well, the shortage isn't exactly fake, but the GP has a point. Companies want the ready-to-use "product", and that product is already in use in another company. And they are not willing to pay for that "product" to come over to them.
That is a problem.
Then again, our company is indeed willing to train you, but we can't train you from scratch. And security is the end-game of IT. "entry level" here means you are already a good engineer, be it that you know networking, development or operating systems administr
Re: (Score:2)
If you think managers will let AI take their jobs, think again. AI is supposed to take your job, not theirs.
If AI could take any job it should, CEOs would already be a thing of the past. Actually, CEOs would have vanished with the invention of the magic-8-ball.
Re: (Score:2)
You are forgetting about the vacuity of manager-think. Managers frequently have managers. The managers on top are always looking over their flock of under-managers to pick out the ones most likely to threaten the upper-manager's job. The under-manager, to survive, needs to not present such a threat and somehow make their over-manager look good. If the over-manager figures a bot could replace even one of their under-managers, then s/he gets the bot and replaces the under-manager.
This brings the bot to the atte
Re: (Score:2)
OMG, it's managers all the way down...