Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security IT

What's Behind the Cybersecurity Jobs Shortage? (medium.com) 137

In 1999 cybersecurity pundit Bruce Schneier answered questions from Slashdot's readers.

24 years later on his personal blog, Schneier is still offering his insights. Last month Schneier said that warnings about millions of vacant cybersecurity positions around the world never made sense to me" — and then shared this alternate theory. From the blog of cybersecurity professional Ben Rothke: [T]here is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp....

In fact, security roles are often not considered entry-level at all. Hiring managers assume you have some other background, usually technical before you are ready for an entry-level security job. Without those specific skills, it is difficult for a candidate to break into the profession. Job seekers learn that entry-level often means at least two to three years of work experience in a related field.

Rothke's post offers two conclusions:
  • "Human resources needs to understand how to effectively hire information security professionals. Expecting an HR generalist to find information security specialists is a fruitless endeavor at best."
  • "So is there really an information security jobs crisis? Yes, but not in the way most people portray it to be."

This discussion has been archived. No new comments can be posted.

What's Behind the Cybersecurity Jobs Shortage?

Comments Filter:
  • A thankless job (Score:4, Informative)

    by ZipNada ( 10152669 ) on Saturday October 21, 2023 @10:50PM (#63942909)

    The security specialists I've worked with don't think it is a good job.

    The company will be unwilling to take appropriate measures to keep software up to date and deploy protectives. Employees routinely get their credentials filched by commonplace phishing attacks. You are going to find out that your infrastructure has been infiltrated and people will blame you. It isn't the kind of work that a person with a lot of knowledge about computer science will aspire to.

    • Re:A thankless job (Score:5, Informative)

      by Baron_Yam ( 643147 ) on Saturday October 21, 2023 @11:04PM (#63942927)

      Most security experts are supposed to keep up on the latest threats and recommend / oversee implementation of countermeasures to minimize those threats and keep management apprised of the probability and severity of potential issues. It's almost more clerical than technical, though obviously without technical competence you can't do it properly.

      The ones who really impress me are the proactive ones who find threats before the swarms of malicious hackers around the world - many state-funded - and provide fixes.

      • by Tom ( 822 )

        It's almost more clerical than technical

        CISO is a management-level position and is largely a management function. Knowing the tech stuff helps a lot, but I've seen good CISOs who are by no means technical experts in security. The same way the department lead doesn't need to know the ins and outs of whatever his department does - his job is leading people, managing projects and budgets, etc.

        • Re:A thankless job (Score:5, Insightful)

          by HiThere ( 15173 ) <[ten.knilhtrae] [ta] [nsxihselrahc]> on Sunday October 22, 2023 @08:17AM (#63943371)

          I've never had a good manager who wasn't competent in the area he was managing. Not one. (Well, I'm only talking about a sample size of about 5, but still....)

          People selling management training claim that this knowledge isn't necessary, but I don't believe them. It *IS* true that a good manager requires lots of management skills, but that's definitely not all they need.

          • It's definitely both. Technical and management skill sets don't overlap in most people, and for large enough projects the management skills are more important than the technical... but if the technical are there too it's just so much easier for everyone.

            When you have a technically adept manager, you don't have to choose between teaching them everything as you bring issues to their attention, or having them guess which issues brought to them are actually the most important. A non-technical manager turns a

        • Re:A thankless job (Score:4, Insightful)

          by stealth_finger ( 1809752 ) on Monday October 23, 2023 @09:32AM (#63945511)

          The same way the department lead doesn't need to know the ins and outs of whatever his department does - his job is leading people, managing projects and budgets, etc.

          Probably why half of them get lead off cliffs or down deep dark holes that have no end until projects get cancelled when they cost so much because the people leading have no idea what the fuck they are doing.

    • Well, it gets better. At least in certain companies. Our CISO only half-joked lately when he said, he wants a rubber-stamp reading "For Security Reasons" because it's the fast pass to approval.

      But yeah, most of what you said still holds true for many companies.

    • by hazem ( 472289 )

      It isn't the kind of work that a person with a lot of knowledge about computer science

      Is cyber security (outside of research) really a career area that any people in CS aspire to? It seems more aligned to something like information systems. I'm not sure understanding big-O notation, or the merits of DFS vs BFS in tree searches, or parsing complex grammars helps much in the cybersecurity space.

  • by sinij ( 911942 ) on Saturday October 21, 2023 @10:53PM (#63942913)
    Entry cybersecurity job usually means working at SOC. This involves putting out fires and often seriously encroaches on your personal life. Yet, you don't get paid more than people that go home on time and are not expected to be on call on weekends. So why would anyone want to switch from already established careers as sysadmin, coder, or crypto mathematician to go through all of that hassle? That why there is a shortage.
    • by Baron_Yam ( 643147 ) on Saturday October 21, 2023 @10:58PM (#63942919)

      When I was in my 20s, I'd sleep on the floor of the client's office if I couldn't stay awake 48hrs straight. I'd bring a laptop with me on vacation and ignore my wife to finish up a project.

      I am no longer in my 20s, and I am done with that shit. The things I learned were valuable, but I could have done that in other ways than sacrificing my life to the company - and it wasn't that I worked for a brutal employer, it was all self-motivated stuff.

      Now I want to go home at the end of the day and forget about work until I'm back on the clock. I just barely tolerate being in the on-call rotation. I still want to do my best for the client, but my best efforts are contained within my scheduled working hours, as they should be.

      You could not pay me enough to work like I did when I was younger. And I don't think a decent manager should let someone do it voluntarily, either.

    • by bjoast ( 1310293 )
      It's because low level SOC analysts are easy to find. They don't have to have a computer science background or even know that much about how a computer really works in order to do their job. They need only very basic understanding, and because there are a large number of people who want to get into computer security, because it's the hot thing right now, security companies will have an unending stream of future SOC analysts to pick from.
  • Every time I meet one of these security experts, I ask them the same question. What kinds of problems do they solve? I've never gotten a straight answer. They know the lingo, but don't seem to know the engineering.

    • by narcc ( 412956 )

      What answer would satisfy you?

      • My observation is that companies buy security products (anti-virus, penetration testers, etc) more based on the quality of the advertising than on the quality of the product.

        This is not too surprising, since it takes a lot of skill to evaluate the quality of a security product (hello, Lastpass, although a quick search of "Lastpass vuln" should tell you everything you need to know, that's skill), but any executive can be impressed by the slickness of an advertisement. Gotta get that Intel stuff inside my c
        • This is sadly not wrong.

          I worked in malware analysis and anti-malware development for a while. Our boss routinely said "we don't say a bad word about the competition. If someone asks what you think about Norton, tell them you like the box art".

        • by Tom ( 822 ) on Sunday October 22, 2023 @05:10AM (#63943257) Homepage Journal

          The power of marketing is real.

          I've been the external security expert at a number of fairly big tenders. Some of the slick presentations I've seen - man, I wish my presentations were half as good as those. They really, really, did sell their product well. And they weren't even lying, they were just experts at presenting what they had to offer in the best possible light and it does make such a difference in your impression. Took quite a bit of work to cut through that and come to a mostly objective estimate of the actual product quality.

          tl;dr: If you have a great product, do and spend a shitload of money on marketing. Because the inferior products all do.

      • Any direct answer. For fuskc sake, I have security stories and I don't claim to be an expert.

        • by narcc ( 412956 )

          That's essentially what I'm asking: What does a 'straight answer' look like to you? It's a very broad question, after all.

    • by Opportunist ( 166417 ) on Sunday October 22, 2023 @04:25AM (#63943201)

      The problem is that my job description has nothing to do with my everyday work life. Also, it's like asking "the computer guy" what problems they solve. It depends highly on what kind of field they work in.

      So what problem do I solve? Well, if you ask the people I work for they'd say I don't solve problems, I create them. And yes, part of my job is to tell them to fix something, so I create problems for them. My job is to find security gaps in our systems, point out what they are, assess the severity, recommend ways to fix them and supervise that these fixes are implemented and that they are sufficient to take care of the problem at hand.

      You could say the problem I solve is the problem you'd have if someone with nefarious intentions found that problem instead of me.

      • You could say the problem I solve is the problem you'd have if someone with nefarious intentions found that problem instead of me.

        Reminds me of a billboard advertising a cybersecurity company: "Call us before you need us"

  • Paper pushers. (Score:5, Informative)

    by oldgraybeard ( 2939809 ) on Saturday October 21, 2023 @11:08PM (#63942935)
    There is more interest in checking all the boxes on the paper work showing everything is being done vs actually doing what needs to be done.
    • Often when I hear that there is a job shortage for a particular field, I interpret that statement to mean there’s a shortage of people that want to work that job for the salary being offered. After spending 5 years in cybersecurity, I became somewhat disillusioned by the accounting and sales nature of job. Understandably, customers want to see basic certifications like SOC 2 Type 2 and ISO 27001. The challenge is that obtaining these certs is somewhat trivial, subject to carefully worded responses to
      • Your first paragraph seems to be constrained to a GRC function in cyber. There really aren't many skills shortages there, as the baseline prereq/skills needed to be successful is relatively small. While GRC does serve a necessary purpose, it is mostly checkbox activity and sadly, many companies do constrain their "cyber" orgs do this role, as either technically-driven cybersecurity functions are deemed too expensive or unnecessary for their line of business or size of the company. Your second paragra
      • That’s precisely the point. See what I wrote in:
        The continued fallacy of the information security skill shortage
        https://brothke.medium.com/the... [medium.com]

        To which I have never encountered a single company that paid market rates, that had trouble finding good information security people.

    • In management? Yeah. They have the requirement "one pentest per product per year" and they will get one pentest per product per year. Check. They don't give a rat's ass whether you find something, if anything, they'll hire the worst company that doesn't find jack shit because that way they don't have to fix anything.

  • by FeelGood314 ( 2516288 ) on Saturday October 21, 2023 @11:10PM (#63942937)
    I worked in a senior position at one of the most important security companies in the world. Our security was crap. It was significantly better than our competitors but it was crap. Our internal security procedure was to have myself and another guy test the products for two weeks, patch the errors we found and declare the product secure. (This seems to have been more than what our competitors did because we discovered they would leave open the common type errors we found in our competing products). The part that drove me nuts is we had no systematic way of proving our products secure. My training was:
    1) list what you need to secure
    2) list who might want it, how they might use it, what tools and access they might have, how motivated they are
    3) list how they might get it
    4) provide mitigations
    5) prove 4 prevents 3

    Most companies I worked at skipped step 1 and went straight to step 4. So you might have secure software but leave some pretty obvious things insecure. Or have something one department assumed was very secure while other departments knew it was completely untrusted data. It makes for a completely thankless job.

    Here is an example. The certificates in UK smart meters are signed by Certicom. The certificates have a meet in the middle hash attack vulnerability that is prevented by having a random field, called the index number, in the certificate. Certicom generates the index number. No one told them it was supposed to be random thus the meet in the middle attack is trivial to implement.
    • From the point of a security engineer, security in a company will always be crap. The only question is whether it's good enough.

      From my experience as a consultant, I can tell you what you did there already beats at least 90% of the industry when it comes to security handling. The other 10% are finance and banking.

  • by sizzlinkitty ( 1199479 ) on Saturday October 21, 2023 @11:16PM (#63942943)

    My position of 5 years was just shit canned 2 weeks ago due a slowing economy brought on by high interest rates and reluctant consumer spending. So far I've applied for 12 high level cybersecurity positions and have only heard back from one of them, so it makes me wonder if these open positions are just sitting open to justify H1B visa's. I'm no spring chicken, worked in the industry since 1998 and directly in cybersecurity for over a decade. I also wonder if ageism is starting to come into play since anyone with half a brain can figure out my rough age based on years of experience.

    • by twimmel ( 412376 )

      If you look youthful you can shave 5-10 years off your age by leaving off the dates of your college and dropping the oldest work experience off your resume. Only the last 10 years are going to be interesting to the employer anyway.

      • I have done the same thing and removed the first few jobs I had after college. You can still see where I went to college but not when. I have also touched up the gray hair I am starting to get, before going on interviews. I had one interview where I could tell he was trying to figure out my age, and asked what I like to do in my free time. Tell them stuff you used to do in your younger days. I only told them that I liked that stuff, not that I actually do that stuff still.
  • by StevenMaurer ( 115071 ) on Saturday October 21, 2023 @11:19PM (#63942947) Homepage

    Security only costs money. It doesn't make companies any money. Insisting on secure code disrupts release schedules. Security engineers have essentially no actual power. Salaries are below average. Companies hire as few security engineers as they possibly can get away with. I see tons of job openings for sales-oriented "solutions architects" out there. Very few security-related jobs. Nearly all of them just terrible.

    Security engineers, credentialed or not, are the "Mall Cops" of the software world. Not because they're dumb - just that they're disrespected.

    • Security only costs money. It doesn't make companies any money. Insisting on secure code disrupts release schedules. Security engineers have essentially no actual power. Salaries are below average. Companies hire as few security engineers as they possibly can get away with. I see tons of job openings for sales-oriented "solutions architects" out there. Very few security-related jobs. Nearly all of them just terrible.

      Security engineers, credentialed or not, are the "Mall Cops" of the software world. Not because they're dumb - just that they're disrespected.

      It was bad enough when the tents were a solid 75 yards away from the row of outhouses 30 long. Distance it seems was the best way to mitigate the smell. Users of said toilets kept throwing water bottles down the hole. Pump trucks would show up and blow head gaskets trying to clean the outhouses because the water bottle just happened to be the exact size of the hose. Boom-chug-chug...chug. There goes another one.

      Problems pile up quite deep when the respect stops coming. Like the trucks did for a while.

    • by Tom ( 822 )

      Security only costs money. It doesn't make companies any money.

      I couldn't disagree more.

      Take encryption as a trivial example. That's a security feature, right? Now try to imagine online banking, e-commerce or e-government without TLS. Now try to tell me those things don't make (or save) money.

    • Like testers, and support, and IT, and...

      Except those guys at the top. THEY earn their money

    • by rastos1 ( 601318 )
      So you have no locks on your house?
  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Sunday October 22, 2023 @12:16AM (#63943015)

    It's a lack of culture. We all know this, we just haven't come to regularly spell it out for the uninformed. Yet.

    A project lead who can barely tell a client from a server or stateful from stateless, let alone explain what a user account is and what you actually need it for is still a very common thing. Such a person couldn't tell an expert in auth/auth and encryption from some clueless n00b who can barely design an UI and can't go beyond clicking together some prohibitivly shitty WordPress plugins. He thus will pick the latter because he cheaper and doesn't make these annoying demands that we must do best practices and "decouple auth auth", whatever that is.

    Today's IT generally is ruled by people who are at the level of some primitive jungle tribe thinking they can make reasonable decisions on how a highway bridge must be built. The results are the exact equivalent of those empty super-scary "leaves you speechless" 50 story apartment buildings in China where the walls break when you pick at them with a fork.

    It's a lack of culture. And until the idiots with a degree who lead IT projects but don't even know how to use the clipboard are prohibited from touching a keyboard before they've got their basic computer drivers license this idiotic bullshit will continue.

    The name for that is "Cargo Cult IT" and it's only getting worse.

    • by Opportunist ( 166417 ) on Sunday October 22, 2023 @04:47AM (#63943235)

      We recently had to pentest a project with an atrocious session handling problem. Really, it felt like testing the DVWA. Almost every single mistake you could make, security-wise, in your webpage was in there. When I confronted the "developer" (I'll use the term loosely here), I quickly noticed that he doesn't really understand a lot about web development and it eventually turned out that he frankensteined together the page from SO answers, with very little understanding what the hell was going on.

      How that guy cheated his way through the hiring process is beyond me. But hey, in the kingdom of the blind, the one eyed is king and if HR does the hiring, the person who can throw some buzzwords at a computer illiterate gets the job.

      Cargo-cult programming is a huge security issue. Because answers at SO generally don't give a fuck about security, what matters is that "it works".

      • by gweihir ( 88907 )

        You want "every single mistake that could be made"? Look at that cloud certificate MS has recently stolen: All of Azure open to the attacker because they made every stupid security mistake possible. The rot goes deep enough that in many cases the patient cannot be saved anymore.

        As to Cargo-cult coding, I expect that Artificial Idiocy will only make that one much worse.

        • That wasn't every possible mistake that could be made, that was just one single really big one. :)

          And AI will only make my job easier and way, way more fun.

    • From my own experience, another problem is the Dunning-Kruger effect. Lots of otherwise competent folks think, "I'm a good sysadmin, there's not much to this security stuff". Too many people in IT are unwilling to admit they don't know everything, and if they do, it's often not accepted as a valid answer and they're told to do the work anyway.

      • by gweihir ( 88907 )

        Indeed. Can also be nicely observed here on /., time and again.

        • I'd assume that many people here are like me in that their slashdot personality is much different from their work personality.

          Though I could name a few names, like rsilvergun and his sidekick narcc, opportunist, the evil atheist, and a few others who have this incredibly distorted view of how the world works, which is usually accompanied by an incredible amount of defeatism, and I could see these guys having a hard time getting jobs even if their IRL personality is more mellow.

          A few examples:

          "They're just l

  • And shameless ones at that. It's econ 101 that the price goes up if demand is not met, until it is met. But companies bitching about not being able to find employees are not offering more and more money for them, they're just sitting around trying to mindfuck governments into subsidizing them.
    • by Opportunist ( 166417 ) on Sunday October 22, 2023 @04:57AM (#63943241)

      Well, in this particular case I happen to have some insight into the matter and ... it's both.

      Yes, you're right, they don't want to pay more than absolutely necessary, but salaries aren't THAT bad either. We do get quite the money for what we do. I don't want to say that we're sorely underpaid. The problem is a very different one in this particular case, and it's nothing you can solve by outsourcing either. Not only because, well, do you want to outsource your security of all the things to a country that is potentially hostile to you, or one that has a track record of fake callcenters and scam artists?

      The problem is that security is the endgame of IT. As a pentester, you're expected to not only know every technology out there, from various different databases to various different webservers, operating systems, programming languages (and the code the different compilers render because you're expected to disassemble and read it), container solutions (and the orchestration software various companies attached to them), cloud services (and I mean every single one of them out there, from Azure to Alibaba), esoteric programs, bells, whistles, hopes, dreams and whatever else some idiot project manager could dream up. You're also expected to know it better than the person who set it up and programmed it. You're expected to have a deeper understanding and know what the wiring under the board looks like, because that's where the potential security problems reside. To force an analogue, you're not just expected to know how to allocate memory dynamically and know "buffer overrun bad", you have to know why the buffer overrun is bad, how to spot it, how to exploit it and how to fix it.

      For every single technology mentioned up there. Essentially, what they'd want from you is to know more about DB2 than IBM, more about Azure than Microsoft and more about OpenShift than anyone at RedHat.

      And I don't mean "pick one". The expectation is ALL THREE. And then some.

      As you might imagine, such people are rather rare.

    • by Tom ( 822 )

      This

      I actually am a security expert with a bit of reputation and a pretty good CV. I get regular calls from headhunters. By experience, my first question is the salary that is offered for that position, and in 90% of the cases, both the headhunter and me have a good laugh about that together and end the call there.

      These 90% of companies are either not serious about security or they don't understand that the decade or two of experience you need to actually be an expert in a non-trivial field comes at a price

  • by The Cat ( 19816 ) on Sunday October 22, 2023 @12:42AM (#63943037)

    Look up the "high concept" pitch. "It's just like Game of Thrones, but with cartoon dinosaurs." That's the only way to present ideas to executives.

    The reason this is necessary is because half the country is illiterate and the other half is wired up on psychotropic medications. They have neither the attention span nor the ability to emerge from the fog of Xanax and screwdrivers to truly understand anything.

    Your boss' wife wears a mumu and works their waffle iron like the Tropicana slots. So he prefers to play slap and tickle with his college-age secretary. If the door to his office is closed its because he is wearing nothing but black socks and a quart of Jergen's. That's the only thing he has the mental energy to comprehend.

    Discussing cybersecurity with these people is like explaining linear algebra to a room full of golden retrievers. The job market is lost. It's never coming back. Right now America couldn't build dogshit if we crashed a dump truck full of scrambled eggs into a kennel.

    That about cover it?

  • In my experience so far... if you have experience in systems engineering, and software design and implementation, and attempt to get into security... and the security salaries are all way below what you would be offered if you stayed in those fields... it sends a strong signal that security is just for show:

    1. They'd rather not spend the money hiring when it could be used on the feature side.
    2. They have not empowered security to actually do anything, so they don't want to over-hire in that group (in terms

  • There is NIS directive in EU. To be updated by NIS2 in near future. It requires providers of critical infrastructure to have a cybersecurity position. That means hospitals, railways, water treatment facilities, power and gas distribution companies, ISPs, municipalities, government departments and agencies, police, army, banks ... Notice that lot of that are organizations where money is tight. In a tiny country of a 5-15 million citizens there ma be ~10000 of such organizations. I have no doubts that there i
    • by Njovich ( 553857 )

      Fun fact: ICT services management (business-to-business) is a critical sector. A ton of companies with any branch in the EU are going to be in for a nice surprise.

    • by Tom ( 822 )

      have a cybersecurity position

      They'll do what countless companies with such a regulatory demand have done before:

      1. Create a "CISO" role on paper
      2. give it to someone who is low maintenance, won't cause any actual trouble or stir up anything
      3. continue with business as usual

      • by rastos1 ( 601318 )
        That won't be so easy. The NIS requires reporting all incidents to the government agency, independent audits every 2 years, fixing issues found during previous audit, ... Non-compliance could lead to fines, loss of license, exclusion from procurement by the state, ...
      • by gweihir ( 88907 )

        Not this time. There are real penalties in place. And the GDPR is starting to really get enforced and has more than a bit of overlap.

    • I predict it's gonna be filled the same way porn mags filled the "head editor" position.

      Around here the "head editor" (kinda like the CEO) or porn mags were personally and criminally responsible for the content of the porn mag. If it was in any way forbidden (something that was essentially codified as "I know it when I see it" bull in the law), they went to jail. The idea of course was that nobody has the balls to actually issue any porn mags.

      The solution? They hired street bums as the "head editor" who kne

      • by gweihir ( 88907 )

        Nice trick. I doubt it will work this time though. Not having a qualified person in that position could well make the board liable.

        • "Oh, we were lied to! He looked like the perfect candidate, hey, we're (insert industry here), not security, how should we have known that he's lying?"

          • by gweihir ( 88907 )

            Yeah, _that_ is going to work. Don't forget the regulators have heard it all and the only thing stopping them from acting was politics. The risks and damage from IT insecurity have gotten a bit too large for that to continue. On the other hand, politicians are generally the least trustworthy, most corrupt assholes. So who knows.

    • by gweihir ( 88907 )

      That one will get interesting, agreed. And at least in some countries "paper pushers" will not do it because they have finally understood how bad the risks are and how much productivity is lost every year.

  • ...is a management team hell-bent on half-ass supporting that business-critical effort.

    While marketing freely enjoys justifying budgets on little more than clickbait hype, selling the needs of proper security is a different animal altogether. Even in a world that reinforces daily why executives should respect the risks being laid out by the very professionals they hired to protect them in the digital realm. Instead executives walk around with the bravery of that party drinker that hasn't wised up with a D

    • You can tell by looking at the org chart. Where does the CISO sit? If he's under the CEO, great. If he's under the CFO, not so great. If he's under the CIO, run. Run fast, run far.

      • You can tell by looking at the org chart. Where does the CISO sit? If he's under the CEO, great. If he's under the CFO, not so great. If he's under the CIO, run. Run fast, run far.

        A CEO is needed in a company, since somebody's gotta lead. A CFO is often required. So is an identified "officer" or two of the company for regulatory purposes.

        The CISO/CSO is often that optional executive that until the hack actually happens, is more viewed as a liability than an asset. Much like they view the non-revenue generating budget behind the position, sitting on the "wrong" side of corporate tax deductions. Splitting the executive bonus pool with that expensive department that doesn't "do much

        • This is why in certain companies here, C-Levels are personally (that means, with their own, private stash) responsible for security breaches if they can't show that they took reasonable step to avoid it if a security breach happens.

          CEOs tend to be way, way more happy to spend company money than to risk their private funds, it turned out.

          • Impressive. Sounds like a standard worth repeating and hopefully without the need for some nationalized effort like a union as the alternative.

            The American CEO:worker bee pay inequity, would likely increase from 300:1 to 500:1 in response to such a personalized 'attack', and invent an entire market of cybersecurity insurance to handle any personal liability, with those policy costs provided by the newly sponsored Cybersecurity Payroll Protection Act, collected under "mandated fees" for select worker classe

            • There is considerable leeway for what constitutes a "reasonable step" to avoid it, and I don't know of a single case where someone actually had to put the crowbar to their own wallet, but it means that they can't just ignore it. Which is good enough.

  • by bradley13 ( 1118935 ) on Sunday October 22, 2023 @01:57AM (#63943085) Homepage

    What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp...

    Yep. A lot of "cybersecurity specialists" are people who haven't got a clue about the systems they are testing. They have some port-tester and a couple of other tools that they know how to use, and that's it.

    Every developer and programmer should be aware of cybersecurity issues. Just to name an example: as a profession, it is embarrassing that things like SQL injection still exist - much less as one of the biggest weaknesses out there. Anyone who writes SQL code should automatically write it in a way that avoids that vulnerability.

    The same goes for other IT professions. For example, the people doing network engineering should know the vulnerabilities they need to avoid. That should be baked into their education.

    In my first semester programming courses, I teach students that their data classes are responsible for the quality of their data: all attributes are private and setter-methods are paranoid. In my database lectures, they use PreparedStatements, with an explanation of why. In my web service lectures...well, you get the idea. I'm not any sort of security "expert", but this is basic stuff and needs to be treated as such.

    • by Tom ( 822 )

      I'm not any sort of security "expert", but this is basic stuff and needs to be treated as such.

      90% of security issues are software quality issues or user (interface) issues.

      The remaining are the weird edge cases that involve hardware bugs, side-channels, timing attacks and other stuff that you'd have to be clairvoyant to know when making the thing.

    • As one such "cybersecurity specialist", let me tell you what it's like.

      Around Thursday, you get the info that next week, you're gonna test an application written for a technology you have never even heard of. The reason you're doing it is that your manager thinks he remembers you once did a job some years ago with something that sounded like the technology.

      So you spend the next weekend frantically trying to get as much information about that technology as you possibly can, you read whitepapers, you try to g

    • Every developer and programmer should be aware of cybersecurity issues.

      Developers should naturally think defensively: How will this call fail? What action should it take in case it fails? What does it pass back to the caller? How should the system handle an abend? But too many don't give a shit. I have horror stories of a major blood testing system that didn't check returned error codes, and one case where I found that a key called function returned a particular value in all circumstances, which was a violation of all that is holy. When I brought it to the attention of

    • And you do all of those things, you really do your best, bottom to top, all the way through, then this happens:
      https://www.theregister.com/20... [theregister.com]

      Seems a little arrogant for an arm-chair "educator" to claim "a lot" of industry "haven't got a clue". All software has something unintended lurking inside.

  • by Tom ( 822 )

    [T]here is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp....

    Let me translate that:

    There is no shortage of people who CLAIM to be "cybersecurity experts" and position themselves so no easy checks can show that they're full of shit. As soon as you go to the jobs that require ACTUAL expertise and experience, you find that real experts are hard to find.

    Or, in other words: Same as in any other field that recruiters etc. sell as high-salary, hot market. I wouldn't even be surprised if it's the same people who every couple of years re-invent themselves as whatever expert i

    • Security is a very attractive field. Most of all, it's (currently) pretty well paid, at least for the select few super stars who actually bring a ton of experience to the table. So of course that's attractive. Much like medicine or law were in the past. You would see those star lawyers that rake in the millions and you say, "yeah, I want that!"

      So people go out and try to figure out how to get into the industry. If they're smart, they'll do a 4 year college degree on security. If they're less smart, they do

  • "[T]here is not a shortage of security generalists, middle managers, and people who claim to be competent CISOs. Nor is there a shortage of thought leaders, advisors, or self-proclaimed cyber subject matter experts. What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this
  • I got a degree in cybersecurity, then reality kicked in:

    1) There are almost no entry level jobs. The one that i saw were SOC jobs that paid terrible and most of them were on the graveyard shift.

    2) The good jobs were not entry level and most of them required non entry level certs like CISSP

    3) A lot of the good jobs were as contractors to US agencies which required special clearance which can only be attainable by US citizens, therefore eliminating all foreign talent.

    Needless to say, I had to switch careers.

  • need IT, CODEING and more skills sounds like H1B BS with an big list of skills at low pay so that only an H1B can fill the role.

  • can't do updates as that will / may messup code.

    lot's of times with some software you can't do OS updates / update base library's as they need to be testing and rolled out as part of the bigger update. So no auto os updates and at other times an long wait for some updates to happen.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...