And as soon as you mention cyber security, there will be confusion over whether you're referring to front line SOC analysts, application security engineers, malware analysts, threat hunting, DFIR specialists, vulnerability researchers, security architects, etc. The skills, knowledge and barrier to entry are wildly different among various sub-domains.
The nature of skilled cyber security is that it requires a deep understanding of computer architecture and programming as a prerequisite. If you don't understand how computers work at a fairly low level, you're going to have a tough time truly understanding security enough to contribute.
There's also a huge industry around certification and compliance that adds almost no value. I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence). They're the security equivalent of a 6-week coding bootcamp. Mostly just a cash grab.
Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
Preach. The number of times I have had to explain basic computing to a CISSP is larger than I'd like to admit.
If you want that, hire a hacker.
You're tempting me to go on a very long rant about your comment right there. Those two certs are horrible, but there are plenty of difficult certs with practical exams like Offensive Security certs and even SANS these days. But damn shame on you if you use someone's certs as a negative indicator, or an indicator of anything other than they or their employer paying a large sum of money to validate some knowledge or skill.
> Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.
Right, and you will accept GitHub accounts and HTB accounts on a resume? How many companies' HR will let you? How do you know people aren't buying those accounts to get a job? (Certs are proctored.)
You can teach yourself a lot of things, I did. But there was a crapton of stuff I had to learn responding to incidents and trying to solve real world problems that you just can't learn sitting at home. I don't disagree with what you said about being self taught, but that only means they are motivated and have potential. Certs and experience is how you prove that potential enough to get an interview, it is the manager's job to grill them and make sure their cert isn't b.s. after that.
I have seen talented people with or without degrees and/or certs and with varying backgrounds from school teachers and geologists to masters degrees.
It's rare to have more than 100 applications for security jobs. So my take is that security managers themselves need to learn security well or hire people whose opinion they can rely on. And then use certs and experience to prioritize the stack, do phone interviews and practical online tests to filter out applicants, and do an extensive in-person (or over Zoom) technical interview to hire the right talent.
If I may add another perspective, the culture in the US is particularly horrible. In certain other countries, they have tons of talented hackers who get paid shit (well, at least not as good as the US).
It is listed as a requirement (or similar) on a lot of info sec jobs, but as far as I can tell it's like a lot of other job spec items; nice to have but not required.
Maybe there are companies who insist on it, but I'm not sure I would want to work for anyone that had such a rigid idea of its value. Could always get it again if I really needed to, only took me 2 weeks of study to pass originally. Possibly it has more value for more junior people.
Elsewhere I've said why cybersecurity is a losing battle and a significant part of the problem is the educational and HR side of things [0].
There's a motivation and engagement problem. Generally, people have no idea what cybersecurity is. It scares them, and they either don't want to talk about it or will let any random "expert" assuage or distract them. That's made fertile ground for a flourishing certificate and compliance racket of clueless gatekeepers who only make things worse, because the field is so deep and dynamic this stuff is ossified before the ink is dry.
I also see that it's an entirely reactive affair. People and companies will spend zero attention and money on cybersecurity until they get hacked, then run around spending their fortune on stupid things like there's no tomorrow. This attracts opportunists who are often as bad as the ransomware gangs that preyed on them in the first place.
Unpleasant as it is to say, it's the fault of the companies who do not value the deep and hard won knowledge of those who could help them... a cohort who are growing older and giving up caring.
And frankly, universities are fucked, to put it as politely as I can. At least in Britain, nobody who can do this stuff wants to be within a clear country mile of these crumbling institutions with their awful pay and working conditions and total lack of vision.
Elsewhere we have military and intelligence groups playing at 1980s "cyberwars", completely missing that the real war is going on within our culture.
So what we're left with is a technologically over-extended society that cannot meet the maintenance needs of its structure.
As educators, sadly we might set many young people up for failure and struggle since the expectations and demands of "the industry" don't match what they can deliver. Consequently the high churn leads to even more disaffection and panic in the industry.
Worse still is the fate of women in cybersecurity. Again and again I've seen equally qualified candidates go into a firm on the same pay grade, the guy gets out on "pen-testing" and the woman gets put on front line support (read: stress and abuse hell). The women are almost universally demeaned and given "agreeable" public facing work, while the men are streamed into "technical" roles. The tragedy is, it's usually the females who seem to understand the higher-level strategic and operational wisdom that is so desperately missing.
[0] https://www.linuxtoday.com/developer/why-we-cant-teach-cyber...
My only disagreement is with the culture aspect and treatment of women. I'm just not seeing what you're describing. Our industry is so starved for talent that anyone who shows interest and competence is immediately welcomed and allowed to choose the path that most interests them.
Not to say bad apples don't exist, but they're the exception, not the rule.
For what it's worth, 10 years ago I wouldn't have seen gender disparity because we simply wouldn't have had those women on the programme in the first place - so progress of course, but in small steps.
I suppose it's also amplified by being in an area where we're so desperate to grow good people that it feels galling and frustrating to see anyone left by the wayside in such times. Maybe I am not noticing the young lads who are similarly sidelined, but are less vocal.
I find it incredibly unrewarding.
On the front lines, most situations tend to be adversarial or highly stressful. This is the case even when your primary intention is to provide teams with the time and resources they need to address problems effectively - it can be an exhausting process to establish trust and camaraderie with your non-security peers given preconceptions about security in many organizations.
Engaging with the business and executive levels is even more challenging. I often wish that all managers were mandated to earn a CISSP. And while I respect the role of the CFO, as they ultimately shoulder all the risk, I just wish CPAs would stay away from CISO positions; they're not helping.
Having said that, I've never worked anywhere that actually did it, or even claimed to, so I'm speaking from a position of ignorance...
I have been in infosec longer than my HN account and I am a technical person, and that's all I ever want to do.
There are companies actually and seriously concerned about getting hacked, there are companies that are concerned about getting sued when they get hacked (not much care about it otherwise), and then you have the in-betweens where upper management and the board do give a damn but middle management politics gets in the way: security is driven by managers who want to buy products and vendors and then go cheap on talent and whine about talent shortage.
When it comes to hiring talent, actual skills to my surprise are of little consequence. Even managers that know better just fill seats with bodies and they wonder why when they do get the rare talent, that environment where skills/talent isn't rewarded can't retain skilled people.
Another problem is security managers often moved over from IT or they haven't done anything technical in recent decades. They think it's like hiring help desk or network admins.
And don't get me started on the "return to office" bullshit. It wouldn't be so bad if that didn't imply return of office politics. People skilled in interpersonal politics (read: brown-nosing) get ahead and foster a culture hostile to technically passionate people. Best I can put it is, imagine wanting an HN experience but you get an Instagram experience, but in real life.
At my work I have found talented people and referred them, but the whole anti-remote work stuff gets in the way. Myself included, I will work for as little as half my current pay, if not less, to be allowed to work remotely full time.
As far as actual talent shortage, I would say there is more of a pay shortage. Plenty of people who can fill a seat but actual hackers are rare.
Most HNers who are into SWE, with a sprinkle of networking knowledge and enough humility to do entry level security work would make a killing in security (which has many sub-fields) in my opinion.
Top comment starts by saying it's a talent shortage. A management talent shortage? Sure. But for skilled workers it is a pay shortage. Not that I personally have any complaints, but managers prefer getting 10 untalented people over 2, as if it adds up.
I've always been an architect who can code, and I haven't had any problems getting work. Everywhere I've worked has had problems finding technically skilled security people. As I move towards more management roles I am feeling a bit more insecure...