I'm a fairly new computer science graduate and it has been hard to find a cyber security job that doesn't require a clearance. I've done a bunch of CTFs and reverse engineering, but I just don't see many roles out there that are meant to train people like me that will give me an interview. So it's being a programmer for me until that changes.
I have 25 years of experience in security, encompassing both product and I.T. security in technically focused IC roles.
I find it incredibly unrewarding.
On the front lines, most situations tend to be adversarial or highly stressful. This is the case even when your primary intention is to provide teams with the time and resources they need to address problems effectively - it can be an exhausting process to establish trust and camaraderie with your non-security peers given preconceptions about security in many organizations.
Engaging with the business and executive levels is even more challenging. I often wish that all managers were mandated to earn a CISSP. And while I respect the role of the CFO, as they ultimately shoulder all the risk, I just wish CPAs would stay away from CISO positions; they're not helping.
I am a DevSecOps Engineer. I am so incredibly swamped with Dev and Ops that I don't get to do nearly enough security.
Schneier is on the money again and it's painfully true.
Elsewhere I've said why cybersecurity is a losing battle and a significant part of the problem is the educational and HR side of things [0].
There's a motivation and engagement problem. Generally, people have no idea what cybersecurity is. It scares them, and they either don't want to talk about it or will let any random "expert" assuage or distract them. That's made fertile ground for a flourishing certificate and compliance racket of clueless gatekeepers who only make things worse, because the field is so deep and dynamic this stuff is ossified before the ink is dry.
I also see that it's an entirely reactive affair. People and companies will spend zero attention and money on cybersecurity until they get hacked, then run around spending their fortune like there's no tomorrow on stupid things. This attracts opportunists who are often as bad as the ransomware gangs that preyed on them in the first place.
Unpleasant as it is to say, it's the fault of the companies who do not value the deep and hard won knowledge of those who could help them... a cohort who are growing older and giving up caring.
And frankly, universities are fucked, to put it as politely as I can. At least in Britain, nobody who can do this stuff wants to be within a clear country mile of these crumbling institutions with their awful pay and working conditions and total lack of vision.
Elsewhere we have military and intelligence groups playing at 1980s "cyberwars", completely missing that the real war is going on within our culture.
So what we're left with is a technologically over-extended society that cannot meet the maintenance needs of its structure.
As educators, sadly we might set many young people up for failure and struggle since the expectations and demands of "the industry" don't match what they can deliver. Consequently the high churn leads to even more disaffection and panic in the industry.
Worse still is the fate of women in cybersecurity. Again and again I've seen equally qualified candidates go into a firm on the same pay grade, the guy gets out on "pen-testing" and the woman gets put on front line support (read: stress and abuse hell). The women are almost universally demeaned and given "agreeable" public facing work, while the men are streamed into "technical" roles. The tragedy is, it's usually the females who seem to understand the higher-level strategic and operational wisdom that is so desperately missing.
[0] https://www.linuxtoday.com/developer/why-we-cant-teach-cyber...
Oh boy, this is quite the issue alright.
I have been in infosec longer than my HN account and I am a technical person, and that's all I ever want to do.
There are companies actually and seriously concerned about getting hacked, there are companies that are concerned about getting sued when they get hacked (not much care about it otherwise), and then you have the in-betweens where upper management and the board do give a damn but middle management politics gets in the way; security is driven by managers who want to buy products and vendors and then go cheap on talent and whine about talent shortage.
When it comes to hiring talent, actual skills to my surprise are of little consequence. Even managers that know better just fill seats with bodies and they wonder why when they do get the rare talent, that environment where skills/talent isn't rewarded can't retain skilled people.
Another problem is security managers often moved over from IT or they haven't done anything technical in recent decades. They think it's like hiring help desk or network admins.
And don't get me started on the "return to office" bullshit. It wouldn't be so bad if that didn't imply return of office politics. People skilled in interpersonal politics (read: brown-nosing) get ahead and fester a culture hostile to technically passionate people. Best I can put it is, imagine wanting an HN experience but you get an Instagram experience, but in real life.
At my work I have found talented people and referred them, but the whole anti-remote work stuff gets in the way. Myself included, I will work for as little as half my current pay, if not less, to be allowed to work remotely full time.
As far as actual talent shortage, I would say there is more of a pay shortage. Plenty of people who can fill a seat but actual hackers are rare.
Most HNers who are into SWE, with a sprinkle of networking knowledge and enough humility to do entry level security work would make a killing in security (which has many sub-fields) in my opinion.
Top comment starts by saying it's a talent shortage. A management talent shortage? Sure. But for skilled workers it is a pay shortage; not that I personally have any complaints, but managers prefer getting 10 untalented people over 2, as if it adds up.
I would love to get into the field, but sadly around here, even with MS putting in a new data center just 20 minutes away from me, there is a lack of job postings for one; and two, when there are job postings the "required" skills necessary to even garner a glance are absolutely outrageous. They basically want an entry level with a master's degree. So I agree 100 percent with this article: lower the bar or spots won't be filled.
As the article points out, there is a real shortage of good people with technical security skills, not so much managers.
I've always been an architect who can code, and I haven't had any problems getting work. Everywhere I've worked has had problems finding technically skilled security people. As I move towards more management roles I am feeling a bit more insecure...
Is the shortage perhaps because all the job postings require a CISSP? I'm an architect and a coder. If I spend any time at all getting certs, they will be cloud-related.
There's lots of people who can recite OWASP but few people who can actually engineer and show leadership and do mentoring to make a more secure product and service.
Nit: it's not a jobs shortage, it's a talent shortage.
And as soon as you mention cyber security, there will be confusion over whether you're referring to front line SOC analysts, application security engineers, malware analysts, threat hunting, DFIR specialists, vulnerability researchers, security architects, etc. The skills, knowledge and barrier to entry are wildly different among various sub-domains.
The nature of skilled cyber security is that it requires a deep understanding of computer architecture and programming as a prerequisite. If you don't understand how computers work at a fairly low level, you're going to have a tough time truly understanding security enough to contribute.
There's also a huge industry around certification and compliance that adds almost no value. I've never known any experienced security professional who places any value in CISSP, CEH, etc. (In fact they're often a negative indicator of competence). They're the security equivalent of a 6-week coding bootcamp. Mostly just a cash grab.
Coincidentally, all the best security minds I know are mostly self taught when it comes to the security aspect, having pivoted into it from a dev background. The types of people who spend their free time reverse engineering anything they can get their hands on or practicing CTFs.