How Can Businesses Close 'The Cybersecurity Gap'? (venturebeat.com)
Companies can't find enough qualified security personnel, and fixing it requires "a fundamental shift in how businesses recruit, hire, and keep security talent," according to a VentureBeat article by an Intermedia security executive:
The trickle of security students emerging from post-secondary schools may not be fully prepared to tackle complicated security issues -- what we need are people who can protect business environments from everything from spam and BYOD vulnerabilities to complex threats like APTs and spear phishing. Second, certain companies may not know what to look for in a professional. Third, when skilled professionals are hired, they can often be overworked to the point where they don't have the time to keep up with the latest developments in the field -- and even in their own security tools... The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with. Here, companies need to do two things: step up their advocacy when it comes to promoting cybersecurity careers, and look internally for employees who have the skills and desire to take on a security position but need the training and support to succeed...
Finally, businesses need to recognize that security threats today go well beyond just one department. Every employee should be responsible for knowing what to look for in an attack, how to report a suspected threat, and how they can simply disengage from content and files they deem suspicious. Basic security training needs to become a part of the onboarding process for any employee -- especially for those in the C-Suite, where a greater number of spear-phishing attacks occur.
The article also cites a study which found "about a quarter of all cybersecurity positions are left unfilled for about six months."
General "Buck" Turgidson: (Score:4, Funny)
Re: (Score:2)
Unlike mineshafts, any reasonably competent CompSci or Engineering grads, or existing employee autodidacts can take an interest in cybersecurity and become a valuable asset.
Re: (Score:3)
More H1B's anyone? (Score:5, Insightful)
It doesn't matter if they know nothing, as long as the manager gets his bonus and is gone before the fallout of their crappy work becomes clear.
Re: (Score:2, Interesting)
Pure unadulterated bullshit.
Companies are unwilling to pay for the talent that is available. Companies have bimbo HR ladies (who are blowing the CEO for their cakewalk job) write up buzzword bingo self-contradictory job requirements while they have no idea what the job actually requires.
Though I should not be quite so disparaging, writing believable (on the sur
Re: (Score:2)
You may be a good network security professional, but if you speak the way you write, I think I know the cause of your problems.
Re:More H1B's anyone? (Score:5, Insightful)
My first thought was: how can businesses possibly be considered to be taking IT security seriously when their first and only impulse is how to do things even cheaper than they do now?
I'm still amazed at the dichotomy between shaving pennies and then the utter panic when there is downtime or a security breach. If it's so important that you basically can't do business without properly functioning IT systems, then why is it treated as if they don't want to spend money on it? Do they really think it's free?
H1Bs are of course just one example of this mindset.
Re:More H1B's anyone? (Score:5, Insightful)
When was the last time any manager told you to look for security problems?
That's why we don't have secure software.
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Do the basics... (Score:2)
Re: (Score:2)
>> How Can Businesses Close 'The Cybersecurity Gap'?
Easy peasy.
These companies just need to switch to linux, and use a few safe protocols ( like SSH)
Re: (Score:2)
Easy peasy. These companies just need to switch to linux, and use a few safe protocols ( like SSH)
If you think security is setting up a bunch of linux boxes and calling it good, you're gonna have a bad time. Just today I had to reach out to one of our vendors about a blind sql injection vulnerability on the login page for their shiny new linux appliance. Also the page was encrypted, but encryption does not fix broken code. It just encrypts the traffic exploiting the broken code.
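The vendor appliance bug described above, recreated as an added example (this is not the poster's code or the vendor's; it assumes a constructed SQLite in-memory user table with one account, a PBKDF2 iteration count lowered for speed, and hypothetical function names). The vulnerable login pastes the username into the SQL text and returns two different failure messages, which together give an attacker a yes/no oracle that leaks the stored password hash one hex digit at a time, regardless of whether the page is served over TLS. The hardened version binds the parameter and returns one uniform failure message.

```python
import hashlib
import hmac
import sqlite3

ITERATIONS = 10_000  # lowered from production values so the demo runs quickly (assumption)
SALT = b"\x00" * 16   # fixed salt so the constructed database is deterministic
HEX = "0123456789ABCDEF"


def make_db():
    """Constructed user table: one account, PBKDF2-SHA256 hash, no plaintext stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    pwhash = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, ITERATIONS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", SALT, pwhash))
    conn.commit()
    return conn


def stored_hash_hex(conn):
    """Ground truth for the demo: the hash the attacker is trying to recover."""
    return conn.execute("SELECT hex(pwhash) FROM users WHERE username = 'alice'").fetchone()[0]


def login_vulnerable(conn, username, password):
    # Bug 1: the username is spliced into the SQL text, so SQLite parses it as SQL.
    row = conn.execute(
        f"SELECT salt, pwhash FROM users WHERE username = '{username}'"
    ).fetchone()
    # Bug 2: two distinguishable failure messages give the attacker a yes/no oracle.
    if row is None:
        return "no such user"
    salt, stored = row
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "ok" if hmac.compare_digest(calc, stored) else "bad password"


def login_hardened(conn, username, password):
    # Parameter binding: the username reaches SQLite as a value, never as SQL.
    row = conn.execute(
        "SELECT salt, pwhash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        # Burn the same hashing cost so response time does not reveal whether the user exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, ITERATIONS)
        return "invalid credentials"
    salt, stored = row
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # One uniform message for both failure cases: no oracle.
    return "ok" if hmac.compare_digest(calc, stored) else "invalid credentials"


def extract_hash_prefix(conn, login, nchars):
    """Boolean-based blind SQL injection against a login function.

    Recovers the stored hash one hex digit at a time. The payload rides inside the
    request body, so TLS on the login page does nothing to stop it.
    """
    known = ""
    for _ in range(nchars):
        for c in HEX:
            guess = known + c
            payload = f"alice' AND substr(hex(pwhash), 1, {len(guess)}) = '{guess}' --"
            # "bad password" means the injected WHERE clause matched a row: the guess is right.
            if login(conn, payload, "x") == "bad password":
                known = guess
                break
        else:
            return known  # no digit matched: the injection is not being interpreted as SQL
    return known


if __name__ == "__main__":
    db = make_db()
    print("stored   :", stored_hash_hex(db)[:8])
    print("leaked   :", extract_hash_prefix(db, login_vulnerable, 8))
    print("hardened :", repr(extract_hash_prefix(db, login_hardened, 8)))
```

Note the two independent fixes: parameter binding closes the injection, and the single "invalid credentials" message (plus the dummy hash on the missing-user path) closes the oracle. Either one alone still leaves something for an attacker to work with.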
Re: (Score:2)
Oh yes. That would help so incredibly much. And then make sure all developers, designers and architects either get some real basic understanding of security or have somebody competent they can ask. In most cases, that will be a consultant, as even large enterprises cannot keep in-house experts current. There is just not enough variance in one application landscape. Consultants, on the other hand, see a lot of different situations in a lot of different places.
Of course, the question of getting competent IT
Re: (Score:3)
...so in other words, hire someone competent while you empty out the storage locker?
When I cleared out the storage closet for a local hospital, I found a 56" plasma TV that cost $10K brand new and was "lost" for seven years because it was buried in 600-sqft of IT crap. When I brought it to the attention of the IT manager, he had his IT guys test it and then put it up on the wall that it was originally supposed to go on. :/
Re: (Score:2)
Heh, I got one better.
I was working full time for a government contract at JSC; one month they moved our department to a room with risers that was originally a server room. While prepping the room, maintenance found 2 spools of a few miles' worth of fiber optic cable that they didn't even know was there, and it had been sitting there unused for 7 years.... I think it was estimated around 100k or something ridiculous.
Re: (Score:2)
Most I ever found was a mummified mouse.
Re: (Score:2)
PS/2 or even serial?
Re: (Score:2)
I'll cross 'em, you knock 'em in ...
Re: (Score:3)
Was that just before they fired you three months early because you were doing the janitor's work?
Nope. I finished the one-year contract three months ahead of schedule and fired myself. Thank God that I did. I've never worked in a hostile environment where every single person hated the IT department. I had to point out to everyone that I was a contractor and I was there to help them.
Re: (Score:2)
the basics should start by looking at your identity and identity management, if you are reliant on network security you have already lost.
I'm sure identity management is quite effective against SMBv1.
https://support.microsoft.com/en-us/help/3185535/guidelines-for-blocking-specific-firewall-ports-to-prevent-smb-traffic-from-leaving-the-corporate-environment [microsoft.com]
Re: (Score:2)
security is about depth, Identity is the most critical, then server config, lastly network.
I've seen that list in reverse order: network, server and identity. Maybe I've read too many Cisco books.
Re: (Score:2)
identity and identity management
Sounds good, but "identity management" has become such a meaningless buzzword that beyond "we installed Active Directory", any attempt to "look into" identity management will lead you down an endless rabbit-trail of "Identity Provider" vendors, and SSO, and OpenID Connect, and more standards that nobody asked for or needed.
Re: (Score:1)
The only security you need to worry about with creimer is putting a padlock on the fridge...
... only on slashdot would some asshole think this was funny ...
Fund education, talk to educators (Score:5, Insightful)
Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.
People outside the USA will have no loyalty to the USA and only work for money or to help their faith/cult/own government.
That's not good for US security.
It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
Help get US education to a good standard so US students can find work. Or get further education to keep their skills up.
Re: (Score:3)
Ensure they have the software and tools that are needed over the short courses to allow students in the USA to transition to the workforce.
Be careful not to be too specific on what tools to use. My community college taught all flavors of Java because local technology companies insisted that they wanted C/C++ programmers with Visual Studio experience and there was no money to renew the Microsoft site license. The dean offered to teach C/C++ under Linux but the administration stuck to the surveys. When the site license got renewed, none of the computers could run Visual Studio .NET (the latest and the greatest at the time). The dean had us boot
Re:Fund education, talk to educators (Score:4, Insightful)
"Talk to university and vocational education staff around the USA. Tell them what you need."
They have... They want high skilled people that will accept very low wages and not complain about it.
There are skilled people out there; the companies don't want to pay for them.
Re: (Score:2)
No need to pay university wages to people who have only done vocational courses.
Re: (Score:3)
They don't need more security guards though.
Re: (Score:1)
People outside the USA will have no loyalty to the USA
And neither should people in the USA. Loyalty gets you fucked over with low salary increases and poor conditions. You have to make them earn your loyalty.
It's very hard to find out what some foreigner did in their own nation for years. What complex issues do they bring to your company?
If you need to use FUD to compete, you have a serious problem.
Re: (Score:2)
Are they a criminal?
Are they entering the profession just to obtain or sell or give away secure information later due to their politics, faith or due to poverty?
Kind of hard to find that out if they can obfuscate, hide or totally invent a work history in another nation.
Or enter a nation with another person's identity. Always best to look over every applicant's work history in great detail.
Some due diligence
Re: (Score:2)
People outside the USA will have no loyalty
No. No Americans! Americans are too stupid to do computer jobs in America. If you believe otherwise, you're a racist.
Never shortages, or surpluses, only at arbitrary p (Score:5, Insightful)
You can have all the diamonds, gold, and tungsten, you want, when you pay the market price. The same is true for labor. Eventually, people will stop doing what they were doing, and start doing what you want them to do, if you pay them enough.
Eventually, everything evens out when prices become high enough, new producers come on-line, and new (consumable?) resources are discovered, or extraction methods are invented. How long does it take for someone to become a security expert? Five years? At least with human resources, there isn't the same concern with extraction and consumption costs. If they're already good at software development, and building infrastructure, maybe a year?
Seriously, this is like BASIC economics - they can close the gap by paying them vastly more, thus encouraging software developers to specialize in security. Using contractors is the short term version of this.
When prices become high enough, I'll start bidding on security contracts. As it is, companies would rather fill those positions with W2s, not contractors, and leave the work undone.
This title seriously demonstrates a lack of economic knowledge.
I have the answer and it is a SIMPLE answer. (Score:5, Insightful)
Want to close the Cybersecurity gap? It is very easy.
STOP BEING CHEAP ASSHOLES AND START PAYING FOR REAL SKILLED IT PROFESSIONALS.
This means the IT department on its own makes MORE than the CTO does. Yes, the guys that are actively fighting the bad guys deserve a LOT more than the waste of space in the executive seat. Quadruple your IT budget, start actually buying real fucking equipment and real security suites and software. Hire PROVEN EXPERTS that cost a lot of money.
InfoSec that is effective is NOT CHEAP. Stop treating IT as the bastard red-headed step kids, and start treating them as the Mission Critical staff they really are.
That and kick the CTO and CFO in the nuts, both those assholes deserve a good hard kick in the groin any time they suggest cutting the IT department's budget. If you hire and pay for the best, then you don't have the security problem that the companies that try and half ass it by paying as little as possible.
These executives know this, they just don't want to do it. And until they start making executives personally responsible for data breaches, it will not change. Yes, personally responsible: if these assholes can get multi-millions then they also deserve to carry all the personal financial risk.
Re: (Score:2)
Removed unnecessary clause:
That and kick the CTO and CFO in the nuts, both those assholes deserve a good hard kick in the groin any time
Re: (Score:2)
That's really odd. Generally department leads always seek budget increases and fight tooth and nail against the slightest decrease as it lessens their power and influence in the company.
So why would any CTO want to cut ITs budget when it's something they actively manage?
Guess they just put the difference into their bonus.
Re: (Score:2)
Problem is that the cost/benefit ratio of spending enough money to do really good security doesn't work out. Managers see companies like Ashley Madison have the most horrendous security failures, resulting in their customers being blackmailed or getting divorced, and yet somehow they come out of it just fine and even claim to have gained additional users.
Re: (Score:2)
The problem with a "just spend more money" argument is that for a business, information security is just risk management. If it costs the business more for security than it does to deal with a breach, it doesn't make sense to have the security.
Part of the problem is that breaches that leak customer information can screw over customers (or whoever they're storing data about) a lot more than the business, so the cost of the breach is externalized to some extent. Maybe we need legislation that straight up requ
Re: (Score:2)
Simple Solutions (Score:1)
Stop using Windows.
Stop using unqualified, cheap foreign labor.
Make penalties for data loss attributed to hacking massive, and direct them at the board of directors, CEO, CFO, and CTO of any company.
Make geoblocking simple and easy to apply.
Enforce open source software standards to prevent the insertion of backdoors.
Enforce encryption, banning unencrypted website traffic (http).
Update by default.
Well for starters they can stop (Score:2)
Does your business even NEED to be digital? (Score:4, Informative)
That's the first thing you should probably consider. Is the cost of physical paperwork and security less than the cost of implementing proper cybersecurity?
I see so many businesses trying to go digital when it's horribly obvious that they have no business doing so nor would their business actually benefit from such a thing.
One way to fix this (Score:2)
If your company wants US customers invest in US staff that are cleared to work in the USA.
Cover contractors too and ensure most of the security staff have a full, legal background in the USA.
That would fund US tech education, make US education responsive to the needs of US tech firms and create jobs in clearing staff background work.
Not a criminal? Loyal to the USA? Not on social media doing things that are not legal?
That would open a pat
Bollocks, this reactionary approach is simply wrong (Score:2)
Meaning abstraction makes security harder as there will be proportionally less people understanding the system compared to all p
Step One -- Stop Requiring Advanced Degrees (Score:5, Informative)
Quoth the article:
Anyone who is any good at cyber security didn't learn it in school. Most of what they know they learned on their own. The IT field lends itself to an apprenticeship model more than most other modern professions.
Stop requiring degrees, as they aren't relevant to the actual work. I'd much prefer candidates with an AA and skills in communication, critical thinking, probability, and logic along with some certifications and core understandings:
CCNA Routing & Switching to show you have at least a basic grasp of networking fundamentals.
Something from SANS (GIAC) gets my attention. A CISSP will help get you an interview.
Develop some skills in a Linux shell, with command-line tools. I need to know you know more than "I click the 2nd option in the 3rd menu".
Understand the basics of required policies -- PCI, HIPAA, NIST 800-53, NYDFS, CJIS. Know what they are and where they apply. You don't have to memorize them, as that stuff can always be looked up.
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
For companies, they also need to accommodate more telework, flexible work schedules, and better pay. I'm sorry, but an InfoSec specialist with 5 years experience should be making about TWICE as much as a Project Manager or HR Specialist with 5 years experience. Starting pay for InfoSec should be at least 25% higher than most other professions -- simply based on supply and demand.
Re: (Score:3, Informative)
I'd really like to see some sort of certification that focuses on basic skills in Wireshark, Nessus, NMAP, and a solid understanding in DNS.
This is the CEH (https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/) and OSCP (https://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/)
CISSP is a pile of shit. It's a management certificate, nothing else. A monkey can pass that test and, judging by the CISSPs I know, frequently does.
Re: (Score:2)
CISSP is effectively a PMP cert for infosec. ISC2 has done an excellent job MARKETING it as the end-all/be-all, to the point where I see HR types going "What's a GIAC ? Don't you have a CISSP ?
As Sister Mary Elizabeth repeatedly told us at Holy Guardian Angels Elementary. . . . it makes Baby Jesus cry. . .
Re: (Score:2)
Re:Step One -- Stop Requiring Advanced Degrees (Score:4, Insightful)
Experience with any vulnerability scanner, really. Nessus, Qualys, Rapid 7, OpenVAS, whatever. The key is to learn how to interpret the reports, dig down into the results, and figure out what is really a problem and how to fix it.
I'm happy to teach junior people, but if someone is claiming to be an experienced analyst or senior InfoSec specialist and just hands me a canned Nessus report, I'm going to be looking to replace you. I can schedule the default reports; I'm not willing to pay a premium for that.
While zero-day vulns and movie-plot hacks get all the attention and press coverage, the simple truth is that the vast majority of compromises happen due to improperly patched and misconfigured systems.
If you can weed through a few hundred pages of scanner output to tell me which systems are missing what patches as opposed to patched but needing a registry update or config change, that is valuable. Which are false positives and why? How can we prioritize what limited resources we have to get the most impact?
Attention to detail and critical thinking I'll pay a premium for and vulnerability scanner output is a great place to demonstrate that. But keep handing me canned reports and I'll replace you with a script.
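The triage the comment above asks for, as an added example that is not the commenter's code: it takes a constructed, vendor-neutral CSV export (hypothetical plugin IDs and hosts, not any real scanner's format), drops rows the scanner reported twice, splits findings into "missing patch" versus "config change" from the remediation text, sets aside findings on an accepted-risk register with the reason recorded, and orders what is left by CVSS weighted by an assumed exposure map. Everything the scanner does not know (exposure, backported-fix hosts) is supplied by the analyst in the two registers at the top.

```python
import csv
import io
from collections import defaultdict

# Constructed scanner export. Plugin IDs, hosts and banners are made up for the demo.
SAMPLE_CSV = """host,plugin_id,name,cvss,solution,plugin_output
10.0.1.5,900001,SMBv1 protocol enabled,7.5,Disable SMBv1 via the LanmanServer registry key or Set-SmbServerConfiguration,SMBv1 negotiated on port 445
10.0.1.5,900002,Missing cumulative security update,9.8,Apply the vendor security update,Installed build is behind the current cumulative update
10.0.1.5,900002,Missing cumulative security update,9.8,Apply the vendor security update,Installed build is behind the current cumulative update
10.0.2.7,900003,OpenSSH version outdated (banner check),7.5,Upgrade OpenSSH to the current release,Remote banner: SSH-2.0-OpenSSH_7.4
10.0.2.7,900004,TLS server allows weak cipher suites,5.3,Reconfigure the TLS service to disable weak ciphers,Accepted: TLS_RSA_WITH_3DES_EDE_CBC_SHA
10.0.3.9,900005,HTTP TRACE method enabled,4.3,Disable the TRACE method in the web server configuration,TRACE responded with 200
10.0.3.9,900003,OpenSSH version outdated (banner check),7.5,Upgrade OpenSSH to the current release,Remote banner: SSH-2.0-OpenSSH_7.4
10.0.1.5,900006,ICMP timestamp response,0.0,Filter ICMP timestamp requests at the firewall,Timestamp reply received
"""

# Analyst-supplied context (assumption): internet-facing hosts weigh 3, everything else 1.
EXPOSURE = {"10.0.3.9": 3}

# Analyst-supplied accepted-risk register (assumption): (plugin_id, host) -> documented reason.
# Banner-based version checks are the classic false positive on distros that backport fixes.
ACCEPTED = {
    (900003, "10.0.2.7"): "distro backports security fixes; banner version does not reflect patch level (verified in package changelog)",
}

PATCH_WORDS = ("apply", "upgrade", "update", "install")
CONFIG_WORDS = ("disable", "reconfigure", "registry", "configur", "filter")


def parse_findings(text):
    """Read the CSV export into dicts with numeric plugin_id and cvss."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({**r, "plugin_id": int(r["plugin_id"]), "cvss": float(r["cvss"])})
    return rows


def classify(finding):
    """Missing patch, config change, or informational, judged from the remediation text."""
    if finding["cvss"] == 0.0:
        return "info"
    sol = finding["solution"].lower()
    if any(w in sol for w in PATCH_WORDS):
        return "patch"
    if any(w in sol for w in CONFIG_WORDS):
        return "config"
    return "other"


def triage(findings):
    seen = set()
    result = {
        "patch": defaultdict(list), "config": defaultdict(list), "other": defaultdict(list),
        "accepted": [], "info": 0, "queue": [],
    }
    for f in findings:
        key = (f["host"], f["plugin_id"])
        if key in seen:
            continue  # same plugin on the same host from overlapping scans: one finding, not two
        seen.add(key)
        reason = ACCEPTED.get((f["plugin_id"], f["host"]))
        if reason:
            result["accepted"].append((f["host"], f["name"], reason))
            continue
        kind = classify(f)
        if kind == "info":
            result["info"] += 1
            continue
        result[kind][f["host"]].append(f["name"])
        # Priority = severity times how reachable the host is; rounded to avoid float noise.
        score = round(f["cvss"] * EXPOSURE.get(f["host"], 1), 1)
        result["queue"].append((score, f["host"], f["name"], kind))
    result["queue"].sort(key=lambda q: q[0], reverse=True)
    for k in ("patch", "config", "other"):
        result[k] = dict(result[k])
    return result


if __name__ == "__main__":
    r = triage(parse_findings(SAMPLE_CSV))
    for score, host, name, kind in r["queue"]:
        print(f"{score:5.1f}  {host:10}  [{kind}]  {name}")
    for host, name, reason in r["accepted"]:
        print(f"accepted  {host}  {name}: {reason}")
```

The ordering is the point: the same OpenSSH banner finding is a documented false positive on the internal host and the top item on the DMZ host, and a low-CVSS TRACE finding on the exposed box outranks a 9.8 on an internal one. None of that is visible in the raw report.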
What city are you in? (Score:2)
Perhaps we should talk. I've been working in and around security for 20 years. Currently I develop a scanner which competes with Nessus and Rapid 7. We run comparison scans comparing our product to those two weekly. Where are you located?
Re: (Score:2)
Washington, DC
charlesDOTeDOThillATgmail.com
Re: (Score:2)
I'm usually also a proponent for not requiring college degrees for IT, but infosec is one area where I think there's an argument for one. A good education in computer science will help understand some of the low-level details of how hardware and software work, which in many cases is where vulnerabilities live.
Not everyone in the IT/security dept. needs that, of course, but for once, it's not entirely without value.
Re: (Score:2)
post-secondary schools what about tech schools?? (Score:2)
post-secondary schools what about tech schools??
No, the HR people just pass them over, but if you went to the theory-loaded schools you get passed in, and then the hiring people say they don't know anything, and then HR starts the H1B want ads.
The solution is simple (Score:3)
2) Seriously consider remote workers.
3) Hire more than one person.
4) Consider people who are outside the "security" realm. A lot of sysadmins have to do security by default and know just as much about it as a person with the cert.
Here we go again... visas (Score:2)
here we go again..
Step 1 - Exclaim shortage of some IT skill in the media (and of course don't raise compensation to the market clearing rate or train anyone)
Step 2 - Send to same media various disaster stories and threats to civilization due to said 'shortage'
Step 3 - Lobby congress for Visas from some third world country (probably India, but could be elsewhere)
Step 4 - Get rid of all your Americans currently in the roles (hey, they were useless anyways!) and replace with cheaper said visa workers
Step 5 -
It's about avoiding risks (Score:2)
Just create evidence-based awareness. Make sure that users understand the risk that's involved in using Office files or using Adobe software. Those 2 points alone would help a great deal.
Hire me! (Score:2)
And don't be so cheap.
Before a white hat, you have to be a grey hat (Score:3)
Before a white hat, you have to be a grey hat.
However this is all highly illegal these days.
And yes, I admit to having broken into some U.S. Air Force computers just to look around, back before there were "criminal trespass" laws, and it became illegal as hell to "go in and look".
Perhaps you'd have more security experts available if they'd already learned to think like a grey hat by doing.
You really have to think somewhat sideways or slantwise in order to know how to look for security holes, so that you can then plug them. Because most holes are in the gaps between what systems are intended to do, and what you can actually make them do instead.
Re: (Score:2)
Before a white hat, you have to be a grey hat.
However this is all highly illegal these days.
That used to be the case, but nowadays there are many resources for sharpening people's hacking skills without violating the law. Exploit Exercises [exploit-exercises.com] has several ISOs with examples of misconfigurations, buffer overflows and format string vulnerabilities for Linux. Metasploitable 2 [sourceforge.net] and Metasploitable 3 [rapid7.com] have multiple web and system vulnerabilities for Linux and Windows respectively. And VulnHub [vulnhub.com] has hundreds more vulnerable-by-design systems for people to practice with.
While not as instructional as a whole s
Re: (Score:2)
Yes. Prior to 1984.
Did you know Minuteman Missile launch control computers were basically IBM 360's with an additional "fine countdown mode" instruction?
Hard to hack a typewriter (Score:1)
Re: (Score:1)
I once hacked a web-accessible thermostat control for a large popular restaurant 3,000 miles away. I was able to control it all. It had the default username and password.
Instead of being a total asshat and setting the heat and AC to cycle at opposite ends of the clock to make a rollercoaster of climate control that also ran up their heat/AC costs... I tracked down the owner and informed him of the situation. He said thanks and that was it.
2 years later... that thermostat is still wide open to the web (if
Nobody wants the job (Score:3)
A security professional is the person who has to argue with management that the cheapest hardware and software are insecure, then has to somehow make them secure after management ignores everything they said, then gets the blame when the company's systems get hacked.
Basically, they're hired on as the red headed stepchild, then ushered out as the scapegoat.
Why the fuck would anyone in their right mind want that as their career?
It's not "there aren't enough people" (Score:2)
The fundamental problem facing the skills gap, however, is that there aren't enough people coming into the field to begin with.
The fundamental problem with business computer security is that businesses (and their executives) don't really value security. First, they won't pay for it. If you ask them to buy any security products, they want to buy the cheapest one. If you ask them to pay for a security product that isn't 100% necessary, they'll say no. If you ask them to hire a security expert, they'll complain about that expert's salary. If you present them with a security audit that includes a lot of problems, they won't fund t
Cyber Command Alums (Score:2)
It is pretty simple (Score:2)
Start holding upper management and their bonuses accountable.
Otherwise it is going to take regulatory action to force companies to maintain a minimum level of security.
People just don't care until disaster hits.
There is a simple solution (Score:2)
Use the following list (Score:2)
2) Hire qualified IT personnel
3) Fire anyone in IT who doesn't have security focus
4) Fire any developers, who focus in security development and who don't have security focus
5) Make sure your CTO is an expert and qualified
6) Allow training for all in house IT and development staff
7) Pay your staff properly so they want to do a proper job
8) Don't allow BYOD, IT controls the devices, not the end user
9) Lock down your infrastructure and design it properly for security
Simple, Pay Them What They're Worth (Score:2)
Money and interest (Score:2)
Management. They're not willing to pay for someone(s), they don't want to listen to the answers, and then they complain about the cost.
When something happens, instead of putting what was tailored for them in place, they go so overboard that it interferes with the employees' ability to do work.
And then they point to that, and say they can't afford that, again.
Re: (Score:2)
Re: (Score:2)
That's just a left handed way of asking that all candidates be good bullshitters. I just consider: I do have more than five years experience claiming experience that I don't have, decades, if you get down to it.
5 years at something six months old...translated...tell me 'sweet little lies', but no big ones (stern voice).
It's one of the more honest things employers put in job ads. It's one of the most basic things you can just have or not (effective bullshitting). It would suck to find it was a job requi
Re: (Score:2)
That's just a left handed way of asking that all candidates be good bullshitters.
It's a right handed way for technology companies to claim to the government that they can't find qualified Americans to hire and need to hire foreign workers instead. Never mind that foreign workers are any more qualified than American workers.
Re: (Score:2)
Could be, if part of a long, very specific purple unicorn type list. Those jobs are easy to recognize.
If part of a more normal required skills list, it translates as: 'Provide bullshit as needed. No dogooders.' Believe me, I know how to spot those jobs...
Re: (Score:2)
"That's just a left handed way of asking that all candidates be good bullshitters."
Which is exactly the kind of people required for "cybersecurity" anyway.
There are only two kinds of "cybersecurity":
1) Passive, after the fact, which you will find on Microsoft shops. this kind of "security" is based on buying and more or less implementing the "securi-crap" programs and appliances from the vendor with the highest marketing budget. For that you don't need "cybersecurity experts"; any windows monkey with a bit o
Re: (Score:2)
Even in the best of setups, you need someone to monitor the intrusion detection and test patches and updates. Effective 'ground up security' requires extra granularity of permissions. This has a cost as well, even done efficiently.
And it's all worthless if someone lets a stranger tailgate past a card reader and that stranger finds a logged in machine he can plug a rubber ducky into. So add in the cost of real physical security. Don't forget that background checking the janitorial staff isn't free.
Re: (Score:2)
"Even in the best of setups, you need someone to monitor the intrusion detection"
What requires that the ones monitoring (or getting alerts) to be different people than the ones getting the operating envelope ones?
"test patches and updates"
That's what QA is for (if even QA is required instead of being part of a developer's or system administrator duty: you coded/designed/deployed it? You make sure it fits the requirements).
"Effective 'ground up security' requires extra granularity of permissions."
Which is pa
Re: (Score:2)
Good luck with that. Yikes.
No security staff, test your own damn code, 'architects' and project managers do security, admins 'validate' everything they deploy.
Who runs backups? The receptionist?
Re: (Score:2)
"Who runs backups? The receptionist?"
The backups are never the problem.
Testing them is.
And, of course, nobody runs the backups: they are automated. The results are tested by junior staff and validated by senior sysadmins.
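The point made above, that backups only count once a restore has been tested, as an added example (not the commenter's code): it takes a manifest of SHA-256 digests at backup time, restores the archive into a scratch directory, and compares file by file, so a truncated or corrupted archive, a missing file, or an unexpected extra file all fail the check. The source tree and the archive are constructed inside a temporary directory; `tarfile` and `hashlib` are standard library.

```python
import hashlib
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Relative path -> SHA-256 for every regular file under root."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src, archive_path):
    """Write a tar.gz of src and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest(src)


def verify_restore(archive_path, expected):
    """Restore into a scratch directory and diff against the backup-time manifest.

    Returns (ok, problems). A backup that cannot be restored, or restores to
    different content, is not a backup.
    """
    problems = []
    with tempfile.TemporaryDirectory() as dest:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                try:
                    tar.extractall(dest, filter="data")  # refuses path traversal members (3.12+, backported)
                except TypeError:
                    tar.extractall(dest)                 # older Python without the filter argument
        except (tarfile.TarError, OSError, EOFError) as e:
            return False, [f"restore failed: {type(e).__name__}: {e}"]
        got = manifest(dest)
    for rel, digest in expected.items():
        if rel not in got:
            problems.append(f"missing after restore: {rel}")
        elif got[rel] != digest:
            problems.append(f"content mismatch: {rel}")
    for rel in got:
        if rel not in expected:
            problems.append(f"unexpected file restored: {rel}")
    return not problems, problems


def demo():
    """Constructed run: a good archive passes, the same archive truncated fails."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "data")
        (src / "db").mkdir(parents=True)
        (src / "config.yml").write_bytes(os.urandom(4096))   # incompressible, so truncation bites
        (src / "db" / "users.sqlite").write_bytes(os.urandom(8192))
        archive = pathlib.Path(work, "nightly.tar.gz")
        expected = make_backup(src, archive)
        good_ok, _ = verify_restore(archive, expected)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])          # simulate a cut-short transfer
        bad_ok, bad_problems = verify_restore(archive, expected)
        return good_ok, bad_ok, bad_problems


if __name__ == "__main__":
    good, bad, why = demo()
    print("intact archive restores cleanly:", good)
    print("truncated archive restores cleanly:", bad, why)
```

Run this against the real nightly archive on a schedule and page on a failure, and the "results are tested by junior staff" step in the comment becomes a script that cannot get bored.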
Re: (Score:2)
Get out while you can. The closer you're to the CISO chair, the sooner.
Such companies will sink. Get off the fire ship while you can.
Re: (Score:3)
If you want 5 years' experience in a field that has existed for 6 months, I know that I do not want to work for you, since you don't even know what you want. How should you know what you can reasonably expect?
This is security, baby, not Webdesign. I can actually choose who I want to work for, I needn't take a job with a company that I KNOW is shit.
Re: (Score:2)
If you don't need to bullshit, don't. But someone genuinely unqualified can make a jump, if they can backfill the bullshit once on the job fast enough.
In other words, if you have six months and they're asking for five years, don't. But if you have zero? Go for it...
Re: (Score:2)
One could say if you have zero experience and claim 5 years, and do it with a company that requires those 5 years when the technology has been out 6 months, you sure deserve each other.
Re: (Score:2)
Exactly my point. The trick is to move on once you've got actual solid experience, as the place surely sucks. Also assumes you've got the basic understanding to backfill the practicals quick enough. I pulled this off a couple of times when I was younger.
I have 30 years professional experience 'figuring shit out' by now...not much scares me...it can't be worse than Netmare 2 was. Also: I've seen what the average 'seasoned, certified pro' produces.
Re: (Score:2)
I always wondered if the "seasoned" in some resumes had anything to do with culinary preparation. Because it very often has nothing to do with experience.
Re: (Score:2)
'Certified' is too obvious to riff on.
Re: (Score:3)
As such, you want the best possible service for the lowest possible cost.
I once worked at a Fortune 500 company that insisted that the help desk provider "double the performance for half the cost" as the primary metric. Last I heard they went through six help desk providers, downsized from 30 people to a half-dozen, and still haven't met that metric..
Re: (Score:2)
Any type of infrastructure management is NEVER a cost center. It can easily be charged back to the user(s) of the infrastructure as a cost of doing business. So if a company always looks at IT management as a cost center, then they are doing their books wrong, as they can easily charge back the cost to the users of the infrastructure.
Re: (Score:2)
I've seen them capitalize IT. Called the entire expense system R&D. For about a decade, then sold the place, the worthless 'steaming pile' of software and the loan, to an even bigger group of vultures.
I think I personally lasted about two years... undeleting files off the state regulator's scratch floppy disk when asked to print a file... good times. Never found anything I could trade on, just more sleaze, and the real dirt on 'the partners'.
Re: (Score:3)
That will be their made-in-the-USA public face if they ever have to face Congress for hours of questions.
Any questions will be taken back to their team.
Multinational brands do that a lot. Just enough expert staff in the USA to comply and win contracts.
They don't need or want low or mid level US staff if most of the work can be
Re: (Score:2)
Many companies are advertising for senior positions, which of course is beyond the experience level of someone breaking into the field. It's very difficult to slant an application to these requirements.
If it's not a pretty large company or a specialized security firm, they don't know what skill set they're looking for so they go way overboard on the listed qualifications.
It seems that all of the senior people would already have jobs.
Yep, and why would they want to work somewhere as the token security person anyway, when they could be somewhere with a budget and people who listen to their recommendations?
My personal feeling is that companies should train their own people but--let's be honest--they wouldn't pay them what they're worth at that point anyway.
Re: (Score:2)
So someone who has been in s/w and specification development for many years would have a hard time accepting this kind of salary.
It sounds like this comes from personal experience. If you have some years in IT in general you could leverage that into getting your CISSP. ISC2 requires 5 years' experience in two of the eight domains [isc2.org]. Since it sounds like you were a developer before, you can claim experience in software development security, and another likely domain would be Identity and asset management if your applications had login requirements.
From there go sit for the CISSP (after a bit of self study if needed). Then if you pass
Re: (Score:3)
"We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us."
Taking advantage of you!!!???
You mean they used your systems to find a new employer and hacked their systems so they got more than they deserved?
Why didn't you sue them to hell!!!???
Or was it that, as you were paying quite a bit below market rates, your trainees didn't have any problem finding someone else paying better than you?
Re: (Score:2)
This attitude is why companies no longer train people. Paying people a large salary for months while they're not productive, then having them backstab you, is why companies stop training people.
Well there are really only two problems when it comes to training:
1) You train your people and they leave.
2) You don't train your people and they stay.
Number one is much better. Much better.
Re: (Score:3)
"This attitude is why companies no longer train people."
No. Companies no longer train people because they are myopic beyond salvation.
"Paying people a large salary for months while they're not productive then having them backstab you is why companies stop training people."
No. It is paying peanuts while training them and then pretending to continue paying peanuts once they are trained that is why they flee.
You can:
1) Pay them peanuts while on training and automatically raise their wages to current market value once
Re: (Score:2)
We've thought about training, but the three guys we did hire and train all left for higher paying jobs immediately after taking advantage of us.
The moral is that it doesn't matter if you trained them or not; pay them what they are worth. The companies they went to seem to have solved their staffing problems.
Re: (Score:1)
You know, if you can't find anyone, and people you train leave for other employers, you might need a more attractive package for those positions, and it sounds as though you are not practicing basic logic.