
America Tries to Fill 600,000 Vacant Cybersecurity Positions (axios.com) 75

Concerned about America's cybersecurity preparedness, the White House "is accelerating efforts to fill nearly 600,000 vacant cybersecurity positions in the public and private sectors bogging down efforts to protect digital infrastructure," reports Axios: Following a deluge of ransomware attacks targeting critical government and corporate infrastructure this year, clogs in the talent pipeline are leaving federal, cash-strapped local governments and Big Business even more susceptible to hacking. The issue has emerged repeatedly in Senate and House hearings but received little public attention until recently...

Microsoft...has pitched in by providing free cybersecurity curriculum to every public community college. A nonprofit, Public Infrastructure Security Cyber Education Systems, provides university students hands-on experience: monitoring real-time data on local government networks...

A job-tracking database funded by the Commerce Department shows there are nearly 600,000 U.S. cyber job openings nationwide.

The Department of Homeland Security recently launched a federal recruiting tool aimed at courting young, diverse talent. DHS currently has about 1,500 cybersecurity-related vacancies, affecting the agency's efforts to protect the homeland. A Senate audit found key agencies across the federal government continue to fail to meet basic cybersecurity standards, with eight of them earning a C- in the report.

Historically, local and federal government entities have struggled to compete with private sector companies, where bidding wars for talent are commonplace.

  • Maybe they should be looking in Russia or China?
    • If they would really pay 600.000 people in those places a living wage, and get them to do something useful (yeah, not working on cyber security), perhaps the attacks would go down...
      • Re:Look abroad (Score:5, Insightful)

        by postbigbang ( 761081 ) on Monday December 06, 2021 @09:15AM (#62051759)

        It's true. No one wants to spend money because the finance dept knows that such things are a burden on sales.

        So, there's lip service, lots of great marketing about work conditions, and the pay and working conditions suck. Employees will drag their feet about doing the right thing, will continue to open phishing emails and click on any old link.

        Execs will continue to take the corporate jets wherever, click on any old link, thinking themselves immune.

        And who will get the blame for the sloth, the under-funding, and the insanity? The underpaid overworked and super-stressed security personnel.

        • I work in cybersecurity, and I don't find it particularly stressful. And it pays rather well. In fact, I like doing this much more than the IT work I did before. Actual people work in this field rather than the ego driven demonspawn you typically find in IT. Plus there's a much more broad set of backgrounds that work in it rather than just people with computing backgrounds. For example, we'll have lawyers collaborating with engineers to revise security policies. Or we might have people with a marketing back

          • You're one of the lucky ones, and prove that it can be sane. The orgs that I work with seem far more crazed than the one you work for. Congratulations!

  • by bradley13 ( 1118935 ) on Monday December 06, 2021 @07:49AM (#62051587) Homepage

    First, that represents around 0.5% of the entire US workforce. For a specialized technical job? Alternatively: that is around 50% of the number of people working in software development. That's not even remotely realistic - that's a number pulled out of...a dark hole.

    "it's necessary to consider those who have the right technical skills and attitude but may lack a traditional educational background, or years of formal experience in the industry".

    So, if they have neither the education nor the experience, where are they supposed to have gained the skills?

    Women hold only 20% of all cybersecurity jobs

    Of course, we have to get this statistic. Poor women. They only make up 60% of college students, more than half of the medical students, more than half of the law students, etc...

    Can we stop worrying about people's plumbing, now?

    • Re: (Score:2, Insightful)

      Comment removed based on user account deletion
      • by eepok ( 545733 )

        CRT? Like EVERYONE is using flat panel monitors today. Why would CRT matter?

        • ... flat panel monitors ...

          They're all black. You didn't notice the lack of difference, which is entirely the point of Critical Race Theory. It's an idea, a very obvious idea, that's been around for a few decades but has been given a new name and a lot of misinformation.

    • by AmiMoJo ( 196126 )

      First, that represents around 0.5% of the entire US workforce. For a specialized technical job?

      There are a lot of IT people out there because most modern businesses rely heavily on it. Having said that, some of those vacancies will be part time so 2 or 3 of them could be filled by one person.

      There is some technical stuff to master, but a lot of this job is just telling people what they don't want to hear and convincing them of the need to spend money or degrade services and tools in the name of security.

      So, if they have neither the education nor the experience, where are they supposed to have gained the skills?

      Given that it's cybersecurity, they mean hackers and former black hats.

      Can we stop worrying about people's plumbing, now?

      It's not the plumbing, it's

      • by DarkOx ( 621550 ) on Monday December 06, 2021 @09:08AM (#62051745) Journal

        There is some technical stuff to master, but a lot of this job is just telling people what they don't want to hear and convincing them of the need to spend money or degrade services and tools in the name of security.

        Speaking as someone who has a job doing mostly exactly that - let me just say emphatically: nope nope wrong, completely wrong and demonstrably proven so over the last decade!

        This was an important first step to take when most organizations had no security expertise. We are past that everywhere but the smallest shops now. Doing more of this really won't change a thing. You really think there was nobody at the 'Colonial Pipeline' that was unaware what a security shit show it was? I'd bet heavily there was someone tasked with IT security, who absolutely did know about at least the top line deficiencies but was unable to get anyone to listen. Now maybe that was because they were not effective at communicating or making the business case, or, more likely, it was a combination of prevailing culture and rules, both internal and external, around culpability and liability that meant nobody would listen.

        Nope, until some negligent liability standards are introduced, and people get past the culture of 'hey, wouldn't it be cool if ... automatically' and 'how can we reduce friction', nothing changes. Fundamentally it's all at odds with security. We are not mostly fighting buffer overflows these days. Most of the big disasters are the result of lateral movements and bad assumptions about authorization and authentication state. The Feds have the 'we need a top down change' part right, but they are the worst offenders themselves, because the very same twits think gee, wouldn't it be great if someone could check your driver's license and access your medical records at the same time; that way they'd know you've had your 18th covid jab before they let you in the door; then act like they are all blameless when there is a massive medical record disclosure because something happened at the Iowa DMV.

        The fact is more security awareness training for devs and architects isn't really going to do much at this point either. The missing piece is figuring out how to make it more important to them to think about security than to try out the syntax sugar feature of the week or this year's exciting new one-size-fits-all 'pattern'. While we still do need to get some legacy stuff out of the way and replaced with things built with some security in mind, we also need to admit we have too much churn at this point and it would be better to really map out the common pitfalls with the tools we are using now before jumping to the next set of unknowns. This is again a culture thing, not a "we don't have enough infosec people" problem.

        So, if they have neither the education nor the experience, where are they supposed to have gained the skills?

        Given that it's cybersecurity, they mean hackers and former black hats.

        Yes, that is what they mean, and it's profoundly ignorant too. There is no doubt a small group of these people who can add some real value. The vast majority of them are blackhats and "hackers", or were, because they are profoundly anti-social and can't function well on any project where they have to work with others. The two major things missing from InfoSec are "soft skills" and "integrity"; a bunch of ex CDC guys are precisely the wrong pool to tap. There is another thing outsiders don't understand about the "InfoSec community": it's all about peacock displays and grandstanding and name recognition and name dropping - probably worse than finance. Most of the biggest names are people who developed an almost unhealthy fixation on one specific thing that was impactful and ride the wave of that thereafter. They are one-trick ponies; they have a deep understanding of Kerberos replay attacks or something but can otherwise barely set the time on their watch.

        It's not the plumbing, it's things like toxi

        • by AmiMoJo ( 196126 )

          You are basically saying men are more able to cope with hostile relations than women.

          No, I'm saying that women face some unique problems that men don't. Like the aforementioned time off for children thing.

        • > You really think there was nobody at the 'Colonial Pipeline' that was unaware what a security shit show it was?

          Colonial Pipeline was shut down by order of management. The only damage caused by external actors was to the company's Entertainment Systems. The management should be held personally liable for the damage they caused -- or better yet they should be hanged by the neck until dead on Public Television ...

        Yes, that is what they mean, and it's profoundly ignorant too. There is no doubt a small group of these people who can add some real value. The vast majority of them are blackhats and "hackers", or were, because they are profoundly anti-social and can't function well on any project where they have to work with others. The two major things missing from InfoSec are "soft skills" and "integrity"; a bunch of ex CDC guys are precisely the wrong pool to tap. There is another thing outsiders don't understand about the "InfoSec community": it's all about peacock displays and grandstanding and name recognition and name dropping - probably worse than finance. Most of the biggest names are people who developed an almost unhealthy fixation on one specific thing that was impactful and ride the wave of that thereafter. They are one-trick ponies; they have a deep understanding of Kerberos replay attacks or something but can otherwise barely set the time on their watch.

          Don't know if I'd go with "profoundly ignorant." Profoundly ignorant would be hiring script kiddies off Discord or 6-Week Cybersecurity Boot Camp graduates.

          Proper hackers, of the "blackhat" variety or otherwise, often become such because they desire a deep understanding of how things work, which includes understanding how to break things. There's a rather small subset of the population that possesses the innate skill of thinking sensibly about security and the desire to "Own" things, to take full control

        • It's not the plumbing, it's things like toxic culture

          Perhaps, but if you accept that view there is a sexist implication there as well. You are basically saying men are more able to cope with hostile relations than women.

          Look out everyone, if toxic culture exists, WE'RE sexist for pointing it out.

          I'm totally gender blind, so I take my interviewees out to lunch at Hooters because the wings are great (this is a true story, a VP of Infosec did this, go find it on Glassdoor), and if a woman doesn't like that, SHE is sexist, all of you are sexist, definitely not me, I love beautiful women. My team loves women so much we usually go out to strip clubs for lunch on Fridays. If you don't want to work here YOU'RE sexist!

          I can hear you

        • Bravo, go to the front of the line. I've been cyber for 15+ years. Here is the other hurdle we need to get over: management's fixation with buying a tool that a vendor sold to them that will make them "secure".

          Guess what doesn't get budgeted for: O&M out year cost, training or hiring to run and maintain the tools, and the expertise and distraction of attempting to integrate the "tool" into the security stack and get the logging into a coherent fashion for the corporate SIEM to digest and make sense

      to have a baby etc. The USA needs better rights for workers; the EU has workplace protections for women who are pregnant.

    • And yes they would probably need about 3 to 6 months worth of training. Maybe a full year before their highly effective. But that's not what this is about. The demand for college degrees is so the companies can request cheap H-1B labor and flood the labor market to lower wages.

      In the '80s and '90s, when there was money to be made in computers and programming, there were hundreds of thousands if not millions of people trained up in a matter of months. I worked with several who are getting ready to retire now.
    • The 0.5% doesn’t seem off— 1:200 is about what I would expect. The idea of filling that many positions is a joke though if you are trying to find quality. Even 60k is a really difficult quantity to try to train and fill.

      It is surprising to me just how hard it is for most people to understand security. For the most part it is not [universally] trainable either, at least in my experience.

    • by edis ( 266347 )

      First, that represents around 0.5% of the entire US workforce. For a specialized technical job? Alternatively: that is around 50% of the number of people working in software development. That's not even remotely realistic - that's a number pulled out of...a dark hole.

      It's vacancies. Demand. Number can well depict state of demand.

  • by RightwingNutjob ( 1302813 ) on Monday December 06, 2021 @07:52AM (#62051601)

    Story from a friend:

    Build a security product. Try to sell product to government. Wait to jump through government cybersecurity hoops. Hire former military dude who knows how to jump through hoops. By the time the last hoop is cleared, the original bid is several years old and several versions behind what your top people are actually working on.

    Story from my own past:

    Set up an air-gapped set of linux boxes on the cheap and on the quick to get something done. Have it work fine for a few years. Get told from top down that system can't be airgapped anymore and needs to get plugged in to something with a cybersecurity requirement. Read requirement. See that it requires nothing newer than an old version of Redhat. Request waiver on grounds that porting code to old version of redhat would take too long and might not fully work given hardware driver requirements. Request denied. Watch IT monkeys blessed to do cybersecurity fail to make it work with redhat. Watch them call up redhat and get a consultant on site. Watch consultant sit and do crossword puzzles for 3 months while junior engineer tries to get port to work. Project stalls for 4 years. By then it's a newer version of redhat that's allowed.

  • by methano ( 519830 ) on Monday December 06, 2021 @07:54AM (#62051607)
    There's no way we need 600,000 cyber security people in the US. We need like 10 people to figure out how to do cybersecurity right. Then we just copy and paste.
    • It depends on how you approach it, but documentation of the system and processes is usually what makes it a full-time job. Data exfiltration protection is also a significant ongoing effort. Secure by design systems are one way to start, but that fell out of favor due to the complexity of maintaining it.

  • by The Evil Atheist ( 2484676 ) on Monday December 06, 2021 @07:54AM (#62051611)
    That's like Australia trying to overcome drought by building more dams.

    At some point, you're solving the wrong problem.
    • That's like Australia trying to overcome drought by building more dams.
      At some point, you're solving the wrong problem.

      It's amazing how often that happens though. Animal rescue is the relatively safe to talk about one that I always use as an example. Finding homes for millions of unwanted pets is a bandaid where the proper solution would be to prevent the creation of so many unwanted pets by fixing pets, etc... There are plenty of other more politically charged situations as well where we are trying to put bandaids on the solution instead of fixing the root problems that are causing the situation.

  • This sounds like 600,000 people to do patch management and monitor backups. Which might not be too far off from ideal on the Windows side.

    I can tell you, from consulting, most people want to check a box and hire a body they can assign to other duties, not security.

    People with critical trade secrets and other startups that can be crushed with one espionage event are the only ones who really care about security. And if you're good at security often you find that Internet attackers weren't the top risk. There

    • by AmiMoJo ( 196126 )

      600k vacancies does not mean you need 600k people. A lot of them will be temporary contract jobs, or part time. Someone to come in periodically and do an audit, maybe some pen testing.

      That's how it works for things like ISO9000. You get checked out every year to make sure you are doing it right, and that certification is required to get contracts with other companies. In this case it will likely become a requirement for business continuity insurance.

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Monday December 06, 2021 @08:05AM (#62051635)

    Everyone in the first world is expected to be able to read and write. To some degree. This came about roughly 100-200 years ago and today is widely regarded as a good thing if not taken for granted without any second thought.

    If you want security in non-trivial digital affairs - such as encryption, signing and real-world legally applicable auth/auth - you have to establish such procedures as a cultural technique, defined by universal standards - just like reading and writing. Along with the open standard defaults deemed by independent experts as "The way to do things" (TM). As long as that doesn't happen, no army of "Cybersecurity Experts", no matter the size, will solve the security issues that plague the ubiquitous IT in first-world society today.

    It's that simple.

    • I'm sorry I only learned to write and not read, so I have no idea what you're talking about.

      Similarly to how some "security" focused types only learned to "update and patch" ad infinitum without learning to figure out if it's worth the time and disruption to do so at the expense of allowing a bigger open hole to remain open.

    • I've often used the same analogy when it comes to code quality.

      When it comes to security, it would definitely help for companies to start treating it as a cultural issue and to do training on things like the CIA triangle (Confidentiality, Integrity & Availability, for those unfamiliar), especially when it comes to organizational security.

      But when it comes to product and systems security, I think one of the fundamental problems is that security is an implicit product requirement that is never deal with

    • It doesn't help that way, WAY too many people are just allowed to scream "I don't care, I just want it done NOW!" and they'll get it, allowing them to get around basic security steps.

      End users don't care about how it's done, and since the end user is a customer, and "tHe CuStOmEr Is AlWaYs RiGhT", it leads to this behaviour being acceptable and encouraged.

      Try telling users "no, you have to do it this way" and see how well that goes. More so when it's your higher ups at work.

      We have rules for banking, vehicl
  • by PopeRatzo ( 965947 ) on Monday December 06, 2021 @08:22AM (#62051657) Journal

    Are cybersecurity jobs good jobs? Are the people who work in them happy? I mean I don't know, but it seems to me that the set of skills required for cyber security is definitely portable to other careers.

    I have no idea, so I'm asking you, how does the pay/working conditions/quality of life compare? I was just reading some article about the conditions some game devs work under, and I can imagine a situation where people just start moving away from jobs in certain technology-related fields.

    • In some cases it's more of a PHB thing. Need to get the funds to upgrade, need to pay $550K+ to replace that factory floor hardware so we can get rid of that XP system running it.

    • Comment removed based on user account deletion
    • Check out my lengthy comment below - "I worked as a pentester and hated it".
    • Are cybersecurity jobs good jobs? Are the people who work in them happy?

      It's a fascinating subject as a researcher or possibly a consultant.

      It can be utterly horrifying as the sole IT security person in a company, responsible for everything but without the authority to fix the underlying problems.

      Most of those 600,000 positions will tend toward the horrifying end of the scale, I expect.

      I'm in the process of building out a software lab where we'll run test builds of all our applications under constant controlled attack from all directions.

      That's fun. Dealing with the real life

    • After you have qualified you'll be happy, but then you'll have to keep training and learning continuously. If the salary is worthwhile then fine but some people might think all the extra work to maintain their skillset is a hassle. If you want to stay at the bleeding edge then security becomes a way of life - you can't do it part-time, at least that's my perspective from observing forums
    • The answer to your question is pretty much impossible to give. There are so many different areas of cybersecurity and each has its own set of good and negative things. In many ways the company you work for is even more important. I've been in the field 25 years and here's a basic breakdown of my experience, oldest to current.

      IAM administrator @ Big Blue: Tedious work call it a mix of tier 1 help desk and jr. system administrator. On-call rotation about once a month with the number of calls varying. More c

  • Here's the answer... (Score:4, Interesting)

    by Bruce66423 ( 1678196 ) on Monday December 06, 2021 @08:23AM (#62051661)

    'aimed at courting young, diverse talent'

    rather than 'talent'.

    That was easy!

    • Unlike the US Armed forces, ever see a big company doing intake aptitude tests to train up what they need? They did that for COBOL and Assembler code - once. Now they just put up their hands and say we want experienced(list of buzzwords). Ever see many over 45year olds? no? No, workforce planning is not done. There was also that remote managed sysadmin software (the one that had fatal backdoors) showing they would like to ditch talent if they could. . And CIO's are treated like shit, and have their budgets
      • Actually cybersecurity tends to do exactly that. You can find plenty of job listings that only ask for something really basic, like a security+ cert, or in some cases even no cert at all, and unless it's a mid-tier position or higher, they won't require any actual cybersecurity experience.

      • Not really. Cybersecurity requires you to think outside of the box; therefore young people, whose intelligence is optimised for discovery and finding creative methods of penetration, perform best at cybersecurity jobs. Older people no longer have the right type of intelligence for these kinds of jobs to perform optimally.
        • by gweihir ( 88907 )

          Not really. Cybersecurity requires you to think outside of the box; therefore young people, whose intelligence is optimised for discovery and finding creative methods of penetration, perform best at cybersecurity jobs. Older people no longer have the right type of intelligence for these kinds of jobs to perform optimally.

          Bullshit. Penetration testing is a very, very small part of IT security and it is typically done according to some script. And no, IT security does not require you to "think outside the box". It does require you to actually understand the box and keep current on the characteristics and problems of the box and that is where most people already fail.

          • First off, some companies will not take people on their payroll, and insist on some external shell company, as direct payroll is investor and buyback friendly. You will also find some of the best are now rather old. Secondly, where I am, the security clearance costs a lot, and they baulk at that. Thirdly, Solarwinds is back in the news, and management does not want to migrate off it, and they would also say the 1990 Chrysler Imperial was a great car. Sticking to duds, and putting up with vendors who thin
            • by gweihir ( 88907 )

              First off, some companies will not take people on their payroll, and insist on some external shell company, as direct payroll is investor and buyback friendly. You will also find some of the best are now rather old. Secondly, where I am, the security clearance costs a lot, and they baulk at that. Thirdly, Solarwinds is back in the news, and management does not want to migrate off it, and they would also say the 1990 Chrysler Imperial was a great car. Sticking to duds, and putting up with vendors who think you are stuck. Big companies are pissed because smart insurance companies are no longer covering/paying the ransoms, quitting that policy line.

              Well, not seeing what that has to do with my statement, but yes. The basic problem is management. Whether it is management not hiring security people or management hiring cheap/incompetent security people. And management not letting security experts make security decisions. That Solarwinds is not bankrupt by now is, for example, an utter disgrace and a testimony to the utter and complete incompetence of management, because Solarwinds has conclusively proven they cannot do it. Having a bit of insight into th

    • by gweihir ( 88907 )

      'aimed at courting young, diverse talent'

      rather than 'talent'.

      That was easy!

      You know, sounds a bit like they are looking for people starring in porn. For IT security people they would have had to ask for "experienced, competent professionals", so they cannot really be looking for those.

  • The US govt spends incredible resources ensuring that their systems are compliant with mostly meaningless reqts rather than actually secure.
    They could hire far fewer people if they had the authority to concentrate on the right things.
    COE speaks from experience.

  • by jellomizer ( 103300 ) on Monday December 06, 2021 @09:00AM (#62051727)

    Most of the job requirements that are posted are very poorly explained or written. Often asking for skills that are nearly impossible to get, or wanting that one particular person (often the person who left the company because they felt undervalued). Or they have requirements that are outdated, or are so filled with buzzwords, that an experienced candidate wouldn't be able to keep up without some googling. I remember a decade ago, Full Stack Developer was a big thing. I saw this, and I was like, "Is there a programming language called Full Stack? I wonder how I missed it." Then after some searching it was, oh, just a developer who can create and maintain the software.

    If you want experienced talent, don't try to make your company seem like the hip and trendy company. If you want experienced developers, just be upfront on what the job is, what you are expected to do, how much you will pay and what the benefits are. After 25 years of professional experience, bean bag chairs and pinball machines do not appeal to me.

  • by TheCowSaysMoo ( 4915561 ) on Monday December 06, 2021 @09:13AM (#62051755)

    Checking the linked "job-tracking database" [cyberseek.org] for more info, it turns out they have a list of the "Top Cybersecurity Job Titles":
    1. Cybersecurity Analyst
    2. Cybersecurity Manager
    3. Cybersecurity Consultant
    4. Software Developer
    5. Systems Engineer
    6. Network Engineer
    7. Penetration & Vulnerability Tester
    8. Systems Administrator
    9. Cybersecurity Specialist

    So, let me fix that title for you: "America Tries to Fill 600,000 Vacant IT Positions." Of course, that doesn't quite have the right amount of fear-mongering, does it?

  • "a federal recruiting tool aimed at courting young, diverse talent"

    Sounds like they want young, cheap, ignorant.

    Definitely against aged well paid experienced people.

    Age discrimination? In federal government? Thought it was just in the public sector.

    • by gweihir ( 88907 )

      Sounds like they want young, cheap, ignorant.

      Indeed. And, because this is security, ineffective. If you actually have security problems, it is better to not hire anybody inexperienced and go for consulting instead. What these idiots are trying to do will just perpetuate the problem and probably make it worse.

  • by devslash0 ( 4203435 ) on Monday December 06, 2021 @09:42AM (#62051833)
    Don't get me wrong. It's a fascinating subject and I absolutely love research, pwning boxes, bounties, and do all of them regularly on my own time. I just can't imagine working 9-5 in the cybersecurity industry. Here's why:

    - Delays. The teams are always late and unprepared for pentests despite saying they are. You're always waiting for someone.
    - ...and then have to catch up with work on your own time to meet deadlines and expectations.
    - Too much dealing with people: scoping calls, chasing requirements and environments, follow-up calls and assisting in issue resolution. Sometimes these calls are going on for months.
    - You stop doing any creative work in the field. There's just no time for it on the job. You are just expected to fire all your guns at the target, report and move on.
    - ..which means that the job is highly repetitive. The guns are someone else's. Same tools and techniques 99% of the time, just different targets.
    - Tonnes of paperwork and reporting.
    - Teams are always defensive and reluctant to acknowledge and fix issues.
    - The job is too open ended. You never get any closure. You can't ship a feature, sit back, relax and marvel at your creation.
    - You have to commit a lot of personal time to study new threats which has a highly negative impact on your personal life.
    - You can't do your job remotely and live anywhere.
    - You lose a lot of time on commuting to client premises.
    - Due to all the above, terrible work-life balance. You never disconnect.
    - Finally, you don't feel like you belong anywhere. You move among different teams and meet a lot of people but you don't feel at home anywhere, don't develop any long-term work relationships.
    • The work model is busted. It's not you. You are just living in a failed state, that is living in a great big fantasy. It's this shitty environment in which we're stuck. Don't enable it. Stand fast!
  • by endus ( 698588 ) on Monday December 06, 2021 @10:08AM (#62051901)

    As usual with the glut of these articles we've been seeing lately, the government (and industry for that matter) gets it completely wrong. This reeks of "hire security people to go off and do security things so we can be secure". It doesn't work that way and it never has. If you want good cybersecurity you need...

    1.) Yes, *some* competent and experienced cybersecurity people.

    2.) For the rest of the entity to *listen* to the cybersecurity team and do what they say. Cybersecurity professionals still need to work on saying "yes, but..." instead of "no", but the rest of the business could also ask, "is there a secure way to meet these requirements which we have actually decided to write down for once" instead of just going off and doing it with shadow IT, requesting an exception, etc. Business can also stop insisting on hiring consultants in hopes that they will undermine what the security team, who are already paid millions of dollars every year, have been telling them for years. It's wasteful and the consultants just say the exact same thing the security team says anyway. There are frameworks which will inform and validate the approach to doing IT right and operating according to one of them is 100% nonnegotiable. Hire a consultant when your security team starts saying "what we're doing is pretty solid...but" not when they are still saying, "the network looks like it's run by infants and catastrophic ultimate doom is nigh".

    3.) Competent IT leadership. No more putting business guys in charge of the IT department because they make the numbers work and don't complain too loudly. You have to have leadership that is aware that we have things called "computers" now and that these "computers" need to be properly set up and maintained or they take the entire business down with them. No more tech debt. Period. The only discussion on patching which should occur is around prioritization based on criticality and ensuring that the SLAs for deploying patches are compatible with other business objectives given the resources available.

    4.) Money. All of these things run on money. There is still a mentality that computers are these things we need to put money into once in a while when they start complaining, but once we do that everything will be fine for a while. No. Using technology to run your business comes at a cost. That cost is ongoing and not as low as you'd like it to be. The information security team and the IT department need adequate and predictable funding. If this seems too yucky, then go back to running your business on paper.

    5.) Incentives. Your CIO's goals cannot all be "meet the numbers" and "develop technical solutions to support the changing business". You need to have metrics on security, and the metrics need to be part of people's bonus structure.

    • by gweihir ( 88907 )

      That is an excellent summary. Of course, the people that screwed this up and continue to screw it up will not read it.

  • Or rather plan for 10-20 years to do it. Otherwise you will get people that are worse than leaving the positions open.

    It was stupid to not hire these people in the past and now there is a price to pay for that. A high price.

  • ...federal recruiting tool aimed at courting young, diverse talent.

    Would that diverse talent include age diversity?

  • Seeing as how a great many breaches are reportedly due to phishing attacks and other forms of social engineering, or the exploitation of zero-day vulnerabilities, how would these half-million additional people solve the problem? The only sensible mitigations I am seeing are the ones that assume bad actors are already in your network, and that attempt to limit or prevent whatever damage they might do and restrict information they would get access to. There are numerous companies that make a business out of h
  • Most local government jobs exclude highly skilled, certified IT security applicants because they require a bachelor's degree just to sit for the exam. They exclude applicants with associate degrees, recent relevant certifications, and a decade of experience. Candidates who do meet their requirements would never work for the ridiculously low salaries they offer.
    • ... they require a bachelor's degree ...

      This year, most clerical vacancies required a certificate in administration. Originally, state/local government was the trainer for all office staff. The good personnel left for private employment and the idiots stayed and ran the government. That stopped in the 90s and now we have many competent governments (voters still choose incompetent ones, sometimes repeatedly). The down-side is it's difficult to get training: employees have to pay for it themselves. Combine that with too many people in the wor

  • Eliminate drug tests, rigid schedules, dress codes, endless meetings, open plan offices and all other bullshit rules that make work unpleasant

  • Fuck 'em. Cough up some economic and social contracts that enable us to prosper like a normal society should. I don't feel sorry for the US. They had plenty of opportunities to fairly pay its workforce. Instead they chose 20 years of fuckin useless unproductive war, and the atrocious enabling of a financially bloated and thieving and scheming financial industry that is simply a cancerous drain on the entire world economy. You made your shitty plans. Now stew in them like you made me and the rest of my progr
  • Turns out there just aren't enough smart people around to service all the legions of stupid people who have been added to the population over the past 20 or 30 years.

  • The concept of cyber security and its implementation is by and large, if not entirely, a fool's errand.

    Take, for example, common household security of the '80s. The common house has a pin-tumbler lock, which is almost trivial to pick open. The same can be said for the deadbolt in the door. Beyond that, there may be a safe in the house, of a certain difficulty to bypass; but, generally, in situations like these, it's the state of the surrounding community that ultimately determines whether one is to b
  • ... clogs in the talent pipeline ...

    'Capitalism provides' means ransomware criminals are better prepared than governments/corporations that de-prioritized cyber-security and fixated on 'ticking the boxes'. The result is a slow and weak defense against skilled attackers. With poor cyber-security being a non-issue for 20 years, there is a lot of insecure software for criminals to exploit and for corporations to rebuild/replace.

    Notice no-one is identifying the clogs, the lack of micro-economic forces, the cause of career 'illiquidity'. Ever

