Wanted: Skilled Workers To Combat the Rise in Cyber Crime (ft.com)

As a growing number of hackers target companies, organisations and industries with debilitating attacks, more skilled cyber security workers are urgently needed to combat the threat. From a report: ISC2, the world's largest association of cyber professionals, estimates that the cyber security workforce in 2022 stood at about 4.7mn people globally. But a further 3.4mn roles remain unfilled. "The gap is massive," says Clar Rosso, ISC2's chief executive. "This shortfall is felt more acutely in countries such as India where digitisation is rapid. But even in the US, only 69 per cent of cyber roles are filled, according to Cyberseek, a website that provides data about the cyber security job market."

Beyond a talent shortfall, existing workers are underskilled. A UK government report this year found that 50 per cent of UK businesses -- some 739,000 in total -- have a basic cyber skills gap, meaning that those in charge of cyber security lack the confidence to carry out the technical measures that protect against the most common digital attacks. Previously, it was thought that a company's IT team could take care of all cyber security concerns. But "over time, it became clear that this needed specialised attention," Rosso says, adding that, after some high-profile ransomware attacks over the past couple of years, "business executives are now paying attention."

  • It seems like a lot of hacks lately have been done by using buggy software to hack in.

  • by geekmux ( 1040042 ) on Monday September 04, 2023 @08:43PM (#63823730)

    When it comes to a planet's economy seemingly slowing day by day, removing more and more opportunities for morally-sound employment, the risk of cyber crime will be on the considerable rise. As we've already seen.

    Since a lot of cyber criminals attack from not-my-legal-jurisdiction, are companies looking to hire actual employees to fight against cyber crime, or are they looking to hire a scapegoat to take the fall when the inevitable happens?

    Interview wisely.

    • Look at the recent MoveIt! attacks. SQL injection. Somewhere I guess it was taking code posted to a website and executing it, in a database account with write permissions. If you can sell the data on the Internet, how much does bad code from a programmer cost? Things really have to be designed from the ground up with security in mind. Being responsible for security like it's some sort of saran wrap you can just cover a bad project with would be a horrible, doomed job.

      • Things really have to be designed from the ground up with security in mind.

        And yet all you have to do is look at the "security" within the IoT industry, to see exactly how that plays out in reality. Profits come before security. No matter what.

        Being responsible for security like it's some sort of saran wrap you can just cover a bad project with would be a horrible, doomed job.

        Yup. Exactly why I posed the question. Interview wisely.

        • by ArmoredDragon ( 3450605 ) on Monday September 04, 2023 @10:39PM (#63823906)

          And yet all you have to do is look at the "security" within the IoT industry, to see exactly how that plays out in reality. Profits come before security. No matter what.

          No, that's because the IoT industry is full of startups that are retarded, and the investors wonder why they never last. I've been doing cybersecurity for four years now, and I know how it generally plays out:

          - Some salesman makes a pitch to some derp within the company who doesn't know shit about security, possibly by spamming them after harvesting their email and job role on LinkedIn, which salesmen like to think of as their personal Amazon storefront with every user being a customer looking to be sold to.
          - Said derp talks up about how cool this "thing" is and how much they need it, so one of several things happens:
            - Buy it and just start plugging it into the network or other devices and just use it without telling anybody, and because there were no policies or measures in place to protect against shit like this, something bad happens
            - Same as above, but because the security team put both policies in place and technical measures (examples: USB whitelisting and dot1x) to prevent that, they ask the service desk for support, and (whether intentional by the service desk technician) it makes its way to us where we start asking questions, it gets blown wide open, and they possibly face reprimand
            - Same as above, only they happen to be a high level manager, where either you have a CSO or a security aware COO who shuts them down, or they're told to settle it with the legal department (where they'll often withdraw their request outright,) or they get some kind of special exception (companies like these are hopelessly doomed to eventually run into an incident, but there are far fewer of those these days as most have learned by now)
            - Because of good internal cybersecurity awareness campaigns, said derp knows better than to try using it first and will ask first, and often insist, but if after it's vetted and the security team tells them what's wrong with it, they demand the salesperson address the issues before a purchase is made, where often the salesperson will meet with us and we ask them and their own engineers questions, who often answer "I don't know" to everything we ask even though they supposedly designed the stupid thing, where it becomes obvious to the derp why we don't allow this shit and they look for another vendor with competent engineers.

          That last scenario only happens when you have a sufficiently competent cybersecurity team, which isn't only made up of engineers, but also security business analysts, lawyers that understand regulations as they apply to cybersecurity, a competent SOC, and security devops. THAT is why there's such a demand for it.

          Yup. Exactly why I posed the question. Interview wisely.

          I personally haven't seen the reason you're giving this warning happen anywhere but the management level. I could see it happening if, for example, a security analyst or engineer made some sort of elementary mistake that directly led to a major incident, then yeah, they'd get shitcanned just as they would in any other line of work.

          • I personally haven't seen the reason you're giving this warning happen anywhere but the management level. I could see it happening if, for example, a security analyst or engineer made some sort of elementary mistake that directly led to a major incident, then yeah, they'd get shitcanned just as they would in any other line of work.

            First off, your whopping four years of experience has failed to show you that 95% of the problems you're tabling have existed for decades. Long before IoT represented itself as the P.T. Barnum of a whole new industry.

            Lastly, if you fail to see how my warning applies to anywhere but management AND you see how anyone else below that can be shitcanned for a "major incident"...tell me there, manager, the fuck makes you think your head can't roll?

            Being a scapegoat means you're the one who gets shitcanned when th

            • First off, your whopping four years of experience has failed to show you that 95% of the problems you're tabling have existed for decades. Long before IoT represented itself as the P.T. Barnum of a whole new industry.

              Just to clarify, four years is as long as it has been in my actual job title. My overall experience with cybersecurity goes further back. Not only that, you haven't the foggiest idea what I even do, or even what my experience is.

              Lastly, if you fail to see how my warning applies to anywhere but management AND you see how anyone else below that can be shitcanned for a "major incident"...tell me there, manager, the fuck makes you think your head can't roll?

              Let's suppose it does, for whatever reason. Suppose I'm this scapegoat in your little fantasy here. It would be very easy, with my particular skillset and background, to get another job somewhere else in basically no time at all. No joke, even McDonald's would pay somebody like me w

          • The reason for the crappy security situation in IoT is simply that you have people there that were never in any way trained in IT security, hell, in IT in general, and suddenly they need to perform as if they were.

            Take your average TV set designer. Make it an expert, someone who has been doing this from back when CRTs were the rage. He's good at it. He can design a solid, well working TV. In comes marketing and demands that their TVs now have to be "on the internet", because that's one checkbox they can tic

    • by ArmoredDragon ( 3450605 ) on Monday September 04, 2023 @10:10PM (#63823878)

      When it comes to a planet's economy seemingly slowing day by day, removing more and more opportunities for morally-sound employment, the risk of cyber crime will be on the considerable rise. As we've already seen.

      Sure, if you ask the "sky is always falling" types, who persistently believe that we're living in the worst times in history. But those guys also never make it anywhere because they're Negative Nancies who always carry a bad attitude with them at work and then wonder why they never make it anywhere, or worse, eventually get fired for poor performance or for constantly being an ass to their coworkers, or both.

      Either way, this has nothing to do with the rise of cybersecurity incidents. It's a combination of several things:

      - Belligerence on the part of state actors, particularly Russia, China, and North Korea. To them, it IS morally sound employment because they believe serving their dear leader is the righteous thing to do.
      - These skills are relatively easy to obtain -- the barrier to entry is low because you can literally just start doing it whenever you want, and there is no minimum skill level to pull off anything significant. Your victims aren't going to make sure you're a certified hacker before you're allowed to hack them -- it doesn't work that way.
      - They can be pulled off from anywhere, but what makes this most significant is the host countries of lone actors or even gangs rarely, and often never (particularly for the three I mentioned) prosecute. In fact sometimes they actively encourage it, as we already know Putin has. Prosecuting them from a western country can be difficult, as it usually requires them getting wealthy enough from their misdeeds that they can afford to travel to another country that isn't a total shithole like their own -- and yes, Russians know they live in a shithole even when they won't admit it -- and when they do travel, that's when they often get caught and extradited to a country who holds jurisdiction over their victims.
      - The countries they come from are poor as fuck to begin with. The pay they can get with legitimate jobs, even jobs that are considered highly skilled here, often doesn't even pay what some western countries consider a minimum wage, and they never even have gotten decent pay there, mainly because of the actions of their own governments that they often wholeheartedly support.

      • When it comes to a planet's economy seemingly slowing day by day, removing more and more opportunities for morally-sound employment, the risk of cyber crime will be on the considerable rise. As we've already seen.

        Sure, if you ask the "sky is always falling" types, who persistently believe that we're living in the worst times in history. But those guys also never make it anywhere because they're Negative Nancies who always carry a bad attitude with them at work and then wonder why they never make it anywhere, or worse, eventually get fired for poor performance or for constantly being an ass to their coworkers, or both.

        I'm guessing you haven't worked for Government. Like ever. There's an actual valid reason we have the concept of Insider Threat being so pervasive in the most theft-prone industries where the data is of critical importance. In those arenas, every person you allow in your doors is the proverbial enemy and constitutes a "threat". Employees merely stay that way.

        Grasp there are valid threats in the world that require actual security. Not that pretend shit they have in a social media bubble, with hallways

        • I'm guessing you haven't worked for Government. Like ever.

          If that was a bet, you'd have lost. Former soldier, actually.

          There's an actual valid reason we have the concept of Insider Threat being so pervasive in the most theft-prone industries where the data is of critical importance. In those arenas, every person you allow in your doors is the proverbial enemy and constitutes a "threat". Employees merely stay that way.

          And that's why you always do two things:
          - Harden your infrastructure and software against internal threats
          - Shouldn't need to be said, but don't hire shitheads to begin with. Generally the more competent the organization, the less likely you'll find yourself working with shitheads.

          The government isn't exactly what I'd call competent. It really depends on what government entity you're referring to and the people running it, but too often they get p

          • Shouldn't need to be said, but don't hire shitheads to begin with. Generally the more competent the organization, the less likely you'll find yourself working with shitheads.

            Which brings us back around to geekmux's "Interview wisely."

    • by xeoron ( 639412 )
      Depends... got to have directors that believe in security, too. I complained for over 2 years the firewall and antivirus were not working and wanted to turn on various measures that would prevent cyberattacks in Azure and my boss was against it or too busy to listen why we should. Blew my mind every time they spoke about their fear of a cyberattack instantly was busy and did not care about the firewall and anti virus not working on Windows that a 3rd party vendor broke when they set up VLANs. The irony, I wa

      The rapidly spiraling power law distribution of wealth is such that redistribution of wealth from the rich to the poor is a moral imperative.

      In a socio-eco-political climate where a dwindling minority have burgeoning wealth and power to tax the people, weaken government, limit their pay, and destroy jobs, I condone people ripping-off im/amoral corporations as needed to survive, but only in moderation. There is no easy means of reform of a system manipulated and manufactured consent controlled by the infi

      • In a socio-eco-political climate where a dwindling minority have burgeoning wealth and power to tax the people, weaken government, limit their pay, and destroy jobs, I condone people ripping-off im/amoral corporations as needed to survive, but only in moderation

        What kind of moderation? The same amount of moderation the ultra-wealthy use? IOW, none at all? I can get down with that.

        Now, let's make the very short list of moral corporations (should fit on a business card without having to use less than 9 point type) so we know who not to target.

        • What kind of moderation? The same amount of moderation the ultra-wealthy use? IOW, none at all? I can get down with that.

          Does that mean you have none either? I mean the wealthiest tend to be pretty fit these days and aren't abusing drugs.

          • Abuse is in the lung or the vein or the nose of the beholder.

            Plenty of the wealthiest people have expensive drug habits. They just happen to have access to better drugs than most poor people. It's pretty easy to get a prescription for pretty much anything by shopping around, if you can afford it.

            It's also a lot easier to be fit when you've got a personal chef and a personal trainer on call. Conversely, it's also easier to be rich, because people are more likely to trust you.

    • They want cheap "up the ladder" and external scapegoats. Someone they can tell their boss and their boss's boss that it wasn't their fault but this guy they hired. They also want external press fodder to say that it was an employee's or externally hired organization's fault so the CxOs don't get any heat.
  • by hdyoung ( 5182939 ) on Monday September 04, 2023 @09:04PM (#63823782)
    ‘Highly skilled workers needed to combat new cyber threats that didn’t exist 5 years ago. Must have 25 years experience combating these specific threats. Workers over 45 need not apply. Must work long hours with zero budget control, answer to bosses that don’t understand cyber, and no remote-work policy. 75k per year. Job will last until next recession.’

    Can’t possibly understand why there’s a worker shortage. It’s a conundrum.

    I wouldn’t want that job even if it paid 300k per year.
    • That hasn't ever been my experience in this field. If it does happen, it's because the hiring manager wasn't allowed to write the job description, because they already well know the realities of trying to hire in this area.

    • "Must enjoy being screamed at by the insecure cops we hired before you"
    • Not sure why you've been modded Funny. I'm looking for a new job at the moment and see ads like that every day.
      I see two ads a week asking for 5 years experience doing a certain job that ends with "This job will suit a recent graduate".
      Employers where I live do not value labour.
    • I can't say that this is the norm. Does it exist? Hell yes. But it's far from the usual. Mostly because there are way, way more than enough "normal" ads that nobody would even consider responding to bullshit like that.

      The problem is a different one. There simply are not enough security people around for the demand.

    • @hdyoung [slashdot.org] wrote:

      - quote -
      ‘Highly skilled workers needed to combat new cyber threats that didn’t exist 5 years ago. Must have 25 years experience combating these specific threats. Workers over 45 need not apply. Must work long hours with zero budget control, answer to bosses that don’t understand cyber, and no remote-work policy. 75k per year. Job will last until next recession.’

      Can’t possibly understand why there’s a worker shortage. It’s a conundrum.

      I wouldn’t wan
  • In my workplace, they hired mostly ex-military and government "security-enjoyers". They love to use "cop talk" and take an adversarial approach to things. They don't have much technical experience. This makes them good at parroting policy, but not as effective as you would want, and slow to learn and cooperate.
    I'd like to see more technical folks trained up in security, but, like management, who in their right mind would go there.

    • You're kidding, right? What dimwit hires cops and military to do information security?

      That's like hiring a meth cook for a fine dining restaurant, just because he's got the "cook" label doesn't mean he knows what you need.

    • In my workplace, they hired mostly ex-military and government "security-enjoyers". They love to use "cop talk" and take an adversarial approach to things.

      I'd hate to imagine hiring anybody for any kind of security role whatsoever (information or otherwise) who doesn't take an adversarial approach. Every time I look over code or review some kind of device, the thought of "how I'd break this" is constantly on the back of my mind. If you don't do that, you can never be any good at security.

  • Sure (Score:4, Interesting)

    by rsilvergun ( 571051 ) on Monday September 04, 2023 @09:20PM (#63823812)
    Are you going to pay their college tuition? No? Are you going to hire anyone without a 4-year college degree and do any training whatsoever? No? Are you going to run to Congress and demand more H-1Bs so you don't have to pay a living wage, let alone a middle class one? Yes.

    I know plenty of people with the skills to do this or who could get those skills with about 6 months of training that have zero chance of getting a job in the field because they're not an H1B or a kid fresh out of college with a four year comp-sci.

    Back in the '80s when you couldn't just bring in as many Indians as you wanted they took us and sent us to what are now called boot camps and gave us good paying jobs. By the early 2000s that was over and now all I hear is how there is this labor shortage that never seemed to exist until they had access to a nearly unlimited supply of cheap labor they could bring in as long as they could convince Congress and voters
    • IBM did all of that, not very long ago: https://www.nytimes.com/2017/0... [nytimes.com]

      The same IBM that did this: https://www.nytimes.com/2022/0... [nytimes.com]

    • I know plenty of people with the skills to do this or who could get those skills with about 6 months of training that have zero chance of getting a job in the field because they're not an H1B or a kid fresh out of college with a four year comp-sci.

      Nah...that's just you dude. Both infosec jobs I've had hired many people who only had documented experience doing other IT work and nothing else at all. That was me as well when I started in 2019, at age 38. While I've worked with a few people who were hired fresh out of college, only one I know of had a CS degree, and all of them had previously done a paid internship. I don't even have a CS degree myself, or even anything close to it, or even any education directly related to cybersecurity. I've also y

  • by Powercntrl ( 458442 ) on Monday September 04, 2023 @09:23PM (#63823822) Homepage

    Expectation: Beat hackers over the head with a $5 wrench,

    Reality: Telling some irate PHB to stop clicking on links in emails and insisting that he changes his password to something more secure than "12345".

    • It's all for nothing. You can't fix stupid.
      • You can. That's what that $5 wrench is for. After judicious application of said tool to the main processing unit of the PHB, either the system smarts up or breaks down for good, either way, no further security infractions are possible and the problem is resolved.

  • by Tablizer ( 95088 ) on Monday September 04, 2023 @09:29PM (#63823832) Journal

    > Beyond a talent shortfall, existing workers are underskilled.

    Co's don't want to pay for training and thus try to buy instant experience. But if everyone has the same lazy idea, then there will be a shortage of instant experience. Then they cry H1B! Dumbass PHB's.

  • by PubJeezy ( 10299395 ) on Monday September 04, 2023 @09:31PM (#63823836)
    There are 5 platforms behind nearly all the fraud; Facebook, Twitter, Twitch, Reddit and Google. All 5 are hiding behind section 230's liability shielding. Investigators cannot stop cyber crime until 230 is repealed once and for all.

    American-owned platforms are allowed to profit from transnational organized crime. Investigation cannot stop it, this is a job for legislation.
    • by XXongo ( 3986865 )

      There are 5 platforms behind nearly all the fraud; Facebook, Twitter, Twitch, Reddit and Google.

      No, the platforms are gmail, outlook mail (formerly hotmail), AOL mail, yahoo mail, and whatever your local mailserver is.

      Because that's how hackers really get in: phishing.

  • But a further 3.4mn roles remain unfilled. "The gap is massive," says Clar Rosso, ISC2's chief executive.

    If there were such a "massive" gap, shouldn't their pay skyrocket to the level of C-suites? Oh, wait, CEO's pay is still 100x of a security expert? Gee, wonder why we don't have a shortage of CEOs.

    In other news, "Wanted: high speed internet access for $! a month", I bet there is also a "massive gap" unfilled there.

    • Indeed. Sounds boring AF, but if they rolled up and offered me half a million salary, I would get very interested.
    • All the money in the world cannot buy something that doesn't exist in sufficient supply. What you can get that way, though, is a LOT of pretenders who will gladly tell you that they're the best and greatest.

      And then the question is, do you have someone around who knows enough about security to at least identify such an imposter?

      • by khchung ( 462899 )

        All the money in the world cannot buy something that doesn't exist in sufficient supply. What you can get that way, though, is a LOT of pretenders who will gladly tell you that they're the best and greatest.

        And then the question is, do you have someone around who knows enough about security to at least identify such an imposter?

        Good question. Now try to apply this to CEOs. How to explain the skyrocketing of CEO pay, going from a few dozen times that of the average worker, to over 100+ times that of an average worker in the past 40 years? Didn't that attract boatloads of CEO imposters? How do companies identify CEO imposters and why can't that work for security experts? Why don't they tune down CEO pay back to, say, "just" 20x that of average workers to fix the imposter problem, which seemed to be a good approach for security experts?

        Wh

        • How do you explain skyrocketing pay for people who determine their pay themselves? Gee, what could possibly be the reason, I wonder...

          Supply and demand sure doesn't explain it, considering the going price of a magic-8-ball.

    • If there were such a "massive" gap, shouldn't their pay skyrocket to the level of C-suites? Oh, wait, CEO's pay is still 100x of a security expert? Gee, wonder why we don't have a shortage of CEOs.

      I can't speak for all but the average CEO pay is roughly 3x mine. Well short of 100x. At the same time, there's a lot more of us than there are CEOs.

  • by bettodavis ( 1782302 ) on Monday September 04, 2023 @09:57PM (#63823860)
    Be careful. It's rather different working in security assurance of new software products, or doing security validation which can be even R&D worthy, than being a security IT guy in the trenches.

    The first two are mostly clerical developer functions where you can work inside some goal oriented developers group, but for the last one, I pity the poor souls that have to secure a whole legacy infrastructure, with or without the users' cooperation, and who will carry the blame of any intrusion, DDoS or ransomware attack.
    • That last one is easy to solve: Either you get the full backing of your CISO or quit on the spot.

      I'm way too expensive to be a fall guy. If you want that, there's a bum down at the bus stop, he'd certainly take that job gladly.

  • What I am decoding from this is:

    Decades of 'I NEED ACCESS TO ALL THE DATA, ALL THE TIME, EVERYWHERE!' from the csuite, (with resulting attack surface and single point of failure when credentials get stolen. (Not if, when. It's a matter of time before mr big and important csuite guy whose idea of password rotation is to change the last two digits in his password, and who just can't wrap his head around the idea of 'attack surface', has his credentials stolen through credential re-use, or a phishing attack

    • by Opportunist ( 166417 ) on Tuesday September 05, 2023 @03:26AM (#63824266)

      And this is why you want to be a consultant rather than an employee. As a consultant, you're not only way too expensive to ignore, they also explicitly bought you to tell them they're dorks, so now they can only choose between being dorks because you told them so or because they hired you.

  • They should abolish drug testing, dress codes and rigid schedules

    • Come to think of it, they did pretty much that at my current job.

      That way I learned that yes, there are people who should not wear Metallica shirts. Like, say, 60 year old managers.

  • From what I understand, the best way to tackle organised crime is to go after the money. If you can reduce/limit the ways in which gangs can extract money from victims, you can reduce the crime. Cryptocurrencies have made global, wholesale, systematic networks of criminal behaviour easier than ever. Outlawing it so that victims don't have easy access to ways to pay ransoms/extortion may have some ameliorating effects.
  • /s

    As a shitty example of corporate greed reminiscent of Scientology: 500 skilled tradespeople (all men from India) were held captive in concentration camps in Mississippi and Texas without sanitation, heat, or sufficient food. They were given frozen blocks of rice and not allowed to leave the fenced-in camp except chaperoned visits to Walmart. Most of them paid around $20k each under the fraudulent promise of US green cards.

    https://www.theguardian.com/us... [theguardian.com]

    Sounds like trying to solve the wrong problem

  • by Opportunist ( 166417 ) on Tuesday September 05, 2023 @02:24AM (#63824178)

    Now, reading through the replies here, we've had all sorts of answers. Not enough money, the whole deal is just a scapegoat-job, the industry doesn't understand security, PHBs who want to have all-access everywhere who click every shit sent their way... all very right. But not the core of the problem. Those are all problems companies could actually fix, if they wanted to.

    They can't fix one problem, though.

    The key problem is that security is one of the most difficult things you could do in IT if you want to do it right. It's the "and then on top of that" job of IT. If you want to secure a technology, you have to know that technology, and then on top of that, security. You can't sensibly pentest a webpage without knowing (almost) as much about HTTP, HTML, various programming languages etc. as the person who created it, if not more (since you have to be prepared for whatever technology they may use), and then on top you're required to know how to secure it. If you're trying to audit a compiled program, you're not only required to know a lot about the language used (trust me, there's a world of difference between C++ and C# programs), you're also dealing with first of all dismantling (decompiling) it. Think having to debug foreign, uncommented code, just way worse.

    And so on.

    To make matters worse, it's really hard to determine whether someone you hire is actually good or whether he's just very good at pretending. Because it takes a security expert to know one. Sadly that's no exaggeration. A halfway decent pretender can talk circles around your average HR goofball and look like the lovechild of Schneier and Shamir.

    The problem with security is not one of money. Security is actually paid pretty well if you're dealing with the right companies. It's not even clueless, click-happy managers and shoestring budgets; those problems can also be solved if the companies commit to it. The problem is a lack of talent and a lack of ability to identify pretenders.

  • Solve ransomware forever, solve zero days forever, otherwise you're just fooling yourself that your system is secure because you've paid a lot of people. Adding more people to bail water is not going to keep the ship from sinking when there are thousands of holes, at best you can delay it a short while. Computing and networks need to be redesigned from the ground up. We should have started that decades ago. Now all we can do is watch as our hospitals, pipelines, schools, businesses, and government go of
    • Why don't you have a Yubikey for accessing your bank?

      I have one. My bank doesn't support them. My broker doesn't support them. My other broker doesn't support them. My other bank doesn't support them. The institutions which should care the most about them are the very worst at supporting them, as a sector.

      I used to carry it on my keyring until its own lanyard severed the loop through which it passed. I checked and some time recently Yubikey finally created a device they say can survive being carried on a keyring, but that's a recent development.

      Now they

  • In the late 90s, IT was paid well and trained well. Now everyone wants it cheaper, faster, etc. I've seen a dozen businesses outsource to India and every single one of them regretted it. Within a year they would call and try to get me to take them as a client again but almost every one of them wanted to pay the lower Indian rate. I literally laughed in their face and continued my life. You're not going to get a Juniper or Cisco certified network security manager to take care of your entire network on c
    • Well, there are businesses that think they can't afford security and there are businesses that think they can't afford to be without.

      The latter ones tend to exist longer.

  • If businesses didn't insist on dumping their in-house teams in favour of cheap MSPs which have no reason to care.
  • I've been in the game since the 90's. I've seen it all.

    There's a ton of guys who have the hard skills, can rip apart code, capture the flag etc., and there's also a ton of guys who recently completed their CISSP and/or degree with a security major, and therein lies the problem.

    There's hardly anyone up the stack, so to speak. SOC guys, network guys, devsecops etc are dime a dozen.

    The guys on north of 300k are not keyboard jockeys.

  • We cannot continue to try to throw bodies at the consequences of bad software. Eventually, we'll need more cybersecurity workers than there are people, particularly given the growth of IoT kinds of things.

    Instead, we need to make software/systems much more secure, and reduce the attack space. That starts by holding companies and individuals liable for vulnerabilities. Right now, there's no financial incentive to secure systems. Consider: would you accept bridge failure at the same rate we get software

  • Headlines like this really bug me. There are many facets to this problem, but at the core of it lies upper management. They seem to be stuck on the mindset that you can either be secure or you can have a successful business. Why not both? It is possible, and with a good risk management system in place, it can be a reality too. Sure, unplug everything and bury it 100 feet underground with a hardwired self-destruct on it for ultimate security. Or, on the other hand, use 8 character passwords so non-te
    • Headlines like this really bug me. There are many facets to this problem, but at the core of it lies upper management. They seem to be stuck on the mindset that you can either be secure or you can have a successful business. Why not both? It is possible, and with a good risk management system in place, it can be a reality too.

      So much this. A lot of the breaches lately have been obvious: dumb backdoors for testing left in place, or ex-employees' credentials left on the machine, simple crap like that. So bad that the admonitions for Grandma and her simple password don't matter much any more. Why hack her, when the company will give away the CC and other info millions at a time.

      If you have a credit card, the hackers have it. They just have so many it is like a reverse lottery if yours is chosen to use.

      Sure, unplug everything and bury it 100 feet underground with a hardwired self-destruct on it for ultimate security. Or, on the other hand, use 8 character passwords so non-technical users can remember them easily. Like most things, the successful businesses realize the sweet spot is the middle ground.

      Again, this. A decent l

  • I listen to a lot of discussions on this topic, and cybercrime is apparently mostly opportunistic. Almost none of them are actually clever. It's equivalent to some piece of shit staring at a door with binoculars day in and day out to wait for someone to forget the lock.
  • If you aren't willing to pay the wages needed to retain highly skilled and specialized workers then you aren't going to get them.

  • I'm an experienced Devops guy and I know my fair share about the mechanics of encryption, authentication, logging etc. Maybe not state of the art but RSA and AES era stuff.

    What cert/learning can I get that would make me actually useful in responding to a security incident involving linux or networking ?

    What about getting to the point where I can answer questions like "how should we approach disk encryption" ?

    Sure, I can google for answers and form an opinion, but surely there's a way to become a recognized

  • I have lost all respect for ISC2 as they are just a for-profit group and really do not care about stopping cyber attacks.
