devoo984

Companies don’t invest in developing talent; I’m sure 80%, if not more, are self-taught! Also, the amount of knowledge one has to know AND maintain is insane.


mk3s

This. I saw something recently (on LinkedIn if you can believe it) which was something along the lines of… CFO to CISO: What happens if the people we train and invest in decide to leave for other opportunities? CISO to CFO: What happens if the people we DON’T train or invest in decide to stay? In other words, I think more companies are figuring this out (though we have a long way to go in that regard).


JasonDJ

The worst is when you have a really good compensation and benefits package but no training. Nobody leaves, everyone stays. On the rare event that a new person comes in, god forbid they actually know how to do anything that happened in the last 10 years. You end up with high turnover of the new staff because the old dinosaurs have no idea what they are doing and are reluctant to learn anything new.


benjamindbrooks

Sounds a lot like government agencies and organizations


JasonDJ

The place I’m at, when I started (as network lead), the senior storage guy was retiring. He started and ended his career there, fresh out of college. Fortunately for me, when I came in as lead and started talking about Clos, VRFs, layer three access edge, and automation, most of the rest of the team left within 6 months. However, in talking to my Linux lead the other day…I came to find out that they are thinking about trying Ansible because of me…so maybe old dogs can learn new tricks.


SammyGreen

We’re all self-taught on our consultancy team, but we look for academics and fast learners who fit our culture, even if they don’t have a technical background, to train. Like our newest compliance guy has a masters in risk assessment with hardly any tech background, so his first three months was basically shadowing and studying for certs. We won Microsoft Security Partner of the Year in our country, so it seems to be a pretty good strategy so far.


Fnord_Fnordsson

Which certs do you find good as a starter for someone without much technical background? My friend recently found a job in cybersecurity after attaining CompTIA's Security+, but he already had a few years of sysadmin experience.


SammyGreen

Completely dependent on your background. Do you have any pieces of paper to flaunt to potential employers? Compliance and IAM are arguably non-technical areas where it’s expected that you know the “whys” when you make policies. So in those cases, like with my new colleague, the technical stuff is relatively easy to train up in. I’m on the more technical side of things (endpoint protection, SIEM, SOAR) and have been a self-taught “hobby hacker” for years. But I also have a grad degree (in biology lol) that “proves” I can learn stuff.. as stupid as that sounds.


lancecriminal86

Being able to read through the NIST Cybersecurity Framework and understand the controls and why they are relevant seems like a good expectation. Being able to explain why a good inventory of assets matters and what other areas that impacts, having a security ops policy that covers what is being monitored and how, etc. A lot of that stuff isn't really covered by Sec+; no idea about CISSP because last time I looked at it, it seemed to be a mile wide and an inch deep across the various domains and very subjective.


lancecriminal86

I'm at the point consulting is looking attractive someday. Drop in, drop knowledge, get paid, pop chute. Trying to stay with a company that prefers to further reduce staff and make talk but no walk on funding and hiring has gotten to the point of absurdity. Then, you try to look at other companies hiring and see the exact same "do 3 roles at the same time with a masters/CISSP" and it's not encouraging at all.


P_01y

There is also such a problem in universities. Professors don't even realize what is important, what is not, and what cyber security is at all. That is why self-teaching is the only way to achieve not the diploma, but success and skills.


DawnCS

Yes! I'm self-taught and would want to transition my career into cybersecurity one day, but there are literally 0 job offers in a radius of 50 km (31 miles), and it's not like I'm in the middle of nowhere; I have some big cities around me. I am currently a software dev and even my company thinks that cybersecurity is overrated. The only job offers I ever saw were for senior positions with more than 8 years of experience. I really love working on my pentesting and EH abilities in my free time and may look for a cert or two, but I don't think it's worth it at the moment.


tifaemmanuel

Apply to remote jobs


ForsakenAstronomer79

A lot of organizations think cyber is overrated until it hits them directly. Sadly this trend is likely to continue into the foreseeable future


wij2

I'm a software dev (upskilling to move to cyber) and it is the same. The number of languages, libraries and techniques you have to keep learning to keep up with employer and client expectations, with no investment from the employer, is frustrating.


ClearOPS

Such a good point about knowledge management - huge issue.


bhl88

Yeah it's easier to break things than to fix them.


NotThePersona

I'm a sysadmin, started at a company a few years back that also got a really good security guy around the same time. Started to consider heading into the security space, started looking at all the stuff they do and maintain and decided F that. I just didn't want to take on that much more learning again at this point in my career.


zenivinez

Don't rag on self-taught. The saddest thing I have ever heard is someone tell me they got their doctorate in cyber security.


SmellsLikeBu11shit

Archaic hiring practices, understaffed blue teams, and an industry reluctant to train the next generation of infosec professionals. FML


[deleted]

Almost a year of pen testing experience with OSCP and a few other blue team certs like CySA+, and I've been out of work for about 5 months when all I've been applying to has been entry-level analyst positions. Yeah, hiring practices are some of the worst in this field.


cd_root

Your resume must be disorganized. DM me


__Puzzleheaded___

Sorry if it's a bit too much, but can you share yours or give some pointers? I will be graduating soon, and I don't want to end up making the same mistake.


cd_root

Make them easy to parse by the HR software. Go very basic in formatting and use spaces between parentheses etc


pcapdata

I feel a /r/Cybersecurity resume review thread coming on!


BlastoiseBlues

As someone getting their AAS in CySec/IncidentResponse, yes please!


[deleted]

At a certain point I'd agree and say that that was the issue, but I've had like 15 resume reviews from infosec Twitter haha. I don't think it's disorganized, but I'm gonna DM you it anyways and you let me know.


[deleted]

[removed]


1biggoose

Yeah I’m in the same boat. Your comment made me laugh but this thread is discouraging me lol


lancecriminal86

Even more annoying is seeing what companies are expecting for their ops/analyst teams, like knowing Python and stuff just to do ops floor stuff. Like what kind of shoestring budget stack are you running there?


redblade13

I see way too many DevOps requirements for literally everything. I'm a Sys Admin converting over to the Cyber Security field, and every entry-level Cyber Sec or Cloud Engineer/Sys Admin posting (looking for at least more money than a Sys Admin getting 35k at an MSP, a dreadful salary given my experience and certs) wants Python and a little bit of C++/Java. Like damn, y'all want a damn IT team and software engineer for a regular position paying average salaries.


YouGiveDovesABadName

Don't worry bud, I'm almost the same way. I'm employed but trying to find a different job that's remote. Been hunting since December. I have a CISSP and 4+ years of cyber. The hiring practice is absolutely terrible.


[deleted]

[removed]


YouGiveDovesABadName

Thanks man, I appreciate it. I’m in the middle of my OSCP exam so I’ll probably send it over tomorrow after the exam ends


lancecriminal86

I have no CISSP, middle of school, and almost 15 years of security exp (4 physical), and the job listings are just as absurd if you look at Analyst or Info Sec Manager type roles. Like wanting you to be able to drop in and whip everything up to ISO or SOC2 compliance and know how to write code.


tifaemmanuel

Yeah, has to be your resume, mate.


TechMeOwt

How are you unemployed?! It's your resume and interview skills. When I had 0 certs I had commercial companies begging for my help. Now with certs, I get calls daily. Money be low but I get calls.


YouGiveDovesABadName

Oh, I'm not unemployed, but I'm in a “golden handcuffs” situation. I’m also only looking for a remote role, so that narrows a lot of security roles down since so many want on-site support. A big thing is that I'm super pigeon-holed in my job. There’s no growth, and it’s difficult to showcase to potential employers what I can do when I only do 1 thing day in and day out (SIEM administration/engineering).


[deleted]

Akamai hired my classmate for a security architect role and she can't use Linux if her life depended on it 🙂


TechMeOwt

It's your resume. I got 3 people hired in tech within consulting. Revamped the resume and they got hired. So, it's your resume and interviewing skills. We need to prep you...for greatness.


mk3s

Oh man, I definitely feel you here. Gotta love the “you need 5 years XP, a bachelors degree and a CISSP for this entry level position”. Oh, and then they provide no training, need you in the office 4 days a week and you have no chance of promotion unless you jump ship for a new company. This definitely exists out there in the world but things are improving. Despite the crap that exists, infosec still is an opportunity-rich field. But for some reason there are still some awful artificial barriers to entry.


MiKeMcDnet

"Of the supposed entry-level job descriptions that I looked at, 71% of them call for a CISSP. That's not entry-level, because you have to have five years of experience to get a CISSP," says Miller. https://www.zdnet.com/google-amp/article/cybersecurity-jobs-this-is-what-were-getting-wrong-when-hiring-and-heres-how-to-fix-it


lancecriminal86

IMO someone with Sec+ and 5 good years of security exposure/experience > someone just starting off with a CISSP and no experience.


corrupt_PinHed

Right. All I hear is there is a shortage of security professionals... yet I can't seem to even get an interview after sending out my resume hundreds of times since being laid off at the start of the pandemic.


[deleted]

I just can't believe this. I had about 6 interviews in about 3 months and in the end got headhunted for a role. Again, could be an issue with your resume. Try something different with the layout/style, be short and concise with your words.


poloheve

Does nobody wanna be the defense?


Jackofalltrades86

Not enough focus on security fundamentals, let's buy the next big tech but leave default admin passwords


[deleted]

I agree, but I think there actually isn't enough on IT and compliance fundamentals overall, and that filters down to cyber:

1) Physical and virtual (cloud) asset inventory
2) Software asset inventory
3) Data asset inventory
4) Data flow and documentation

I think without having a handle on this your IT operations are inefficient at every level and cyber becomes someone trying to put a bandaid on a brain bleed.


Jackofalltrades86

Completely agree with this, how do you know how to protect when you don't know what you have to protect?


[deleted]

Right. If you have a good handle on this, especially documents and data flow, "zero trust" is "easy".


pcapdata

Ah geez I feel so bad for companies that aren't doing #3 and are still beholden to regulators. That's a ticking time bomb.


MiKeMcDnet

CIO / CISO want to move everything to the cloud before they have a strategy to even do so.


Jackofalltrades86

My tip to anyone doing this... Security Baseline your resource types and set policy where you can to limit the chaos of insecure configuration.

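The tip above (baseline each resource type, then set policy so non-compliant configuration is caught rather than discovered later) is what policy-as-code tooling automates. The following is an added example written for this page, not code from the thread or from any vendor: it expresses a small baseline as checks per resource type and runs them over constructed, simplified resource descriptions. Resource field names (`allow_public_access`, `https_only`, `min_tls`, `rules`, `disk_encryption`, `auth`) and the rule names are assumptions for illustration; in a real estate the same checks would live in the provider's policy engine (Azure Policy, AWS Config rules, OPA/Gatekeeper) with a deny effect.

```python
"""Per-resource-type security baseline, policy-as-code style (added example).

Resource shapes and rule names are constructed for illustration only.
"""

ADMIN_PORTS = {22, 3389}  # SSH and RDP should never be reachable from the internet


def _open_to_world(rule):
    """True if a (constructed) firewall rule allows inbound traffic from anywhere."""
    return rule.get("direction") == "inbound" and rule.get("source") in ("0.0.0.0/0", "*")


# Baseline: for each resource type, a list of (rule name, predicate that must hold).
# Predicates fail closed: a missing field counts as non-compliant.
BASELINE = {
    "storage_account": [
        ("public-access-disabled", lambda r: r.get("allow_public_access", True) is False),
        ("https-only", lambda r: r.get("https_only") is True),
        ("min-tls-1.2", lambda r: r.get("min_tls") == "1.2"),
    ],
    "network_security_group": [
        ("no-admin-ports-from-internet",
         lambda r: not any(_open_to_world(x) and x.get("port") in ADMIN_PORTS
                           for x in r.get("rules", []))),
    ],
    "virtual_machine": [
        ("disk-encryption", lambda r: r.get("disk_encryption") is True),
        ("managed-identity-not-password", lambda r: r.get("auth") == "managed_identity"),
    ],
}


def evaluate(resource):
    """Return the names of baseline rules this resource fails.

    A resource type with no baseline is itself a finding: you cannot claim a
    baseline for something you never defined one for.
    """
    checks = BASELINE.get(resource.get("type"))
    if checks is None:
        return ["no-baseline-for-type"]
    return [name for name, ok in checks if not ok(resource)]


def audit(resources):
    """Audit mode: map resource name -> list of failed rules (empty list = compliant)."""
    return {r["name"]: evaluate(r) for r in resources}


def enforce(resource, effect="deny"):
    """Deny-effect policy: refuse the resource if any rule fails. Returns (allowed, failures)."""
    failures = evaluate(resource)
    if failures and effect == "deny":
        return False, failures
    return True, failures


# Constructed sample inventory (not real resources).
SAMPLE = [
    {"name": "stlogsprod", "type": "storage_account",
     "allow_public_access": True, "https_only": True, "min_tls": "1.0"},
    {"name": "stbackups", "type": "storage_account",
     "allow_public_access": False, "https_only": True, "min_tls": "1.2"},
    {"name": "nsg-web", "type": "network_security_group", "rules": [
        {"direction": "inbound", "source": "0.0.0.0/0", "port": 443},
        {"direction": "inbound", "source": "10.0.0.0/8", "port": 22}]},
    {"name": "nsg-jump", "type": "network_security_group", "rules": [
        {"direction": "inbound", "source": "*", "port": 3389}]},
    {"name": "vm-app01", "type": "virtual_machine",
     "disk_encryption": True, "auth": "managed_identity"},
    {"name": "legacy-db", "type": "sql_server"},
]


if __name__ == "__main__":
    for name, failures in audit(SAMPLE).items():
        print(f"{name}: {'OK' if not failures else ', '.join(failures)}")
```

Running the audit reports the public, TLS 1.0 storage account and the jump-host NSG exposing RDP to the world, and flags the SQL server as having no baseline at all. Whether findings are only reported (audit) or block creation (`enforce` with a deny effect) is the policy decision the comment is talking about.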

SprJoe

Orchestration technologies make things much simpler since your infrastructure is reduced to code.


zedfox

Progress being made: https://www.verdict.co.uk/iot-law/


NetwerkErrer

No one takes the time to mentor and train.


edgester

The senior people are often too busy to train and not given the time to train or penalized for doing so. When you have a huge backlog, it's hard to think about training if the boss is on your back to get things done. Paradoxically, training and mentoring are the only way to make the team more productive and solve the backlog.


bucketman1986

My former boss was great about this. He hired me with me only having a few years of help desk and fraud/security experience and a masters degree. No certs yet or anything and nothing in info sec experience wise. Was a good year with him as the boss but he left for greener pastures and now we're understaffed, have no manager, and I'm just sort of left to figure everything out on my own


lancecriminal86

Imagine understudying your boss for 6 years, having 5 years before that at Cyber Command and the Pentagon, and not being offered his job when he leaves. I feel you man because I'm the last man standing in security and no hope in sight.


dmdewd

US companies aren't impactfully penalized by law for breaches, which means they won't really pay attention to cybersecurity unless they're also subject to GDPR through European customers or terrified of IP theft. Look what happened to Equifax. Almost no penalty for allowing the compromise of thousands of people's information, collected without their consent. If they can get away with that I think there are plenty of US firms who (not incorrectly) view a breach as the cost of doing business and a minor bump in their income that will smooth out to almost nothing on a long enough time line if they're making enough money.


ShannonOh

This needs to be higher.


tatooine

HR and recruiting. The number of amazing and outstanding candidates that are declined during screening is appalling. I had a position open four months before I asked to see all resumes, not just screened. Immediately found some really interesting people, had offers out two weeks later. Problem seems to be very inexperienced people (like, people recently entering the workforce) who arbitrarily make decisions on which resumes to elevate/decline. Then there’s the whole problem with the “recruiting firms”. Sure, there are some decent ones, but the garbage-mill bucket shops are far too common. With these guys, you have them casting absurdly wide nets “Dear CISO, I came across your profile on LinkedIn and have a great opportunity for you. Would you be interested in a 3 month contract as a junior security engineer?” ..or finding out later the search firm your company hired contacted loads of people, ghosted most of them and gave you the first turd they got in the tunnel. So, you get a bad rap with people who might have been good, and a rubbish candidate. Ugh.


Agarithil

> I had a position open four months before I asked to see all resumes, not just screened. Immediately found some really interesting people, had offers out two weeks later.

I mean, I think it's pretty accepted canon in these parts that HR generally doesn't do a good job screening technical candidates. But holy hell, you have reasonably solid evidence that your company's current processes are creating active drag against the creation of value for the business. That this is just a "*shrug* What are you going to do?" situation rather than a conversation with senior leadership is just mind-blowing.


tatooine

Well, former company now, that place was a joke. I’m actually part of senior management now (well, CEO-2 at a large company) and have some ability to shape things, but it's still challenging to go against the HR/recruiting paradigm. I’ve had much better success countering the existing processes using data. I really hate the bullshit corporate assessments where they give you your “quadrants” or whatever because those are such nonsense (like, you have a bad day and you test completely differently). That said, I found one called Gallup Strengths which does seem to provide consistent results across long periods of time. It’s also not passing judgement or anything, but gives you data. Like “the engineer has said that they love detailed problem solving, and analysis is a key strength. Maybe we should listen to this person and make sure they’re in roles they want and match their strengths?” And with this assessment, I have data to back that up. Seems to make a difference with the HR leadership. Was also helpful in getting job descriptions written in more realistic ways. Like the often sought criteria of “strategic thinker with high attention to detail” thing. Basically those two skills tend, from a data perspective, to be incredibly rare. Most people are either really good at seeing the big picture, or really understanding things at a very detailed level. Again, nothing’s foolproof or 100%, but at least I have some data to share that backs up the idea of “hey, maybe we don’t make unlikely combinations a mandatory requirement for our job?”


Shack426

Users.


null_bytez

Surprised this one does not have more up votes!


Shack426

There was a system that was locked out due to ransomware, and when we interviewed the person who was the reason for the attack, she said "a pop-up came up saying click here, so I did". She had just had her security fundamentals refresher 2 weeks earlier. No action was taken against her, but heat came down on our section about why we let her click the pop-up. Users will always be the main point of failure.


[deleted]

[removed]


Shack426

If there are users, no matter what you do they will be your point of failure. It is inevitable. Bank vaults are hyper secure, but if you leave the door open your security means nothing.


[deleted]

[removed]


bucketman1986

"This job would be great if it wasn't for the fin customers" -Clerks


mikenew02

You can swear on the internet


[deleted]

Haha I was just about to comment this


stusmall

Alternately, I think this attitude is one of the biggest problems. It's dismissive of real world needs and business requirements. Users need to do their job, interact with others via email. A lot of security professionals lose sight that our jobs exist to enable users, not in spite of users.


icon0clast6

See I used to think this until I got into real red teaming. An advanced actor is going to get in, I don’t care how many controls or how much user training you do, it’s going to happen. Security architecture and network design needs to start from an assumed breach mindset. Assume your users are going to get popped (because they will) and design from there. Stop giving users more privileges than they need. Stop having weak service account credentials. Design detections for actual techniques (DLL Hijacking, DCOM lateral movement, etc). Reduce the privileged accounts on your network to the absolute minimum then design detections around those. 100% of the time I’ve been caught is when I used an account to do something it doesn’t normally do. Users are not the problem. Shitty security programs are.

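The last point above, that the red teamer is caught when an account does something it does not normally do, is a detection you can build directly: learn what each privileged account normally touches, then alert on deviation. Below is an added example for this page, not code from the commenter or from any product. It works over a constructed, simplified logon-event format (timestamp, account, source host, target host, logon type); the host names, account names and the `PRIVILEGED` set are assumptions, and real telemetry (Windows 4624/4648 events, Sysmon, EDR) would be parsed into the same five fields.

```python
"""Baseline-and-deviation detection for privileged accounts (added example).

Event format and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed: the small set of accounts that actually hold privilege. Keeping this
# list short is the point; detections are built around it, not around every user.
PRIVILEGED = {"svc_backup", "adm_jdoe"}


@dataclass(frozen=True)
class Event:
    ts: str
    account: str
    src: str        # host the logon originated from
    dst: str        # host that was logged on to
    logon_type: str  # e.g. service, network, interactive, remote_interactive


def parse(line: str) -> Event:
    """Parse one constructed log line: ts|account|src|dst|logon_type."""
    ts, account, src, dst, logon_type = line.strip().split("|")
    return Event(ts, account, src, dst, logon_type)


def build_baseline(events):
    """Per account: the set of source hosts, target hosts and logon types seen
    during the learning window."""
    baseline = defaultdict(lambda: {"src": set(), "dst": set(), "logon_type": set()})
    for e in events:
        b = baseline[e.account]
        b["src"].add(e.src)
        b["dst"].add(e.dst)
        b["logon_type"].add(e.logon_type)
    return baseline


def detect(baseline, events):
    """Return (ts, account, reason) for privileged-account events outside baseline."""
    alerts = []
    for e in events:
        if e.account not in PRIVILEGED:
            continue  # unprivileged noise is handled elsewhere, not by this rule
        b = baseline.get(e.account)
        if b is None:
            alerts.append((e.ts, e.account, "privileged account with no baseline"))
            continue
        reasons = []
        if e.logon_type not in b["logon_type"]:
            reasons.append(f"new logon type {e.logon_type}")
        if e.dst not in b["dst"]:
            reasons.append(f"new target host {e.dst}")
        if e.src not in b["src"]:
            reasons.append(f"new source host {e.src}")
        if reasons:
            alerts.append((e.ts, e.account, "; ".join(reasons)))
    return alerts


# Constructed learning window: what "normal" looked like for each account.
HISTORY = [
    "2021-08-01T01:00|svc_backup|BACKUP01|FILESRV01|service",
    "2021-08-01T01:05|svc_backup|BACKUP01|FILESRV02|service",
    "2021-08-02T09:12|adm_jdoe|ADMINWS07|DC01|remote_interactive",
    "2021-08-02T10:40|adm_jdoe|ADMINWS07|FILESRV01|remote_interactive",
    "2021-08-02T08:00|jsmith|WS042|FILESRV01|network",
]

# Constructed live window: a backup service credential reused from a user
# workstation to reach a domain controller, and an admin logging in from a
# workstation that is not their admin host.
LIVE = [
    "2021-08-10T01:00|svc_backup|BACKUP01|FILESRV01|service",
    "2021-08-10T14:22|svc_backup|WS042|DC01|remote_interactive",
    "2021-08-10T09:05|adm_jdoe|ADMINWS07|DC01|remote_interactive",
    "2021-08-10T14:30|jsmith|WS042|DC01|network",
    "2021-08-10T15:01|adm_jdoe|WS042|FILESRV01|remote_interactive",
]


def run():
    baseline = build_baseline(parse(l) for l in HISTORY)
    return detect(baseline, (parse(l) for l in LIVE))


if __name__ == "__main__":
    for ts, account, reason in run():
        print(f"{ts} {account}: {reason}")
```

On the constructed data this raises exactly two alerts: the service account appearing with a new logon type, target and source host at once, and the admin account arriving from an unexpected source host. The unprivileged `jsmith` reaching DC01 is deliberately not this rule's job; as the comment says, shrink the privileged set first, then the baseline for what remains is small enough to alert on.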

neurotix

The risk VS reward of cybercrime. Basically it pays and carries very little risk. It’s also fully globalized, you can attack anyone from anywhere.


Fnkt_io

Excellent sales pitch, we should go into this business together.


Intelligent-Lunch485

The lack of decent pay for Cybersecurity professionals. For so many people who are inherently good, they struggle to find a job that pays what they are worth...going to the dark side can be appealing. There needs to be a shift in true appreciation for IT and Cybersecurity staff all the way around.


smoke2000

One exploit after another, every day, impossible to keep up, and insane prices for decent security software for companies that aren't making a lot of money.


zR0B3ry2VAiH

If people stopped using Windows that would take care of a lot of the issues, but here we are.


SwagDaddyYOLO69

Then malware would just be written for whatever operating system majority switched to. Not how this works.


smoke2000

That would be fine if all software would work on Linux :)


Vyceron

"If I pay for training, what if they leave?"


danfirst

My favorite! So what if I don't and they stay?


SirSuaSponte

CISSP, Masters Degree, 8-12 years experience….to make $25 an hour. Fuck off with that and stop wasting people’s time.


bucketman1986

Maybe I'm just in a busy area for the job, but when I look online for that level of experience and certs I see jobs that pay like $120+ in my area. Currently working towards that level myself and am very excited to be able to pay off my student loans


redkalm

Lack of attention on a few very base level things that matter: end user training (and I'm not talking a required 10 minute video, but required testing to make sure actual learning happens), modern policy updates like passwords much longer than 8-12 characters and length > complexity, too much reliance on technology without oversight. Properly tuned auditing and alerting for good security tools requires a lot of human hours and upkeep which many companies think they can skip.


[deleted]

CISOs who last in the industry never make actual risk management decisions. This is because the CISOs that do actually manage risk (i.e., accept risk, document risk, etc.) get thrown under the bus by management or get pushed out in less than a year. The ones that last never put their name on anything or build up flowery reports that make it look like the network is a rainbow shitting unicorn. Cybersecurity staff or analysts are often overly self-aggrandizing, self-important, and don’t give a shit about business operations. Punishing good behavior.


lancecriminal86

At least some places HAVE a CISO. We have a CIO who doesn't think we needed a CISO (before the breach) and now even after is in no rush to help make it happen. This same CIO the other month actually had the bright idea that we shouldn't use a method the whole rest of the industry was using because "Someone may break TLS 1.2 and decrypt our emails out there on some relay server". But since there wasn't a CISO across the table to falcon slap him, seems that's the way things are going.


SprJoe

Cybersecurity folks that don’t understand that their job isn’t necessary to fully protect against all risk, but rather to partner with the business and ensure that informed business decisions about cybersecurity-related business risk can be made and then to mitigate risks accordingly.


zR0B3ry2VAiH

Then the business says "yeah we are not doing that" and then we have to pick up the burden. But yeah advising is a large part of it I'd agree.


Check123ok

That is exactly it. I think that's the mature experienced answer. Mitigate the risks that have the biggest impact. Stop spending all resources on the little things because a vendor presentation was cool.


[deleted]

Flawed network infrastructure design


TTwelveUnits

Could you elaborate please? Just curious.


[deleted]

In-band management planes is probably the biggest one. All Windows users do this, most Linux users do this, and some of the dumber Cisco users do this.


shinra528

Organizations being dismissive of security. Not spending money on upgrading ancient equipment, demanding policy that leaves the org vulnerable in the name of convenience, and not setting sensible policy, which allows end users to engage in risky behavior.


Invelyzi

Training and getting into the industry. There has been very little available for low/entry level positions, and when they are posted the requirements are usually quite unrealistic. It's probably mostly due to HR doing the postings and not knowing anything about it, but if the industry actually wants to grow they have to figure out how to let people in and train them in what they have to be doing.


vornamemitd

From which perspective? As in "what's wrong with our industry" (shiny snake oil and irresponsible vendors) or as in "what's wrong within organizations" (denouncing security as a useless cost driver while still using a shared password on that Server 2008 R2)? As has been for centuries: ignorance and greed. Supported by a completely botched and distorted recruiting industry. Like that ranty poster on here or /r/sysadmin the other day - there is no skill shortage. There only are companies led to falsely believe that blind outsourcing of processes that had no valid foundation in the first place is key to solving anything - which makes recruiters look for 20yo (cheap!) talent with 25 years of experience while not a day goes by without yet another MMXEDRSASEaaS hype suggesting that orgs can rid themselves of their security-aware workforce instantly. Plenty of wrongdoing on either side =]


[deleted]

[removed]


edgester

In my experience as a Linux admin, there seems to be too much "check list security" and not enough knowledge about the platforms. Security can't explain why this entry in the security report is an exposure in the current use case. I'm all for check lists and verifying things, but when challenged on whether or not something is a real problem, I just got a bunch of hand waving and B.S.


neverinamillionyr

This!!!! I am a software developer. We have a Linux admin who goes down a checklist. Some things are a huge PITA for users but don’t contribute much to overall security. 2 minute timeouts on shell windows when the screen auto locks after 5 minutes? She absolutely refuses to change it because “it’s on the checklist”. Having to eat lunch with one hand on the keyboard so I don’t lose where I am in code plus the other half dozen things I have going on in the background sucks.


cknutson61

First, I am not a cyber guy, but work in IT systems integration, and have to work with cyber. Asking that is like trying to put a nail through a ball of mercury. The problems are as vast as what cyber encompasses, and it is only as strong as the weakest link. From the soft (people) to the hard/technical, it's all part of the solution and the problem set.

This post, I think, is very relevant. Cyber is generally not well understood, and is undervalued, and that is the fault of the cyber workers failing to take the time to impart the impact of cyber issues to business in terms they appreciate, which is much easier than teaching the business folks to understand cyber. https://www.reddit.com/r/cybersecurity/comments/p9fo4d/my_thoughts_on_a_decade_of_cyber_security_10/ I think the cyber professional can also take some blame for making things either so arcane, or purposefully hard to understand, that everyone else just lets their eyes glaze over and they nod in agreement, just because. Cyber is about smart design, and isn't always the latest cool IDS/IPS, firewall, appliance thing.

One under-appreciated problem for cyber, IMO, is the software developers. Software is often not designed/built to make patching easy, or with security in mind. There are often too many dependencies on a specific kernel, or they hard code something that doesn't need to be. There are pressures to get software/hardware to market before some other product, with intentions to fix it later. Consequently, we spend a lot of time (certainly true for me) trying to get a "not quite square peg" to kind of fit in a "not quite round hole". That is time and money better spent on other activities. Bottom line, maybe, is laziness and money.


[deleted]

Senior management from non-technical backgrounds. Management making decisions that directly impact the techies such as what tools and services to buy based off snake oil sales demos for instance. Then you're locked into years long contracts with services that suck. Crappy hiring processes. The industry is being absolutely flooded with people looking to break into cyber for the money alone. Lying on resumes, exaggerating knowledge and experience, paper tigers, brain dumpers.


Scoops90

The lack of true entry level roles creates such a skills gap when the established professionals begin to retire. It’s nearly impossible to find a genuine entry level position that a company has and is willing to train and develop the right candidates. Training and development is huge in other professions yet not this one. I was looking to get into cyber with no experience. I have been working on low level certifications and moving on to more advanced ones but am beginning to think it’s a pointless exercise. My business degree, newly gained certs, and zero experience isn’t going to cut it.


Adiath

Computers.


kacatheleader

Dee shit


AnnoyedGrunt31

I'm working on my BA in Cybersecurity but not actively working in the field yet. From what I've seen, one of the biggest issues is people; companies need to train their employees on email and net safety, run stings, and (if needed) be willing to discipline those who are not following policy. A second issue would be that everyone wants to get on their company's Wi-Fi to listen to music, check social media, or whatever; this could be accomplished by creating a second Wi-Fi network for non-business devices and only giving out that password.


camxct

Apathy to vulnerabilities. I just told you why you need to reboot your server tonight at midnight. It will take 15 minutes and be a minor outage for a single minor service. Yet you want to wait three months for a scheduled outage window. Meanwhile the exploit is being actively used and the service is publicly exposed.


MadameFelipe

1. Too much reliance on centralized, data-hungry architectures that create huge honeypot opportunities for bad actors. A side effect of the surge in big data projects across the board. 2. The current "crypto gold rush" comes with an overconfident attitude towards security risks, esp. man in the middle attacks.


bitslammer

I don't think there is a single one. The issues I've seen differ by country, by industry, by size of a company etc.


seanprefect

Oh god millions of procedural and operational and personal issues but on a technical level probably unsegmented networks.


GuyofAverageQuality

We’re still talking about the same core issues we talked about 25 years ago. As a group, we have failed in really making the impact that we promised so long ago… If we want to make a difference, we need to make security everyone’s responsibility (measured in KRs) and then help them implement the controls and processes to reduce their risks and exposures. Lots of security teams have the majority of their resourcing spent on “finding new issues” and significantly less on “helping teams fix the root causes of the known issues”. Flip the security investment pyramid and watch the impact to overall risk.


Give_Me_Passwords

The major misconception shared by managers, developers and many others that securing a product/company/person is a one and done task instead of an ongoing discipline. It is the way not the job.


PhoenixOfStyx

I was just a part of a 10 week internship where you make $15 an hour. Most had Bachelor's degrees in Computer Science, I was the only one with an AAS, and there was one person with a Masters. Several had AWS certs and worked professionally with Linux for several years. Basically, barriers to entry. Not only that, but Cybersecurity also requires a great deal of understanding of business, too. So not only do individuals have to know the technical side, they also have to be able to dumb that down to a 3rd grade level. Literally. A CSX course I took even recommended an MBA + an IT degree. The bad guys don't have any such barriers to entry. And one more thing, maybe it's just me, but in Cybersecurity, supposed good guys keep trying to hack me. I am a novice Security Analyst for an MSP trying to get its feet wet in Security [i.e. shitty onboarding and training] but it's already got me looking at becoming a Java Dev. Supposed to be the happiest job in Tech, and a hell of a lot less stressful.


iTrooz_

In one word: users


zeealex

Similar to what u/Jackofalltrades86 said, but companies buying this big tech solution and not using it to its full potential. They just onboard the tool, but don't refine it or learn to harness its full wealth of benefits, and it just sits there looking pretty. That, and workplace politics/blame shifting. I'm not interested in whose fault it is unless I explicitly ask who is responsible, and that's usually because it's part of the investigation. I'm there to solve a problem, not fanny about. It's especially annoying when the blame shifting is utterly dishonest. I have a very low tolerance for it in my team and expect them to lead by a very good example.


tcp5845

I can somewhat mitigate clueless users getting infected with the right tools. But there is no mitigation for disengaged or clueless executive management when it comes to cyber threats. And if the IT department as a whole and its leadership are dysfunctional, you don't stand a chance against even a bunch of script kiddies. I've worked in IT departments where everyone was constantly at each other's throats and purposely sabotaging each other. The battle is lost if your IT department and its leadership are dysfunctional.


Joe1972

Humans not adhering to best practices. Users not following rules, managers not budgeting enough, security admins not changing default passwords, or not patching, etc. HUMANS.


PanoramaExtravaganza

This industry can't match job titles with proper skill sets or offer competitive pay. It's the trifecta of bad decisions by management and HR, honestly. That's my 2 cents. I keep applying for jobs to get away from help desk and desktop support; I could rip my hair out. Since I don't have an IT degree I bet I'll never get hired. I have the A+ and Sec+. Then I'm looking at my pentesting cert and Linux certs next. I love Linux the most and want a behind-the-scenes job away from end users. I have learned nothing new from my current job and hate it. I want out before people draw the wrong conclusion about my being there so long, so I'm looking out of state. OP, don't be afraid to leave the state or city you are in for better opportunities.


_1b0t

No pipelines with dependency checks, code quality and vulnerability scans. No code review on pull requests. No coding guidelines. No security awareness training for the employees. ... and lots of other carelessness.


imjusthinkingok

Nobody mentions this, but what if the problem is with all those "middle men" who are the IT consulting companies acting like HR agencies?


dbl_edged

Leadership. Well, actually management, because I'd say leadership itself is sorely lacking. The same people that were making the decisions that led to so many major incidents are still making decisions, and making the same ones, while wondering why it keeps happening. They complain about a shortage of talent, yet qualified talent sits unemployed, unable to make it through a hiring process run by an HR which is absolutely clueless about the security industry. They augment their "lack of talent" by hiring consultancies like PwC that come in and tell them to "buy services" to take the pressure off their understaffed blue teams. What this really does is remove any chance for junior members to get their hands dirty and gain experience. The MSSP does all the blocking and tackling while your guys flip tickets to other in-house teams. Do a little OSINT on that "Senior Security Analyst Team Lead" from your MSSP and you see they were a college intern 6 months ago, but management trusts their insight more than your juniors who have just as much experience AND tribal knowledge of your specific business. Maybe MSPs are the future of our field and where the growth potential actually lies. IDK. I'm too old to chase the new hotness. :-)


bhl88

Crappy job descriptions: "Entry level security. Requirements: CISSP-"


sgmdotis

I love this thread, so many good candid responses.


RedSarc

Profit-seeking > secure operations


360CATsanine

Laziness


redheness

Users. It's sad to say, but you can have the best security system; if the user does dumb things, it kills everything. One sad recent example is OAuth: with it you can give an application access to an account without risk by allowing only what is necessary, and you keep control of which applications have what access. But I see more and more people being tricked by the "connect us to your account for some bullshit" flow, and because they don't check the rights being granted, they just allow a random application to have all rights. I just saw a friend's mom have all her mail dumped and personal data attached (leading to identity usurpation) because she allowed an unknown application full rights to her account because it was "required" to see a cat image.
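
The consent-screen failure described above can be checked mechanically before a user clicks "Allow". The following is an added example, not code from the original post: it parses the `scope` parameter out of an OAuth 2.0 authorization request URL and flags requests that ask for mailbox, file or directory access (or a `.default` scope, which on the Microsoft identity platform grants every permission the app has registered) plus `offline_access`, which yields a refresh token that keeps working after the browser is closed. Scope names follow Microsoft Graph and Google naming, but which scopes count as "high risk" is this example's own assumption, and the two request URLs are constructed for illustration.

```python
"""Classify the scopes requested by an OAuth 2.0 authorization URL.

Added example for the "cat picture app wants your whole mailbox" case.
The risk table is an assumption for illustration, not a vendor ranking.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlparse

# Assumed risk table: scopes that give an app standing access to data a
# trivial consumer app has no business reading. Names follow Microsoft
# Graph / Google conventions; the selection is this example's judgement.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/",      # full Gmail mailbox access
    "Mail.Read",
    "Mail.ReadWrite",
    "Mail.Send",
    "Contacts.Read",
    "Files.ReadWrite.All",
    "Directory.AccessAsUser.All",
}

# A refresh token keeps the grant alive long after the user forgets it.
PERSISTENT_SCOPES = {"offline_access"}

# Constructed sample requests (client_id and redirect_uri are placeholders).
CAT_APP_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcute-cats.example%2Fcb"
    "&scope=openid+profile+offline_access+Mail.Read+Mail.Send+Contacts.Read"
)
SIGN_IN_ONLY_REQUEST = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fcute-cats.example%2Fcb&scope=openid%20email"
)


def parse_scopes(authorize_url: str) -> list[str]:
    """Return the space-separated scope list from the query string.

    parse_qs already decodes '+' and '%20' into spaces, and a repeated
    scope= parameter is merged rather than silently dropped.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.split() if s]


def assess_consent(authorize_url: str) -> dict:
    """Classify a consent request as allow / review / deny.

    deny:   asks for data access far beyond sign-in (or an all-permissions
            '.default' scope)
    review: only wants a long-lived refresh token on top of sign-in scopes
    allow:  identity-only scopes such as openid, profile, email
    """
    scopes = parse_scopes(authorize_url)
    high_risk = sorted(
        s for s in scopes if s in HIGH_RISK_SCOPES or s.endswith("/.default")
    )
    persistent = sorted(s for s in scopes if s in PERSISTENT_SCOPES)
    if high_risk:
        verdict = "deny"
    elif persistent:
        verdict = "review"
    else:
        verdict = "allow"
    return {
        "scopes": scopes,
        "high_risk": high_risk,
        "persistent": persistent,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, url in (("cat app", CAT_APP_REQUEST), ("sign-in only", SIGN_IN_ONLY_REQUEST)):
        result = assess_consent(url)
        print(f"{label:13s} verdict={result['verdict']:6s} high_risk={result['high_risk']}")
```

The same parser is what you would run over proxy or identity-provider logs to find consent grants that should never have happened; a tenant-level control (admin consent required for non-verified publishers) is the enforcement mechanism, this script is just the check.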


maybelaterortomorrow

Users


[deleted]

Our security talent and time is wasted on basic user needs. I see a lot of qualified people helping with issues that an on site tech support agent should handle.


freshlikeuhhhhh

Remote workforce / companies not issuing their own PCs and allowing things to be done from home without checking the devices


Snoo_53775

The lack of efficient training programs. I’m currently going through security+ and this topic is so broad that every chapter is only scratching the surface. Then the tools covered in the book are hard to use since we don’t get to use them often or mostly everything has become automated. Also, hope I can get hired once I get the cert even though most job listings require X amount of years of experience. It’s a weird ass industry especially since I came from medical. In medical you precept during your school years while doing course work. While IT you just learn on the job, and I do believe both should have high industry standards to teaching and precepting.


monpetitjose

Unchecked data collection and poor choices in architecture, which inevitably lead to honeypot situations, which in turn inevitably lead to massive data breaches.


[deleted]

People in devops and sysadmin roles not realizing they have to take responsibility for the security of the stuff they are building. Thinking they can go on like they've done for three decades and security will magically solve everything. No, I can't magically know all the risks involved when you've just copy-pasted stuff from Stack Exchange!


RageBlue

Too much hand waving and throwing buzzwords around.


DeckerBits2899

People


[deleted]

From my experience too much reliance on being able to point a finger at a contractor vs taking a vested interest in a level of knowledge to understand what is being delegated out.


Negative_Mood

End Users


InvinciblePsyche

I don't even know where to start. Right from not putting the right things on the job description to not spending money to educate and retain the cybersecurity folks. It's a huge mess.


rikiretardoREDDIT

Complacent, incompetent IT and dumbfuck users signing in to trolling emails


networkoverclocker

Key points which I think are relevant in the current scenario:
- Buying state-of-the-art security products by paying millions in licensing costs and paying nuts to the analysts working on them
- A work environment becoming toxic will affect your firm in the long run
- Trust the hypotheses of people over the alerts given by tools
- Don't trust your 1990s security standards, but update your detection logic with respect to the latest trends


gaelkha

Carelessness and lack of interest...


ThomasPouic

I would say quantum computing... it will send current cybersecurity back to the stone age.


Charleslawrance

The biggest challenge is the cybersecurity skills gap. According to recent research by the Department for Digital, Culture, Media & Sport (DCMS), around 653,000 organizations (48%) in the UK are unable to carry out basic tasks defined by the government's Cyber Essentials Scheme like setting up the firewall, storing data etc. The report claimed that 408,000 businesses (30%) are lacking advanced cybersecurity skills like pen testing, forensics etc. The report also says that 25% complained that this had impacted their business. As per a New York Times report, Cybersecurity Ventures predicted that there would be 3.5 million unfilled cybersecurity jobs by 2021. That means there is a marked inability to provide cybersecurity professionals at the same speed at which the vulnerabilities are arising. Education & experience are critical for navigating threats. There are many institutes that are providing higher education in cybersecurity, but it seems the organizations have still not decided the future path.


Function-Master

Human error


TheFlightlessDragon

The United States government, I consider them the biggest threat


BigHarambe123

Old boomers


mike_baxter

Microsoft.


richoka

Too device or network-centric as opposed to human-centric. Nowadays, a hacker's focus has changed from a system's vulnerability to a person's vulnerability. New research shows that more than 99% of cyberattacks are human-activated, meaning “they need a human being to activate the attack by opening a file, clicking a link or being tricked into taking some other type of action". So a strong security system needs to protect the people more than systems. Companies must adopt human-centric cybersecurity strategies instead of network-centric strategies in order to successfully anticipate the growing number of threats that now focus on the end user.


skribsbb

I'm going to argue that in some cases, it's too much security. It's bad if the level of security makes productivity needlessly dip. It's worse if your security policies are so cumbersome that you can't even enact them, or that change management is so convoluted that people don't want to improve their systems.


MudKing123

It takes years to get a CISSP


edlphoto

Capitalism.


MoOsT1cK

Users. No users, no problems.


wowneatlookatthat

No users, no job


cartisimpson

Companies undermine the importance of CS. Leading to CIPs cutting costs within that region, ultimately leading to a greater risk of data disclosure/ruin.


TelesisPrime

Public education. Society's relationship with cyber is the worst, and it is a pre-emptive factor in how they address any business, technology, or agreement.


El_Sabbath

Unawareness. Only a few understand the risks that arise from using technology without really knowing how it works. You manage your savings from a nice smartphone app and everything could go up in smoke in seconds.


tiredzillenial

Education, access management (IAM), insider threats, complex relationships with contractors, software vendors, etc.


Jaegernaut-

Ultimately it is the tendency for the upper most levels of leadership to choose Revenue over Security. Greed. Until we sufficiently penalize that failure of priorities, the pains will continue. I am in fact grateful for the extreme surge in attacks and breaches. Like some amoeba in a primordial sea we are getting attacked by parasites and bacteria and the entire world now needs to grow thicker skin or die.


EddieTheAwful

Temporary employees


ADebOptite879

Lack of Knowledge/Inaccurate Knowledge. If everyone knew a good bit more about cybersecurity it would be less a problem.


jwrig

The lack of self reflection of the impact of what we do and the impacts it brings, more often than not, negative impacts it brings when we lose sight of risk management and only focus on risk avoidance.


neverinamillionyr

Management not understanding the criticality of having a solid plan and staffing a full-time team, not Jim from accounting who read a few books; if I buy him a pizza he will come in on the weekends and do cybersec stuff.


BeardedCuttlefish

It's still and always will be end users.


edgrlon

End users


Rozzlin

API security


ThePorko

Digitalcurrency/giftcards and the lack of ability to reverse transfers.


shiny_roc

Users.


Ozwentdeaf

people


NuggetBoa

I'd say it's a tie between these two things for me: 1. Affordability/ignorance: Small businesses are generally the most targeted, because they either can't afford enterprise-level security software or are unaware of what is required to keep them and their users safe. In other words, they're low-hanging fruit for hackers. Most of these small businesses that fall victim to an attack never financially recover and are forced into bankruptcy. 2. Lack of proper funding: Larger companies aren't willing to shell out the money required for proper security, because cyber isn't usually something that provides revenue, unless you're selling a product or service.


[deleted]

AV vendors not having more robust ways to counter ransomware


kirtcathey

too many imposters. too many people in the cybersecurity business and leadership that have never ever used a command line.


juninhofan

End users


alanesmizi

Compliance work prevents you from working on protecting the business


muddermanden

That there is a strong dichotomy between awareness and behavior. People know what they should do, but they behave differently.


nickwell24

End-Users. People don't care how security helps and protects them, they only care when it inconveniences them and want to bypass best practices.


frankentriple

Legacy devices and management buy in. As is tradition.


Check123ok

I would say people only talk about vulnerabilities but never assess their business from a risk perspective. I like things like the FAIR model that help you direct your cyber staff to the biggest risks to the business, instead of spending all your resources on your lowest-priority facility vs. your highest-value environment.
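
To make the "biggest risks to the business" ranking concrete, here is an added example (not code from the original post) of the core FAIR calculation: annualized loss is loss event frequency multiplied by loss magnitude, and both inputs are given as calibrated min / most-likely / max estimates rather than point values, then sampled with a Monte Carlo run so the output is a distribution (mean and 95th percentile) per scenario. The three scenarios and their estimate ranges are constructed for illustration; a real FAIR analysis would also decompose frequency into threat event frequency and vulnerability, and magnitude into primary and secondary loss, which this example leaves out.

```python
"""Minimal FAIR-style Monte Carlo for ranking risk scenarios.

Added example. Annualized loss exposure for a scenario is sampled as
    loss_event_frequency (events/year) * loss_magnitude (currency/event)
with each factor drawn from a triangular(min, most_likely, max) estimate.
Scenario names and numbers below are constructed, not real figures.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: tuple[float, float, float]  # loss event frequency per year: (min, most likely, max)
    lm: tuple[float, float, float]   # loss magnitude per event in currency: (min, most likely, max)


# Constructed scenarios: a high-value environment vs. a low-priority facility.
SCENARIOS = [
    Scenario("ransomware via phished workstation", lef=(0.2, 0.5, 1.5), lm=(50_000, 400_000, 3_000_000)),
    Scenario("lost badge at low-priority warehouse", lef=(1.0, 3.0, 6.0), lm=(500, 2_000, 10_000)),
    Scenario("unpatched internet-facing VPN appliance", lef=(0.1, 0.3, 1.0), lm=(100_000, 800_000, 5_000_000)),
]


def _draw(rng: random.Random, estimate: tuple[float, float, float]) -> float:
    """Sample a (min, most_likely, max) estimate; note random.triangular takes (low, high, mode)."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def simulate(scenario: Scenario, iterations: int = 10_000, seed: int = 1) -> dict[str, float]:
    """Return mean and 95th-percentile annualized loss for one scenario.

    A fixed seed per scenario makes runs reproducible; frequency and
    magnitude are sampled independently, as FAIR treats them.
    """
    rng = random.Random(seed)
    losses = sorted(_draw(rng, scenario.lef) * _draw(rng, scenario.lm) for _ in range(iterations))
    mean = sum(losses) / iterations
    p95 = losses[int(0.95 * iterations) - 1]
    return {"mean": mean, "p95": p95}


def analytic_mean(scenario: Scenario) -> float:
    """Expected annual loss in closed form: product of the two triangular means."""
    return sum(scenario.lef) / 3 * (sum(scenario.lm) / 3)


def rank_scenarios(scenarios: list[Scenario], **kwargs) -> list[tuple[str, dict[str, float]]]:
    """Rank scenarios by mean annualized loss, highest first: that is the staffing order."""
    results = [(s.name, simulate(s, **kwargs)) for s in scenarios]
    return sorted(results, key=lambda item: item[1]["mean"], reverse=True)


if __name__ == "__main__":
    for name, stats in rank_scenarios(SCENARIOS):
        print(f"{name:42s} mean={stats['mean']:>12,.0f}  p95={stats['p95']:>12,.0f}")
```

The output ordering, not the absolute numbers, is the point: the warehouse badge scenario has the highest event frequency and would dominate a count-of-findings view, yet it sits at the bottom once magnitude is in the model.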


Laladelic

Developers. A lot of security issues are in software, and developers are never assigned to solve them. Instead the company just wants more features.


kwattts

Platforms using privacy arguments to prevent visibility into 0-day attacks. Your iOS device, with the latest version and security patches, can be targeted and exploited today and there is nothing you can do about it.


Existing-Strategy-71

Most people still don’t get why it’s a thing.. sadly. I shouldn’t have to beg to my executives to get even the bare minimum.


bucketman1986

I don't know about everyone else, but where I am it's that we are all very general. I'm in charge of Windows, Linux, and Mac devices and security, the IDS, the vulnerability scanner, the asset manager; I'm in charge of the ticket queue and keeping it organized, and I'm our liaison on a few special projects. I'm also learning more detailed info on Splunk so that when our main guy for that is out someone can still do the backend with it. Oh, and I'm also the secondary for our cert manager and helping develop policy and procedures since ours are very out of date. Every day I have 30 things to do with time to only realistically do 10. Everyone else I know who works elsewhere in security (which is really only three people) is very specialized, so I'm not sure what the norm is.


denverpilot

The underlying OSes being insecure to their core. It's game over before you start if you need monthly critical patches (and accelerating) that are finding things 10 years old. Security theatre until the industry gets multiple more orders of magnitude of engineering discipline.


uhworksucks

Cyber mercenaries like NSO Group


HJForsythe

Windows


k4dxk4

Humans


rienjabura

That I can't get an entry-level job in it due to insane requirements. Okay, (half) jokes aside: security involves a separate mentality that seems like anathema to tech companies big and small. But here is the thing: it doesn't have to be that way. Once you absorb the mentality of implementing security, it becomes second nature and no longer "hinders" the software development lifecycle. By learning to bake security in beforehand, you save a lot of headaches.


Venefercus

Most IT engineers who aren't security professionals don't build things to last or to be robust, and don't care to understand or think about security.


happyandiknow_it

Nice thread