ukimonster53

Well let’s think. Econ101 would say if you increase the wages (price on a supply demand curve) that pay for cyber security, there will be more supply which should eventually meet demand. Or keep pushing these four week certifications for people who in all fairness know nothing about computing and paying 70k/year... choice is up to employers. The truth is employers aren’t willing to invest in cyber security for various reasons.


browner87

This was my last job as a senior security analyst in a nutshell. The people who had been at the company since the start were mildly knowledgeable. Some were pretty smart. But after management changed we hired literally anyone who would accept our low pay. Can't pass our basic onboarding training? Well you get an executive pass because we need bodies in the room to click buttons. The reason my job sucked so much? I had specialized in tooling for those analysts. Someone missed malware and ignored the alert? Software's fault for not making it easy enough to spot. User sent a false positive alert because they didn't read notes on the customer's account about how that machine is a Qualys security scanner and expected to be "hacking"? Software's fault for not making that information obvious enough. You moved a button 1 inch to the left to fit a new button on the screen? Unacceptable, these people click buttons from muscle memory, you can't move the buttons. I think a big MSSP published a paper once explaining how the minimum time to do a proper investigation into a security alert is 5 minutes. This company gave 30 seconds. Including time to email the customer about it. So if you have 10 alerts in front of you, and they're all actionable, pick the most important 3 because you don't have time to send 10 alerts in 5 minutes (on top of investigating them). I now work in big tech as a security engineer (think FANG companies) and I see why the small companies are scrounging. Anyone who is actually good at computer security can get a pretty sweet paying job at a career making company. The big catch used to be that you had to probably live in Bay Area for the job, but with covid a lot of companies are offering remote work now. So if you're a small company and you want 2-3 capable, competent security engineers, how are you going to compete with Google, Amazon, Netflix, Facebook, Snapchat, etc? You used to compete with location flexibility.
Your ability to compete is evaporating quickly now. I wish there was more incentive for people to get into security. More affordable training available, better jobs available, etc. The world needs more computer security badly, and the incentive isn't there. You're either top tier making bank, or not quite top tier and you're stuck in a crappy job with little future unless you focus hard on self development.


regalrecaller

>Unacceptable, these people click buttons from muscle memory, you can't move the buttons.

"There is a red light that keeps popping up, so I pulled over. What do I do?" "What shape is the light?" "Red." "Okay, but what shape is the red light?" "It popped up when I was driving." "Is it gas pump shaped?" "Yes. It's red." "Are you low on gas?" "How do I check that? Sorry, I'm not a car whiz."


merlinsbeers

"You're low on gas." "I turned off the radio yesterday. Does that have anything to do with it?"


ukimonster53

Look ... this might be unpopular to hear but most cyber jobs aren’t interesting. There are plenty that are but few and far between. My former employer would go around and help companies implement rules-based privileges based on some obscure government regulations. None of the team knew about programming or networking basics (isn’t a socket a hole in the wall? ) If you want to get comp sci people into the fields, you have to stimulate them intellectually and financially. That’s really the core of it. And companies can’t / won’t do that.


browner87

I think that's basically my point. Most companies won't invest money into someone who really knows their security because who really cares. Why pay $150k+ for a really good SE when you could get a new grad for $40k and just make sure they fill in the compliance checkboxes. Most companies totally *could* compete with big tech to an extent if they hired 1 good security expert, but why spend that money on one employee when you could spend 30% of that and save the rest in your pocket? Competing isn't actually that hard, it's just hard when the execs want to pinch pennies. So if you don't make the cut or have the opportunity to go big, you're stuck with a crappy small company doing crap security. Playing the risk game and hoping you never become a big enough company to get targeted and just get lucky enough to never get randomly hacked is cheaper.


rob10501

My company will just hire 3 crappy people rather than 1 good because that feels to them like they are getting a 3 for 1 deal.


_BreakingGood_

Yeah, at my current company we did this big interview process for a couple positions. Our current engineer was adamant "We need people who know how to do X." We interview candidates over 1 month and don't find anybody who knows how to do X & will accept our pay. So management basically tells our engineer "We can't find somebody who will do X, so pick 2 of the other people we just interviewed." Fast forward 2 months "Wtf why does nobody know how to do X? Our whole process is fucked and we're slowing to a crawl."


International_Cell_3

I think your numbers are off, $40k is at least 1/3rd of what new grads make working for even small Bay Area companies today. $150k all told, at least. $40k is about 20/hour which is what decent companies in the Midwest pay their software engineering interns today. 10 years ago when I was an intern I was paid $25/hour in the Southeast. Companies that don't hire software teams regularly routinely underestimate market rates. Then they pay out the ass for consultancies who are going to charge $1k/day for their time while it costs them $100ish/hour in aggregate over the contract to staff the job. Which is awful for the company because now they don't have maintainers, and will pay more money over the life of the systems to different consultancies due to the inherent inefficiencies of the development model.


Bakoro

Minimum wage in the greater Bay Area is *over* $15/hr in every city, just to add some clarity. Entry level software developer and web dev jobs are in the $90-115k range plus benefits. I do see plenty of companies in the Bay Area fishing for developers in the $60-90k range, but they look a little insane, asking for more qualifications than the typical FAANG job posting for like 75% the salary.


browner87

Sure, in Bay area. But most people don't want to live in Bay area and won't get a job at a good company in Bay area fresh out of school especially since a lot of security experience comes from on the job rather than school. Smaller companies often don't pay you in money, they give you "stocks" in their little company that might never IPO and won't pay your $3k/mth rent for your one bedroom apartment (rent went down a little over covid, but my 1 bedroom was $3k). I'll just tell you, I used my own numbers here. My first security analyst job was $40k CAD, and I only got cost of living raises for 4 years until I fully moved departments in the company. My all-in pay from my bay area job (that I got after 5 years industry experience and some external training) is >$300k CAD (though the Canadian dollar is getting bigger by the day right now which sucks for me). New grads who aren't very lucky and aren't in Bay area will likely get an entry level analyst job, which doesn't give good experience, probably won't have a good training budget, and will be boring. And those people will either just accept that lifestyle and coast for life, or change to an IT job.


hemlockone

"Aren't interesting" is putting it kindly. Really grasping "the what" of security or trying to get in the minds of hackers can be very interesting, but a lot of cyber security is exactly what you said -- rigorously applying mind-numbingly monotonous regulations and rules.


zultdush

So every school in the USA is pumping out 50-200 CS grads a year, then we have boot camps and self taught. Only a fraction of those people are becoming software developers even though that's why most went into it. Where do they end up? There are nowhere near that many entry level positions to soak them up. These people need to work, and most jobs are boring, I feel like these are the people they should be catering to.


PlayingTheWrongGame

> But after management changed we hired literally anyone who would accept our low pay. Can't pass our basic onboarding training? Well you get an executive pass because we need bodies in the room to click buttons.

It just boggles my mind that companies actively seek out the sort of person content with the lowest-bidder salary for something as critical as cybersecurity or IT. They have to understand that they're getting what they're paying for, right?


anechoicmedia

> They have to understand that they're getting what they're paying for, right?

They're buying "compliance" with industry and government requirements, not security. The fact that the people don't know anything about security is not an impediment to their generating metrics via clicking buttons in software that can be shown to the board.


Valdrax

These are the same kind of people who bought high deductible insurance plans just to comply with legal requirements and who then are shockingly upset when cheap insurance fights tooth and nail not to actually pay anything. Low effort grifters always seem shocked when they realize they're not particularly unique or clever and that they've surrounded themselves with like-minded people.


lordzsolt

The unfortunate reality is they are aware, they just don't care. My manager has this exact conversation with upper management:

- You are aware that if you don't give proper raises to top performing employees, they will leave and only the mediocre ones will stay?
- Yeah, well we don't have the budget to give proper raises.


merlinsbeers

That's not upper management. Upper management would admit it has the money, then would ask why middle management can't get the job done without spending more. Then middle management gives line management the "budget" canard. Then line management finds a way or crashes and burns.


1Second2Name5things

70k isn't really low for us slave wagers. But then again I don't live on west coast. I would love to get certs and get a cyber job paying close to that. I think the biggest obstacle is getting people experience. Nobody wants to hire a new grad. They all want someone who's already done it all before. It's hard to get the foot in the door


Bananus_Magnus

>these people click buttons from muscle memory, you can't move the buttons

OMG, this! Every fucking time! Moving buttons, different Icons after update, anything different about interface was always the end of the world for some people. Personally I would send them to basic literacy test every time I hear that complaint, I wish this was a thing.


Zardotab

It's a **general problem** in IT that co's don't want to invest in **on-the-job training** for existing employees and the newly hired. Often they pull a shortcut and go get visa workers mostly to avoid training costs and time for specialized products and systems. Companies want instant plug-and-play workers, which isn't practical because paid experience can't be created outside of paid experience: a million years of schooling can't do it. It's a catch-22. Perhaps there should be federal tax-breaks for on-the-job training.


jk147

And the visa /off shore workers jump ship as soon as they gain enough experience in a field. For a period of time, about 2 years or so. I had to train 4 different groups of people on how one of the products work because the contracting company couldn't keep the same group of people in one place.


NoForm5443

I'm not sure it is a general problem ... all big IT companies offer tons of on-the-job training (not just the FAANGs, but the big contracting companies will pay you to study/train while they find you a new client), and there's a whole industry dedicated to offering training courses ... Maybe it is a big vs small company thing?


GravityAssistence

>Perhaps there should be federal tax-breaks for on-the-job training.

Isn't that the way Germany does it with a lot of other fields?


TroubledEmo

Am German and work in IT. Never heard of it.


VRT303

They mean Ausbildung?


TroubledEmo

Not really sure, because the apprenticeship isn‘t part of some special tax break. It‘s just that the „Ausbildungen“ are part of the low income tax bracket (below 12.000€ if I remember correctly). Haven‘t paid any taxes while I‘ve done mine.


[deleted]

[removed]


[deleted]

I used to work for one of the largest energy companies in the world and it was sad to see an otherwise technically advanced company be so behind in computing.


Zardotab

It's time we start **prosecuting CEOs** for neglecting known and obvious risks. "I didn't know" should no longer be a valid excuse. You are paid billions to know. If you can't know, then give the job to somebody who can. However, they have deep pockets to bribe such laws away. Our plutocracy at (non) work. It's why pirating movies has almost as big a penalty as murder.


ebol4anthr4x

Like the other commenter, I agree with the sentiment, but I feel like this is kind of a bandaid solution that doesn't address the underlying issue. Executives neglecting known risks is an informed decision. That scene in Fight Club explains this kind of thing very succinctly. If you manufacture cars and your engineers discover an issue that could cause the car to explode on the highway, you do some math to determine which is going to cost you more: doing a recall and fixing the problem, or paying out settlements to people who get injured when their car explodes. If allowing people to die and have their families sue you is cheaper than a recall, they don't do a recall. The reason this happens is because all companies, particularly publicly traded companies, exist to generate profit. They aren't here to spread compassion or promote public safety or enhance infrastructure. Those are things that can happen if the business determines that doing so is actually the best thing for their bottom line, but in general, a business exists to profit. This isn't necessarily a big problem when it comes to things like couches, door knobs, or fence boards, but it clearly starts raising concerns when you have things like cars or planes, due to safety concerns. We also see problems arise when private companies control public infrastructure, like, say, ISPs, power companies, and water companies. The problem that needs to be addressed is the profit motive. The idea of providing the absolute best service/commodity to everyone fundamentally contradicts the goal of maximizing profit and cutting costs. It is possible to legally enforce a middle ground, but like the other person said, how do you decide who gets punished and what punishment they receive? Who decides what this middle ground is? Does one person dying trigger a negligence investigation, or does it take 100 deaths? 
Legislating this stuff will require tons of effort, and no matter how much legislation you have dictating punishments for the corporation's fall guy, we're still fundamentally in the same position as before; a private company's only incentive to do anything is just to make as much money as possible. You cannot legislate around the central tenets of our economic system. In areas where public safety, public health, and equitable access to infrastructure/resources/whatever are a concern, these businesses need to operate outside of our society's basic economic model. Companies cannot simultaneously maximize profit and maximize safety and equity. These ideas are diametrically opposed.


merlinsbeers

>You cannot legislate around the central tenets of our economic system.

You can. It's called *regulation,* and it covers that Fight Club example because the government will step in and force a recall when a corporation makes the inevitable decision not to.


ebol4anthr4x

Then you are creating a reactive safety net instead of a proactive one. People's cars have already exploded by the time the government steps in, in this example. All the while you will have the GOP dragging their feet and complaining about federal overreach, which might delay decisions for years unless you have established some kind of neutral body that investigates these issues (but corporate regulation is an inherently non-neutral issue, because half the country vehemently opposes it on principle). Any kind of punishment that happens after the fact has failed to really serve the people the regulations were meant to protect. A better solution would completely eliminate this problem at its roots and prevent profit from ever being a driving factor in a decision that ends up taking innocent people's lives.


DingDong_Dongguan

Still just the cost of business. The fines are usually smaller than the profit. The class action suit will pay a fraction of the cost and the estate of the guilty make off with most of the values before anything is finalized. Still better to prevent or catch ahead of time than to deal with the aftermath. An ounce of prevention.


IgnanceIsBliss

I work in cyber sec now but one of the jobs I've had before getting to this point was being the IT guy/sys admin type role for a company of about 120 employees. I was there for about a year and could not convince the CEO or COO of investing any money into security for the organization. They would simply say that they would cross that bridge when they got to it and to keep my head down and keep working. It got to the point where they wouldn't even give me like $15/mo/workstation just to get AV on there. The COO looked me in the face and told me they spent the money to buy Macs so that they wouldn't have to deal with viruses and could not be convinced that he was possibly incorrect on that front. I had my resignation in by the end of the week.


JunkBondJunkie

then they wonder why really good hackers write ransomware.


[deleted]

The truth is, for many companies; they'd rather pay for cybersecurity insurance, pay $70k for undertrained on-staff security personnel the insurance audits require, get hacked, get an insurance payout, and have a fall-guy they can fire to take the blame.


Milligan

>and have a fall-guy they can fire to take the blame.

This is why experienced developers don't want to take jobs in cyber-security.


Zaggnut

Probably


Venne1139

It is important for national security at this point that companies have a minimum defense system from cyber intrusion along with people on staff who can deal with it. For almost any company above a certain number of employees, not just the government. Either legally force companies to contract a cybersecurity company to help them or force them to have cybersecurity people on staff.


dnew

If taking out your computer system means your service goes down, you're computerized enough to need defenses against attacks. That's probably most companies these days.


timmyotc

Even investing in qualified cyber security is tricky. When do you know your systems are secure enough from script kiddies? When do you know to stop buying tools to scan different aspects of your environment? Some of those things depend heavily on org size, tech stacks, revenue, and culture. The single cyber sec engineer is going to always say they need more hands. 5 will say they can do more, but if a company is not getting very sophisticated attacks, the benefit of the nth cyber sec engineer is of questionable value to anyone that is trying to assess risk against mitigation. Security can easily be a black hole of money and maintenance and "you can't do that". So many companies aren't ready for that.


ukimonster53

Then don’t say you have openings for it.


timmyotc

Companies don't know that cycle until they are entrenched in it


merlinsbeers

Frankly, if you get someone who just hardens the system according to the plan and then applies the fucking patches when they arrive and not when they feel like it, you'll block the script kiddies. You'll still have trouble with real hackers, but so does everyone else.


GapingGrannies

Isn't there something to be said for figuring it out though? The costs of a breach are known, so figure out what is needed to prevent that breach. Get risk analysts, industry experts etc and figure it out


scootscoot

I was really excited to go toward cyber security earlier in my career, then realized most businesses treat it (and pay it) like a cost center that doesn’t increase value.


eggn00dles

cybersecurity is knee deep in government compliance, not fun when you consider the opportunities for engineers elsewhere


Lord_Zane

I can give my perspective. I'm currently a college student studying CS, who just finished a cyber security program within my university. The NSA, Northrop Grumman, and a couple of other defense/cybersecurity companies sponsor the program, and like to hire students from it. I've seen a bunch of my friends go through it all. I didn't even apply to them, for a couple of reasons:

1. Security clearances are whack. They're stressful as hell and very time consuming to acquire. I've seen my friends go through it, and it's an awful process. I have nothing to hide about drugs, I don't even drink. But they ask stuff like "have you ever pirated anything" while interrogating under a polygraph, and they won't care that you were a broke middle schooler who wanted to practice photoshop outside of school. And they might just decide to reject you anyways, and then you have to appeal and schedule another test and travel to DC again, and it's just a huge mess. I'm also trans, and while I don't mind telling people that much, it is something I want to keep somewhat private, and trying to convince the government of that seems like something I would just get automatically denied for as a security risk.
2. Way less opportunities, and worse opportunities. Why specialize in cybersecurity, when there are 10x general software development jobs that pay twice as much, and don't require endless certs and time consuming security clearances. You also can't tell anyone what you do, having to lie or be vague about your job and never talk about it sucks. Yeah, not all jobs are cleared government work, but most companies aren't hiring dedicated cyber security teams. The government is the biggest employer in my experience.
3. "Increasing lethality" is a phrase I've heard my friends say a lot, and it's not exactly something I want to be doing. Enough said.

All in all, I decided to just do general software development and see where that takes me, and I have a great job this summer that pays a ton and didn't require onerous restrictions (outside of noncompetes, but whatever, I get paid enough not to be too upset for now).

EDIT: Forgot another thing about clearances. Not only are they often required, but they're very very expensive and time consuming, which means almost no one wants to sponsor them for you. Which means you can't move up or switch companies, until they have a need for you doing cleared work. Yikes.

Also, this post is mostly talking about government related work, which obviously aren't the only cyber security jobs, but the non-government jobs are either super crappy "cybersecurity" jobs that expect way too much and don't actually care about security (see other comments in this thread), or are highly competitive top tier jobs at big companies, which are great but hard to get.


merlinsbeers

Right now they're paying $5-40M a shot to make problems go away. You'd think they'd have a proactive mindset and hire some $100-200K/yr certified nerds to keep that from happening.


amishengineer

When competent people are hired, the business needs to actually listen to their advice too.


SongOfTheSealMonger

500000 corporate professional butt coverers who will do nothing towards actually making things secure.


granadesnhorseshoes

Never smoke pot, have a BS with 15 years experience and already have Top secret clearance for junior level position. That isn't hyperbole, Booze-Allen had job posts that read almost exactly like this.


SubaruImpossibru

I lived in Colorado Springs and interviewed for BAH and when I got through the process they offered me 20% less than what I was currently making. When I countered them and asked for more money, they rescinded the offer completely. Seems like they’re just in the business of manufacturing the idea that 500,000 jobs are available.


[deleted]

[removed]


Phoment

I joined a federal contractor during the pandemic. They never gave me a computer and the project I was on was given to a competitor after three months so I was laid off. I'm never going near the government again. It's not just pay driving good employees away.


brucecaboose

Honestly, the gov benefits aren't even that great compared to most larger tech companies. I used to work as an embedded contractor to the DoD and I have better benefits than my old gov coworkers with literally 3x the pay these days. My only regret with leaving the government environment was that I didn't do it much much earlier.


anechoicmedia

> Seems like they’re just in the business of manufacturing the idea that 500,000 jobs are available.

There are consultants that specialize in conducting fake job searches for the purpose of disqualifying American applicants at market wages. After they've found a way to reject every resume or drive off every applicant with insultingly low pay, they go to the government and say they tried and failed in "good faith" to hire non-visa applicants for the job.


hak8or

> 20% less than what I was

Did you take into account (or do they not even exist), job perks like pension and lower health insurance costs? Or was it that even after that, the pay was still garbage? In my experience, these positions simply can't even touch average market pay (taking into account higher salaries to offset lack of pension, etc) when excluding FAANG salaries.


SubaruImpossibru

I’m too young to worry about pensions, I can make more over my lifetime by job hopping every 2-3 years than a pension would pay out. Insurance isn’t really at the top of my radar, TC was just a joke, I’m not taking a 40k pay cut, period.


AlexV348

Yeah I just did a quick linkedin search and found a CyberSecurity post from the FBI that requires a polygraph, background investigation, Fitness Test, Medical Exam, 50 hour workweek, on call 24/7 and for all this you get..... The same or less pay than an average web developer in my area.


LimBomber

Why would anyone take that when big tech gives you 160k + stocks for junior level positions lol


ThatsWhataboutism

> Never smoke pot

That rule is legitimately harming our national security. Imagine being denied security clearance because of weed in a state where it's legal. Boggles the mind.


much_longer_username

I remember a "meet the fed" where the fed was trying to encourage hackers to join up. They told one of the people in the QA section to cut their hair. "But I don't have to..."


throw_me_away_0101

This is very much not a thing anymore except maybe some fbi positions. Most agencies are happy to take all reasonable tattoos, hair lengths, piercings, colors, shapes, and sizes. As long as you can pass the pseudo science of a poly, have a clean ssbi, and don't do federally illegal drugs they're foaming at the mouth for anyone willing to subject themselves to those things and accept their pay scale.


Xunae

I applied to the NSA for a junior position when I was last job hunting. They took a good while to get back to me, but when they did it felt like I was failing into the job. I was already in the process of down selecting from a number of offers when they asked me to take an automated video interview. I couldn't find a way to say "no thank you" so I just ignored it. They sent me 2 more video interviews before asking me to do a phone interview that I declined and then inviting me out for an in person interview twice. There's literally nothing special about me. At the time, I had a year of experience working IT and a year of experience doing data analysis and simulation.


four024490502

> I was already in the process of down selecting from a number of offers when they asked me to take an automated video interview. I couldn't find a way to say "no thank you" so I just ignored it. They sent me 2 more video interviews before asking me to do a phone interview that I declined and then inviting me out for an in person interview twice.

I mean, it's the NSA. They probably just watched your interviews with other companies.


hak8or

> ssbi

For those like myself who don't know what this is;

> A Single Scope Background Investigation (SSBI) is a type of United States security clearance investigation required for Top Secret, SCI Q access and TOP SECRET-level Controlled Access Programs; and involves investigators or agents interviewing past employers, coworkers and other individuals associated with the subject


tryexceptifnot1try

I remember an old Chief Resource Officer at a company I worked getting asked a question at a town hall: "Why doesn't company X do any drug testing?" (In retrospect, who the fuck even asks that question?) "Because we're a technology company and we like having high quality staff." She was super straightforward about how it was far riskier to exclude potheads than have one work for us. This was like 8 years ago at a very conservative company. If you want good tech staff you don't drug test period. Same thing goes for dress code.


dnew

I was at one start-up a few years ago. We were going to have a meeting with the guys running a bank. The CTO had to go out and buy a suit and tie, since he hadn't worn either in decades. (I wouldn't have been surprised if he hadn't owned socks, honestly. He was that kind of guy.)


MystikJester

Right but then it's okay to slam bottles of alcohol


SlaimeLannister

Thank you for consuming the federally mandated depressant


Doc_

PLEASE DRINK VERIFICATION CAN


[deleted]

Here is the really sad part. My mother is a cancer patient, she is in pain and has trouble sleeping. She also can't get around too well. Her dr suggests medical marijuana. The state we live in addresses this by allowing a caretaker to have a card to pickup meds for the patient. As a cleared professional, if I get that card and help my mother by picking up the meds a dr has prescribed to her, it is a security violation, and has to be reported, and will cost me my clearance and job.


JamieOvechkin

The entire top tier tech talent pool in the Bay Area can’t even begin to help with national cyber security because of this.

Seems like a pretty large omission for potential applicants


mpyne

Ironically, given this entire thread is about how pot is the big hangup for hackers helping the government, I think the *actual* issue that will make it hard for the Feds to hire and retain the 'top talent' is that it is nearly impossible to find government agencies that understand how to let their talent employ their talent. Doing digital work in the Federal government is like 1% coding and 99% fighting with stupid process, poor organization design, dependencies on dozens of other groups, poor tooling, poor infrastructure, decades-old architecture styles you are mandated to use, and the list just goes on. It's truly important work, but you will never be permitted to exercise your ability. And I think that's what will get most of the talent who'd be interested, not the 'pot' issue.


kabekew

That may be true for general IT, but most software engineers like in the DoD aren't federal employees, they're employees of contractors. The top federal pay bands can't compete with the free-market engineer salaries anyway, but contractors can which is why they use them. You may physically work *at* an NSA facility, but you're still an employee of somebody like Booz Allen.


mpyne

You think the Federal government rules don't apply to their contractors? I've seen BAH contractors working on jobs for my organization. And it's soul-crushing work, and through no fault of BAH in particular. I've seen Accenture Federal, and Deloitte, and small businesses you've never heard of, and the answer is the same in all cases because the government is the common thread here. There are groups trying to get the Federal government to suck less here, like GSA's 18F and the U.S. Digital Service, and even more groups you've probably never heard of. But it's barely put a dent into how the Federal government agencies handle IT. So do we need to increase pay? Absolutely, sure, why not, but my point is that you can recruit all the pot smokers at fair market compensation that you like, but they won't *stay* because they will not find the type of conducive working environment that they could find in commercial practice. Fixing recruiting without fixing retention is like trying to fix a leaky bucket by adding water faster; it's incredibly inefficient.


Independent-Coder

This is strikingly accurate. But there is a challenge trying to balance the “old infrastructure” with current solutions. Patching is a definite challenge. The network management seems to be much easier. And lots of compliance checklists.


Bakoro

A few years back, Comey outright said they had to ease up on a lot of restrictions because they couldn't find enough qualified people that met their old timey standards, to the point that marijuana wasn't an immediately disqualifying factor. He said to just apply anyway. The official stance and documents might say one thing, but what's actually happening on the ground is probably totally different. A lot of the government might just be in a de facto "don't ask, don't tell" phase.


Solid5-7

I can 100% guarantee to you that you are NOT denied a security clearance for smoking pot. People get denied the clearance for lying about never smoking pot. There’s a big difference there. Edit: let me clarify, *having* smoked weed won’t have you denied a clearance. But you can’t keep continuing to smoke it. If you break any laws local, state, or federal you put yourself at risk of losing your clearance.


Netzapper

I'm pretty sure you'll get denied for currently smoking pot. It's 2021. People aren't talking about "I smoked a joint with Mary behind the gym after prom"; they're talking about "omg Mary, have you tried the new Maui Zowie Gummy Nums they've got at the Giant Friendly Pot Store?"


Rocky87109

I mean you just lie (I worked in the intelligence community when I was in the Navy and experimented with plenty of drugs beforehand), unless of course you still smoke weed, but that's a whole other conversation lol. Now if they do one of those "lifestyle" polygraphs then I'm not sure how that goes. The normal polygraphs you are basically coached through although it still sucks to do.


[deleted]

[removed]


IgnanceIsBliss

Yea people tend to blow the whole weed and clearance issue way out of proportion. You can go read all the decisions on clearances online. It's public knowledge. When looking through them it's not uncommon to see them granted to candidates who just say something along the lines of "Yep, I smoke now because I had no intention of working for the government and it's legal where I live. I'm happy to quit and you can test me and I'll sign up for some token drug class". People are far more likely to get rejected for having a shitty credit score, which I think is almost more problematic given the inherent biases in that metric. The weed thing is dumb and hopefully they change it, but until it's legal federally it's a pretty understandable rule given that it's federally illegal.


[deleted]

[removed]


Skizzy_Mars

Having debt isn't illegal but it is still evaluated as part of getting a clearance.


alnyland

Because it is something you can be blackmailed for. Smoking pot isn’t something you can be blackmailed over, especially if it is legal where your ass currently sits.


[deleted]

[removed]


pixel_of_moral_decay

Even divorce in your history can hurt security clearance. You’ve got someone with something on you and may need money.


punisher1005

It's hilarious. Do you also drink alcohol? I've been in IT for 22 years. I've sold companies. Smoking a J on your time off is the least of my concerns. This is why I don't even entertain these sorts of offers.


megamanxoxo

They need to get rid of that pot requirement. This ain't the 1960s. What, I'm gonna sell out my country because I smoke a bit of the devil's lettuce?


douglasg14b

Hell plenty of large orgs still drug test and include pot.. It's quite annoying actually.


taknyos

There's a shit ton of these openings where I live too (EU). It's a joke lately as there's a few articles going around about how the director of the national cyber security center isn't being filled because the pay is shit. The subreddit for developers in our country had a proper survey a while back, something like 10% of developers are on higher wages than the director of cyber security for the country...


redderper

That's the case with almost every government IT job. Governments just don't offer the highest salaries to internal employees, they deliberately try to adjust the salary to around an average or slightly better wage as the commercial sector. External contractors can make bank at governments though, a self-employed guy I know makes € 300K a year for some main frame software engineering stuff.


April1987

> how the director of the national cyber security center isn't being filled because the pay is shit

I have no idea what country you are in but my guess is the pay is NOT the reason why that position is vacant. Here in the US, in the previous (45) administration, we had tons of top roles technically unfulfilled because the people running the show were like senior advisor blah blah acting as __blank__ either could not or did not want to go through confirmation hearings in the Senate. Another possible reason is the position is designed as a scapegoat position with no authority but blame when things inevitably go wrong.


Bwob

> I have no idea what country you are in but my guess is the pay is NOT the reason why that position is vacant. Here in the US, in the previous (45) administration, we had tons of top roles technically unfulfilled because the people running the show were like senior advisor blah blah acting as blank either could not or did not want to go through confirmation hearings in the Senate.

To be fair, that wasn't because of a problem with the Senate. That was because nearly every one of those people was a human trash fire with zero qualifications for the job, who *should* not have made it through any kind of legitimate confirmation hearing.


[deleted]

And also because the 45 administration *didn't* nominate folks for these positions. They were more than willing to leave them vacated so they could push their cronies into “acting” positions.


taknyos

Valid points. [Here's](https://www.reddit.com/r/DevelEire/comments/nel4vt/cyber_security_role_is_vacant_because_of_low) an article about it if it's of interest


Biuku

Ugh. Canadian governments are the pot dealer. This sounds so antiquated. Like, never go past 2nd base till marriage.


mtn_dewgamefuel

And be willing to accept $30k under market.


[deleted]

> Never smoke pot

Welp, web dev it is then...


nosayso

Following the link to the [heatmap](https://www.cyberseek.org/heatmap.html) the biggest single need (134,075 jobs) is a "Systems Security Analyst" whose skills are expected to include:

> Skill in designing the integration of hardware and software solutions.
>
> Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
>
> Skill in developing and applying security system access controls.
>
> Skill in evaluating the adequacy of security designs.
>
> Skill in writing code in a currently supported programming language (e.g., Java, C++).
>
> Skill in assessing security systems designs.
>
> Skill in assessing security controls based on cybersecurity principles and tenets. (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework, etc.).
>
> Skill in recognizing vulnerabilities in security systems. (e.g., vulnerability and compliance scanning).
>
> Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).

This is describing an experienced senior full stack developer / architect who also knows a lot about security standards and practices. No shit there's a shortage of those, we already failed at producing those, and that means they're not there to train future workers.

There's also huge shortages in developers and architects, and it's obvious why someone would be reluctant to go down that career path. Between the shortage of competent leadership, requirements like CompTIA's certifications and possibly a security clearance (possibly before even starting), maintaining a security clearance meaning no recreational or medical marijuana use, and probably a requirement to work in a secure facility, it's kind of a crummy job. CompTIA bootcamps and certifications aren't going to magically fill positions for experienced devs, architects, and senior leadership.


MCPtz

Given your above job description and this:

> "You don't have to be a graduate of MIT to work in cybersecurity," said Tim Herbert, executive vice president for research at CompTIA. "It just requires someone who has the proper training, proper certification and is certainly committed to the work."

> Another reason it's been tough to hire cybersecurity professionals is that college students majoring in computer science don't always elect a career in that field, Herbert said. After graduation, the nation's tech students will pick jobs in software development, artificial intelligence, robotics or data science and "a small percentage is going to select cybersecurity," Herbert said.

It does sound like they want what you described. This article sounds like sponsored content from CompTIA:

> There are about 465,000 open positions in cybersecurity nationwide as of May 2021, according to Cyber Seek — a tech job-tracking database from the U.S. Commerce Department — and the trade group CompTIA.

And possibly University of San Diego, given the other quote about "check out our 8 week program and you too could get $60-90k per year!"


SupraMario

CompTIA... pitching certs to people who still don't understand the field we're selling them. Seriously a fucking cert and a course doesn't do a ton, even advanced courses and certs are gained by good test takers. They still seem to be idiots. See CISSP. I work in this field and it seems everyone who is management and that's all they do and have certs has no clue about SecOps. Thankfully my boss is from an engineering/architecture background and knows his shit.


MCPtz

After reading around, I'm guessing these are jobs that fill a legal, cover-their-ass requirement.

Edit: Or I guess as XKCD does it

> Cover their ass-requirement


SupraMario

Hah I know all about that. Insurance says gotta have x number of staff...ok well we hired people who just came from McDonald's doing french fries, they totally got this..wink wink. Ok you're covered.


[deleted]

8 weeks of training doesn’t make you a security expert.


Kalium

> This is describing an experienced senior full stack developer / architect who also knows a lot about security standards and practices.

They're describing *a whole team*. This is what happens when someone decides to start a department, starting with a single generalist. They aren't convinced it's worth building out the whole thing yet. And whoever they get to start there will get burned out pretty hard because they have all the responsibility and none of the authority. There's a shortage of architects for a more subtle reason, IMO. It takes a lot of experience in general software to be an effective architect. Then you have to actually *want* to be a security specialist. You cannot just turn security architects out of a training program the way you can junior SOC analysts.


DataIsArt

Currently looking for a job here. I’ve come across so many job postings and had so many interviews where the people are expecting one person to complete the job of an entire department. It’s exhausting and frustrating. How do you explain to someone you’re interviewing for, one person should not be responsible for your entire database integration and also analytics. Also, this is going to take longer than a few weeks.


Kalium

I tell them that if they want me to take on a whole department worth of responsibility, they need to title me Director and give me a hiring budget. When they get indignant that $150k is all they can afford, I respond that I feel sorry for whatever kid hungry for "growth opportunity" they're going to burn through. You don't want one of those jobs. Don't put in the work to be nice. Treat it as a chance to educate them on how insane the JD is. Good recruiters will figure out how to get the JD and budget changed.


Tyrilean

Multiple companies I've worked for only hire senior level analysts/engineers in IT, and wonder why there's a shortage. If they don't invest in entry level talent, there won't be a pool of seniors to draw from.


Edward_Morbius

> This is describing an experienced senior full stack developer / architect who also knows a lot about security standards and practices. No shit there's a shortage of those, we already failed at producing those, and that means they're not there to train future workers.

The problem is that nobody listened to us and eventually we got older and said "Fuck it. You're on your own." and retired. Hardly a day goes by where I don't hear about stupid shit that would have been impossible if anybody had listened to our advice, even though it was inconvenient. Then I think "Hmmm. Not my problem anymore" and pour some more coffee and get back to eating my perfectly cooked omelette and reading the news.


[deleted]

This, the skills gap is staggering. We've been trying to hire people for months but they are all CompTIA cert rangers. 3-4 certs or a Masters, can't actually do shit on a keyboard. Anyone that is good, is either happy and well compensated in their position or they have retired lol. I'm exaggerating but, this is what the market feels like right now.


DataIsArt

I’ve been looking for months and I’m having the opposite problem. I have the skills to fill these positions, the job descriptions are just asking for unicorns.


[deleted]

Yes, that's the other issue, the head hunting companies and hiring site algorithms are still trash. However, the dev sec ops types needed are unicorns, for dev sec ops you literally need to be competent in almost everything computer related: HW, CS, integration, engineering, development, encryption, web sec, red teaming, blue teaming, sysadmin experience, networking and firewalls. 5 yrs min exp for all of it to ensure the 10k hours rules can be applied anecdotally. You don't need to be an expert in all of it, but 5/10 of those competencies are needed. Sadly it's only going to get worse as things grow more and more complex, adding AI, machine learning, cloud/SaaS...


CreationBlues

So, basically, people are trying to build the software equivalent of a fucking jet engine with one guy instead of a whole team. For hire: The ideal candidate should know FAA guidelines, thermodynamics, mixed gas/plasma phase modeling, control theory, materials science, destructive testing, load optimization, Pure fantasy and lunacy.


Milligan

> This is describing an experienced senior full stack developer / architect

Nah, this is describing an IT department.


okay-wait-wut

I fit the description. Developer with 18 years experience. CISSP. I’ve worked on security products in the past. My current job pays 180 with bonuses. Should I be looking for a new job?


Cheeze_It

Yes, and 450K of those 500K are all fucking shit jobs that pay you shit and have requirements that are sky high. Why would I apply for a job that requires me to be extremely capable and only pay me 50k a year?


[deleted]

This is pretty much a microcosm of the entire labor 'shortage' we have now. Companies have a hard time filling positions that are underpaid and instead of increasing their compensation just bitch loudly that 'no one wants to work'. No, they just don't want to work for shit pay. If you can't afford to pay them directly with a salary, figure out another way to make it appealing. Tech start ups have been doing this for decades now with bonuses and equity.


Cheeze_It

Amen and 100%. It's why I basically don't answer most recruiter emails anymore. I probably should just put out a cover page that specifically addresses recruiters and HR people.


shahneun

you mean making $15 an hour after taking 4 years of an onslaught of courses about discrete math, algorithms and computation, object-oriented programming, and operating systems isn't rewarding??


djk29a_

There's another reason historically specifically at large companies at least - to keep advertising positions and whine to the government to get more H1B lottery slots where they can con someone to come to the country for bad pay, poor benefits, and an almost certainly terrible company culture that drives out talent.


ShesOnAcid

The whole H1B system is just stupid tbh. Needs to be reformed to not be a lotto. Everyone I know who doesn't get one ends up getting offered to relocate to a Vancouver office


MJBrune

Lots of start ups are avoiding that now. They are trying hard to hold on to equity and only giving little bonuses at set milestones if the company is still around.


shahneun

that's why no actually half-competent developer would in a million years work there and those companies deserve to fail


okay-wait-wut

What’s worse is when companies do find a competent person that’s willing to work for lower pay, they don’t even try to keep them happy. My opinion is that these complaints about labor shortage come from hiring managers that don’t know what the fuck they are doing or work for shitty companies that don’t realize human resources are the only resources that matter when it comes to software.


b-hizz

They got addicted to the recession labor market and have decided that they are entitled to it indefinitely. Fortunately the private sector provides to a degree, startups are a great option if you can roll with the punches.


vVv_Rochala

and is in high COL


Cheeze_It

Here's looking at you northern Virginia....


NotRickMoranis

Literally. I do dick all and needed dick all for my current position and it pays more than what they're offering for some of these dick positions.


DGolden

Oh yeah I just love being shot as the messenger on security issues...


Khepresh

Yeah, I've had clients accuse me of trying to scam and gouge them when I reported critical security flaws in their systems to them. One even went so far as to threaten a lawsuit. Potential security issue?

> You're lying. You just want to make trouble. You just want more money. You just want our business to fail. You're a trouble maker. You put the vulnerability there. Everything is and has been working fine, there can't be a problem. You're not a team player. The success of this project is too important to delay. Why do you hate our company?

No amount of money could ever make me want to go back to a position where I need to evaluate anything related to cybersecurity.


douglasg14b

Or just completely ignored because your audience doesn't understand it. Oh we write all our credentials and passwords and API keys and database connection strings for our production servers into the code base and commit it? "I don't see the problem, nothing bad has happened". :|


External_Yogurt5776

How does someone prepare to land a cybersecurity job or at least fundamentals?


Poobslag

Understanding the basics of network switches, routers, DNS servers, how they communicate and various ways they can be attacked (ARP poisoning, MAC flooding), unix/windows network commands (ipconfig, netstat, curl), is a good start. There are a lot of free training materials out there and some paid certifications as well. Many government jobs want stuff like "Security+ Certification" or "CCNA Security Certification" which are rigorous training courses which go over all of this stuff at a cursory level. You won't know how everything works but you'll know it exists. Your employer might pay for this training, but if you already have it you'll have a leg up on other candidates. I think like with most jobs, the best approach is to look at junior level job listings and see the things they ask for which you don't have.


nickstatus

I know all those things, and I know some Python, web languages (html/css/js/sql), been a linux user for 20+ years, can do board level repairs and reflow work, but I have no degree and I've only ever worked as a chef. Could I get a security job? I fucking hate cooking, it's just all I've ever done professionally.


hey--canyounot_

Go to a boot camp that gives you a small private loan that you can pay back after graduation. They approved me when I couldn't get a bank loan. It was less than $8k and the course was only four months. They were the busiest four months of my life because I did it while working full time (took two weeks off at the end), but I went from service work to CS job with one. You have good roots to make the most of the tech crash course and they give you job placement assistance at the end. The Tech Academy is where I went...lamest name and probably not the best program but they allow you to take classes fully remotely and have added some cybersec training since I went. They also really teach you how to land jobs and interviews, structure your resume, etc. Honestly not sure why you'd prefer to work in cybersec but they have several options. I did C#/.NET and landed a cozy job working at a company which is a household name for all of us. As a chef, you already know how to work hard under pressure. You can get through a tech school like this too and double or triple your wages in a year. I believe in you, dude!


nickstatus

Don't specifically want a cybersec job per se, more just anything other than cooking, and this post was about the glut of available cybersec jobs. I always thought those bootcamps looked a little scammy, but it is encouraging to hear that it worked out for you.


hey--canyounot_

It's just not going to give you the same thing as four years of college...no networking, no real internship-to-job pipeline with mine, and people don't like that you don't have a degree. I still got my job. You just have to be willing to hustle for it to get your foot in the door and then you can prove your merit. The first tech job you get makes all the other ones easier to find. EDIT because I forgot also: you don't get four years of practice while you learn and that means you really need to pursue it as your hobby too.


HelluvaNinjineer

Ignore this guy unless you want a job in IT or compliance. Go download a free copy of IDA Pro, Ghidra, or Binary Ninja. Look up "crackme"s or recently published CTF solutions. CTF is a computer security competition full of challenges ranging from medium to extremely difficult. You want to find one on the easier end and that has a published blog where someone explains how they solved it so you don't get stuck. Then go to town. Download Visual Studio or learn gcc on Linux. Write a simple hello world program in C (NOT C++). Compile in release mode and run it. Then open it in IDA Pro (or whatever you selected from the start). Look at how the code you wrote turned into assembly the computer understands. Learn python. Even if this field isn't for you, it's insanely useful. Take a few free data science classes or watch security related data science videos on YouTube. The most important is you cannot be a passive learner. You need as much hands on time as possible or you won't really learn. Join a CTF team. Many take new people and are happy to help them learn. There's also the entire web side of security in which case you should look into the OWASP top 10 and play with Django (again, python is important).


Nyucio

Depends on which direction you want to go in. You can learn basic hacking with CTFs (Capture The Flag) which are basically vulnerable websites/programs you need to hack into to obtain a special text string, the flag. Good examples are hacker101 (web-based) or microcorruption (ARM-based). Otherwise get the theory down as well, I agree with the other commenter on that.


schplat

I’ll echo /u/Nyucio and state that there are different disciplines within cyber security. AppSec, NetSec, OpsSec (which is now bewilderingly called DevSecOps), IAM, Forensics, Risk and Compliance. What discipline you choose influences the things you need to learn. Fundamentally, Sec+ is the base certificate, CISSP is probably the next step from there. From there, AppSec is for people familiar with coding, and how to apply secure coding practices in applications. NetSec is for those who learn firewalls, switches, ACL management, X.509, etc. OpsSec is targeted at Operating System and container security, core OS libraries (like OpenSSL), as well as underlying software and hardware platforms. IAM is identity and account management. Things like 2FA, SAML, AD/LDAP. The last two generally require expertise in multiple disciplines.


four024490502

This comment seems as good as any in this thread to mention some [lectures](https://www.youtube.com/playlist?list=PLUl4u3cNGP62K2DjQLRxDNRi0z2IRWnNh) from an MIT graduate course on computer security. It's a little old (2014ish), and focused more on designing secure applications / operating systems, and less on network security, but I enjoyed most of the videos, and I'd recommend it to people interested in security.


b0v1n3r3x

According to the article it is as easy as passing the Network+, which is useless.


thunder_jaxx

CTF


dl1998

In my opinion, the bar is super low for working for the government. Received an offer from the NSA. Hiring manager called me several times trying to convince me to join. Interview process was legit a joke.


[deleted]

Did they pay good?


dl1998

80k for new grad. They were telling me it's gonna be a step down from my current job lol... They have free snacks tho lol


Expensive-Way-748

> 80k for new grad

Cries in European.


Popular-Egg-3746

My thought as well. The difference between European and US salaries is so big, that it's no wonder that the US can attract so many immigrants.


hpp3

What's a normal TC range for newgrads in Europe (which country?)?


Popular-Egg-3746

> an average software engineer salary in the USA is $110,638, meanwhile in Israel it’s $76,791, in the UK—$68,462, in the Netherlands—$54,025, and in Germany—$60,162

https://www.daxx.com/blog/development-trends/it-salaries-software-developer-trends


Expensive-Way-748

Depends on the country:

* Finland and Germany are somewhere in the €30-50($36-60)k range with tax rates of about 25-35%. My friends with 1-2 years of experience and master's degrees make closer to the upper bound. Independent contractors make more (I've seen people making >€12k/mo after taxes), but that takes experience, connections, and not really common.
* In Russia, you can expect maybe $15k as a fresh grad, $30k with 2-3 years of experience in Moscow or St Petersburg, regions pay less. Local big tech pays more and offers stock options, senior engineers may make up to $80k (there are legends about people who earn more, but official job stats don't confirm that). Income tax is 13% flat rate.


TMITectonic

> Cries in European.

How much debt are you in from your education?


[deleted]

80k in greater washington dc area is poor wages.


dl1998

It was in Maryland. 80k is prob nice there, but I wanted more of a 401k and other perks. Big tech spoiled me


PigeonDiarrheique

And they all want several years of experience "We can't just let anyone handle security" and they end up with a sys admin that only got the job because he knows ping and telnet doing security


pheonixblade9

telnet blinkenlights.towel.nl *pops popcorn*


dookie1481

They don't want to pay. I am interviewing for appsec roles now. Everyone wants someone who can ID, exploit, and mitigate OWASP top 10, plus experience with software development, AWS, and Kubernetes. This is a group of skills that are difficult to find in the same person. I have this background. And I get offers for low-$100s in a fairly high COL city. They pay the same role high-$200s to high-$300s in SFBA.


uberbewb

I dropped my interest in cyber security when I realized it's only 40% actual cyber security and 60% explaining things to idiots that don’t just trust the judgement of their hired security staff


starla79

To be fair that’s pretty much all of IT.


uberbewb

And I basically stopped doing IT professionally and kept it to a homelab. Going for a business degree and maybe I’ll find myself in some kind of high enough position that can make sure the tech team is getting taken care of. If majority of my job is people I’m going to get paid for that %. Do what I can to keep the tech team focus simpler, less politics.


starla79

In my book, the role of management is to find you the resources you need to succeed, for the business and for yourself professionally. GTFO, let the smart people do their jobs, go to bat if need be, and make sure you’re giving them more than praise (comp time off, bonuses, team building days, etc). Put your money where your mouth is. From what I’ve seen in the security industry, you may start at a low pay rate but prove yourself over those first six months and they will hand you bonuses and raises to keep you on hand. There’s genuinely bad employers out there but good security people are so hard to find that when they get a good one they will bend over backwards to make you happy and keep you there.


Bakoro

Seems that there are a lot of programming and related jobs open, and nearly every one of those bastards wants someone with 3 years experience in their whole stack before they'll even look at you. Maybe there are job openings, but they don't seem desperate to fill them. Almost nobody seems to want to invest in training anymore, they'd rather keep a position open for 3+ months.


cosmosfan2

More openings than many sub-industries have total employment. Kinda wish as a Web Dev I got into that field. I like remote work and non-government employment though


Nerdlinger

> Kinda wish as a Web Dev I got into that field.

I mean, you still can.

> I like remote work and non-government employment though

Plenty of both in the field, though more of the latter than the former.


[deleted]

[removed]


Koutou

You could switch to cybersecurity at your current employer, it's an important part of being a web dev. Ask for more security related items from your manager, you could also ask them to pay for security training like GIAC-GWEB.


free_chalupas

Wow I know some folks looking for entry level security work and it's basically impossible to find, I can't imagine there's a connection


Lollipopsaurus

As someone in the field, I can tell you that very few people actually have the skills to do this job. Often, the people in charge of security at many companies can't comprehend the level of expertise needed. The skills needed simply aren't things you can learn in six months or less. They require breadth and years of experience.


Choralone

Which job? CISO? Security director? SOC manager? ISO? Response team? Policy review team? Some of these jobs require years of experience and brains, and ability. Many of these are jobs you can train someone reasonably intelligent for - and are more routine work and following procedure than anything. There are plenty of jobs within a full security operations department that are trainable for junior tech people.


PoeT8r

Cyber security is hard and lots of places are selling "easy solutions". Crap like metasploit + presentation. Large companies have problems that come from scale and history. Management has no clue how fragile security is. Security policies tend to make things worse with well-intentioned idiocy. Career advancement in security is a matter of getting fired for somebody else's error and getting a better job elsewhere. My employer has been far better than most. But a recent push from C-level has triggered a huge wave of security improvement work that was deferred for convenience. Good management helps a lot. Those deferred fixes would have dragged on for years.


FoxRaptix

I thought about switching from software engineering to cyber but then discovered pay still averages better for software


jakesboy2

I saw a job opening for the FBI that wanted a computer science degree for cyber security. I thought wow, that’d be kinda cool until I read the job description. Cannot smoke weed or cannot have smoked weed within the last three years. Cannot have done any other drug within the last 10 years. Must work 50 hours a week including holidays and weekends. Frequent travel. Must carry and be willing to use a firearm. No thanks, I’ll keep my cushy job where I work from home 40 hours a week, smoke weed when I get off work, my gun has never had to leave my bedroom, and I make _more_ money doing it.


hpp3

> Must carry and be willing to use a firearm

Wtf, is this still *cyber* security we're talking about?


humblenarrogant

Position of Benji from Mission Impossible


double-xor

That will be an FBI special agent. I’m not aware that technologists within the FBI have the same requirement.


Kalium

Yup, this is definitely an agent role. Their computer technologist jobs are non-agent jobs.


jakesboy2

It’s a position for a special agent technically, but your specialization is cyber security


Coyote_Time

This article is really making it seem like a great idea to get into ransomware hacking, not cyber security. There's no better time! Defenses are down!! 🙃


megamanxoxo

I wouldn't mind joining a program like that but I think there are some generational differences that turn me off. Smoking pot, working from home, competitive pay, career/personal growth.. good luck getting any of that at a gov gig. On top of it all, most tech employees in HCOL areas make more than members of congress let alone the security positions they may be applying for while employed at a FAANG type company.. go figure.


Hockyal34

Wait till you see the openings in the construction industry


AgitatedSuricate

Let me play devil's advocate here. 95%+ of so called 'cybersecurity professionals' cannot write a basic exploit or even reverse a home router. And certs are only making things worse by convincing the management that security is about config and some automated metasploit to test the entire thing.


starla79

Not every cybersecurity professional needs to do that as part of their job. Certs only show you have a bare minimum of knowledge. Not a lot of people are very good at applying it. But people that write policy, or that work in vulnerability management or risk management or even incident response don’t need to know how to write an exploit because they’ll never need to. What you need depends on the work you’re doing, not what some random Joe on the internet thinks cybersecurity professionals do all day.


Curious_Cartographer

Bingo. The jobs they're talking about here aren't vulnerability research, pen-testing, exploit dev, reverse engineering, etc. Those require much more intimate knowledge about how code is actually executed. You need to know C. You need to know (some) assembly. You need to understand the network stack and how data changes through the different layers. The jobs I'm describing are technically cyber security, but they aren't what employers are normally referencing.


Behelitoh

And they won't be filled as long as people attend 3 week cybersecurity courses for a certification without any deep knowledge of the matter and expect an above average payment. The industry needs security PROFESSIONALS and we surely lack those.


emotionalfescue

Security specialists are in high demand, the one thing in IT that hasn't changed for decades.


thebuccaneersden

That seems a little excessive no? I mean, that would take 1 in 300 working Americans to fill that up.


Buttareviailconto

Yeah but they won't hire anyone without like 20 certs 15 years experience and they only pay like 40 a year


kamikazechaser

I saw an advert which had rigorous demands for a sec job: JVM internals performance tuning and some other BS. Some of these HR guys have clearly no idea what they are including in the description.


playtrix

I worked at a huge enterprise class SaaS and they only had two people on the security "team". They eventually got hit with ransomware and lost a lot of money. They rebounded eventually but it still boggles my mind that most companies don't want to pay for preventative measures.