This is interesting, and not the first time I've seen this sentiment.
I don't take immediate issue with the points made here, but I think the conclusion is not entirely correct. Security isn't full, it's just harder and more competitive than people think.
I'll explain: because of the hype described here, many, many people decided that security would be a great way to make a living. They were told that there was a severe need for security professionals, and that there would be high-paying jobs just waiting for them to apply.
So these people studied security in school, maybe took the Security+ or CEH certs, and applied for jobs. Those that got jobs got laid off (again, mentioned in the article) when times got tough, or never got a job in the first place. Why?
Security is a field of people who love what they do. Go to DEF CON -- or even better, small, regional infosec conferences -- and you'll find people who are extremely talented... some of whom don't even work in the industry. For people like this, there is a talent shortage.
I've been consistently hiring security people for the last 15 years. There is absolutely a talent shortage at high levels of the industry -- but it's really hard to get to that level. Learning the OWASP Top 10 and a few nmap flags isn't going to cut it.
My experience may not be universal, but this is what I've seen over the course of a lifetime in infosec.
I remember years ago when working my way through certs by going to classes, it was abundantly clear who was there because they had a fiendish obsession with computers and who was there because they googled "highest paying jobs you can get without a college degree". The ratio was 1 to 10 respectively.
Even with my first job, I remember being gleeful to be in a "computer nerd" environment, only to learn that my workmate didn't give a shit about computers and was just here to do their job.
I don't work in cybersecurity, though I kind of considered it.
Cybersecurity looks fun, I have seen a few DEFCON talks and if it wasn't on a different continent, maybe I would have been there. Finding vulnerabilities, cracking stuff, learning about all the incredibly clever attacks, defenses, and how to overcome them, CTF games, etc... All fun stuff.
But the reality looks more like implementing the latest recommendations from whatever regulatory agency, checking boxes, writing reports. Being hated by everyone else because they are trying to do their job and you are in the way with all your restrictions, some of them you know are useless but you have to put them in place to check a box. Going through who knows how many reports full of false positives.
Of course I guess there is some stressful moment when you are actually under attack, calls in the middle of the night and all that. Not for everyone (and not for me) but at least, that's exciting. But most of the job looks more like doing administrative paperwork in an office than the cool stuff you see at DEFCON.
I was a Linux sysadmin that transitioned to cybersecurity a decade ago. I much prefer this type of work to the new cloud hotness. While there is a lot of check-the-box security at different companies, that's not what I see or do cybersecurity as. That's more compliance. Granted, I am a blue team incident responder and I love the analysis, puzzle and problem solving, and achieving security that's outside the box of _install this tool, good_. I'm lucky that my current company sees our value in that and listens to our recommendations. All that to say, I like this field when it's being done right.
I've always been on the application security side of things, but I'm increasingly interested in hardware hacking. Through some cursory research, I learned that there are a few scattered resources, but the best way to learn is to really work with someone who knows what they're doing.
Putting all these guides, roadmaps, etc. together in a single place is a great resource that I'll definitely use.
This is one of my favorite poems -- perhaps because it was my first in-depth exposure to poetry.
In high school, I was assigned a poetry explication: it was a combination of poetic analysis and public speaking (I had to deliver my work to the class), and it was a major part of my grade.
I chose this poem because it was one of the few poems I'd ever read.
I'd never spent much time with poetry, but the hours I dedicated to really thinking about (and feeling) this poem made a lasting impact. I don't remember the grade I got, but the assignment absolutely kindled my lifelong love of poetry.
I spend more time on translations of older Chinese poetry these days (I highly recommend Red Pine's translation of Wei Ying-wu's In Such Hard Times), but I'll always remember Stopping by Woods on a Snowy Evening.
> An entry-level admin is now unemployed, just before the holidays.
I highly doubt that entry-level admins at Microsoft have access to DNS for their primary domain. My guess is that this incident is a lot more interesting than that.
Yep, this doesn't seem like the kind of thing that you can just toss a couple approvals on and change at a company as big as Microsoft. How this made it through the review process would be very interesting.
> The robot doesn't care if you have liaisons over webcam with your lover, or whatever else.
The concern isn't judgement from the AI, but that products from the model trained on your data could expose sensitive information.
Since it's never quite clear exactly how the data could be used in situations like this, there's a chance that very sensitive data could be parroted back to people who were not the intended audience.