Hacker News
Introducing Chronicle, a new Alphabet business dedicated to cybersecurity (medium.com/chronicle-blog)
152 points by artsandsci on Jan 24, 2018 | 40 comments



> Security threats are growing faster than security teams and budgets can keep up, and there’s already a huge talent shortage.

Can anyone here speak to the "there's already a huge talent shortage" part of this article? Specifically, security is a field I'd love to work in, but I honestly don't see a ton of job postings and I'm unsure as to how one might transition from say a role as a full-stack web developer into a security job.

For example, here are some things I've been doing as I'm considering a move into a security-focused role:

- Following the industry (podcasts a la SANS mainly)

- Reading books on hacking (currently "The Shellcoder's Handbook")

- Reviewing my comp sci basics (x86 assembly + reading K&R "The C Programming Language")

- Dabbling in some hacking exercises (https://ropemporium.com and https://canyouhack.us/)

Mainly asking because I see statements like the above regarding the shortage of security talent all the time, yet I can't find a lot of guidance either for exactly how one can get started in this field.

[edit]: List formatting


Based on my experience, there is a huge talent shortage, especially outside of the Bay Area. I'm not a security person myself, but my team tried to hire a security person multiple times.

You'll often find people that have experience running automated scans, filling up compliance paperwork, setting up firewalls and SIEM tools, etc. but don't know how to deal with source code or mitigation. At the other end of the spectrum, there's a small number of people who can review code and write tools, exploits, etc. but hate the bureaucratic work. In the middle, which is the kind of person that a startup or small company would want to hire, there is an even tinier number of candidates.

The kinds of things you are doing sound great. Perhaps try to participate in bug bounties, too. One reason you don't see a ton of job postings is that many companies don't know yet they need them. :-) Also, a lot of recruiting might just happen through word-of-mouth or in an outbound fashion. In my limited interactions, I found that the security community can sometimes work like a club or a society, more than in other tech circles.


>small number of people who can review code and write tools, exploits, etc. but hate the bureaucratic work

Because once you learn enough of the stuff you start to realize it's all bullshit. Compliance (HIPAA/HITECH, PCI, SOX) and most industry standard practices (antivirus, firewalling) are lipstick on a pig. Very often you have to choose between being secure or standards compliant (for example, running antivirus can be a big security hole, or give a false sense of security).


That's very true, but at the same time, with the right auditors who really understand this stuff, you have a fair amount of latitude.


>but don't know how to deal with source code or mitigation

Actually, I have noticed this, and so we are spinning up a security consulting practice in 2018 looking to address this gap (staffed with experienced developers or former developers). Time will tell if this is a workable approach.


That would be awesome. IME people care about security in principle, but no one really knows how to write secure software.


That sounds like a fantastic idea. Would love to follow the journey / potentially throw my hat in the ring as you start looking for devs. I'm @tradesmanhelix on Twitter if you'd like to chat.


I have a few thoughts on why you "don't see a ton of job postings" for security. First of all, would you notice one if you saw it? For example, my posting on the "Ask HN: Who is hiring? (January 2018)" thread is this:

https://news.ycombinator.com/item?id=16057016

Note that I describe the sorts of skills we seek (you don't need to have them all). The word "security" doesn't appear because that isn't too interesting or useful. Lots of good people come from an embedded RTOS background. Somebody who just runs a port scanner would not have the right skills.

Second of all, are you looking in the right places, online or physically? On reddit, try /r/netsec or /r/reverseengineering or similar. Be willing to consider the southeastern states.

Making yourself look good to hire is mainly about showing that you have the skills. We hired somebody who had a great story about hacking an overly-fancy parking meter to run code from the tokens. We hired another person who got invited to talk at a conference about hacking a router. Solving some of the DEFCON CTF challenges would look good; they are considered difficult. Contributing to a project like Wine or Qemu or MAME would look good, particularly if you deal with something undocumented.


That's very interesting. I'm an old-school embedded/C/asm guy who for the last 10 years has worked in mobile dev, and I'm increasingly interested in security work, particularly on legacy systems (mainly because I'd feel comfortable there and I'm fully aware of the potential vulnerabilities).

But if I'd seen that job posting I would have assumed it was some kind of embedded Linux driver development, not a security job.

Florida is the wrong side of the Atlantic for me, but I'll be reading job descriptions more carefully from now on...


I noticed you mentioned the southeastern states. I have actually seen quite a few postings in Baton Rouge and Charleston recently, as well as other cities in the southeast.

Is there a reason why security is a focus there?


Charleston is a very small software market. When I was there a few years ago, it was mostly government consulting firms. There's a military presence there, too. I suspect that is what is driving those postings.


I don't know of any security talent with moderate people skills that has trouble getting a job. However, there does seem to be a huge misunderstanding on how to best break into the "security industry", which is just too generic and really the wrong question to ask. What specifically do you want to do? Then you can identify the most efficient way to get there. Most people I know found their way in through other careers as developers, sysadmins, or network admins, focusing on security where they were first. Things will grow from there.

Hypothetically, if you have solid experience as a full stack web developer then I would suggest finding a way to pivot off that expertise (web application security, infrastructure, etc.) rather than diving into the Shellcoder's Handbook, x86, and K&R, which are going to be more tailored towards reverse engineering and vulnerability research.


Thank you for the advice - greatly appreciate it! Regarding your comment:

> if you have solid experience as a full stack web developer then I would suggest finding a way to pivot off that expertise (web application security, infrastructure, etc.) rather than diving into the Shellcoder's Handbook, x86, and K&R, which are going to be more tailored towards reverse engineering and vulnerability research.

I've been focusing on those areas because they are what legitimately fascinate me. I enjoy web dev, but I'm finding my passion (as indicated by what I like to research and learn about in my free time) is low-level stuff: operating systems, C programming and associated vulnerabilities, assembly language, etc.

The interaction between software and hardware has always fascinated me (1997 when we got our first computer: How does this hunk of plastic and silicon do that??), and I feel like that's where I want to go long-term.


That's great! Certainly not saying you should abandon those efforts, but see if you can find a security shop that has experienced researchers doing what you want to do and sell them on your value based on what you already know and have experience with. It's one of many approaches, but it worked for me when I had limited outside time to devote. Good luck!


My own experience here - I am based in London. There is a huge talent shortage and a huge skill gap. So not only are there not enough people to cover every single role out there, but there is also a lack of skill and solid understanding of security and technology in general. Of course, there are plenty of smart people in this industry, but this number is small compared to the demand.

If you are serious about security try to get a job in a security consultancy that does penetration testing, APT and that sort of stuff. They often hire people at a junior level too and build them up. I've seen quite a few people progressing from basic level to advanced using this approach.


Also London. I recently hired a security engineer capable of doing code audits and other such things. It took about 6-8 months I think.

One reason for the talent shortage is that security work is to a large degree about keeping up with enormous amounts of information on attack types. If you stop drinking from the firehose for even a few months you're going to miss new types of attacks and new information. And there are precious few systems that help reduce the impact of vulnerabilities... there are some but it's still an area dominated by trivia-like knowledge (I don't mean it's trivial but rather, that there are a lot of "just facts" that you have to know and cannot easily learn or derive on your own).

Ultimately the industry's approach to security is not sustainable. We need to systematically move away from insecure infrastructures. Unfortunately nobody wants to do that. First thing that'd have to go: the use of web apps for UI.


Apart from HN "Who's Hiring" post I can also recommend the quarterly hiring threads on r/netsec: https://www.reddit.com/r/netsec/


> Mainly asking because I see statements like the above regarding the shortage of security talent all the time, yet I can't find a lot of guidance either for exactly how one can get started in this field.

Ask HN: How can I learn computer security?

https://news.ycombinator.com/item?id=15986100


It seems a bit odd to me that this company grew out of X, as I was under the impression that projects in the "Moonshot Factory" were more ambitious. From what I gather, this sounds mostly like an analytics org for enterprise, not something that might change the world (e.g. Waymo, Loon, Project Ara).

Perhaps X is taking on less radical projects than I imagined. Would love to hear others' viewpoints on this as well, though.


Mike Wiacek was the manager of the Google team that worked on APT and nation state attacks in the wake of Aurora. Think of the Gmail notices about state-sponsored attacks on your account, which required new detection tools and technologies. I doubt you'll find many groups with the same experience and expertise.


Apart from this, it's also strange that:

1) It's not a part of core enterprise GSuite / GCP offerings.

2) It's announced on Medium, and not on usual Alphabet channels.


Maybe they had some more radical project, and this was the only commercializable thing to come out of it?


Not everything has to look "sexy". If it will reduce time to detect computer infections from months to days, like they're implying, it may be a big thing.


The blog post from Astro Teller (of X) subtitled "Cybersecurity needs a moonshot":

https://blog.x.company/graduation-day-introducing-chronicle-...


Wonder how Google Project Zero will interact? Google has found Spectre, Meltdown, Broadpwn, Cloudbleed and Heartbleed, and it makes sense to leverage that, but hope it does not change from sharing?

Hope they just use it for branding and don't try to directly monetize.


As someone who ran a security firm: results are much more difficult to show/prove in a security firm. Running a development agency, we can break down the project into tasks and the stakeholder can review each step from our worklog. Usually, they are happy with the result. I've found the best way to run a development agency is not to hire in the range of 400-500 developers. This has some trade-offs, like some devs are not happy when we switch them from project 1 to project 10 just because the stakeholder lost interest or their funding dried up.


First of all, interesting! Second, this is some sort of security information and event management (SIEM)? At least this is what it looks like from the brief description put online.


How does this relate to CrowdStrike -- funded in large part by Google Capital?


The gist is probably "[...] Storage — in far greater amounts [...] over years" (of data that Alphabet might not yet have had access to)


Doesn't really look like Chronicle provides anything that isn't already covered by Elasticbeam (which, compared to Chronicle, has been on the market for 3+ years and works exceptionally well).

Disclosure: I have no affiliation with either one but wonder why Google/Alphabet would be _that_ late to the party and offer nothing that isn't already out there. Yawn.


Does Elasticbeam only do API security? Because there's a lot more to security than API security.

If you're in a large enterprise you can easily be generating hundreds of thousands of events per second (both in terms of network actions and system events) and you need something to make that manageable and able to generate alerts so that your Incident Response team can respond to actual problems.

No idea really, since all the articles about Chronicle are really vague, but it reads more like a Threat Intelligence Platform + a Threat Analytics Platform.


It’s possible that they launched without doing any market research or competitive analysis but doesn’t it seem more likely that the minimal information available now isn’t the sum total of what they’re planning?


I hope so for them.


I guess this is the new fad now, “Apply ML models to data you already have”?


That’s like saying it was a fad to “apply software to your existing business” or “move business you already have to the web”.

Sure, that was in vogue at times and some people wasted a lot of money but that over-summarization doesn’t give you an accurate understanding of what actually happened.


I hope I got it wrong, really. But Google has big (and small) corporate clients using the full GSuite, and a sister company selling "consulting" to the same companies? "It seems like you have some security issues, it's great that I have this friend who can fix them for you before you get hacked." Isn't that some sort of conflict of interest for any other industry? Wouldn't selling protection from unknown threats IRL classify as something neither ethical nor legal?...


> Wouldn't selling protection from unknown threats IRL classify as something neither ethical nor legal?...

Hiring private security or bodyguards is not considered unethical or illegal. Installing alarm systems is not unethical. Am I misunderstanding this?

Google already sells consulting to cloud customers, this seems perfectly natural and I'm not sure how you avoid it.


> "It seems like you have some security issues, it's great that I have this friend who can fix them for you before you get hacked" Isn't that some sort of conflict of interest for any other industry?

Quite the opposite, that's how most consulting & professional service companies do business.

Cloud services & security consulting are complementary.

Conflict of interest would be if Google was doing the hacking and the securing.


Google loves protection rackets. "It's too bad your competitor down the road is buying your trademarked business name in AdWords, so now all your idiot customers are driving to his business because their phone told them to. All you really have to do to fix this is bid more for your name than he's bidding, every day from now on."


I'm guessing they're going to have some naming disputes with the various newspapers that use Chronicle in their name (like the Houston Chronicle, the 3rd largest paper by Sunday distribution according to wiki and the primary paper for a city of 2.5 million people) and the Chronicle of Higher Education - a go-to source of news and information for much of higher ed.

I don't think any of them claim sole ownership of the word 'Chronicle', but I'd imagine there will be some "this will be too confusing" back-and-forth.
