> Security threats are growing faster than security teams and budgets can keep up, and there’s already a huge talent shortage.
Can anyone here speak to the "there's already a huge talent shortage" part of this article? Specifically, security is a field I'd love to work in, but I honestly don't see a ton of job postings and I'm unsure as to how one might transition from, say, a role as a full-stack web developer into a security job.
For example, here are some things I've been doing as I'm considering a move into a security-focused role:
- Following the industry (podcasts, a la SANS, mainly)
- Reading books on hacking (currently "The Shellcoder's Handbook")
- Reviewing my comp sci basics (x86 assembly + reading K&R "The C Programming Language")
- Dabbling in some hacking exercises (https://ropemporium.com and https://canyouhack.us/)
Mainly asking because I see statements like the above regarding the shortage of security talent all the time, yet I can't find a lot of guidance either for exactly how one can get started in this field.
Based on my experience, there is a huge talent shortage, especially outside of the Bay Area. I'm not a security person myself, but my team tried to hire a security person multiple times.
You'll often find people that have experience running automated scans, filling up compliance paperwork, setting up firewalls and SIEM tools, etc. but don't know how to deal with source code or mitigation. At the other end of the spectrum, there's a small number of people who can review code and write tools, exploits, etc. but hate the bureaucratic work. In the middle, which is the kind of person that a startup or small company would want to hire, there is an even tinier number of candidates.
The kinds of things you are doing sound great. Perhaps try to participate in bug bounties, too. One reason you don't see a ton of job postings is that many companies don't know yet they need them. :-) Also, a lot of recruiting might just happen through word-of-mouth or in an outbound fashion. In my limited interactions, I found that the security community can sometimes work like a club or a society, more than in other tech circles.
> small number of people who can review code and write tools, exploits, etc. but hate the bureaucratic work
Because once you learn enough of the stuff you start to realize it's all bullshit. Compliance (HIPAA/HITECH, PCI, SOX) and most industry-standard practices (antivirus, firewalling) are lipstick on a pig.
Very often you have to choose between being secure or standards-compliant (for example, running antivirus can be a big security hole, or give a false sense of security).
> but don't know how to deal with source code or mitigation
Actually, I have noticed this and so we are spinning up a security consulting practice in 2018 looking to address this gap (staffed with experienced developers or former developers). Time will tell if this is a workable approach...
That sounds like a fantastic idea. Would love to follow the journey / potentially throw my hat in the ring as you start looking for devs. I'm @tradesmanhelix on Twitter if you'd like to chat.
I have a few thoughts on why you "don't see a ton of job postings" for security. First of all, would you notice one if you saw it? For example, my posting on the "Ask HN: Who is hiring? (January 2018)" thread is this:
Note that I describe the sorts of skills we seek (you don't need to have them all). The word "security" doesn't appear because that isn't too interesting or useful. Lots of good people come from an embedded RTOS background. Somebody who just runs a port scanner would not have the right skills.
Second of all, are you looking in the right places, online or physically? On reddit, try /r/netsec or /r/reverseengineering or similar. Be willing to consider the southeastern states.
Making yourself look good to hire is mainly about showing that you have the skills. We hired somebody who had a great story about hacking an overly-fancy parking meter to run code from the tokens. We hired another person who got invited to talk at a conference about hacking a router. Solving some of the DEFCON CTF challenges would look good; they are considered difficult. Contributing to a project like Wine or Qemu or MAME would look good, particularly if you deal with something undocumented.
That's very interesting. I'm an old-school embedded/C/asm guy who for the last 10 years has worked in mobile dev, and I'm increasingly interested in security work, particularly on legacy systems (mainly because I'd feel comfortable there and I'm fully aware of the potential vulnerabilities).
But if I'd seen that job posting I would have assumed it was some kind of embedded Linux driver development, not a security job.
Florida is the wrong side of the Atlantic for me, but I'll be reading job descriptions more carefully from now on...
I noticed you mentioned the southeastern states. I have actually seen quite a few postings in Baton Rouge and Charleston recently, as well as other cities in the southeast.
Charleston is a very small software market. When I was there a few years ago, it was mostly government consulting firms. There's a military presence there, too. I suspect that is what is driving those postings.
I don't know of any security talent with moderate people skills that has trouble getting a job. However, there does seem to be a huge misunderstanding on how to best break into the "security industry", which is just too generic and really the wrong question to ask. What specifically do you want to do? Then you can identify the most efficient way to get there. Most people I know found their way in through other careers as developers, sysadmins, or network admins, focusing on security where they were first. Things will grow from there.
Hypothetically, if you have solid experience as a full-stack web developer then I would suggest finding a way to pivot off that expertise (web application security, infrastructure, etc.) rather than diving into the Shellcoder's Handbook, x86, and K&R, which are going to be more tailored towards reverse engineering and vulnerability research.
Thank you for the advice - greatly appreciate it! Regarding your comment:
> if you have solid experience as a full-stack web developer then I would suggest finding a way to pivot off that expertise (web application security, infrastructure, etc.) rather than diving into the Shellcoder's Handbook, x86, and K&R, which are going to be more tailored towards reverse engineering and vulnerability research.
I've been focusing on those areas because they are what legitimately fascinate me. I enjoy web dev, but I'm finding my passion (as indicated by what I like to research and learn about in my free time) is low-level stuff: operating systems, C programming and associated vulnerabilities, assembly language, etc.
The interaction between software and hardware has always fascinated me (1997, when we got our first computer: how does this hunk of plastic and silicon do that??), and I feel like that's where I want to go long-term.
That's great! Certainly not saying you should abandon those efforts, but see if you can find a security shop that has experienced researchers doing what you want to do and sell them on your value based on what you already know and have experience with. It's one of many approaches, but it worked for me when I had limited outside time to devote. Good luck!
My own experience here - I am based in London. There is a huge talent shortage and a huge skill gap. So not only are there not enough people to cover every single role out there, but there is also a lack of skill and solid understanding of security and technology in general. Of course, there are plenty of smart people in this industry, but this number is small compared to the demand.
If you are serious about security try to get a job in a security consultancy that does penetration testing, APT and that sort of stuff. They often hire people at a junior level too and build them up. I've seen quite a few people progressing from basic level to advanced using this approach.
Also London. I recently hired a security engineer capable of doing code audits and other such things. It took about 6-8 months I think.
One reason for the talent shortage is that security work is to a large degree about keeping up with enormous amounts of information on attack types. If you stop drinking from the firehose for even a few months you're going to miss new types of attacks and new information. And there are precious few systems that help reduce the impact of vulnerabilities... there are some but it's still an area dominated by trivia-like knowledge (I don't mean it's trivial but rather, that there are a lot of "just facts" that you have to know and cannot easily learn or derive on your own).
Ultimately the industry's approach to security is not sustainable. We need to systematically move away from insecure infrastructures. Unfortunately nobody wants to do that. The first thing that'd have to go: the use of web apps for UI.