5 Comments
Keaton

Very well said and clearly very well researched. It's so easy to forget that these problems are systemic and exist in almost every discipline.

When you mentioned software engineer hiring managers figuring out how to screen candidates based on problem-solving, I wondered why such a process didn't exist in security.

But I think it sort of does - entry-level certs like Security+ are supposed to be that "this person has the fundamentals and can solve problems" litmus test. Clearly it's not very effective though.

Marsha Wilson

I really loved the thoughtful and non-inflammatory way this was written. Thank you for enhancing the discourse on this subject. I would posit that people have been led to believe there are entry-level security positions and frankly I think there are not. Best analogy I can come up with is it's like going to medical school and, on Day One, advertising as a highly specialized left-hand thumb surgeon before you’ve had a single day as a regular MD.

My time in non-security-specific positions was a decade before I felt comfortable myself using that label as part of my job title. I think you move into security after you’ve had experiences that lend themselves to a security career position. For example, start as a sysadmin and gain experience with the daily problems of end users (internal or external) to hone your troubleshooting chops. Spend time as a NW Eng/TechPM/SW Eng and apply security principles until your colleagues are seeking you out for your security acumen. Focusing on building-block legos (OSCP to figure out how packets actually traverse a computer, PMP to appreciate how projects are managed in a company, etc.) will all help you build a security career path. It's a mosaic.

And sadly companies more often than not *do* treat security as a cost center. And that has many disadvantages, as you wrote about. When you can integrate security into product development effectively, you will not be seen as a cost center and that is key to proving security is AND OUGHT TO BE part of product dev and/or platform engineering. Most places haven't figured out how to do that yet. Hint: it comes down to security automation--does your security team know TF or python? They should.

The myths/challenges of entry-level security job opportunities and security-as-a-cost-center would have to be addressed at the company level in order to begin to solve the problem covered in the article.

Thank you again for a very thought provoking look at this challenge in our space.

Mike Wilkes

Interesting. But it seems like the lack of _gatekeepers_ is the basis for the article to assert that _gatekeeping_ is not happening. I would argue that there is indeed a “gating function” happening with regard to infosec/cybersecurity. Take, for example, women’s representation in the field or in technology in general. Abysmal. You need look no further than the misguided and misogynistic Palo Alto marketing event at Black Hat to see fresh signs of talent being discouraged and outright excluded from feeling welcome and equal.

billy smartt

faxses. its not a skill issue. its an attrition issue. ive taken a figurative dump in the comments on a few of these “skill gap alert!!!” cringe posts https://www.linkedin.com/feed/update/urn:li:activity:7191097781808160770?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7191097781808160770%2C7191237581747978241%29&dashCommentUrn=urn%3Ali%3Afsd_comment%3A%287191237581747978241%2Curn%3Ali%3Aactivity%3A7191097781808160770%29

edit: sorry, im late on this post i just realized.

Taylor

I apologize if you answered this already.

How about man-in-the-middle attacks? For example, say there is a high-value person who is constantly coming up with countermeasures to an invading oppressive government's methods of installing control over a given population. The person is noticed and it is realized how profitable their ideas and the things they are coming up with could be, and also how harmful they would be to the opposing government's agenda. A large cyber attack is launched on the individual to the point where they are essentially kidnapped with technology. A good old-fashioned smear campaign and lying to the community takes care of the isolation, but then there's the technology to worry about, i.e. text messages, calls, etc. The person is triangulated upon with people intercepting the person's devices so that every type of electronic communication used by the target is intercepted by a middle man before it reaches the intended destination. Calls are blocked, or the person is impersonated, and text messages are manipulated if necessary. The target is effectively being gatekept, in this situation, by the foreign oppressive government. Opportunities are denied, refused, and information is twisted and misused. This to me seems like a situation where there is cyber security gatekeeping.
