Newsletter

01.25.2022 | 4'' read

Behind the unsolvable security skills shortage

by Ryan Naraine

* The most clicked link from the last newsletter was this essay by Google Cloud CISO Phil Venables on the main components of successful cybersecurity programs.

Monday blues.

My recent feature on the ‘great resignation’ and labor shortage in cybersecurity touched off a series of conversations with CISOs on leadership, workplace culture, remote work pros-and-cons, and the tough decisions that must be made to slow the exodus of talent.

These conversations have confirmed a very jarring reality: The skills shortage in cybersecurity will never be solved.

Let’s keep it a buck:

  • The .gov sector simply can’t afford high-quality talent on public service salary scales. Fully aware of this, the government is banking on a “sense of mission” to attract (mostly junior) staff. As soon as they’re senior enough, they leave for Silicon Valley’s rich RSU packages.
  • A handful of BigCos are paying super-salaries to snap up proven security-conscious engineers and architects, creating a dangerous world of “haves” and “have nots.”
  • The rest of the ecosystem, starved for talent, must outsource security and/or turn to AI/ML algorithms to backfill security posts.
  • Senior engineers, bored from maintaining and supporting the AI/ML algorithms and tools, look externally for new challenges.

Now we’re back to square one with nonstop resignations, demands for re-negotiations and staff churn at unimaginable levels.

Separately, the Bill Gates Trustworthy Computing memo (January 15, 2002) is 20 years old. That document helped to create and sustain successful careers for many of us.

Remember to patch and reboot your iPhones.

_ryan

Sponsored.

  • The SecurityWeek Ransomware Resilience & Recovery Summit (tomorrow, Jan 26th) will include a fireside chat with Coveware CEO Bill Siegel on the murky world of negotiating ransom payments; and a CISO panel discussion on a robust ransomware recovery playbook. Listen in here.

UEFI implant in the wild.

Malware hunters at Kaspersky GReAT are showing their notes on a new UEFI implant being used by a prolific Chinese nation-state APT actor:

Must-read headlines.

Research projects.

  • Project Zero’s Natalie Silvanovich conducts a black-box audit of the Zoom videoconferencing platform and finds a pair of security vulnerabilities, along with the absence of ASLR support.
  • Wearing Many Hats is a paper that attempts to set the historical record of the birth and professionalization of the cybersecurity industry.
  • Shubs Shah has found hardcoded credentials in the Solarwinds Web Help Desk product. “These hardcoded credentials enabled access to sensitive controllers that were capable of executing arbitrary HQL queries. Through this vulnerability, an attacker could extract, update, delete, or insert almost any information in the database.”
  • The U.K. government’s NCSC plans to ship Scanning Made Easy (SME), a collection of Nmap Scripting Engine (NSE) scripts designed to help find systems with specific, high-impact vulnerabilities.
Essays.

Sponsored.

  • Using Symmetry DataGuard, cloud-security teams tighten IAM policies around data, incident response teams know precisely what data objects are involved in a breach, and governance teams audit every access across every data store. Schedule a demo.
Tangentially.
P.S. Full podcast episodes are available on the SecurityConversations.com home page, and on all major platforms. Subscribe directly: Apple/iPhone, Google/Android, Spotify and Amazon/Audible.
