
Cybersecurity Ventures predicts 3.5M cybersecurity job openings by 2021 - SteveMorgan
https://cybersecurityventures.com/jobs
======
lev99
1\. This is written and published by Cyber Security Ventures. Their bias
should be obvious.

2\. The 3.5 million is a global number. India is projected to have 1 million
of them.

3\. The article seems to also try to drum up demand for Managed Security
Service Providers, a service Cyber Security Ventures provides.

4\. Many currently open Cybersecurity jobs pay less than what a tech-minded
person can get selling clicks or SQL reports. There is a difference between an
"open position" and a position that meets the labor market. Open positions
that stay open most likely are valued below the market. I'm sure many
government agencies have open Cybersecurity jobs.

5\. It's 2018, are we really going to keep using the word cyber?

~~~
enervate
fwiw I was once browsing jobs wondering why one in particular had such strange
hours and requirements until I realized that the search had also returned
results for what amounted to security guards

~~~
yeukhon
FWIW, data centers do have guards.

------
lawl
Well, one role in this might be that a lot of cybersecurity jobs are complete
bullshit, and/or their certifications are.

I won a free certification course as an EC-Council Certified Security Analyst,
and it's the biggest joke I've ever seen. It's such a massive fucking joke
that I decided to not even renew my certification for free because it would
just have been a waste of time.

Most of these "cybersecurity" jobs are download Metasploit and run autopwn,
install garbage antivirus everywhere. Maybe layer some more bullshit on top
like network intrusion detection and web application firewalls. If you still
get owned, talk some bullshit about how advanced the attack was and that
there was nothing you could have done.

The other option is to go and write exploits and sell these to government
agencies.

I don't really want to do either of those, so I'll stay far away from this
field, even as an infosec enthusiast.

I'm sure there's also some real infosec jobs, but I'd say they're pretty rare.

~~~
tr4cefl0w
> I won a free certification course as an EC-Council Certified Security
> Analyst, and it's the biggest joke I've ever seen. It's such a massive
> fucking joke that I decided to not even renew my certification for free
> because it would just have been a waste of time.

I've been in the field for a couple of years. I work for a global corporation
with 10k+ employees and most of our team members in the security department
are judged on their skills and various other factors and we filter potential
candidates with a small CTF. Certs have very little importance for us, but
we're the exception. Most big companies require certifications and oddly they
are the ones getting hacked.

In the field, we all know that EC-Council certs are bullshit. They are, at
best, the laughing stock in infosec because their "Ethical Hacker"
certification is a multiple choice answer and requires little technical
knowledge and no hands-on.

However, there are a few certs out there that need a lot of work and technical
knowledge to be learned for passing it, such as OSCP. It might be easy to get
for someone with 10+ years but for relative newcomers, it's a really good
challenge to tackle. I started with their lab, thinking it was going to be a
piece of cake for me but it's more difficult than I expected, which is a good
thing.

But I see your point and I mostly agree.

Care to explain why you think intrusion detection is bullshit?

~~~
lawl
> Care to explain why you think intrusion detection is bullshit?

If they're signature based they're not better than antivirus. I have zero
faith in signature based systems.

For the stuff that uses machine learning, I have to admit, I have no idea how
that stuff performs. But in general I wouldn't trust a machine learning model
to not be fooled.

Edit: Add to that HTTPS, I don't buy any claim that they can spot malware
traffic from malware that isn't dumb, and I don't think MITMing all traffic is
an acceptable solution.

~~~
tptacek
Anomaly detection doesn't do much better than signature systems do. It finds
real stuff, but it "finds" so much garbage that the signal is swamped by it.

~~~
user5994461
I don't know about network detection systems but antivirus heuristics used to
be terrific.

You can assign 100 students to develop a trojan for a week. At the end of the
week, more than 90% of the software are detected as generic trojan by the
antivirus.

~~~
lawl
> _You can assign 100 students to develop a trojan for a week. At the end of
> the week, more than 90% of the software are detected as generic trojan by
> the antivirus._

Probably because 90 of these 100 students have no idea how AV heuristics work
and what the trivial tricks are to completely stomp them.

~~~
user5994461
Some of them quickly realize that the AV is flagging all their binaries and
they try to evade it. They will soon discover that it is far from trivial.

Don't underestimate the students and don't underestimate the AV. The world is
full of surprises.

~~~
wglb
I had an intern who came to the job with one he had written in his idle time.
Nothing detected this, so I am thinking that it is not hard at all.

------
TheAdamAndChe
Unfilled job postings don't mean there's a shortage. There might be a
shortage of experienced IT security experts willing to work for $40k in the
most expensive cities of the world, but if there was an actual job shortage,
degrees and certifications wouldn't be a requirement, they'd just take a risk
hiring people willing to learn.

------
BadassFractal
As an outsider of the security industry, do people feel like the importance of
security is actually going up, or are people becoming progressively less
concerned, given how desensitized we've become to hacks and data leaks?

E.g. the Equifax hack was a pretty big deal, but nobody's that upset,
everybody moved on real quick. Same with hundreds of other major hacks.

~~~
top_post
Your point, well observed, is that there are very few repercussions. It is
becoming important and more prominent (than say 10 years ago) due to constant
media exposure and the constant breaches being seen, so there are a lot of
roles being opened and functions are being built where there weren't any
before. As a whole though, businesses will deprioritize security for increased
business performance, which you can understand.

Regulations like GDPR coming along should have some bite to get people into
action, but until that's actually observed there's not much going on.

------
claudiulodro
Sounds great. But how would I (software engineer) go about moving into those
sorts of jobs? Do bug bounties until I make it?

~~~
sheeshkebab
Talk with ops guys and have a security guy (that typically is on that team)
assign you things to fix.

It’s a bullshit job, as far as software development goes. Sure, you’ll learn
a bunch of hacks and ways to fix them and maybe pass CISSP cert if you really
don’t want to code anymore.

~~~
souprock
It's not a bullshit job. It's 3.5 million supposed jobs, many of which are
bullshit. All sorts of unrelated things are being lumped together.

      a. compliance
      b. red teaming
      c. actually trying to secure stuff
      d. trying to find holes to exploit
      e. etc. etc. etc.

Some of these involve lots of code. I posted one of those in the "Who is
hiring?" thread, and that one takes some serious hard-core coding ability.

------
yeukhon
Worked with a security solution, spammed company’s distribution list
specifically for this work with alerts. I ended up analyzing everything and
found not just false positives but also wrong analysis from their analysts...
this is to say the intention in selling a security solution could be good
and genuine, but the value in return can be nothing. So why do companies pay?
99% is “let the experts deal with the problem, if shit happens, we know who to
blame, we have done our due diligence so one more thing to check off on
auditor’s radar.”

------
greatamerican
Have they considered paying more?

------
zitterbewegung
Add projected unfulfilled cyber security jobs to the title.

------
vintagegeek66
I am 66, I guess I have plenty of work

------
vintagegeek66
I am 66 I guess I will stick around

------
lawnchair_larry
I’m surprised that blatant spam got so many upvotes/comments.

------
tradesmanhelix
Ironically, going to
[https://www.cybersecurityventures.com](https://www.cybersecurityventures.com)
in Firefox throws an SSL certificate error: SSL_ERROR_BAD_CERT_DOMAIN. This
does not fill me with confidence regarding this company's security prowess.

~~~
quotheth
Do you think there's much overlap between the people generating reports and
the people in charge of hosting their domain/managing certs?

~~~
tradesmanhelix
I'm just making more of a general comment re. the website/company, not the
specific post this HN thread covers. Granted, it's a minor detail, and most
people probably won't hit the www version of the site, but for whatever reason
it's the version of their site that my search engine surfaced, so FWIW I just
found it ironic.

Peace.

------
angelsl
Ugh. Another site that hijacks scrolling. Why?

