
Cybersecurity Pros Name Their Price as Hacker Attacks Swell - benryon
https://www.bloomberg.com/news/articles/2019-08-07/cybersecurity-pros-name-their-price-as-hacker-attacks-multiply
======
CyberBank
The biggest areas for growth for Cyber at the moment are of the not-so-sexy
jobs. The asset inventory, patch management, vulnerability management, third
party management, risk management, etc. If you are good at any of those and
are innovating in any of those areas, you are as close to naming your own
price as you can get in Cyber.

As for the most "needed" areas of Cyber, it comes down to education. Not your
bachelor's degree, but educating and raising awareness to your business, your
IT staff, and even your development teams. It's extremely tricky to measure
your return on investment, but almost always it comes down to a lack of
knowledge causing one massive hole in the fence, leading to a breach.

No amount of controls will stop someone truly motivated and skilled, so you're
better off raising the fence a bit higher and hoping that it deters the truly
malicious.

Disclosure: I run Vulnerability Management and Assessments globally for one of
the largest companies in the world, so my answer may be a bit biased :)

~~~
thorwasdfasdf
I've never understood people who say: "No amount of controls will stop someone
truly motivated and skilled". I don't think that's true.

Correct me if I'm wrong, but if there are no holes in the application/web stack
to be exploited, then there's no getting in. Right? It's not about
hacker/pirate skill. It's about whether or not the target has plugged all
their holes or not.

~~~
graylights
Software is only one part. Do you trust your hardware, your people, your
supply chain, your physical security? "Truly motivated" can mean extreme
resources and willingness to cross all boundaries.

Are you secure if your admin's child is kidnapped and the ransom demand is for
network access? Are you secure from the Secret Police wanting to hijack your
service for their purposes?

Once you accept you CAN'T stop truly all attacks you can be comfortable with
acceptable risk and work to mitigate realistic risks.

~~~
btown
Yep - this is why you might try to limit pivoting based on an assumption that
everything is compromised, you can require coordination from multiple
geographies to unlock access to certain highly sensitive resources, you ensure
that these protocols aren't published, and above all you follow the New York
Times Test: don't type anything that you wouldn't want to see on the front
page of the NYT. This requires _pride in security_ at all levels of your
organization, and it's something that few organizations outside of the
military get right.

~~~
yifanl
It boils down to this: if you can access secured data, then someone following
the same steps can also access it.

So unless you advocate for no secured data, you are vulnerable to a
sufficiently sophisticated attack (i.e. hypnodrones hijack your mind).

------
jedberg
Not surprising. At Netflix, despite the already high salaries, the security
engineers were paid a premium for their skills. The highest paid engineers at
Netflix were security engineers. They did stuff like invent entirely new
security protocols[0][1].

[0] https://medium.com/netflix-techblog/message-security-layer-a-modern-take-on-securing-communication-f16964b79642

[1] https://github.com/Netflix/msl

~~~
lawnchair_larry
How do you know what everyone was paid?

That’s definitely not the norm though - security engineers are typically
classified the same as an SDE for payroll purposes, and tend to have less
negotiating leverage than high level SDEs who build and ship products, except
maybe some very rare exceptions. But most companies also don’t have their
security engineers actually write shipping code.

I think this article, like every security related article from bloomberg, is
pretty much BS.

Also, they use the example of CISO at a large company. CISOs aren’t actually
security experts in the vast majority of companies. They’re usually business
people or outright frauds, disappointingly. The people who hire and interview
them have no way to validate them.

The article makes a case for why CISOs are worth a lot, justifying the cost of
a breach. The problem is that CISOs have virtually no impact on whether or not
you get breached, and they usually bear no responsibility for it. It doesn’t
matter who you pay how much - it isn’t going to affect the outcome much. Alex
Stamos is one of the few that actually has any background in security at all,
and look what good that did Yahoo and Facebook. Not much. The other problem is
CISOs rarely get any actual authority over product, and when they try to flex,
they just get pushed out. The ones who survive are simply master politicians
who manage their messaging and their image.

The real reason for this article, I suspect, which appears to be primarily
sourced from a security recruiting firm, is that they take a cut of every
position they fill. It’s very much in their best interest to pump up the value
to justify their fees.

Most security money is very poorly spent. I think part of the problem is that
hackers are usually bad managers, and tend to be less interested in playing
corporate politics. So the manager jobs go to someone else, who has to make
decisions they don’t understand. The higher up you go, the more this gets
amplified. For every breach you hear about, that company likely has a few
competent security folks saying, “see, I told you...”

~~~
staticassertion
I definitely feel like I have much more negotiating power than eng, as someone
who used to be in an eng role and is now in security. There are more engineers
and eng is a less niche skillset. There are very, very few people with my
skillset. Hiring for my team takes months, minimum, with far far fewer
candidates in our pipe.

I work at an SF company and routinely field offers from other companies that I
can view on levels.fyi, and my colleagues in eng are open with me about their
salaries so I have lots of datapoints to compare to.

To your other comment:

> I seriously question whether you understand how mediocre the mean security
> engineer actually is, even at top tier companies

This seems equally true for eng.

~~~
trhway
>There are very, very few people with my skillset.

"security" seems to be a very wide notion. Can you give some highlights of
what that specific skillset is and what your job actually consists of?

~~~
staticassertion
I have an engineering background, which is quickly becoming a requirement for
security roles. I do detection and response work.

------
strict9
There is an endless supply of "infosec specialists" and "ethical hackers."

But there is a massive shortage in motivated experts that ensure packages are
up to date and fluent enough in code spelunking to ensure the app isn't
trusting user input or allowing privilege escalation.

There's also a shortage in technology leaders willing to spend money on the
mundane aspect of security. It requires regular work, not compliance effort
and periodic audits/pentests that check off boxes.

~~~
cryptica
Software complexity in most companies has exploded. Nobody is doing anything
to try to reduce or manage complexity, so it's only getting worse. The more
complexity there is, the easier it is to find vulnerabilities.

~~~
CyberBank
> Nobody is doing anything to try reduce or manage complexity so it's only
> getting worse.

I disagree. I see a number of large corporations starting to standardize:
1) their entire development stack, from the IDE all the way to how the code
is deployed; 2) re-engineering entire languages so that one language is used,
e.g. Quartz at BofA; 3) at the very least, companies are starting to
standardize their middleware stacks, to at least avoid the configuration
related issues of having a development team managing that.

While I do agree that the complexity of third party libraries has exploded
and is increasingly difficult to manage, I'd say companies are well on their
way to standardizing that, with tools like Nexus, Sonatype, Black Duck, etc.

We're obviously a long way away from being even 75% effective across the
board, but to say nobody is managing the complexity is a bit short-sighted :)

~~~
WrtCdEvrydy
> I see a number of large corporations starting to standardize

My current job in a nutshell.

It's like handling children (No, you can't add a new technology because you
want something fancy on your resume)

------
arcboii92
As a software engineer early enough in his career to change tack, how would I
go about venturing into this space? Cybersecurity is something that has always
interested me, but it seems like such a massive feat that I often find myself
overwhelmed and settle back into my comfortable dev job.

Then every time we finish building a new publicly accessible system we send it
off to "the security company" to pen test it. I am always very jealous about
this.

~~~
biztos
There is the serious end of the security business, the service end, and the
fake end. Plus of course all the black-hat ends.

If you want to be in the serious end, which doesn't necessarily pay more than
any other software job but can be really interesting work, I would suggest
learning about anti-virus and similar attacks (there are books and tutorials)
and generally making your server software game as strong as possible. Then get
a job with a security company at whatever level and bust your ass looking for
challenges. You can rise very quickly if you can move the dial for the
customers, and "smart and gets things done" plus "gives a shit about security"
is a rarer combination than you'd think.

The service part, e.g. your pen-test company, is going to be much more
mercenary. Great experience if you can get it, and probably a good space to
start your own company in, but of very limited value in the big world.
Security companies will have huge annual contracts, pen-testers and the like
will be called in occasionally to check off a box on a security audit. Either
one can work for you, but it's best to know what you're getting into.

The fake end of course is companies promising something they won't actually
deliver, or will deliver with gross violations of ethics and/or the law.
Obviously avoid these as best you can -- for the more serious companies,
having your name associated with "SEO" or other spammers can permanently
blacklist you from employment at least in the US, obviously the dodgier the
play the greater risk of blacklisting. Hiring managers worth their salt have a
nose for this, since Ethics is way more important than Skillz for any serious
security job.

In case the black-hat part isn't obvious: in many places word gets around if a
talented hacker is interested in security. Mafia is mafia even for us nerds.
If something sounds suspicious, I strongly suggest you don't take the meeting.
(This may be less of an issue in the US.)

Best of luck to you! The world needs more smart people working for a safer
Internet!

~~~
diminoten
I dunno about some of this; working for a security company in a non-security
software role gets you a lot of adjacent experience (take extra courses
mandated by the company, go to extra talks, work with super smart security
people), but I don't consider myself anything like an actual security expert
after doing this for nearly 8 years.

There's a _lot_ of not-security work to be done in the security industry, and
it's not all work that gives you security-specific experience. I like to think
I'm good at what I do, but it's not security, even though it's to help
security people.

~~~
biztos
I've been working in Security Per Se for more than 10 years and I would also
be reluctant to call myself a "security expert" -- as would most of the
people I respect in the business. (Free pass for CVs in motion of course.)

This is because many of us have very specific domain knowledge which probably
doesn't map to a layperson's expectation of "security expert" -- and while I
don't see much "Impostor Syndrome" I would assert that most branches of
Security will humble you if you really know your shit, so a great indicator of
someone who doesn't is their readiness to claim broad expertise.

Yes, most of the work in "security" is just "software engineering" -- but my
own experience has been that for people who care about the security angle,
plenty of domain knowledge accrues over time. You might not even realize how
much you have, but others do: for me there is a _huge_ difference between
working with an ops person who has internalized the adversarial worldview of
Security and one who is "just a sysadmin."

------
SubiculumCode
I told my son repeatedly that if he ever wanted a secure and high paying job
it could be in cybersecurity. We aren't going back to less dependence on
networks, and we are putting more and more valuable assets and operations on
those networks, which will need to be protected. Although, I suppose it is
possible that computer security could move into the automated sphere....

------
bulatb
High-profile well-connected people, friends and peers of executives, and
people in a right-place, right-time situation name their own price.

ICs at FAANG get FAANG-level comp. Consultants gladly take dumb money's
budget.

"Cybersecurity Pros" get the standard NDA and noncompete.

Until there's a breach.

------
novok
A lot of security issues will boil down to the CISO / consultant saying: You
have to spend a lot more on your software infrastructure, hire more staff and
keep shit up to date and not use bottom barrel $10/hour offshored engineers.
It will have to become company culture to keep shit up to date and do the
basics in security. Like with Equifax:

https://arstechnica.com/information-technology/2017/10/a-series-of-delays-and-major-errors-led-to-massive-equifax-breach/

And when that is the problem you have to deal with, it's more about executive
buy-in and management than it is about any sort of security expertise, and that
seems fairly difficult to do at most companies with really large systemic
security culture issues such as that.

------
siculars
“CEOs don’t know what it’s worth until it’s walking out the door,” Comyns
said. “Then they stand in the door and say, ‘You’re not going anywhere.’”

They deserve what they get. If you underfund critical parts of your
infrastructure that you don't even realize are critical, what do you expect?
Pay for talent. End of story.

~~~
Spivak
True, but if it's critically underfunded everywhere then it's what we have now
where it's just the cost of doing business and a risk you account for.

I would imagine most sites on the internet could be exploited by someone
targeted and ultimately relying on the fact that their data/site isn't
valuable enough to attack in the first place.

------
euske
No disrespect to actual security experts, but here are the four common areas
where a lot of dubious/questionable "pros" can pop up:

- Health experts

- Education specialists

- Productivity gurus

- Security specialists

~~~
freehunter
As a security specialist, 100% agree. It’s just not provable that we are worth
anything. There is so much theory and guesswork and companies still get hacked
because you can’t prove if I’m wrong or right until you actually get hacked.
There’s too much ground to cover and not enough people watching the alarms.
And of course the alarms trigger whenever a stiff wind blows.

Everyone wants to do security but no one knows what security means so they
just cut a fat check and pretend like it is working.

~~~
westpfelia
Plus "Security Expert" is incredibly vague. Like, what do you do? Are you a pen
tester? SIEM analyst? Compliance? Do you work in SecDevOps? Or are you just a
firewall/IDS guy? Or maybe you walk around the office and hit your accountants
every time they click on a phishing link with a wiffle ball bat.

The world of infosec is so massive that saying you are an expert in 'Security'
is useless.

~~~
PenguinCoder
> _Or maybe you walk around the office and hit your accountants every time
> they click on a phishing link with a wiffle ball bat._

I would like this job. Please post the job link ;)

~~~
SamuelAdams
Search for "Corporate Controller". They typically report directly to the CFO
and oversee a lot of other financial roles. Every company has one, and they
usually only step out of their office to hit someone with a club or something.

A lot of their job is protecting the company from lawsuits, usually because
someone somewhere did something dumb.

Source: worked closely with a corporate controller for many years.

------
aczerepinski
I'm skeptical about the "more than 300,000 unfilled security jobs" stat. Are
we talking about thousands of empty chairs for each of the big tech companies
and hundreds for each of the remaining fortune 500?

~~~
mr_toad
I don’t know about this particular statistic, but what is often done in these
studies is to survey organisations to ask how many of these staff they want or
need, or how many vacant ‘positions’ they have.

The numbers don’t always reflect how many positions they actually have the
budget for, or whether they’re willing to pay a realistic rate.

Arguably, if they were willing to pay market rates there couldn’t be any
vacancies, because supply and demand.

~~~
bayesian_horse
I rarely see the concept of "supply and demand" used properly.

In introductory economics, it's just two lines crossing somewhere. In reality
though, companies still have to make a buck, so there is a definite limit on
how much a company can pay a "security professional" and still be profitable.

And worse, if we are talking about a labor shortage across an industry or
country, price doesn't really come into it at all. Price is only a competitive
factor, it doesn't create or destroy individual developers. If one employer
"scoops" an employee for a higher price, the shortage moves to where he just
left.

Sucking in talent from other industries or countries also has its limits. And
on top of all of that there seem to be some anti-competitive effects
preventing wage wars.

------
buboard
Cybersecurity is a cat and mouse game; it will never end. If it ends up like
another arms race, it's going to be a huge cost to the markets, bigger than
any national defense budget. The best way to secure data is not to have it
stored in the first place. I think this will be the next big trend: from big
data to small data.

~~~
bayesian_horse
Most cybersecurity threats are "simple" crime, rather than government action,
and even the latter is often quite "commercial".

If there is enough law enforcement and enough self-protections by civilians
(companies), criminals should get demotivated and the overall level of
activity should die down, just like "real" crime. We're far from that though.

------
gist
Also sounds like the old days and somewhat similar to 'nobody ever got
fired for buying IBM'. Why? Well, by throwing a great deal of money at
hiring the experts (if that is the case), nobody can be called out as they
could if they didn't pay for that insurance.

------
jamestimmins
I'm curious if anyone has found consistent work doing bug bounties and things
like HackerOne to a sufficient degree that it would replace a FT engineer
role.

I'd love to hear/learn about someone's experiences if it exists.

~~~
sp_
I co-manage
[https://hackerone.com/googleplay](https://hackerone.com/googleplay) and the
top contributor there probably makes 5x - 10x of an average software
engineering salary for his home country.

Not a lot of hackers care about Android app security so there's barely any
hackers participating and little competition. Most apps have never had anybody
do a security review.

Additionally the scope of the program is so wide that you can look through
hundreds of apps from companies that have no security posture at all. Finding
bugs is easy and payouts are more than generous.

~~~
biztos
> 5x - 10x of an average software engineering salary for his home country.

...which might still be 0.2x of an average Google salary in Mountain View, as
noted above.

The fact that you even mention "home country" pretty much requires that you
give us specifics if you want us to take the claim seriously.

------
slowhand09
I want companies to be held liable for their breach, especially when they are
negligent or it was easily avoidable. I currently have FREE CREDIT MONITORING
as my PII has been exposed by multiple reputable companies plus the
government. Monitoring x3 doesn't punish them for leaking my data. It doesn't
even (in my mind) give them enough incentive to make it much harder to lose.
I'd be happy if it was encrypted and regularly tested to make sure it was
still encrypted, both at rest and in motion.

~~~
slowhand09
Note: monitoring x3 as multiple leakers are each being "punished".

------
ummonk
>Just last week, Capital One Financial Corp. disclosed that personal data of
about 100 million customers had been illegally accessed by a Seattle woman,
possibly one of the largest breaches affecting a U.S. bank. The firm’s shares
have fallen 8.9% since the intrusion was revealed.

Misleading reporting. The whole stock market went down since then, and banks
particularly so.

------
auiya
Yes and no. The price many cybersecurity pros want is to be able to live in a
place of their choosing and work remotely. Many will even take lower salaries
than the market would dictate where the company is located to do so. While
this is slowly improving, a majority of companies are still not willing to
accommodate this in my experience.

------
plolio
I'm studying cyber security in Germany. It's the single best decision I've
made so far. The work opportunities seem endless and I love working in the
industry.

Most of my fellow students simply decided to go into this field because of the
high monetary compensation and expect salaries starting from 60k€ upwards with
a Bachelor's.

~~~
hwj
Does the name of your university start with an "R"? ;)

------
dandare
The last time my work password expired and I had to increase the number at the
end from 7 to 8, I asked our 6-figure-salary cybersecurity pro what the point
of password rotation is when all it achieves is that regular users stick it
on post-its on their monitors or store it in draft emails in Outlook.

> Compliance.

------
mrdependable
I've been interested in learning cyber security for a while, but I can't help
but feel if there was a successful attack the fallout and pressure would be
intense. Is that a real thing to worry about or is my imagination getting away
with me?

~~~
TACIXAT
There are all hands on deck situations, but you just do what you're good at,
figure stuff out, and fix it asap. Usually it's a team effort. Not awful. If
you're interested I really recommend it.

------
zer0faith
Guess I need a raise.

~~~
commandlinefan
Title is misleading. It should read “Cybersecurity pros who graduated summa
cum laude from Ivy League universities with dozens of contacts in the C-levels
of Fortune 500 companies and are under 30 can name their own price”. Truly
unique times we live in.

