
Introducing Chronicle, a new Alphabet business dedicated to cybersecurity - artsandsci
https://medium.com/chronicle-blog/give-good-the-advantage-75ab2c242e45
======
tradesmanhelix
> Security threats are growing faster than security teams and budgets can keep
> up, and there’s already a huge talent shortage.

Can anyone here speak to the "there's already a huge talent shortage" part of
this article? Specifically, security is a field I'd _love_ to work in, but I
honestly don't see a ton of job postings and I'm unsure as to how one might
transition from say a role as a full-stack web developer into a security job.

For example, here are some things I've been doing as I'm considering a move
into a security-focused role:

- Following the industry (podcasts à la SANS mainly)

- Reading books on hacking (currently "The Shellcoder's Handbook")

- Reviewing my comp sci basics (x86 assembly + reading K&R "The C Programming
Language")

- Dabbling in some hacking exercises
([https://ropemporium.com](https://ropemporium.com) and
[https://canyouhack.us/](https://canyouhack.us/))

Mainly asking because I see statements like the above regarding the shortage
of security talent all the time, yet I can't find a lot of guidance either for
exactly how one can get started in this field.

[edit]: List formatting

~~~
puzzle
Based on my experience, there is a huge talent shortage, especially outside of
the Bay Area. I'm not a security person myself, but my team tried to hire a
security person multiple times.

You'll often find people that have experience running automated scans, filling
up compliance paperwork, setting up firewalls and SIEM tools, etc. but don't
know how to deal with source code or mitigation. At the other end of the
spectrum, there's a small number of people who can review code and write
tools, exploits, etc. but hate the bureaucratic work. In the middle, which is
the kind of person that a startup or small company would want to hire, there
is an even tinier number of candidates.

The kinds of things you are doing sound great. Perhaps try to participate in
bug bounties, too. One reason you don't see a ton of job postings is that many
companies don't know yet they need them. :-) Also, a lot of recruiting might
just happen through word-of-mouth or in an outbound fashion. In my limited
interactions, I found that the security community can sometimes work like a
club or a society, more than in other tech circles.

~~~
dboreham
>but don't know how to deal with source code or mitigation

Actually I have noticed this and so we are spinning up a security consulting
practice in 2018 looking to address this gap (staffed with experienced
developers or former developers). Time will tell if this is a workable
approach.

~~~
skgoa
That would be awesome. IME people care about security in principle, but no one
really knows how to write secure software.

------
Alextigtig
It seems a bit odd to me that this company grew out of X, as I was under the
impression that projects in the "Moonshot Factory" were more ambitious. From
what I gather, this sounds mostly like an analytics org for enterprise, not
something that might change the world (e.g. Waymo, Loon, Project Ara).

Perhaps X is taking on less radical projects than I imagined. Would love to
hear others' viewpoints on this as well, though.

~~~
puzzle
Mike Wiacek was the manager of the Google team that worked on APT and nation
state attacks in the wake of Aurora. Think of the Gmail notices about
state-sponsored attacks on your account, which required new detection tools and
technologies. I doubt you'll find many groups with the same experience and
expertise.

------
alpb
The blog post from Astro Teller (of X) subtitled "Cybersecurity needs a
moonshot":

[https://blog.x.company/graduation-day-introducing-chronicle-...](https://blog.x.company/graduation-day-introducing-chronicle-318d34b80cce)

------
jacksmith21006
Wonder how Google Project Zero will interact? Google has found Spectre,
Meltdown, Broadpwn, Cloudbleed and Heartbleed and makes sense to leverage for
but hope does not change from sharing?

Hope just use for branding and not try to directly monetize.

------
xstartup
As someone who ran a security firm: results are much more difficult to show/prove
in a security firm. Running a development agency, we can break down the
project into tasks and the stakeholder can review each step from our worklog.
Usually, they are happy with the result. I've found the best way to run a
development agency is to not hire in the range of 400-500 developers. This has some
trade-offs, like some devs are not happy when we switch them from project 1 to
project 10 just because a stakeholder lost interest or their funding dried up.

------
_pdp_
First of all, interesting! Second, this is some sort of security information
and event management (SIEM)? At least this is what it looks like from the
brief description put online.

------
mkempe
How does this relate to CrowdStrike -- funded in large part by Google Capital?

------
g-b-r
The gist is probably "[...] Storage — in far greater amounts [...] over years"
(of data that Alphabet might not yet have had access to)

------
DyslexicAtheist
doesn't really look like _Chronicle_ provides anything that is already covered
by _Elasticbeam_ (which compared to Chronicle has been on the market since 3+
years and works exceptionally well).

disclosure: I have no affiliation with either one but wonder why
Google/Alphabet would be _that_ late to the party and offer nothing that isn't
already out there. _yawn_

~~~
acdha
It’s possible that they launched without doing any market research or
competitive analysis but doesn’t it seem more likely that the minimal
information available now isn’t the sum total of what they’re planning?

~~~
DyslexicAtheist
I hope so for them.

------
jbob2000
I guess this is the new fad now, “Apply ML models to data you already have”?

~~~
acdha
That’s like saying it was a fad to “apply software to your existing business”
or “move business you already have to the web”.

Sure, that was in vogue at times and some people wasted a lot of money but
that over-summarization doesn’t give you an accurate understanding of what
actually happened.

------
google_rocks
I hope I got it wrong, really. But Google has big (and small) corporate
clients using the full GSuite... and a sister company selling "consulting" to
the same companies? "It seems like you have some security issues, it's great
that I have this friend who can fix them for you before you get hacked" Isn't
that some sort of conflict of interest for any other industry? Wouldn't
selling protection from unknown threats IRL classify as something neither
ethical nor legal?...

~~~
klodolph
> Wouldn't selling protection from unknown threats IRL classify as something
> neither ethical nor legal?...

Hiring private security or bodyguards is not considered unethical or illegal.
Installing alarm systems is not unethical. Am I misunderstanding this?

Google already sells consulting to cloud customers, this seems perfectly
natural and I'm not sure how you avoid it.

------
grendelt
I'm guessing they're going to have some naming disputes with the various
newspapers that use Chronicle in their name (like the Houston Chronicle, the
3rd largest paper by Sunday distribution according to wiki and the primary
paper for a city of 2.5 million people) and the Chronicle of Higher Education -
a go-to source of news and information for much of higher ed.

I don't think any of them claim sole ownership of the word 'Chronicle', but
I'd imagine there will be some "this will be too confusing" back-and-forth.

