topic Widespread Incompetence in the Cybersecurity Field? in Endpoint Security

Widespread Incompetence in the Cybersecurity Field?

ryan45 — Fri, 21 Feb 2020 05:10:40 GMT

First, this post is not intended as that run-of-the-mill elitist "why isn't everyone as smart as me?" kinda post, but I do want a gut check.

I keep meeting "security professionals" who'd struggle to match the technical expertise of a help desk admin.

Cases:

1: My company just brought on someone with a Master's in Cybersecurity from an online school, and had 10 years of experience working risk compliance for a prestigious government contractor. I got to talking with him and he didn't know what a VM was. No, I am not joking. There is plenty more to say about this person, but let's move on.

2: I keep hearing security professionals bring up absurd concerns during meetings with management meant to determine how our budget is spent. Concerns like "if we allow speakers, they can be turned into microphones and steal keystrokes from our air-gapped devices." Yes, we've all read that article talking about that theoretical attack, but when actual pressing issues like {insert pretty serious vulns here} exist. They can't prioritize hypothetically NAC or MFA over expensive countermeasures for the latest scary Wired article.

3: I meet otherwise highly credentialed people who struggle with basic IT concepts. What I will list here is more forgivable than the previous two, but still worth mentioning. Issues like not knowing theoretically how a DMZ is set up, not knowing the difference between a subnet and a VLAN, failing to understand the difference between giving someone limited admin rights vs giving every sysadmin domain admin, etc etc.

Let me make this clear: I am NOT talking about folks with less than 5 years experience. We should embrace our up and coming security professionals. But I feel like I am surrounded by people who have no business being in security who are there simply because organizations can't fill those roles with anyone else.

Thanks for reading my thing.

Re: Widespread Incompetence in the Cybersecurity Field?

Marvin Rhoads — Sun, 01 Sep 2019 06:04:18 GMT

I've been in IT for almost 40 years, most of that time having security as a primary or at least secondary role. I have worked in both public and private sectors - both on the end user and reseller side. In my experience there isn't any one specialty that suffers from a disproportionate share of less than fully-qualified individuals.

There are a very high number (disproportionately so) of cybersecurity vacancies; so many organizations may be struggling with staffing those properly. It sounds you've had the unfortunate experience of interacting with low-performing or lesser qualified cybersecurity professionals. I can say from first hand experience that most of the ones I have dealt with have been doing their jobs to the best of their ability and often with great benefit to the organizations they serve.

Whenever I come across someone who's making unwise choices or recommendations - be it in security or elsewhere - I do my best to inform the discussion with better-reasoned explanations and recommendations so that we collectively advance the status quo to a better place.

Re: Widespread Incompetence in the Cybersecurity Field?

Marvin Rhoads — Wed, 22 Jul 2020 02:03:39 GMT

@dhanushxdhanushx29596 why did you repeat the first paragraph of my earlier reply as your post?

Re: Widespread Incompetence in the Cybersecurity Field?

neil.woodhouse — Mon, 27 Jul 2020 10:46:24 GMT

Presumably so they could spam their link to MXPlayer, whatever that may be

Re: Widespread Incompetence in the Cybersecurity Field?

Marvin Rhoads — Mon, 27 Jul 2020 11:35:07 GMT

@neil.woodhouse thanks - I didn't see that spam link earlier.

Anyhow, it's not posted anymore - I sent the post to moderation limbo. 🙂

Re: Widespread Incompetence in the Cybersecurity Field?

grahamvid — Sat, 26 Feb 2022 06:14:43 GMT

The term "security professional" is too overloaded and broad. Do you want a software engineer who knows how to create secure applications? Do you want a risk/standards/compliance lead? Do you want an IT professional that knows how to keep infrastructure secure? Do you want someone in a SOC? Do you want someone to run a bug bounty program? Do you want a pen-tester that can hack the **bleep** out of your IoT product? do you want a pen-tester than can hack the **bleep** out of your infrastructure? All of these require different skillsets and different people. But they are all "cybersecurity professionals" vidmate instagram video download