
Widespread Incompetence in the Cybersecurity Field?

First, this post is not intended as that run-of-the-mill elitist "why isn't everyone as smart as me?" kinda post, but I do want a gut check.

I keep meeting "security professionals" who'd struggle to match the technical expertise of a help desk admin.


1: My company just brought on someone with a Master's in Cybersecurity from an online school, who had 10 years of experience working risk compliance for a prestigious government contractor. I got to talking with him and he didn't know what a VM was. No, I am not joking. There is plenty more to say about this person, but let's move on.

2: I keep hearing security professionals bring up absurd concerns during meetings with management meant to determine how our budget is spent. Concerns like "if we allow speakers, they can be turned into microphones and steal keystrokes from our air-gapped devices." Yes, we've all read that article talking about that theoretical attack, but when actual pressing issues like {insert pretty serious vulns here} exist. They can't prioritize hypothetically NAC or MFA over expensive countermeasures for the latest scary Wired article.

3: I meet otherwise highly credentialed people who struggle with basic IT concepts. What I will list here is more forgivable than the previous two, but still worth mentioning. Issues like not knowing theoretically how a DMZ is set up, not knowing the difference between a subnet and a VLAN, failing to understand the difference between giving someone limited admin rights vs giving every sysadmin domain admin, etc.

Let me make this clear: I am NOT talking about folks with less than 5 years' experience. We should embrace our up-and-coming security professionals. But I feel like I am surrounded by people who have no business being in security who are there simply because organizations can't fill those roles with anyone else.

Thanks for reading my thing.


Re: Widespread Incompetence in the Cybersecurity Field?

I've been in IT for almost 40 years, most of that time having security as a primary or at least secondary role. I have worked in both public and private sectors - both on the end user and reseller side. In my experience there isn't any one specialty that suffers from a disproportionate share of less than fully-qualified individuals.

There are a very high number (disproportionately so) of cybersecurity vacancies, so many organizations may be struggling with staffing those properly. It sounds like you've had the unfortunate experience of interacting with low-performing or lesser-qualified cybersecurity professionals. I can say from first-hand experience that most of the ones I have dealt with have been doing their jobs to the best of their ability, and often with great benefit to the organizations they serve.

Whenever I come across someone who's making unwise choices or recommendations - be it in security or elsewhere - I do my best to inform the discussion with better-reasoned explanations and recommendations so that we collectively advance the status quo to a better place.


Re: Widespread Incompetence in the Cybersecurity Field?

OK, I’m in the government/security area of the business, coming from a desktop, then system admin, then system engineering role in previous jobs. I’ve always thought most security professionals knew very little about the systems they were managing security on. But then these were the DITSCAP and now RMF folks that merely do the crunching of data to get through all the controls in XACTA or eMASS applications to get you the accreditation and authority to operate/connect that you needed to do business in the DoD world. Most had some background in IT, then passed a cert to get into that field. It starts as low as the Security+ for the lower tiers. They do not need a lot of knowledge of the computer system, just the knowledge of the security controls and how to ask you, the expert, how they are answered and controlled in your environment. The smart guys were the Security Engineers that had the server certs and experience before going into the security world. But then, they do not want to do the accreditation stuff; they would leave that for the less experienced guys. I just finished a Master's in Cybersecurity as well. I learned stuff during that program, but nothing that would make me a better system admin or engineer; just like a lot of college education, there is a lot of general knowledge and security ideas, but not a lot of how-to. And some folks just interview well....
