
Widespread Incompetence in the Cybersecurity Field?

ryan45
Level 1

First, this post is not intended as that run-of-the-mill elitist "why isn't everyone as smart as me?" kinda post, but I do want a gut check.

I keep meeting "security professionals" who'd struggle to match the technical expertise of a help desk admin.

Cases:

1: My company just brought on someone with a Master's in Cybersecurity from an online school and 10 years of experience working risk compliance for a prestigious government contractor. I got to talking with him and he didn't know what a VM was. No, I am not joking. There is plenty more to say about this person, but let's move on.

2: I keep hearing security professionals bring up absurd concerns during meetings with management meant to determine how our budget is spent. Concerns like "if we allow speakers, they can be turned into microphones and steal keystrokes from our air-gapped devices." Yes, we've all read that article talking about that theoretical attack, but when actual pressing issues like {insert pretty serious vulns here} exist, they can't prioritize hypothetically NAC or MFA over expensive countermeasures for the latest scary Wired article.

3: I meet otherwise highly credentialed people who struggle with basic IT concepts. What I will list here is more forgivable than the previous two, but still worth mentioning. Issues like not knowing theoretically how a DMZ is set up, not knowing the difference between a subnet and a VLAN, failing to understand the difference between giving someone limited admin rights vs giving every sysadmin domain admin, etc etc.

Let me make this clear: I am NOT talking about folks with less than 5 years experience. We should embrace our up and coming security professionals. But I feel like I am surrounded by people who have no business being in security who are there simply because organizations can't fill those roles with anyone else.

Thanks for reading my thing.

5 Replies

Marvin Rhoads
Hall of Fame

I've been in IT for almost 40 years, most of that time having security as a primary or at least secondary role. I have worked in both public and private sectors - both on the end user and reseller side. In my experience there isn't any one specialty that suffers from a disproportionate share of less than fully-qualified individuals.

There are a very high number (disproportionately so) of cybersecurity vacancies, so many organizations may be struggling with staffing those properly. It sounds like you've had the unfortunate experience of interacting with low-performing or lesser qualified cybersecurity professionals. I can say from first-hand experience that most of the ones I have dealt with have been doing their jobs to the best of their ability and often with great benefit to the organizations they serve.

Whenever I come across someone who's making unwise choices or recommendations - be it in security or elsewhere - I do my best to inform the discussion with better-reasoned explanations and recommendations so that we collectively advance the status quo to a better place.

@dhanushxdhanushx29596 why did you repeat the first paragraph of my earlier reply as your post?

Presumably so they could spam their link to MXPlayer, whatever that may be

@neil.woodhouse thanks - I didn't see that spam link earlier.

Anyhow, it's not posted anymore - I sent the post to moderation limbo. :)

grahamvid
Level 1

The term "security professional" is too overloaded and broad. Do you want a software engineer who knows how to create secure applications? Do you want a risk/standards/compliance lead? Do you want an IT professional that knows how to keep infrastructure secure? Do you want someone in a SOC? Do you want someone to run a bug bounty program? Do you want a pen-tester that can hack the **bleep** out of your IoT product? Do you want a pen-tester that can hack the **bleep** out of your infrastructure? All of these require different skillsets and different people. But they are all "cybersecurity professionals".
