
With 'Massive' Cybersecurity Labor Shortage, Will Corporations Compete with Local Governments? (cnn.com) 83

It's high time for companies to start adding cybersecurity professionals to their teams, reports CNN. "The only hitch: There's a massive, longstanding labor shortage in the cybersecurity industry." "It's a talent war," said Bryan Orme, principal at GuidePoint Security. "There's a shortage of supply and increased demand."

Experts have been tracking the cybersecurity labor shortage for at least a decade — and now, a new surge in companies looking to hire following recent attacks could exacerbate the problem. The stakes are only growing, as technology evolves and bad actors become more advanced. In the United States, there are around 879,000 cybersecurity professionals in the workforce and an unfilled need for another 359,000 workers, according to a 2020 survey by (ISC)2, an international nonprofit that offers cybersecurity training and certification programs. Globally, the gap is even larger at nearly 3.12 million unfilled positions, the group says... The U.S. Bureau of Labor Statistics projects "information security analyst" will be the 10th fastest growing occupation over the next decade, with an employment growth rate of 31% compared to the 4% average growth rate for all occupations.

If demand for cybersecurity professionals in the private sector increases dramatically, some experts say talented workers could leave the government for more lucrative corporate jobs — a risk that is especially acute for smaller, local government agencies that manage critical infrastructure in their communities but have limited budgets. "Think of the criticality of what your local government does: water purification, waste treatment, traffic management, communications for law enforcement, public safety, emergency management," said Mike Hamilton, chief information security officer at Critical Insight. "But Amazon is out there waving around bags of cash to protect their retail operation." Hamilton — who was the former chief information security officer for Seattle, Washington, from 2006 to 2013 — added that local governments "cannot attract and retain these people when the competition for them is so high, which is why we've got to make lots of them."

The article notes educational training/up-skilling programs working to address the shortage, including GuidePoint, which helps train veterans leaving the military for cybersecurity careers. CNN also notes U.S. President Joe Biden's $2 trillion American Jobs Plan included $20 billion for state, local and tribal governments to update and improve cybersecurity controls for their energy systems.

"Still, experts say more needs to be done, suggesting a broad rethinking of education systems from elementary school through higher education to include more cybersecurity training."
  • by Ostracus ( 1354233 ) on Saturday May 29, 2021 @12:38PM (#61434348) Journal

    We need some training camps and certification mills to meet the increasing demand. Hey it works for doctors and lawyers.

    • I mean it would work to an extent. Lower quality at a tradeoff of having legal and medical help more available might be a worthy tradeoff, so long as you still measure that the resulting doctors and lawyers meet measurable standards of competency.

    • by Tom ( 822 )

      I have a couple of certifications and could hold more if I wanted to. The thing with the cybersecurity certifications is that they're basically bullshit. They test knowledge in an age where knowledge is ten seconds on Google away. One of the ones I hold literally tests if you correctly memorized its definitions of terms, despite the fact that there are very few terms in cybersecurity that actually have a globally accepted definition and everyone makes up their own variation. (yes, an ontology in cybersecur

      • That would be any of the CompTIA shit? Screw if you know how exploits work, they want to test you on whether you know the difference between the terms "whaling" and "phishing."
    • by Canberra1 ( 3475749 ) on Sunday May 30, 2021 @07:03AM (#61436246)
      Define professional. Employers want trained people off the street, cheap, and ready to go, expendable cogs. And they expect experience too. They do not want to train up people only to see them leave. They expect bondable, exploitable foreign imports will keep a lid on things. And enable them to tick 'Security' boxes, and be out of the blame loop. But they do not want to bear the cost of failing to do proper succession planning or workforce management. There are plenty of qualified IT professionals, ready to be trained up in a specialization (But refuse to pay for their own training, without a signed employment contract upstream). There are plenty of junior IT admins being held back. May those reap what they deserve.
  • by Narcocide ( 102829 ) on Saturday May 29, 2021 @12:41PM (#61434352) Homepage

    ... for anyone in charge to actually give a shit about security, and not just PR.

    And I'll still be waiting patiently when you come back groveling for my help.

    • by ShanghaiBill ( 739463 ) on Saturday May 29, 2021 @01:38PM (#61434478)

      ... for anyone in charge to actually give a shit about security, and not just PR.

      Show me the manager or bureaucrat who was promoted for implementing good security.

      If you do it right, it goes unnoticed but still costs money. So why bother?

      • BINGO! Security only gets negative attention, when security ask for resources and/or delay schedules to implement proper security, and of course when things get hacked.

        That said, it is sometimes hard to blame businesses, as they cater to their customers' wishes, who often don't give a flying rat's ass about security. I worked with some people in automotive where the manufacturer tried selling advanced security option to their customers, $3K extra for an advanced security package for an internet connected $1

        • Insurance and government regulation are both excellent drivers for this sort of thing - as you say, the market itself doesn't really care about "security".

          The problem, oddly enough, is the lack of crime. The amount of crime relevant to a specific technological preventative measure must exceed some threshold before it becomes part of the fabric or framework to pay for the prevention.

          That threshold is different for each to trigger: insurance usually notices first, as it hits their bottom line over a broader a

  • by awwshit ( 6214476 ) on Saturday May 29, 2021 @12:48PM (#61434372)

    Do you pay well?

    Is there required overtime?

    Is there required on-call?

    Do you have unreasonable business demands that make it impossible to do maintenance and upgrades?

    Do you even have a security budget?

    • I moved into sales because of this. I'm paid more and don't have to be a genius.
    • Re: (Score:3, Insightful)

      by geekmux ( 1040042 )

      The more relevant question when it comes to cybersecurity:

      Within my position do I hold the ability to tell anyone, even the CEO, "No, we can't do that" with a reasonable explanation, and be supported?

      If the answer to that is anything other than "Absolutely." then I say good luck to you. You are not ready.

      Go find another gullible moron who will pretend to be "in charge" of security.

      • If the answer to that is anything other than "Absolutely." then I say good luck to you.

        Oh, no question that they'll say "absolutely".

        Try it, however...

      • by vilain ( 127070 )
        Yeah, I told my boss that they had a major security issue because they allowed anyone to ssh into the cloud instances they set up. He told me not to restrict them because he wanted the developers to work from anywhere. A couple weeks later, we had a major break-in over the weekend where our account was mining bitcoins on thousands of big, expensive Windows VMs. My boss and the VP of Engineering spent the weekend locking things down.
        • they allowed anyone to ssh into the cloud instances they set up. He told me not to restrict them because he wanted the developers to work from anywhere.

          If I understand you correctly, this is such an utter confusion of a setup that you deserve to get hacked.

          • they allowed anyone to ssh into the cloud instances they set up. He told me not to restrict them because he wanted the developers to work from anywhere.

            If I understand you correctly, this is such an utter confusion of a setup that you deserve to get hacked.

            Uh, "deserve", is rather harsh when it sounds like you are preaching in the Choir Director's face.

            Developer data? I'd still slap ssh behind MFA VPN with certs. Cheap layer(s) of insurance.

            Like the fucking planet isn't troll-polling for ssh across the web at 10GHz, source routes brought to you by Billboard's Top 100 POP Hits of the Week with Ransey Ransom...

        • by AmiMoJo ( 196126 )

          Were you the one mining bitcoins? Forgive me for asking but something makes me think you might be the villain in this story.

      • by Entrope ( 68843 ) on Saturday May 29, 2021 @04:51PM (#61434942) Homepage

        The mindset where a security person just says "No, we can't do that" -- even "with a reasonable explanation" -- and thinks that is the end of a discussion is one reason we are in such a mess. Pencil-pushers do not get to dictate like that, especially to the CEO. The whole idea of security is to manage risk, which means informing people of the relevant trade-offs related to security risks.

        Security is not the endpoint. It is a requirement, but it is a cost center, not a profit center. There always needs to be a consideration of what the business's other goals are, and how to advance those goals while meeting the security requirements. If your perspective only extends to security questions, then just shut everything down, lock all the doors, light everything on fire, and go home. If you are willing to help discover "this is how we can solve our problems while managing security risks", then you are qualified to advise on security.

        • The mindset where a security person just says "No, we can't do that" -- even "with a reasonable explanation" -- and thinks that is the end of a discussion is one reason we are in such a mess. Pencil-pushers do not get to dictate like that, especially to the CEO. The whole idea of security is to manage risk, which means informing people of the relevant trade-offs related to security risks.

          Couldn't agree more, and we are quite aligned here. I am afforded to work in some environments where the rules are a bit more solidified in mandate rather than floating in mere recommendation or best practice. We usually view exceptions to the rule where you must fully mitigate any risk presented, usually with an alternative that does not reduce the security. I do understand not everyone is afforded that, and that is where many of the challenges lie in business today. Trying to shoehorn in good cybersecur

          • by Entrope ( 68843 )

            Yes, it sounds like you have your head on straight. If a security person says "you cannot do " and has a decent explanation -- listen to them. If they say "and here is a lower-risk way to do what you want" -- make sure they are both paid well and respected. That's a sign of someone who adds a lot of value to the company.

            • by Entrope ( 68843 )

              Meh. Slashdot's "plain old text" isn't. I meant to say "you cannot do <this very specific thing>".

            • I try to never "just say no". That rarely does anything but induce pushback and/or resentment. Whenever I can, I try to understand what the actual goal is, then give them an alternative that meets that goal in a more secure manner. I'd say it works about 80% of the time.

              I use a car analogy constantly for security:

              "Brakes are the antithesis of what a car is supposed to do. Cars go. Brakes prevent them from going.

              ...but how fast would you be comfortable going in a car without brakes?

              This gets the idea across that security isn't just about preventing things, it's also about enabling - the car can go faster, further, etc. with brakes, because it helps with control - so properly-

    • by bn-7bc ( 909819 )
      What is this "required overtime" thing? Either the hours are part of the job you were hired for, or it's overtime, compensated according to the rates set by your contract and you can't be forced to accept it. Or is this the case only here in Norway?
    • by vilain ( 127070 )
      Based on my attempt to get a job with the @SantaClaraCity, I wonder if local governments are in deep sneakers. My non-CS degree disqualified me from applying for an IT role they were desperate to fill. Will a CS degree also be a requirement for their cybersecurity candidates? No one has ever just said "you're not qualified" based solely on my degree. You don't need a CS degree to work in IT here in Silicon Valley, except in local government. So called "cybersecurity" people may not have this problem becaus
    • Security and quality assurance people are often hired so management has someone to blame when things go bad. Fire the scapegoat and hire another without having to spend more money. So I predict a lot of churn in the security professional market, which should make people eventually available to those governments and businesses that actually want to improve security. Liability for security breaches would alter everything quickly and then we would really need many more professionals and standards and less n
  • by Ichijo ( 607641 ) on Saturday May 29, 2021 @12:49PM (#61434374) Journal

    local governments "cannot attract and retain these people when the competition for them is so high, which is why we've got to make lots of them."

    Or pay them more.

    • Pay more? Give them the same advice we give artists. Do it for the love.

      • Pay more? Give them the same advice we give artists. Do it for the love.

        (CEO) "Dammit! We've been hacked!"

        (Underpaid Security Underling) "Ahh...Can't you just feeel the love.."

        • (CEO) "Dammit! We've been hacked!"

          (Underpaid Security Underling) "Ahh...Can't you just feeel the love.."

          I will now be singing "Can You Feel the Love Tonight", "Whole Lotta Love", and "Love Stinks" during every security incident from now on.

      • by Ichijo ( 607641 )

        Artists get a certain measure of immortality from their work. A good security professional doesn't get noticed [blogspot.com] because she prevents problems before they occur.

      • CEOs should do it for the love. As Jeff Bezos said [fortune.com]:

        "I find my work meaningful and fun. I still tap dance into the office."

        In fact, why pay CEOs at all?

    • local governments "cannot attract and retain these people when the competition for them is so high, which is why we've got to make lots of them."

      Or pay them more.

      Until they start paying good cybersecurity people >$125,000/yr this will continue to be a problem. Predictably, industry will probably do what it has always done and settle for incompetents, or maybe go load up H1B visas and pull people in from overseas who will work for far less. (This isn't an indictment of H1B visa folks or immigrants. It's just that highly qualified immigrants don't seem to demand what they're worth because it's still a step up.) I've run into so many absolute fucktards, as we all ha

    • I mean the 2 are one in the same... What questions do you think people ask when they are deciding what to major in at college. "what career can I get from this, and what does it pay". You make it clear that it's big money, watch the people studying it increase.
    • Have you driven through America recently and seen the state of small towns? Walmart came and killed small local stores. The towns weathered that, mostly, but it was a hard hit. Amazon came and people can't be bothered to think about their neighbor and buy from Amazon instead. It has hit cities hard. What do you think it does to small towns? Drive through this country. Spend $100,000 on a software security person? In many of these towns nobody makes that much money. Volunteers are all that keep them
      • by Ichijo ( 607641 )

        Have you driven through America recently and seen the state of small towns? Walmart came and killed small local stores.

        Yes, Wal-Mart would find two adjacent small towns and get them to compete with each other to offer the best tax incentives to put a store there. So the "winner" (more on this below) subsidizes the big-box store but not the small, local businesses, who can't compete and so they can't afford to stay in business.

        But it doesn't end there. See, the city also granted the Wal-Mart store a deed re

        • "but always with the blessing of the town itself" True. I have sympathy for them because, after Walmart had dealt with the first 50 small towns, the 51st small town did not have a chance. What they thought they were giving their blessing to was not what the amoral professionals on the other side were setting up. An experienced predator makes mincemeat of the rabbits and even gets the rabbits to give their blessing.
    • by bill_mcgonigle ( 4333 ) * on Saturday May 29, 2021 @02:19PM (#61434562) Homepage Journal

      > Or pay them more.

      A good security specialist is largely self-taught and has the equivalent of an engineering PhD in training and experience. Many companies think the pay should be 1/4 that of somebody just out of a 2-year law school.

      So they get hacked and make the news.

      Insurance companies need to up their game, and it seems like they will soon.

      • > Or pay them more.

        A good security specialist is largely self-taught and has the equivalent of an engineering PhD in training and experience. Many companies think the pay should be 1/4 that of somebody just out of a 2-year law school.

        So they get hacked and make the news.

        Agree with all of this.

        Insurance companies need to up their game, and it seems like they will soon.

        This however, is not the answer.

        Old and busted ransomware hits a company and demands a ransom. New hotness is to steal your IP first, then encrypt all your local data for ransom, along with holding your IP hostage remotely. Insurance will pay once. Insurance is sure as hell not going to shell out for your monthly extortion.

        Everything from implementing NIST-level security practices to adopting an insider threat program, and hiring competent personnel to manage it all, will still be

        • Everything from implementing NIST-level security practices to adopting an insider threat program, and hiring competent personnel to manage it all, will still be necessary. You won't even be able to justify the insurance premiums without it.

          So, essentially, what they should have been doing all along.

          *sigh*

    • Have you seen the GSA payscales?

      Government salaries in the entire IT sector are totally disconnected from reality. Cybersecurity is even worse because it typically demands an even higher premium.

    • by Tom ( 822 )

      This

      I know of so many companies looking for security professionals - some of them desperately. And about half of my phone calls with headhunters I cut short by announcing my current salary as the "below this we don't need to continue this conversation" line.

      It's amazing at what price companies think they can hire good people - in a seller's market! But when the price of raw materials goes up, they pay what the market asks because there they magically understand that if they don't pay the market price, they

  • 70th Percentile (Score:5, Insightful)

    by aaarrrgggh ( 9205 ) on Saturday May 29, 2021 @12:54PM (#61434380)

    I’ve known a few accomplished professionals in CyberSecurity over the years, and I honestly can’t see how someone in the 70th percentile in the (broader IT) field can possibly be more help than burden even with additional training.

    I also fail to see how most organizations (despite their best intentions) will be able to properly address cyber security. Cost is a small part of the equation (well, not really, but let’s pretend). Having proper security means you have additional friction in doing your job, as well as a chain of dependencies that is often far too weak for the task. A truly “secure” system needs almost twice the labor to follow policies.

    So, we end up with “best effort” solutions that simply are not. We end up with “that one” vendor that still doesn’t get it or simply prioritizes their own interests above the security of their customers. We end up with systems designed for humans.

    • Re:70th Percentile (Score:4, Insightful)

      by jythie ( 914043 ) on Saturday May 29, 2021 @01:16PM (#61434422)
      Yep, and this touches on the larger game theory problem of security. Companies that implement it well have difficulty competing with companies that do not, since security is inversely proportional to productivity. As the saying goes, fortune favors the bold. Companies that are careful will lose out to ones that are not.
      • The magic “right amount of paranoia” is an ever-shifting line. The scary thing (to me at least) is that the rate of change today is huge, and the mitigation measures for advanced threats are extremely limited. Most companies are aware of security today, but implement too many half-measures ([2|M]FA, excessive focus on phishing or patching, etc). I would love to implement a proper document management system for my company, but it simply is not practical for us. (Meanwhile, our asterisk phone sys

    • by Tom ( 822 )

      A truly “secure” system needs almost twice the labor to follow policies.

      No, it doesn't.

      I've built truly secure systems. I also design and implement security processes. It takes a lot of work to design and implement a secure system, and it comes with a few restrictions, but it takes 10% additional labor at most. It does take additional maintenance and administration, 20-50% more, less if you have capable, trained administrators.

      What it does need is two things that most companies don't have:

      a) an actual understanding of how their people work and what the real-world processes - yo

      • Interesting. I can comfortably see that being true for things like SAP/Oracle and their ilk, but when it gets down to things like samba, isolated networks, and all the processes needed for identity management and auditing it has always seemed much worse on the user side. Each piece of security only added 5-10% pain, but you quickly have 5-10 pieces impacting workflow resulting in much bigger productivity losses. This was for solutions that were solving fairly generic problems— nothing deeply related t

        • by Tom ( 822 )

          You are thinking "pieces". I am thinking entire systems.

          Start with what people actually do and how to express that in IT. Typically, if you design a security system you end up with much fewer pieces than if you tack on pieces one by one. But yes, it's not something your average IT department can do. I'm always happy when I find that a company actually has a systems or software architect, instead of just admins and coders. Most IT departments are essentially ships without a navigator. No surprise they come a

          • Can you help me with a more concrete example? How would you design a security system to address modern malware/ransomware threats? I get “defense in depth,” and I understand how you can design a process that has a high level of inherent security but taking a common case of Word documents stored on a file server for editing by multiple people in the organization prior to being published as a pdf and emailed to a client you are pretty limited in what you can do.

            I can see password protecting the

            • by Tom ( 822 )

              It depends too much on the specific case to go too much into detail.

              But a few examples: If people need to work remotely, you can add a VPN concentrator to your network, then run AD authentication through it, then tack on 2FA for security, then remember that you need to secure the notebooks as well and add endpoint protection, then you need an MDM... and so on.

              In a typical company, all these things arrive at different times, evaluated by different people and are added one after the other.

              If instead you look

              • Thanks for the response. I agree completely on all your examples; simplification is the goal for sure, and not simplification for the benefit of IT but for the benefit of the organization. I think my concern is the parts that remain complex because the process is not consistently definable over time— non-repeated tasks especially.

                And, you are right that far too often there is a failure to properly define a process that can be integrated into a cohesive solution.

                • by Tom ( 822 )

                  I agree that not all complexity can be reduced. I also agree that ad-hoc processes have their place. But not everyone in the company needs to be able to ad-hoc do arbitrary things with arbitrary data.

                  And, you are right that far too often there is a failure to properly define a process that can be integrated into a cohesive solution.

                  Probably half the time I design a good solution where previous attempts failed the secret was simply to start by asking what it is they actually want. You know, they come to me saying they need help implementing an MDM, or building a SOC, or rolling out a non-root policy and instead of going with that I ask why

  • In IT, they don't. Why oh why is there a shortage. It's a complete mystery.
    • by jythie ( 914043 ) on Saturday May 29, 2021 @01:12PM (#61434412)
      I had a similar thought.

      Security is mostly a human problem, not a technological one.. most attacks include a degree of social engineering. This means that any security that is effective curtails the ability of users to damage the system, which flipped on its side means effective security results in users having a more difficult time doing their jobs.

      Thus you end up with a profession where, if things go right, the security people not only incur direct costs but make everyone else worse at their jobs, thus are a very real liability... if things go wrong, they get the blame. There is no winning, only luck and balancing it against the probability of annoying people. Not a great job to have or keep.
      • by AmiMoJo ( 196126 )

        That's why most of them work as consultants. That way they can come in, say exactly what is wrong and make recommendations to fix it, and then inevitably the company doesn't implement them all so there is zero liability. When the inevitable hack happens they get paid to sort it out, not blamed.

        Companies want people in house, but as you said it's a mug's game.

      • by Tom ( 822 )

        Security is mostly a human problem, not a technological one..

        No, it isn't.

        most attacks include a degree of social engineering.

        No, they don't.

        There is a human aspect and there are social engineering attacks. But security is largely a failure state and aside from shoddy quality and lowest-bidder attitudes, the main issue is that the non-failure states are ill defined. With a kernel-level RBAC/MAC system like SELinux, and a properly security designed application software, I can lock down a system so tightly that I can hand you the root password and you can't fuck it up, you can't even disturb the business processes runni

        • There's a bunch of sign-in systems on the market much more convenient and at the same time more secure than the tedious 2FA that is now being rolled out everywhere, for example.

          Could you give an example or two? Are they hardware-based?

          • by Tom ( 822 )

            MobileIron has something built into their MDM called Zero Trust, for example. That's a software solution. There are hardware tokens and smartcards, of course, but they largely didn't make it (one exception may be the Austrian e-card which you can use to digitally sign documents in a way that by law is equivalent to a physical signature).

  • If there is a breach on your watch, does it ruin your career? Sometimes it's not even your fault, such as the org not spending on a needed resource. But, you may still get the blame.

  • by 140Mandak262Jamuna ( 970587 ) on Saturday May 29, 2021 @01:45PM (#61434494) Journal
    China is ready to ship 1,000,000 cyber security professionals to "help" America to overcome this shortage of cybersecurity professionals. Just have to give them H1B visas, or better yet, let them work from home in China.
    • by khchung ( 462899 )

      China is ready to ship 1,000,000 cyber security professionals to "help" America to overcome this shortage of cybersecurity professionals. Just have to give them H1B visas, or better yet, let them work from home in China.

      You tried to play the China card, but it is actually India that has the most H1B going to the US, and has millions more ready to go.

      Obvious reasons being that:
      English competency among general Chinese graduates is lower than the general Indian graduates.

      Indian general manufacturing industry is way behind China, meaning IT is one of the few well paying fields in India, thus have a high proportion of graduates going into it.

      Chinese top tier cities have living standards and wages getting quite close to US lev

  • What's the salary?

  • also pay living expenses while they're in school. That's how you solve the shortage.

    Who am I kidding, they'll bring in H1-Bs. And we'll let them because we're distracted with the Culture War.
  • And sadly my company is hiring for those jobs, but only for third shift - in office type duty.

    Which after 25 years in the industry, isn't happening without a _strong_ financial incentive.

  • Had an old co-worker get a cushy position working for the ATF, then they ran a background check and part of that included a question about smoking pot. He admitted to doing so in college, and he was terminated for it. I know they've since updated their practices, but that crap alone just shoots them in the foot.
  • local government will get the leftovers. Come On Man! Is there a local government not running the safe choice WinBlows?
  • There was no trucker shortage when the job sucked less and paid well for what did suck.

    Work sucks. That's why money or barter is offered to pay for it. Pay what the market will bear and the market will deliver.

    Fail to pay that AND despise your workers as an expendable cost center and those who have a choice will catch on then run for greener pastures.

  • by PPH ( 736903 )

    They won't compete. Because governments (local, state and national) will buy "off the shelf" solutions from corporations. Even if those solutions end up losing massive amounts of data to foreign intelligence (I'm thinking of the OPM subcontractor hack [wikipedia.org]). Sure, they may get their knuckles rapped. But once everyone forgets, Congress will push the work right back out the door. And they'll do it all over again.

    You can't fix this until you stop Congressional reps from having financial stakes in the subcontractor

  • Corporations will outsource or H1-B their Cybersecurity teams.
  • You already earn 2x-3x the salary working in the private sector in this area.

    This post is living in an alternate reality if it pretends that's not the case already.

  • With the idiot policies at the various levels of government (wherever you happen to live) it's an impossible job - that's if you want to do it with any level of professionalism or honesty.

    If you just want to jump on the gravy train you can make a lot of money if you can pretend that every level of computing isn't already compromised one way or another.

    Having dealt with a good bunch of cybersecurity vendors (and seeing them fail at one level or another) I am not confident that any of them are much more t

  • I work in cybersecurity, have done it most of my life.

    Yes, there's a shortage of talent. That's a direct consequence of two things:

    a) "IT as a service" - companies have begun looking at IT the way they look at cleaning or canteens - as a service some unit provides to other units. Yeah, sorry. That's not what intelligent, passionate people work in, you know? The very people you want to have walk out of such set-ups, because even if you don't outsource it, you push it to the secondary level with less engageme

  • Why does the author not know or understand that state and local US governments already pay the private sector for security ? They are also paying private industry for infrastructure.

    When will we stop responding to the flawed premise of these articles? If the story was simply “We need more trained IT security staff” then it would be a valid point, but to paint it as a private industry vs government labor war, then they lost me as a reader.

    It's like journalists literally cannot stop themselves from

  • In the United States, there are around 879,000 cybersecurity professionals

    So one out of ca 190 workers in USA is a cybersecurity professional? That sounds unrealistically high to me unless it includes "AD administrator" and "has the password to the company's firewall".
