abixb | 2 years ago

Seems like a rage-bait title, but I kind of agree with the general premise that cybersecurity teams shouldn't treat themselves as solving unique problems that other auxiliary teams (like SRE/platform engineering) haven't already come across and/or already solved.

I am of the opinion that this massive push by big organizations (coupled with mandates for C-suite roles like CISO) into building a dedicated army of staffers for "cybersecurity" feels like just another attempt to bloat up the size of an organization and create more 'bullshit' jobs, as David Graeber put it over half a decade ago.

genmud | 2 years ago

Anyone in cybersecurity who isn't a fucking moron (of which I freely admit there are many), without a doubt knows the problems they solve are not unique. As someone who has done it for nearly 20 years, my colleagues and I absolutely despise having to repeat the same shit, over and over. I want nothing more than to not be necessary.

I liken my job to being a janitor, and people can't seem to stop from pissing, shitting and trashing everything. It's goddamn 2023 and we still can't get people to always validate input or ensure proper constraints are built in.

slt2021 | 2 years ago

Computer Janitor is a more correct description than Security Engineer. Because at the end of the day we are cleaning up and tidying others' mess that they left. Whether it is random software dependencies, or glaring holes in firewall config, or missing OS patches/whatever.

Ekaros | 2 years ago

Time after time the most basic things are forgotten. Like: should this user be able to do this action or read this data?

I don't expect magic, but at least cover the absolute basics. Then I might be able to figure out something more interesting or rare.

Or if I get a report that something has a CVE, just tell me if that is a problem for you or not.

slt2021 | 2 years ago

The actual reason for mandating companies to spend on cyber is because they are cutting costs on SRE/Ops by outsourcing all KTLO work to India and other offshore countries. If you have ever looked at an average S&P 500 company IT budget, there will be a nontrivial amount dedicated to WITCH (Wipro, Infosys, Tata, Cognizant, HCL and friends) for outsourced KTLO work.

This makes it impossible to do anything meaningful de-novo on a high level, like create a good security architecture as a platform for all dev teams, or adopt a new security platform.

Outsourced companies do only piece work on a ticket-by-ticket basis and require very specific instructions upfront.

Mandating companies to keep in-house cyber staff makes it possible to grow talent in-house and do high-level designs of platforms to keep stuff secure.

makeitdouble | 2 years ago

Are there any provisions stopping them from outsourcing the cybersecurity team as well?

hazmazlaz | 2 years ago

Except the fallacy with this premise is that the other teams _haven't_ solved the problems, which is why the cybersecurity teams are necessary in the first place. Cybersecurity doesn't solve any problems that are inherent to computing and are unavoidable, cybersecurity solves problems that are created by the mistakes of other teams. It's an unfortunate truth and it's difficult for many people to swallow, but I have found in my career, which is nearly 20 years at this point, that this is true in every case that I have personally experienced. That is to say, if developers created secure software by design, and if infrastructure teams/operations teams handled their assets and processes in a secure manner, then there would be no need for cybersecurity outside of a few specialized roles.

zitterbewegung | 2 years ago

They aren’t bullshit jobs though in the way the author presents the problem.

Honestly in cybersecurity the big hacks that usually go on is the fact that people can get crypto lockers or a whole host of problems that attack humans. The whole argument of the above shouldn’t even be anything about software. The most effective thing to secure networks is to educate your whole staff on when not to click something suspicious so instead of fighting physics we are fighting human psychology.

I could argue the second is the business group overriding security practices because they accept or don’t care about the risk. So then people who were never born when the service was active have to deal with getting a project in with the vendor that doesn’t give a shit about you.

Security usually even is a technical problem, it's human; we just like having cool stuff presented at a con because it's fun.