Next generation … people

DISCLAIMER/STATEMENT OF IGNORANCE: a number of regular readers have asked why I insist on using asterisks for footnotes, and whether I could move to actual links, instead.  The official reason I give for sticking with asterisks is that I think it’s a bit quirky and I like that, but the real reason is that I don’t know how to add internal links in WordPress, and can’t be bothered to find out.  Apologies.

I don’t know if you’ve noticed, but pretty much everything out there is “next generation”.  Or, if you’re really lucky “Next gen”.  What I’d like to talk about this week, however, is the actual next generation – that’s people.  IT people.  IT security people.  I was enormously chuffed* to be referred to on an IRC channel a couple of months ago as a “greybeard”***, suggesting, I suppose, that I’m an established expert in the field.  Or maybe just that I’m an old fuddy-duddy***** who ought to be put out to pasture.  Either way, it was nice to come across young(er) folks with an interest in IT security******.

So, you, dear reader, and I, your beloved protagonist, both know that security as a topic is one which is interesting, fast-moving and undeniably******** sexy – as are all its proponents.  However, it seems that this news has not yet spread as widely as we would like – there is a worldwide shortage of IT security professionals, as a quick check on your search engine of choice for “shortage of it security professionals” will tell you.

Last week, I attended the Open Source Summit and Linux Security Summit in LA, and one of the keynotes, as it always seems to be, was Jim Zemlin (head of the Linux Foundation) chatting to Linus Torvalds (inventor of, oh, I don’t know).  Linus doesn’t have an entirely positive track record in talking about security, so it was interesting that Jim specifically asked him about it.  Part of Linus’ reply was “We need to try to get as many of those smart people before they go to the dark side [sic: I took this from an article by the Register, and they didn’t bother to capitalise.  I mean: really?] and improve security that way by having a lot of developers.”  Apart from the fact that anyone who references Star Wars in front of a bunch of geeks is onto a winner, Linus had a pretty much captive audience just by nature of who he is, but even given that, this got a positive reaction.  And he’s right: we do need to make sure that we catch these smart people early, and get them working on our side.

Later that week, at the Linux Security Summit, one of the speakers asked for a show of hands to find out the number of first-time attendees.  I was astonished to note that maybe half of the people there had not come before.  And heartened.  I was also pleased to note that a good number of them appeared fairly young*********.  On the other hand, the number of women and other under-represented demographics seemed worse than in the main Open Source Summit, which was a pity – as I’ve argued in previous posts, I think that diversity is vital for our industry.

This post is wobbling to an end without any great insights, so let me try to come up with a couple which are, if not great, then at least slightly insightful:

  1. we’ve got a job to do.  The industry needs more young (and diverse) talent: if you’re in the biz, then go out, be enthusiastic, show what fun it can be.
  2. if you’re showing people how much fun security can be, encourage them to do a search for “IT security median salaries comparison”.  It’s amazing how a pay cheque********** can motivate.

*note to non-British readers: this means “flattered”**.

**but with an extra helping of smugness.

***they may have written “graybeard”, but I translate****.

****or even “gr4yb34rd”: it was one of those sorts of IRC channels.

*****if I translate each of these, we’ll be here for ever.  Look it up.

******I managed to convince myself******* that their interest was entirely benign though, as I mentioned above, it was one of those sorts of IRC channels.

*******the glass of whisky may have helped.

********well, maybe a bit deniably.

*********to me, at least.  Which, if you listen to my kids, isn’t that hard.

**********who actually gets paid by cheque (or check) any more?

Author: Mike Bursell

Long-time Open Source and Linux bod, distributed systems security, etc. Now employed by Red Hat.

One thought on “Next generation … people”

  1. Pay as a motivator is an interesting topic in security right now. It’s been my experience that pay is one of the hardest barriers for attracting new/young talent into a lot of the areas in defensive security.

    While this is a bit of a generalization, there are lots of gray areas and there are jobs that combine both offensive and defensive work (doing defense well really requires understanding good offense after all), there does seem to be a bit of a trend in the industry that pen-testing, red-teaming and more recently the “develop commercial quality weaponized 0day and intrusion tools” (the “Dark Side”) pay quite a bit better than roles with more of a defense focus.

    The “sexy” factor, especially for young people, really seems to lie in the “breaking-into things” side of security and not so much in the other parts.
