What's Wrong With Us?
by lg0p89
People are leaving cybersecurity.
This really isn't news to most of us. If they aren't leaving, the remainder of this segment are praying for death when they go to bed, so they don't have to endure another day dealing with egos, unrealistic deadlines, and the bosses.
There are consistently large numbers of jobs open on the job boards and on individual companies' websites, as well as through recruiters calling and emailing at all hours. Annually, a new graphic is published showing the supply and demand curves with the gap growing larger every year, indicating that the need for people is far outpacing the supply (that's you and me). To assist with the issue, there has been a push to automate as many processes as possible. While this may be beneficial in the long run, it is problematic for several reasons. These are symptoms of a larger systemic problem. What's causing this significant loss for the industry?
People Are Leaving Cybersecurity
We hear more and more about the skills gap.
This is going to continue to grow as more technology is introduced and as the technology stack gains depth. All of this takes time, training, and resources to have the staff get up to speed with the technology.
For example, if you are testing a new product using 5G and the company purchases the equipment for a cell station, not everyone will have the experience with this - setting it up or operating it. That takes time. Employers don't want to spend the money or employees' time with the training if they don't have to.
Too many times, people have posted astonishing job descriptions requiring mid-career experience for entry-level pay. They may list the CISSP and years of experience for low analyst-level pay. The HR department expects the certifications, degrees, and certificates and also expects to pay as little as possible. The company's pay is not commensurate with its expectations. Just reading this drives certain people in the industry nuts as HR's lack of grasp of reality kicks in.
Political Forces
This is always a favorite.
Everyone wants to be the CISO. This is the paramount position for us. The power and prestige are an eternal draw for some.
For nearly a year, I was in this role at a county municipality. I loved the work itself. I was helping secure the county's different networks, consulting with the court's admin to assist in guiding them.
The network's configuration, tools, and most other aspects of IT were overly complex when they didn't need to be, and I was working to simplify this. While this was absolutely fulfilling, dealing with senior management (i.e., CIO, county board of commissioners, director of administration, et al.) made working there much more difficult than it needed to be.
While there, my focus was doing the job. There was ample to do, and I worked late and weekends to get things moving forward. I kept my head down and did the work.
In short, the issue was that I well underestimated the power of politics. Even doing the right thing, following industry standards, and overtly using common sense will get you in trouble.
For example, the sheriff's department requested a low-level manager to have complete unfettered access to everything and anything on the Internet. This manager was not out there on the streets trying to solve crimes, find child predators, or track down human traffickers, but was managing an out-of-the-way department that was completely administrative and had no business having open access to the Internet or anything else.
He really didn't like being told no to complete access to everything, so he complained to his manager, a captain, who then directed me to give him the complete access. The only reason given for this over-the-top access to anything on the Internet with absolutely no accountability was that he needed it for his job, which he obviously didn't.
I put together a very clear document on why this was not a good idea for anyone and, if he needed access to a blocked website, I certainly would look at it right away. I let the captain know I couldn't do this due to the risks this would create. That did not go over well at all.
Oh, and by the way, the county a couple of years before had a little issue with ransomware due to misconfiguration and click-happy users. This was a nationally published story and cost the county a lot, both directly and indirectly.
There was also an instance where a ticket came in requesting two laptops that was clumsily worded and did not attach any documentation that normally would have been required. This was also from the sheriff's department. The request was for two director-level county staff. The laptops were to only have Word and Excel with no access to any county resources, files, folders, etc. These would pretty much be set up as if you went to a big box store and purchased two laptops along with Microsoft licenses. There was also no documentation attached for the request.
You know, if you don't get the paperwork prior to delivering the equipment, good luck getting it in a timely manner. As this was exceptionally odd, and I didn't want to get into yet more trouble with the sheriff's department - this time for treating these two persons differently than any other county employee - I asked questions.
Seemingly, if a ticket is not filled out correctly - or at all - and nothing is attached, you find out why and help the person complete the process correctly. There are policies and procedures in place for a reason. The requester refused to respond to any emails on why these two had to have such limited access to everything.
The questions did not go over well, as you can imagine. It turns out the sheriff had a training plan/program in place for incarcerated people to teach them skills so that when their sentence had been fulfilled, they could be gainfully employed, for example, as a plumber, electrician, or in another job. These two somehow received enough training in this program while incarcerated to be director-level community event planners, even though they were felons (two felonies each for murder and weapons charges) serving approximately 12 and 18 years. One of the two had applied for a job at the county and was turned down immediately. The sheriff had elected to override the hiring process.
The CIO was exceptionally irritated that I had followed protocol and asked questions to clarify the request. To this day when the sheriff talks to the board of commissioners, these two are standing behind him at the podium. The workers supported me, but senior management made it tough to be concerned with doing the right thing.
This was interesting, and I wrote a screenplay about it. Maybe you'll see more details of this on the big screen one day.
However, I'll have the usual disclaimer of "This story is fictional. This does not depict any actual person, entity, or event [yada, yada, yada]."
I could talk about the sheriff's department's "bid" process for security, but this would be beating a dead horse. This added to my burnout, and lack of accountability by most levels of management was problematic.
For these reasons and too many more (e.g., being told I did not smile as much as I needed to), I decided this was not the place for me. Also, if anyone thinks this couldn't have happened or I'm making any of this up, I have a complete set of notes for the timeline, notes from the ticketing system with dates and timestamps, meeting notes, etc.
If nothing else, I'm thorough. One thing those newer to the industry need to appreciate is if you can't document it, it didn't happen. The printed materials I have will far outlive any of the senior managers' memories.
Loud = Correct?
In meetings, have you noticed the louder people are when discussing a topic, the more passionate they appear to be and the more correct?
In multiple iterations, a manager may claim there are no tools to (fill in the blank). We accept what the manager says because they are passionate (but really just loud), even though a simple Google search finds four tools that do this and would work in the environment. When the manager is corrected, it doesn't matter. The damage is done. This wears down even the most dedicated, honest people.
In Closing
We need a healthy dose of reality and accountability.
Unless some of the issues are resolved, this is only going to get worse. People may get upset with the changes; however, this is short-term and less costly than having staff leave due to burnout and idiocy.
Something to think about.