Today is a slow news day. Yes, I know about BadRabbit… I make this statement anyway because it seems to me like BadRabbit is boring. I’m sure it’s not boring to you if you’re impacted by it, but for the unimpacted news reader, it’s neither technically interesting nor necessarily noteworthy from a tradecraft perspective. It uses human intervention to elevate privileges and lays down some dropper malware to encrypt files for Bitcoin. The primary implication I guess is that the first immutable law of security still applies. Murf. In fact, the primary reason I’d be interested in BadRabbit is attribution… which, other than analysis suggesting it’s probably the same people as NotPetya, is still up in the air. So maybe it’ll become more interesting if we learn more about it down the road, but right now I give it a “meh”. Potentially a “meh plus” because of the attribution angle, but it’s on the cusp.
Anyway, because I’m not super interested in that, I’ll continue an exploration I started a while back about the security “skills gap.” Why? Because I came across the research from CompTIA that has implications for this.
But first, a few full disclosure statements and caveats: 1) be advised that my “day job” is with ISACA, an organization that (depending on your point of view) is a direct competitor to CompTIA. I’d argue it really isn’t, but not everyone sees it the same way I do. 2) I have, in the past, highlighted data about – and posited analysis that supports – a security skills gap. I’ve written reports, for example, that conclude that it exists and that it’s an important thing to pay attention to. That either supports or detracts from my credibility on this matter depending on your point of view.
That out of the way, about the CompTIA study. The thing I found most interesting is this (from HRDive coverage of the press release): “The report also found that some professionals worry their skills will soon be obsolete; many, however, said they were interested in careers in cybersecurity (51%) and cutting-edge areas such as the Internet of Things (30%) and artificial intelligence or machine learning (20%).” Note that I did my level best to find this data point in the materials released by CompTIA, but I can’t find it in there — my suspicion is that this data point made it to the press release but didn’t make it into the report summary up on the site. Since I can’t find the full report or the data (the “Access” button points to an executive summary – at least as of now), I’m running with this one.
The reason this is interesting to me is that it demonstrates that cybersecurity is increasing in interest for those in the job market. So this is an interesting data point to me for a few reasons. First, it’s maybe unsurprising as there has been quite a bit of attention out there on why cybersecurity is a “hot” area, how there’s a skills gap (the implication being that it’s super easymode to find a job and that there’s tons of mobility and job security), etc. It also suggests to me that the narrative of the skills gap is gaining traction into broader IT. Though I don’t have direct evidence to support it, I also think it is having a broader impact on the job market more generally. It’s comparatively more appealing to these folks compared to other “hot” areas.
Here’s why I think caution is warranted though. Namely, there are organizations for which there is a direct line between the “security skills gap” narrative and their particular agenda (financial or otherwise). Consulting companies, for example. The more difficult it is (or seems to be) to find good security talent, the more appealing their services appear to be. Also, certification bodies and educational institutions. Those who offer “differentiation vehicles” (like certifications or degrees) for professionals in the space. Their goals are also directly forwarded by the narrative. Technology companies and those who automate security tasks likewise. What I’m saying I guess is that there is a communal bias and interest in believing the narrative. I am NOT saying that anyone is doing this purposefully. But as an exercise to the reader, I would ask you to pay attention to the source of information about the skills gap when you hear it: who is the report coming from and whether they are directly or indirectly served in some way by highlighting it.
Do I personally believe a skills gap exists? I do. But am I biased? Unquestionably.
I also happen to think that the implications of it are, long term, potentially problematic for practitioners in the space. An influx of personnel into the job market absolutely will have a downward pressure on salaries over the long term and have a long term impact on professional mobility. That’s the downside. The upside is that, the less competitive the space becomes the more opportunity there is for safeguards against malpractice. I’ve advocated for professional licensing of security practitioners before.
So, like, if a security pro sucks at their job – and engage in either deliberate or accidental (but grievous) malpractice – we can limit the further damage they can do to others by revoking their ability to practice. As it stands now, those in the profession who aren’t great can continue to be that way until they retire. As long as they can sell how awesome they are to people who don’t know anything about it… and having held an equivalent position at organizations that are heavily disincentivized from sharing their negative experiences with that candidate.
I’ll continue to come back to this topic… Of all the things that are going on security, I think the long-term economic impacts on the job market are potentially the most significant for individual practitioners. When BadRabbit goes away five minutes from now, there will be something else to take its place. The impacts on the job market from the skills gap though? Both the narrative and the actual underlying phenomenon will still be playing out 5 years from now — and still be impacting practitioner’s lives.