“So you want to be a hacker?” is the advertisement from a University teaching cybersecurity. But, training thousands to become hackers is going to have unintended consequences, and the 500K vacant cybersecurity jobs will continue to go unfilled.
The popularity of cybersecurity education is one of those forces. Today, nearly every college and university has a cybersecurity program. Previously pursued by only the technically proficient and curious – many that are attracted to the “hacker” lifestyle are now jumping onboard. Since instruction is in part driven by student demand, “hacking” has skewed the curriculum toward offensive security. The focus is on how to break INTO a network, not necessarily defend one.
At the same time, the InfoSec 'cons' have exploded, cashing in on DEFCON's name, but not necessarily delivering the experience. Newer entrants to the infosec community are making their marks as public speakers – again, primarily talking about how to hack into networks and break things. Conference experiences, anecdotally reported in social media, indicate a culture among practitioners that’s going through some growing pains as well.
So where are these trends going to land?
The “Hacker” Hype and Its Unintended Consequences
The offensive security role is but one of many in the cybersecurity employment ecosystem. A quick check of indeed.com shows 516 US jobs for ‘penetration tester’, 9,062 for ‘information assurance’, and 3,716 for ‘cybersecurity analyst’. According to recent Australian research, the most rapidly growing role looks more like an auditor than a penetration tester. In the UK, the career trends in information security are focused on incident responders, SOC analysts, security architects, and threat intelligence specialists.
To be clear, there will always be ethical hacking opportunities for things like vulnerability discovery, hardware security for new technologies like connected autonomous vehicles, and the hopefully-someday-secure medical devices. However, hiring today is more focused on information assurance and data protection roles, and we should do more to design curriculum that is aligned with the outcomes we want and need. Yes, capture-the-flag competitions are useful in creating the signal that analysts will be searching for, but the ‘we need cyber warriors’ narrative is creating the wrong expectation, and a predictable outcome.
The potential is high for unemployed red-teamers who have skills that will transfer nicely to the darker side of InfoSec. If your skills can't be monetized in the W-2 sense of the word, there are lots of opportunities for a service-based economy to emerge – such as competitive espionage, nation-state gigs, and straight-up theft.
In a cultural sense, the motivation to network and attend professional conferences is laudable in terms of continuing education and product/service awareness. They are also reportedly responsible for many feeling violated in a number of ways, and for public disagreements that turn quite personal. Apart from contributing to the potential for dark side-ism as above, doxx-ing and reputation destruction are on the rise as a result. As an example, note the appearance of organizations like the BadAss Army, with a mission to expose and punish those guilty of revenge porn – some of which is driven by grudges carried over from activities at those very conferences. Is it the environment created by the conferences, or is it the evolving culture of the field? It’s an interesting question.
None of this is pointing in the direction we would preferentially choose. There is certainly a need for offensive security practitioners – notably driven by the military and defense sectors – but let’s be clear: the requirement for a penetration test is once annually. Market forces will mitigate some of it – decreasing demand for offensive security professionals will drive the rise of other roles. As an industry, I think we could do a better job of defining where we need more humans, rather than fanning the @0xh4cktar” flames (if the Twitter metaphor means anything to you).
Additionally, it may be necessary for our community to start talking more openly about standards, ethics, and the expectations that come with the responsibilities with which we are collectively entrusted.
Cybersecurity Education that Works – the PISCES Model
What’s needed right now are practitioners who are good at network monitoring. There is a huge demand for experts who can sift through a prioritized set of network events and investigate them. At CI Security, this is exactly what we do. If an event is confirmed, our experts initiate response with our clients, and optionally take an action to quarantine an asset. This rapid response helps prevent a compromise (a foreseeable event) from resulting in records disclosure, theft, extortion, or service disruption.
We also support cybersecurity education in WA State with our partnership with PISCES (Public Infrastructure Security Cyber Education System). CI Security’s technology is used to monitor small local governments at no charge. In return, multiple universities teach curriculum around the data collected, and students gain operational experience within a "live-fire" setting. In addition to the real-world experience, these students get a chance to see how defending critical services can provide a meaningful way to use their cybersecurity skills. The outcome is that more trained analysts graduate to fill in-demand roles in both the public and private sector, free of the dramatic overtones of being part of the “scene.”
Help InfoSec Students Avoid the Dark Side
This is a better way. We'll always need red team hackers, but businesses must avoid and minimize losses caused by cybercrime and nation-state actions. We can do a better job finding the sweet spot to get talented people trained up for the cybersecurity jobs that are most in-demand.
Talk honestly with students and graduates: there simply aren’t enough ethical hacking jobs to go around, but there are plenty of cybersecurity jobs out there that pay well. These are easy discussions to have with infosec students and job seekers, and we also get to kill two birds with one stone: fill more cybersecurity jobs with skilled people and drain the talent pool available for illegal hack jobs.