Is Security where it's at?

Panther

Is IT Security or auditing where it's at in the (future) job market? Security seems popular.

Or, Cloud (AWS/Azure)?

It'll depend on the company, but my thought Security is not a need [from the company's perspective, again depends on the company], and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

I think it's important. It's good to have internal audit in IT, that audit's IT. You have audit in Finance.

It's just that of the places I've worked, not many, they didn't really have an auditor in IT. They may have self-check (practices), but over time that can go unchecked I think.

jibtech

Security and Cloud will both be future growth areas. I think Security is a need, and companies are now starting to realize that.

Realistically, any organization that has an internal IT audit function likely already has a Security team in place. It is far easier to outsource audit, than it is to outsource security.

Danielm7

Yep, security doesn't only mean audit, there are many different areas of security. Both are good growth areas.

jcundiff

Panther wrote: »

It'll depend on the company, but my thought Security is not a need, and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

Apparently Equifax thought so as well, what with their music major CSO and failure to get anywhere near basic security hygiene/best practices... how did that work out for them?

LordQarlyn

I was thinking the same thing. The "savings" they achieved with minimalist approach to security will be far less than criminal fines and the class action lawsuit that just started. Not to mention reputation hit - I wouldn't trust Equifax with my cancelled credit card numbers lol.

DatabaseHead

Panther wrote: »

Is IT Security or auditing where it's at in the (future) job market? Security seems popular.

Or, Cloud (AWS/Azure)?

It'll depend on the company, but my thought Security is not a need, and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

I think it's important. It's good to have internal audit in IT, that audit's IT. You have audit in Finance.

It's just that of the places I've worked, not many, they didn't really have an auditor in IT. They may have self-check (practices), but over time that can go unchecked I think.

lpppc-mmegen | Kent State Online Master of Music in Music Education

Get this and call it a day......

jibtech

LordQarlyn wrote: »

I was thinking the same thing. The "savings" they achieved with minimalist approach to security will be far less than criminal fines and the class action lawsuit that just started. Not to mention reputation hit - I wouldn't trust Equifax with my cancelled credit card numbers lol.

Unfortunately, you aren't the customer. Your bank is the customer, and they are still comfortable giving your information to Equifax. I will be interested to see how the GDPR gets interpreted for the European consumers who are affected.

TechGuru80

Panther wrote: »

Is IT Security or auditing where it's at in the (future) job market? Security seems popular.

Or, Cloud (AWS/Azure)?

It'll depend on the company, but my thought Security is not a need, and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

I think it's important. It's good to have internal audit in IT, that audit's IT. You have audit in Finance.

It's just that of the places I've worked, not many, they didn't really have an auditor in IT. They may have self-check (practices), but over time that can go unchecked I think.

First of all, the future depends on what you are talking about. Cloud is huge, SDN is on the horizon, and many other things...so it depends on what you are interested in but everything needs people to get trained.

Saying security can get cut is laughable. Generally, the larger a company is, the more there is a need...otherwise a lot of security functions either get omitted or system and network workers have to perform the duties. Larger companies will have dedicated teams. Also the industry is important because there are different regulations for healthcare, financial, payment processing, etc.

Usually only large companies will have auditors on staff, and a lot of times external auditors are utilized...for example PCI requires pentests (a form of audit). Again the size and maturity of a company makes a difference if they have dedicated security and how many.

jcundiff

jibtech wrote: »

Unfortunately, you aren't the customer. Your bank is the customer, and they are still comfortable giving your information to Equifax. I will be interested to see how the GDPR gets interpreted for the European consumers who are affected.

GDPR is not in effect yet... goes into effect May 2018, so it won't get interpreted for European customers... I am sure we will see articles on how this would be handled if GDPR were live.

Stock price and reputation is where they are getting hit the hardest at the moment... their stock pre-announcement was 141.45 it closed today at 98.99, a loss of 42.46 in less than a week (30% of the pre-announcement valuation), I expect to see it continue to drop the rest of the week and possibly even next week

jibtech

jcundiff wrote: »

GDPR is not in effect yet... goes into effect May 2018, so it won't get interpreted for European customers... I am sure we will see articles on how this would be handled if GDPR were live.

Stock price and reputation is where they are getting hit the hardest at the moment... their stock pre-announcement was 141.45 it closed today at 98.99, a loss of 42.46 in less than a week (30% of the pre-announcement valuation), I expect to see it continue to drop the rest of the week and possibly even next week

GDPR was a mistake on my part. Was thinking Dara Protection Directive, but saying GPDR. Oops.

jt2929

Panther wrote: »

Is IT Security or auditing where it's at in the (future) job market? Security seems popular.

Or, Cloud (AWS/Azure)?

It'll depend on the company, but my thought Security is not a need, and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

I think it's important. It's good to have internal audit in IT, that audit's IT. You have audit in Finance.

It's just that of the places I've worked, not many, they didn't really have an auditor in IT. They may have self-check (practices), but over time that can go unchecked I think.

Please see any of the major security breaches, Equifax being the most recent.

jcundiff

jibtech wrote: »

GDPR was a mistake on my part. Was thinking Data Protection Directive, but saying GPDR. Oops.

Yeah, GDPR will have a much bigger bite. It still amazes me, the number of U.S. based companies that have their head in the sand, thinking it doesn't apply to them... they will learn the hard way when they get breached and have European tourists' PCI data in their breach...

infosec123

Software development is where its at. If you are a good software dev, you can make WAY more money than in Infosec.

ITSec14

infosec123 wrote: »

Software development is where its at. If you are a good software dev, you can make WAY more money than in Infosec.

Not always. ISO's and CISO's are making stupid amounts of money. Even senior engineers are pulling in mid six figures. Most software developers in my area are making between $85-$100k, while senior/management level security folks are making $120k+.

DatabaseHead

It's a case by case basis. Software Engineers can work from home A LOT and in my area make ~120 - 130 tops. Usually no bonus.

Add some math or stats to your skill sets and you can become a data engineer which in my area pay ~150,000 but there isn't a lot of those jobs.

I agree directors in my area on average make ~200,000 base with usually a good bonus structure 30% of total gross with potential to double bonus (up to) if the company performs well.

Senior management ( anything lower than director) in the midwest is making around 80 - 110 with a 15 % structure with a chance to double. As a consultant and being a people person I have had the chance to meet A LOT of people and they usually open up to me.

Those have been my findings and they seem to align with Glassdoor for the most part.

Do keep in mind though, the higher you get the more variance there is. I've seen operations directors barely clearing a 100,000 base and I've seen some directors on some specialized high leveraged teams making over 250,000 base. So it can VARY dramatically in the upper ranks.

In fact my senior director at my last position opened up said he was making north of 250,000 base, which isn't the norm in my area.

jcundiff

Great post DBH! those numbers look like about what I see as well

veritas_libertas

I'm just going to say it, we need less people coming to Security because they see job security, money, or think it's sexy.

gespenstern

The short answer is no.

gespenstern

jcundiff wrote: »

Apparently Equifax thought so as well, what with their music major CSO and failure to get anywhere near basic security hygiene/best practices... how did that work out for them?

Too early to tell, but let's count when things settle.

As an example, do you know how much did Target lose because of their breach? Compared to their revenues and net profits? Compared to how much they save by outsourcing majority of their 4K heads IT workforce to India?

In short, the cost of a security breach is surprisingly low and many businesses do the right thing from the business perspective by neglecting security as if they didn't they would lose more on implementing security controls and crippling themselves with them.

Panther

jcundiff wrote: »

Apparently Equifax thought so as well, what with their music major CSO and failure to get anywhere near basic security hygiene/best practices... how did that work out for them?

I think the breach is a good thing for IT Security!

I'm starting to read up on the Equifax breach. Plus, I just came across a very old email that I have an account with Equifax, I believe to look up my Fico score, before credit card companies provided that for free.

There was a patch and it wasn't put in until 2 months later?!

CSO = Never heard of that. Chief Security Officer. Music major. Wow!

I guess I could see that happening. I had a CIO who came from Finance.

Panther

gespenstern wrote: »

Too early to tell, but let's count when things settle.

As an example, do you know how much did Target lose because of their breach? Compared to their revenues and net profits? Compared to how much they save by outsourcing majority of their 4K heads IT workforce to India?

In short, the cost of a security breach is surprisingly low and many businesses do the right thing from the business perspective by neglecting security as if they didn't they would lose more on implementing security controls and crippling themselves with them.

I guess this is kind of where I'm getting. I think Security is important. Heck, even for my own home, I want to be proactive rather than reactive.

I'm interested in Sys Admin/Management/System Engineer. I think even if I don't specialize in Security, it's good to have excellent knowledge and experience with it, and proactive about it.

In desktop support, one of the things I had brought up was, we need to wipe hard drives before sending them off to e-recycle, response I got was why do we need to do that, from the lead in IT. Lead/manager/peers didn't seem to care, so I didn't push it. I didn't want to spend time doing something that wasn't seen as important. I learned later however that you can get a sign-off from the e-recycle company that they will wipe your hard drives.

Panther

I like this statement, "poor security hygiene".

I've observed it. Couldn't update Java clients on desktops cause it breaks another app. When are they going to up date that other app? Not anytime soon.

Source:
https://www.usatoday.com/story/money/2017/09/14/equifax-identity-theft-hackers-apache-struts/665100001/

The process of patching the flaw isn’t as simple as just downloading a new version of Java. It requires searching the company’s entire portfolio of applications to look for known and newly reported vulnerabilities, then updating to the latest version of those applications. It is then often necessary to rewrite the applications so they match the other software the company is using. Then everything must be retested and redeployed.
To some in the industry, it’s not that Equifax had bad security practices, but that such poor security hygiene is all too common.

"A majority of large companies have similar challenges, problems and weakness in their cybersecurity. Most companies still fail to maintain a proper application inventory and thus keep critical vulnerabilities unpatched for months,"

jibtech

The poor application inventory is what really irritates me. These are enterprise systems. There is no reason to not know what applications are sitting on Struts.

There is no reason not to be paying attention to the vulnerabilities that affect core systems.

And if you become aware of a vulnerability and you can't address, get the systems offline. Air gap them. Develop compensating controls. Monitor every single access. Do something until you can get the systems addressed.

This isn't advanced security. This is 101 level stupid.

jcundiff

gespenstern wrote: »

Too early to tell, but let's count when things settle.

As an example, do you know how much did Target lose because of their breach? Compared to their revenues and net profits? Compared to how much they save by outsourcing majority of their 4K heads IT workforce to India?

In short, the cost of a security breach is surprisingly low and many businesses do the right thing from the business perspective by neglecting security as if they didn't they would lose more on implementing security controls and crippling themselves with them.

hmmm, you watched their stock nosedive since the breach? from 142.75 right before the announcement on the 8th, down to below 90 a share (rebounded back to 96 by close today) but loosing about 35% market valuation is a pretty hard hit quick... Will it recover? most likely... I expect them to hire a new CSO, and most likely CFO by the time its over.

Cost of target breach is documented at close to 300 million, but they recovered. most large enterprises do... yahoo lost half a billion ( reduction in selling price)

DatabaseHead

I can't believe the CSO hasn't fallen on the sword yet......

This rolls up under her, she needs to be held accountable.

dmoore44

Panther wrote: »

Is IT Security or auditing where it's at in the (future) job market? Security seems popular.

Or, Cloud (AWS/Azure)?

It'll depend on the company, but my thought Security is not a need [from the company's perspective, again depends on the company], and when cuts comes they can be the first to go--and they'll just have the current people do more, like anything else.

I think it's important. It's good to have internal audit in IT, that audit's IT. You have audit in Finance.

It's just that of the places I've worked, not many, they didn't really have an auditor in IT. They may have self-check (practices), but over time that can go unchecked I think.

Depends on what you mean. If you mean 'are they here to stay', then I would say yes to security, and not so much to cloud.

Security will continue to be adopted by organizations for two big reasons: governments are going to continue to impose laws and regulations requiring it (NY DFS Cybersecurity Regulations, GDPR) and CEO's/corporate boards are going to continue implementing & tightening security programs in an effort to avoid breaches (they are monetarily costly) and impact to reputation. What will be interesting to see is if security winds up going the way of sys and net admins: outsourced.

Cloud, on the other hand, is like most other technologies: transient. In 10 years' time, there will be another technology that will come along and unseat cloud. Or organizations will re-evaluate the risk posed to them by cloud and decide to move away from cloud. We've seen this behavior play out, time and again; in fact, cloud reminds me of that ancient period when mainframes roamed the Earth - shared resources among multiple organizations, remote access by dumb terminals...

jibtech

At the fundamental level, cloud computing is just an extension of the mainframe/terminal model of old, combined with the universal connectivity of the Internet. I don't see that model going away any time in the near or long term future, especially with the growth of software defined networking.

That said, I really, really hope we come up with something else to call it. I am old school. On a network diagram, the cloud was the stuff you didn't want to explain. Not the most reassuring concept....

gespenstern

jcundiff wrote: »

hmmm, you watched their stock nosedive since the breach?

Same was with Target Corp. Now look up how quickly they recovered and how trend picture resembles a line you'd expect if there was no breach at all after roughly 9-10 months.

Yahoo was a failing company for long and had a history of breaches, not as clean an example.

jcundiff wrote: »

Cost of target breach is documented at close to 300 million

Yes, roughly. With net profits per year around 2-2.5bn. Also, about their workforce and how much they save per year from outsourcing to India? It's kinda important because ppl who were supposed to watch security alerts were in India.

IMO, both the public and the security community overestimate the cost of a breach.

Who suffer heavily from malware though are companies like Merck, but not because they lost confidential data, it's because they lost availability and this impacted heavily their manufacturing and logistics.

Equifax will live fine like nothing happened in just several months. And the public and the media move on to the next hype.