There’s not enough smart people in information security, says DHS

Hearing this drives me nuts. I agree that there aren't enough smart people working in INFOSEC, but the hiring managers write the position requirements so onerously that it's incredibly hard for smart people to get those jobs. And if we're going to discuss government billets, then you have to deal with the government hiring process, which is a complete turn-off for a lot of people (smart ones included).

Source: Infosecurity - Black Hat 2012: There
Graduated Carnegie Mellon University MSIT: Information Security & Assurance Currently Reading Books on TensorFlow

Comments

  • NetworkVeteran Member Posts: 2,338
    dmoore44 wrote: »
    the hiring managers write the position requirements so onerously that it's incredibly hard for smart people to get those jobs.
    For those of us not acquainted with government security jobs, can you give some examples? I was curious. The DHS only lists five positions under the INFOSEC category.

    The top-paying one ($137k) listed only these requirements--
    knowledge of AIX Systems Administration activities (i.e., installing,
    upgrading, configuring services, daily administration, etc.); and

    knowledge of project management activities to include tracking and
    reporting;

    ability to manage storage devices and install/configure application software
    and hardware.

    Their truly security-heavy jobs look unattractive.

    The one I spotted required a masters degree, years of experience, and a top secret clearance but only pays $51,630.00 to $97,333.00. Are they kidding?
  • WafflesAndRootbeer Member Posts: 555
    INFOSEC hiring managers at DHS and other agencies want to hire the guys who work in the private sector for corporations making six/seven figure salaries. I know a lot of those guys by face and one of them happens to be a neighbor. They don't really look at new talent, and the development programs they support with their name do not have access to the equipment and knowledge required to create suitable talent. Real INFOSEC work requires knowledge of three areas. First and foremost, computer science. Commonly used programs are compromised all the time by rogue patching or system file replacement with compromised system files that allow access to secure systems. You need people who can identify and pick apart code to see what is what. Second, network security and infrastructure. It's a proven fact that most government and corporate network infrastructure is not properly secured or even mapped out appropriately. How many times have we seen pictures of NOCs and network rooms where there's a huge number of routers and switches and other devices that nobody knows much about? How many times have we heard stories about spending a month trying to figure out what that thing with the blinking lights does and how to access it over the network when there's no IP address sticker on it? Third, particular software applications and associated security protocols. It's no secret that Windows has had vulnerabilities for years. Patching those vulnerabilities is usually not carried out in the private sector, and on the government side it can be willy-nilly or "Don't touch it unless it's glowing red and smoking!" because many IT managers do not have a proactive attitude or position. Add to that the lack of proper electronic security credentials used in a lot of areas and you have a recipe for easy break-ins.
  • paul78 Member Posts: 3,016
    I think you nailed it. DHS can't compete with private sector salaries.
  • xbuzz Member Posts: 122
    Correct me if I'm wrong, but from what I've seen, it seems that entry-level jobs in security tend to be non-existent. The only entry-level positions already require a good bit of experience in other areas, so those "smart" enough tend to stay in their current specialisations, and a lot tend not to want to go back to an "entry" level infosec position.

    It's odd that a lot of companies blame the talent pool; demand dictates everything. Offer better salaries/benefits, and the "smart" people will come. The industry needs to invest in the future of infosec by creating a lot more truly entry-level roles for graduates and others that do not require years of experience.
  • dmoore44 Member Posts: 646
    I would advise against using DHS as a benchmark for requirements... their reputation is less than sterling. Also, most of DHS's processes are so heavily automated, it doesn't take a whole lot of intelligence to do what they want (there are, of course, exceptions - like US-CERT). If you can run Wireshark, Retina, Nessus, or any of the other commonly used scanning/reporting tools - then DHS is just fine.

    If you want to truly be on the vanguard of government INFOSEC/CYBERSEC, you need to explore NSA, CIA, or military (civilian) positions. In my experience, they don't post a whole lot of information, so a prospective applicant is kind of left guessing... That being said, CIA provides a little bit of information for an applicant to compare their skill set to, but it's written to the lowest common denominator (i.e. it looks like a private sector listing... but it's not really representative of what the actual job is going to entail).
  • NetworkVeteran Member Posts: 2,338
    paul78 wrote: »
    I think you nailed it. DHS can't compete with private sector salaries.

    For "Information Assurance Security Professionals" who do penetration testing, determine security policies, and whatnot, the CIA pays $51,630 - $115,742. The NSA's pay range for similar roles is $66,910 - $103,434. My employer pays much more for security guys.

    For "Network Engineers" who understand WANs and LANs and have Cisco certifications, the CIA pays $86,927 - $133,543. Again, my employer pays more.

    I have a hunch where those smart people go. :p
  • YuckTheFankees Member Posts: 1,281
    I agree with NetworkVeteran
  • demonfurbie Member Posts: 1,819
    I know who is gonna get hacked next... they basically called sec pros idiots.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
  • dmoore44 Member Posts: 646
    NetworkVeteran wrote: »
    Again, my employer pays more.

    I have a hunch where those smart people go. :p

    Pay is definitely part of the problem... the other issue that I have is this: government personnel are increasingly looked upon as project managers who oversee contract personnel. So, you could go to work for the government, but you're really just going to end up pushing a whole lot of paper and never really getting your hands dirty. So, when pay and poor working conditions are the reality - what's the point?

    I'd much rather get paid more and have more fun with my job...
  • YuckTheFankees Member Posts: 1,281
    Another great point. I was going down the "cyber" security route, but I quickly changed my mind to become a networking expert. All of the things mentioned above are the reasons I'm sticking with networking... for now.
  • paul78 Member Posts: 3,016
    dmoore44 wrote: »
    government personnel are increasingly looked upon as project managers who oversee contract personnel.
    It's interesting that you mentioned it. I contracted for a federal agency about 12 years ago and had a similar reaction, but I thought that it was unique to that particular agency.

    I am curious, though, about the relative salaries of infosec management in federal/state government versus the private sector. I happened to look around a few weeks ago and only found one example (a CISO open position in a MA agency); it seemed like infosec managers in government are paid a pittance.
  • JDMurray Admin Posts: 13,093
    The NSA was at DefCon/BlackHat looking for a few good hackers: www.nsa.gov/careers/dc20/
  • laughing_man Member Posts: 84
    My brother is outprocessing from the Army right now, and he has been doing InfoSec (or, as they call it, Information Assurance) for the last 12 years or so. Anyway, he echoed the same thing regarding Gov. jobs being glorified and underpaid PM positions, so basically he and his compatriots essentially write off government work before they even get out of the military. It doesn't help that private companies solicit all these guys with much bigger salaries than what is being discussed here. If the Feds are going to take security seriously, make it more attractive and lucrative. I believe we will eventually see this, but not before there is a serious breach or incident on a national level.
  • tpatt100 Member Posts: 2,991
    I keep reading articles saying overall the private sector also has a hard time filling positions. Security is not entry level and many companies seem to make security positions a "must have" but don't invest much into it.
  • rwmidl Member Posts: 807
    Having been in the contracting world for a few years, I can echo the sentiments that Gov (Fed) employees are glorified PMs. Most of the "heavy" work is done by contractors (in quite a few cases; there are exceptions). It can be very difficult to create a new Fed position (almost an act of Congress), as the trend over the past few years has been to reduce the numbers on the Federal payroll and have contractors do most of the work (in most cases it costs the taxpayers more money to have contractors do the work, but that is a separate discussion). For those Federal positions that do open up, priority is given to (in no particular order) Vets, disabled Vets, minorities, and former Federal employees. If you don't fall into one of those categories, it is very difficult to get a Federal position!

    To add to what tpatt100 said above: infosec is not an entry-level position. It takes years of work to gain the experience.
    CISSP | CISM | ACSS | ACIS | MCSA:2008 | MCITP:SA | MCSE:Security | MCSA:Security | Security + | MCTS
  • dmoore44 Member Posts: 646
    laughing_man wrote: »
    ...make it more attractive and lucrative.

    There's only so much the government can/is willing to pay. Since gov positions are paid for by tax dollars, how much are you (the taxpayer) willing to pay someone? Are you OK with paying government workers salaries that are commensurate with the private sector?
  • the_Grinch Member Posts: 4,165
    Very rare to see an entry-level posting with DHS. To date I have seen one, and it was a policy-related position. Most want the years of experience, a Masters, or both. While I understand that to a point, it isn't a lack of smart people that is the issue. When I see articles like this I always shake my head. It seems to me that these things are done purposely to create contract positions. I know many people who would take a pay cut for a government position, but either don't qualify to apply or get disqualified along the way. That being said, NSA is the way to go if you are looking for an entry-level position with little experience. Pay will be a bit lower, but if you can get through the clearance process (it is a bear, so be ready for it) you'll gain a ton of experience. They also have some very nice incentives for employees.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • tpatt100 Member Posts: 2,991
    When I was working as a government contractor for over a decade, most of the time there were government employees that either used to do IT work or are supposed to, but are, as said above, in a PM position.

    Several times I felt like these people were put into these positions because the spot was open, but they lacked the skills.

    At my last contract I would call people in positions that were security related, but they would always refer me to the same person, who was the "real" IT person. Most of them were just empty suits listening in on conference calls.

    Most had big-sounding names in the military and got GS positions but really lacked the skills required, and contractors became the workhorse. I think the government could hire qualified IT people for infosec, but that might mean pushing out some dead weight.
  • rwmidl Member Posts: 807
    Agree with the_Grinch. There are quite a few people who would take a pay cut or be happy with the pay rate to work for the Government (I've been trying for a while to get a GS position).
  • dmoore44 Member Posts: 646
    rwmidl wrote: »
    (I've been trying for a while to get a GS position).

    Speaking from experience... prepare to be massively disappointed. A job may have a really technical-sounding description, but in the end you'll wind up managing lots of contract workers... Also, be prepared for the ultimate job description caveat, "...and other duties as assigned" - for example: prepare to supervise a server install on Monday, then start writing statements of work for more contract workers on Tuesday, and then move some other person's cubicle on Wednesday.
  • paul78 Member Posts: 3,016
    I was re-reading the article and thread, and I couldn't help wondering if it's really smarter users and IT engineers that we need. The number of times that I come across insanely ridiculous gaps in security that could have been prevented if the software developer, network admin, sysadmin, or any IT consumer had simply followed common sense.
  • JDMurray Admin Posts: 13,093
    The problem is that common sense varies too much among people, so you should never rely on it happening. If it does happen, it's a bonus. Best to have explicit policies, procedures, best practices in the planning, design, and implementation phases, and an auditing process to make sure they are carried out correctly in each phase.
  • paul78 Member Posts: 3,016
    Very true words. It's probably just my frustration. Even with all the items that you mentioned and the ridiculous amount of money we spend on training, I continue to see boneheaded stuff.

    My new interest is "soft security" and how to go about building a culture of security. It may be a better investment in the long run.
  • xbuzz Member Posts: 122
    The bad thing about common sense is that it isn't that common.
  • JDMurray Admin Posts: 13,093
    You might try looking into improving the SQA process first. If SQA is turning up security issues in a product or service, it will be up to management to decide to fix them or not. Make it a business decision to--or not to--implement security into what the business produces. Finding and documenting vulnerabilities using the SQA process is where to start.
  • paul78 Member Posts: 3,016
    Wow JD - I actually had to check to see if you were looking over my shoulder. Your comment was extremely perceptive.

    Yes, the SQA process is what I am targeting. Luckily for me, I am the management decision maker, so it makes it a bit easier since I control the funding. A big source of my frustration is that as the external team that is augmenting the SQA teams delivers their monthly reports, it just exposes all the standards violations. The good news is we can find the problems before they go into production, so from a preventative perspective, it's great.

    The bad news is how to steer the organization into a stronger security culture without overburdening the business.
  • the_Grinch Member Posts: 4,165
    I've always found that the rush to get a project completed is one of the largest causes of security issues. Be it the vendor rushing out the product or those implementing it and doing whatever it takes to make it work. I've been involved in projects where best practice was followed to the letter, and after being on with support for six hours they said "we're at a loss." At that point, you do what you have to do to get it up and running. Sad, but what choice do you have?

    The more complex systems and networks get, the more attack vectors there are. I had a professor once tell us the following tale:

    They were doing a risk assessment and wanted a map of the network. The network team sends them what they had, and things just weren't adding up. So they take a few days and start to interview various people from various departments. On a whiteboard they have them point out the systems they use and fill in anything missing. Now, prior to their arrival, during the initial start-up meeting, the company maintained that they had no dial-up based connections coming in. On the last day of the "mapping," one member from accounting comes in and says "yup, everything I use is there." They ask him to review the board one more time, and as he looks he says "oh, where is the dial-up connection I use to access the accounting server?" Seems for years he had been using that connection to do work from home. What they ultimately found was there had been an issue and one of the admins had set it up as a workaround until a fix was found. That admin left and no one knew about it besides the worker who was using it... add to it that it never seemed not to work and you have this situation.
  • spicy ahi Member Posts: 413
    dmoore44 wrote: »
    Pay is definitely part of the problem... the other issue that I have is this: government personnel are increasingly looked upon as project managers who oversee contract personnel. So, you could go to work for the government, but you're really just going to end up pushing a whole lot of paper and never really getting your hands dirty. So, when pay and poor working conditions are the reality - what's the point?

    I'd much rather get paid more and have more fun with my job...

    +1 to this. I started out as an HBSS/Retina scan-and-patch type and started moving into doing some needed vulnerability assessments for my network. Then they found out I was a network guy and started pushing network stuff to me. With the increased workload, I started to organize some of my effort into manageable and measurable projects. They found THAT out and then started farming out other various projects. So now I'm a contractor managing projects worked by other contractors, while working network projects that always take precedence over my original duties. Then someone (who was our IAO) had the great idea to pass along the function to "the security guy," so now I have all the wonderful paperwork BS that goes along with it. I barely have enough time now to run a monthly scan, and you can forget about patching. I've totally given up on trying to shore up network security. I'm now neck deep in everything BUT my original job, which was to secure the network!
    dmoore44 wrote: »
    Speaking from experience... prepare to be massively disappointed. A job may have a really technical sounding description, but in the end you'll wind up managing lots of contract workers... Also, be prepared for the ultimate job description caveat "...and other duties as assigned" - for example: prepare to supervise a server install on Monday, then start writing statements of work for more contract workers on Tuesday, and then move some other person's cubicle on Wednesday.

    +1 million to this. "...and other duties as assigned" creeps up on you, and before you know it (see above). Worse, I can't even say I'm a govvie!
    Spicy :cool: Mentor the future! Be a CyberPatriot!
  • JDMurray Admin Posts: 13,093
    paul78 wrote: »
    The good news is we can find the problems before they go into production so from a preventative perspective, it's great.
    The bad part of that plan is that the later in the development cycle you find something, the more costly it is to fix. The problems you find in SQA will be used to introduce corrections at the start of the next planning and design iteration. That's really the best you can do for a mature product in ongoing development.

    Do you know about the (ISC)2 CSSLP certification? ;)
  • NightShade03 Member Posts: 1,383
    A Gov job is something I've been toying with the idea of for a few years now. The private sector does pay better, but I'm finding the hours longer and the politics just as bad. If that is the case, I'd rather take less money, work a 9-5, and have more vacation days than I would know what to do with.

    For those that have knowledge/experience... do you find that places like NSA/CIA are better than maybe the DHS because the job is more "focused"? Most of the postings I have seen don't include the line "other assigned duties".

    Just curious...