by bpodgursky 1856 days ago
Meta on the comments: While it's true that the salaries are unreasonably low, it doesn't mean that there are 500k Americans capable of doing cybersecurity work just waiting for the right paycheck.

There can be _both_ a worker shortage and unreasonable salary expectations. A labor market will always have slack on both sides, but even at the extreme, there could be 10 cybersecurity experts, and you'd have people saying "Oh, you can find workers, you just have to be willing to pay $100mm/yr."

I wonder if it is like the rural doctor/nurse/cop shortages though. Those places don't want to pay, so don't care if the jobs are actually filled.

How many of the 465,000 jobs do companies actually care get filled? Or do they just have them open just in case someone cheap walks through the door?

The rural doctor shortage is probably a really good parallel, because as a society we in the abstract agree that it's Very Bad to let people die without reasonable access to healthcare, but poor rural communities simply can't support paying doctors or even nurses to be available.

There's still a ton of society loss / deadweight because of the consequences of not having those services; the question is, how can we restructure the supply side of the argument to make it possible? For doctors+nurses, it's via government subsidies (income-based repayment, federal grants).

I.e., the cost of security breaches isn't to the companies being breached -- it's to the consumers who lose their PII/PHI to hackers. Or who lose access to a service they love using, because they can't keep running without a security expert.

The rural doctor shortage is caused by the American Medical Association cartel deliberately restricting the supply of doctors to keep prices high. When there isn't even enough supply to meet the needs of desirable urban areas, what chances does the middle of nowhere in the Midwest or Alaska have?

I once dated an Indian-born MD who immigrated to the US. A Senator from Missouri went to bat personally (not one of his staff) to get her a green card under the proviso she would settle in rural Missouri, because he understood that's what it takes (she moved to Maryland after a few years).

Rural areas are understaffed in every skilled field, whether it be nursing, EMTs, firefighters, cops, engineers, etc. It is because the people there don't want to pay any taxes so they would rather do without.

> There can be _both_ a worker shortage and unreasonable salary expectations.

This is true, but unreasonable salary expectations exacerbate a worker shortage.

I can either try to find security work with reasonable expectations and salary, or I can take the skills I learned in security to learn IaaC, CI/CD, and Docker (which takes maybe a couple months?) and go do DevOps to make a lot more money. Sure I'm not passionate about DevOps, nor do I feel I'll be making more of a societal impact in DevOps. But I'll be materially better off and won't have to sift through hundreds of job postings to find a posting with reasonable expectations.

The end result? Another qualified, passionate person outside of the job pool.

Then they need to get off the Internet if they truly can't secure their systems.

Or, goodness, so many people became unemployed during the pandemic, they could train them for the job they "need".

We don't put this financial burden-of-self-defense on any other industry though. Why is cybersecurity different than physical retailers?

Walgreens isn't responsible for providing their own police force. Sure, they put locks on the doors, but the burden of protecting businesses is on the police, which they (and we) pay for via taxes.

You could say "Oh, a business which can't defend itself against looting doesn't deserve to be in business", and maybe you end up with like 5 mega-Walmarts who can afford heavily armed guards, but this isn't actually a better society in the end than one with robust small businesses.

It's the same with cybersecurity -- you can take everyone except Google, Amazon, and Facebook off the internet, because only those three can hire top-of-the-line security professionals, but that's not actually a better internet than the one we have now.

In San Francisco, Walgreens is responsible for providing their own security force, so they decided to stop operating there.

Companies that can't secure their operations can hire others, like Shopify, PayPal, etc. to conduct online operations for them. We've all heard the many stories of professionals making security recommendations and being overruled. If you don't want to invest in security, then don't have valuable data in computers connected to the Internet. Experian exposed our data and faced basically zero consequences, so I don't have any sympathy.

Are you seriously arguing that Walgreens leaving SF over rampant shoplifting is a natural, healthy outcome?

Literally every sane person agrees this is a symbol of utter dysfunction that should never happen in a functioning city.

San Francisco neighborhoods did not want mall-like corporate chains at all, a few decades ago. The companies paid for the privilege and prevailed over time. Meanwhile economics changed and left a lot of people out of the benefits, wages for working people stayed even, and the pain-killer drugs and organized crime grew strong. Toxic cocktail to be sure, but SF has always been a cocktail town, from the early days. In some ways The City has reaped what it sowed, socially.

Oh, no, it's terrible.

But government can't secure the Internet like they could physical space, so operating on the Internet is like operating in SF.

Cybersecurity drastically varies depending on the actions of a business in a way which physical security doesn't, short of the business failing to lock its doors at night. And if the business does fail to lock its doors, the business is directly hurt, giving businesses incentives to treat security properly, while security breaches often hurt the customers, but not the company.

Also, you don't generally see the police demanding that retailers have windows that are easy to break because the police might want to rob them themselves someday, but the equivalent is routine with the government and cybersecurity.

Walgreens - great example! That's a pharmacy. Pharmacies have to follow strict safety regulations and are constantly worried about both those and the threat of lawsuits for endangering customers. And there are also both internal and external threats to the business (drugs are a valuable, easily portable asset).

Oversimplifying a lot, Walgreens has these well-paid, trained workers they call "pharmacists" to deal with it.

You are trying to whatabout this, ignoring the actual point. Let's not do that.

The Pharmacists make only effort to prevent someone from breaking into the Pharmacy with a crowbar and stealing all the drugs + prescriptions. In fact, I would be shocked if Walgreens even _allowed_ staff to physically detain shoplifters -- that's a huge legal liability.

Defending those goods is the job of the police.

You pretty much have no clue what you're talking about when it comes to the duty of the police. The police have no charge to protect you or your business, at all, whatsoever. This has been decided in the high courts in the US. Pretty much everything you stated is completely incorrect.

Well, that's one of the drivers for companies migrating their apps to the cloud.