As someone who works specifically in this subgenre of computer security (IR) I can say a few things that might add to the conversation in a meaningful way.

1.) There is a cottage industry in this space that sells kits for these ransomware compromises. Everything provided is off the shelf, and this is why you're seeing such an emergence in this space. It's not that the barrier to exit from a ransomware attack decreased in cost (cryptocurrency). The barrier to entry lowered: any jerk can pay a small amount of funds to buy a software kit and instructions on how to do it. Furthermore, this is also why you're seeing so many public defacements go politically neutral (ironic given the times). It's simply relatively lucrative, with a low amount of risk, and only requires the technical aptitude of someone capable of using BitTorrent/Tor/Warez.

2.) Hiring / managing security teams - unless you're in technology or selling security as a part of a product, you can't afford a quality team/tools. Most businesses are trying to optimize their cost centers to maximize their profits. As such, most of the time that means it's a race to the bottom to get them to be "insurable". Salary + software is expensive. A 500k minimum investment for a meat processing company or whatever is not the easiest pill to swallow.

3.) Companies that pay this are not good judges of security talent. They don't know if the Herjavec Group really is an effective detection company. They judge almost entirely on feeling. Same with that one fast-talking, hoodie-wearing, self-proclaimed hacker talking out of their ass. Not understanding what you're hiring for also creates friction, since any deviation from the fantasy security hire they imagined will be met with extreme resistance. "I thought they were going to shore up our servers, why do we have to log in on our email every 8 hours now?"
Oftentimes when an executive leader does not understand why security trade-offs are made, they just make the decision themselves (pro tip: they'll accept the risk) and you've failed regardless as an employer and employee.

4.) The industry does very little in a practical sense in preparing people for these job functions (with a few exceptions). Security engineers often have technical skills in spades. However, if they don't understand anything outside of security they are going to fail. Civil communication/debate, the ability to navigate political issues, understanding the business, etc. are actually super important. The biggest tragedy was that someone internally probably saw this coming but couldn't actually get the messaging across.

When you combine all of these elements you have a confluence of shit. It's once again getting less expensive to perform a wide attack with little know-how, intersecting an industry that has yet to course correct.