by abixb 919 days ago
Seems like a rage-bait title, but I kind of agree with the general premise that cybersecurity teams shouldn't treat themselves as solving unique problems that other auxiliary teams (like SRE/platform engineering) haven't already come across and/or already solved.

I am of the opinion that this massive push by big organizations (coupled with mandates for C-suite roles like CISO) into building a dedicated army of staffers for "cybersecurity" feels like just another attempt to bloat up the size of an organization and create more 'bullshit' jobs, as David Graeber put it over half a decade ago.


Anyone in cybersecurity who isn't a fucking moron (of which I freely admit there are many), without a doubt knows the problems they solve are not unique. As someone who has done it for nearly 20 years, my colleagues and I absolutely despise having to repeat the same shit, over and over. I want nothing more than to not be necessary.

I liken my job to being a janitor, and people can't seem to stop from pissing, shitting and trashing everything. It's goddamn 2023 and we still can't get people to always validate input or ensure proper constraints are built in.

Computer Janitor is a more correct description than Security Engineer. Because at the end of the day we are cleaning up and tidying others' mess that they left. Whether it is random software dependencies, or glaring holes in firewall config, or missing OS patches/whatever.
Time after time the most basic things are forgotten. Like, should this user be able to do this action or read this data?

I don't expect magic, but at least cover the absolute basics. Then I might be able to figure out something more interesting or rare.

Or if I get a report that something has a CVE, just tell me if that is a problem for you or not.

The actual reason for mandating companies to spend on cyber is because they are cutting costs on SRE/Ops by outsourcing all KTLO work to India and other offshore countries. If you ever looked at an average S&P500 company's IT budget, there will be a nontrivial amount dedicated to WITCH (Wipro, Infosys, Tata, Cognizant, HCL and friends) for outsourced KTLO work.

This makes it impossible to do anything meaningful de novo on a high level, like create a good security architecture as a platform for all dev teams, or adopt a new security platform.

Outsourced companies do only piecework on a ticket-by-ticket basis and require very specific instructions upfront.

Mandating companies to keep in-house cyber staff makes it possible to grow talent in-house and do high-level designs of platforms to keep stuff secure.

Are there any provisions stopping them from outsourcing the cyber security team as well?

Mainly two:

1. Outsource companies are NOT known to be staffed with cyber pros, you won't be able to get a meaningful return on your money. Good security pros will NEVER work for a body shop like Infosys who only focus on minimizing staff costs.

2. Trust issues. Much easier to hire an in-house person whom you know and who shows up in the office (and you can sue him in a US court in case of malice), than some offshore Dunder Mifflin Corp which can disappear and show up under a different name.

Feels like your argument is that they _shouldn't_ outsource cybersecurity, especially if they care about the results.

That never stopped any of these companies from doing it IMHO.

There is a valid use case for outsourcing cybersecurity like MDR (managed detection and response) and managed IT.

But consider them like any retail fast-food place: you will get a standardized Big Mac, and no à la carte steak.

Legal enforcement of NDAs, non-competes, and being able to chase down some a-hole who steals your intellectual property and sue them. Don't share your secret sauce with people you don't trust, and even if you don't fully trust them, you can at least have legal recourse if they sell your access keys.

Compliance issues. Auditors love hearing that your security and auditing team is a revolving door of random Indian guys.

Quality, as you want your Sec Teams to really give a shit, push back on stuff, and not do the absolute minimum to close a ticket. You get what you pay for, and if you want to pay shit you'll get shit security.

Business integration, as ultimately it's about risk and talking to the business as to what they think is important. The distance between Mgmt and Security is often a lot smaller, and they'll have the "keys to the castle".

The interesting take to me is those could all apply to legal or accounting. These fields are also vital to a company above a certain size, yet partial or full outsourcing/contracting to an external cabinet is common.

At the end of the day it's a matter of trust ("you get what you pay for" feels weird to apply to Deloitte for instance. You absolutely get less than what you paid for and they get to pocket the most of it, you just don't care enough about the money to want to handle it yourself)

Except the fallacy with this premise is that the other teams _haven't_ solved the problems, which is why the cybersecurity teams are necessary in the first place. Cybersecurity doesn't solve any problems that are inherent to computing and are unavoidable, cybersecurity solves problems that are created by the mistakes of other teams. It's an unfortunate truth and it's difficult for many people to swallow, but I have found in my career, which is nearly 20 years at this point, that this is true in every case that I have personally experienced. That is to say, if developers created secure software by design, and if infrastructure teams/operations teams handled their assets and processes in a secure manner, then there would be no need for cybersecurity outside of a few specialized roles.
They aren’t bullshit jobs though in the way the author presents the problem.

Honestly, in cybersecurity the big hacks that usually go on are the fact that people can get crypto lockers or a whole host of problems that attack humans. The whole argument of the above shouldn't even be anything about software. The most effective thing to secure networks is to educate your whole staff on when not to click something suspicious, so instead of fighting physics we are fighting human psychology.

I could argue the second is the business group overriding security practices because they accept or don’t care about the risk. So then people who were never born when the service was active have to deal with getting a project in with the vendor that doesn’t give a shit about you.

Security usually isn't even a technical problem, it's human; we just like having cool stuff presented at a con because it's fun.