Just commented this elsewhere but my takes on cybersecurity today: It's about to blow up in high demand with so many skiddies being able to hack anybody with an LLM. We are seeing an increase in websites, systems and companies being compromised at an alarming rate. I suspect one of these days we will see a headline of a compromise that will shock and horrify us all. Anyone sleeping on cyber security is a ticking timebomb.
Honestly, if you wanted to make a YC company today that targets AI in a meaningful way, I'd say make it focused on cyber security analysis. ;)
Companies don't fundamentally care about cybersecurity. Most of them see cybersecurity as being similar to waste management; it's not something you get excited about. Sure, your company _must_ have a waste management plan, but it only exists out of pure necessity. It's required to do the real work of the company, but if you had a magic wand and never had to deal with it, you'd choose that option. And, like waste management, plenty of companies outsource their cybersecurity, since it's cheaper and they don't really care about it.
With Claude writing so much of the software in big companies, Anthropic is well-positioned to eat up SAST, DAST and a lot of the supply chain analysis. EDR and proactive security are still going to be massive businesses, however.
"Show me the incentives, and I'll show you the outcomes." - Charlie Munger
Right now, if you have a security breach, at least in the US, you send out a letter telling the person that their data could be God-knows-where and offer them two free years of credit monitoring. Victims aren't going to really use that because it's essentially useless. If they've got absolutely, positively nothing better to do with their time, I guess you could file a lawsuit. Who knows what the outcome would be. Probably not in their favor.
In other words, it's cheaper for them to overwork the InfoSec guys/gals and barely care about what is happening outside of day-to-day operations, than it is to really secure their stuff. So they don't spend that money.
If you saw corporate valuation-cratering fines being implemented - the kind that would end the c-suite's careers and bring shame to their family lines for seven generations - I bet that they'd start catering lunches for the InfoSec team.
Yep. I had a chance to go for a cybersecurity degree. And every time I've looked at that, the career path is basically an applied insurance job.
Cybersecurity does not make money. They do not raise the profit for a company. Instead, they are compliance, contractual, and legal defences to repel lawsuits and keep data boundaries clean.
And who's the first to go? Groups that don't make money. Like cybersec.
The industry culture related to security work and career paths seems just f'd up.
Instead of ensuring we build systems with robust foundations, people end up in a swamp of frustrating roles like SOC staff chasing alarms about false positives all day, peddling ineffective add-on security products, management CISO roles where you're expected to take responsibility for existing insecure Microsoft etc. infrastructure without power to change things, working on demotivating compliance bureaucracy that doesn't actually improve security.
I'd argue work on meaningful security improvements is mostly available outside industry security roles.