Inside insights on the state of cybersecurity that you won't find in textbooks
How do cybersecurity professionals see the current state of security when they are discussing with their peers?
Last weekend I attended my fourth Hackfest. This is Canada's biggest offensive security event, with over 1,300 attendees. I joined developer colleagues for the Capture the Flag contest and we landed in the top 20 out of 50+ teams, which was cool. Our offensive security team won the whole thing by a decent margin, congrats to them!
Gathering like this matters so much in this line of work. I wrote about why cybersecurity has one of the highest rates of burnout: the conflicts with business imperatives, being overwhelmed by cyber-attacks, the lack of recognition, etc. My solution was to lean on the community to share over common roadblocks. This is why such events exist.
I spoke at length with fellow information security professionals, recruiters and vendors. The Hackfest has this chance of being a community-driven, small-ish event, so you get more passionate people and less "business development" types. Here's a cheat code for your security career: the best knowledge you'll get is conversations with seasoned pros about the problems they encounter in real life.
So this week, I will tell you these stories. What are some preoccupations on the field? How can real-world insights help you become a better professional? What does it tell about your career? About your organizations?
Career advice: look beyond the flashy stuff
Unpopular opinion: penetration testing is overrated. I understand. It's cool to break things. But here's the issue: the market needs fixers and builders. Here are some roles companies were seeking:
- Consultants to implement endpoint detection response (EDR) software;
- SOC analysts for managed security services providers (MSSP);
- Software developers with an interest in security;
- SecOps specialists (vulnerability and patch management);
Here's another phenomenon: government jobs in Canada are underrated. I was impressed by the breadth of challenges coming from the protectors of our critical infrastructures. Governments also carry a strong appeal to our sense of duty: protecting fellow citizens and public services feels like a worthwhile purpose.
Yes, the lacklustre pay and general sclerosis will drive you away after two years. But those two years could provide valuable teachings.
The economic slowdown is real. Attendance was a bit less than in 2019 (pre-Covid), especially among US-based individuals. The booths felt more minimalistic. I was aghast seeing some of the "usual suspects" being absent: banks, telecoms, and large accounting firms. On the flip side, nobody reported layoffs happening in security teams.
Want a clue about the security budget's increased tightness? Vendors had their "battle cards" ready to address the necessary "Microsoft 365 Advanced security" comparison. If there's one thing I learned in the previous years: during hard times, investments will consolidate over Microsoft.
The cloud unknown
Despite everything you read online, I evaluate the overall cloud adoption as still somewhat low. One quote I heard summarized it all for me: "I don't know any business whose most critical apps run in the public cloud."
I still heard tales of "moving to the cloud" like I was hearing back in 2015. I saw a presentation that brought up the "someone else's computer" argument too. I debunk that myth in "10 harsh truths about cloud security", by the way.
The CTF's "cloud heaviness" likely explains my colleagues' triumph as well, since they work full-time with AWS.
I find the overall cloud hesitation perplexing. On-prem workloads are a mess. The talk of the town was Windows Server 2012's end of life. 2012!
The lesson? Now is the time to build your cloud knowledge, if you've not already begun. You're not a laggard. The state of the cloud inspired me to commit further to my own AWS training!
The on-prem scares also reminded me about...
In security, when one compares one another, one consoles one another
Every security specialist I've met experienced bitterness over nagging problems in their organizations. "Why won't they ever fix this?" "Having three blogging platforms, so totally us, duh!" "We don't want to slow down developers!" (say that out loud in the silly parody voice of your choice)
So it's always a boon to meet organizations that are much worse than yours. Call it schadenfreude if you will. Yes, I am concerned about these organizations. Still. Having somebody tell me they've found 20,000 critical vulnerabilities when they ran a scan in a client's internal network soothed me nevertheless.
Sharing these "horror stories" helps me get things into perspective.
See, there's this weird masquerade from every business in the world. No one wants to share their weakness publicly for obvious reasons. But everyone wants to appear secure. For marketing motives, everyone is boasting about security. Worse, if a company acknowledged their shortcomings, they could be pointed out as negligent! I have audited over 300 software vendors. 100% of them presented their security as: "This is what we do, that's enough, we're good".
Only in these off-the-record conversations between members of the community can you get an accurate picture of what's really going on.
If everybody was as good as they say in their brochures, we wouldn't get breaches every day in the headlines.
Speaking of headlines...
AI's concerns have yet to materialize in organizations
It was refreshing not to hear about generative AI. But also, a bit weird. Why aren't cybersecurity professionals all over this?
I thought ChatGPT becoming the fastest-growing application in history would have sparked debate. I attended one conference about generative AI, whose contents were similar to what I had already researched back in March. Yes, ppfosec readers, I am providing you with cutting-edge knowledge!
Another example: my reflections from my article about LLM hacking appeared "avant-garde" in the current context. No one was talking about prompt hacking.
Okay, I'll stop patting myself on the back here.
I think the larger issue is that most organizations are still in the early experiments stage about all things generative AI. Sure, they wrote a "ChatGPT policy". But the real applications that will inject AI into business processes are still brewing.
This means that building your knowledge about AI will put you ahead of the curve and make you a much more attractive candidate down the line.
The even better news? Many of the best practices about LLM security are the same practices we've been looking at forever: access controls, logical separation, secure development, data lifecycle... Prompt engineering might be new (and totally off-putting) but the fundamentals can be adapted, provided you gain sufficient knowledge about AI.
Everybody enjoys a good conversation
Conferences are interesting but they are passive, one-way communication (speaker to audience). The most valuable insight might just be to look to your neighbour once the conference stops and ask their take on the whole thing.
Ever been to a security gathering? Tell me in the comments! Do like myself, hang out at the coffee machine, and chat! You'll be rewarded!
If you like my content, subscribe to the newsletter with the form below.
Cheers,
Pierre-Paul