Careers and money in InfoSec
News, thoughts, and puns about bug bounty's future, starting out in cybersecurity, women in infosec, compensation in high tech, NFTs, supply-chain attacks, Tiktok, and the Kardashians!
🧮Check out my review of Airtable. Many table puns for your enjoyment.
🐦Follow me on Twitter and LinkedIn. I am close to figuring out how I want to shape my messages there. Good stuff ahead!
🔦This week's spotlight: blabbering bug bounty
Bug bounty programs are a practice by which ethical hackers can receive compensation for discovering security vulnerabilities on applications and websites based on the flaw's severity. In the 2010s, platforms such as HackerOne emerged to facilitate the disclosure process, leading to mainstream success. As a matter of fact, even the Pentagon recently joined the party with a $110,000 commitment! Experts believe the space will grow 20-times over in the next five years, becoming a $5 billion business.
However, Katie Moussouris, who pioneered Microsoft's program, predicts dimmer days. She blames fatigue for the collapse of the practice: security analysts wrestle with a torrent of false positives and struggle to ensure bugs are fixed. When you know that nearly 12,000 vulnerabilities were reported in 2022 alone, one has to wonder how humans can keep up. Moussouris coins the term "bug bounty Botox" to illustrate how companies use them as a "cool" security feature while ignoring the underlying need for asset management and internal team alignment.
Things are similarly grim from the point of view of researchers. While it certainly is sexy to showcase how 9 hackers earned over $1 million on the HackerOne platform in 2020, the fact remains that the overwhelming majority of the hundreds of thousands of active hackers spend countless hours for little to no reward. Organizations that lower severity ratings to cheap out on bounties have also been called out as a discouraging practice.
Moussouris, whose last name is way too unbelievably funny to be real ("Souris" is "Mouse" in French), believes solutions will emerge from building a better mousetrap: better developer training, mentorship for security analysts, and new incentives for researchers.
On my end, I envision bug bounties evolving from "part-timers with silly nicknames sharing tools on GitHub" to a full-fledged commercial endeavour. Agencies will recruit and train full-time hunters along with writers, negotiators and project managers. When such agencies start "owning" the supply of experts, I expect bug bounties to slowly grow back into the traditional pentests, albeit with a cool platform to back them up. When you receive a bug from "Henry of The Houston Hack House™"️, think of me!
🎓This week's second spotlight: Starting out in cybersecurity and Women in Cybersecurity
Want to get into infosec? Here is a nice piece on how to start in security, DIY-style. I have read lots of debates around the value of self-taught versus degrees. Both sides raise good points. I personally chose the degree route because university is quite affordable in Canada and internships in computer science are paid. Plus, I had two toddlers when I decided to get into IT, and without the structure of a degree, I never would have made it.
"Here's what happens if you look too much at your computer, dad."
Despite not directly using 90% of the curriculum in my day-to-day, I still believe academic training works as an "accelerator" thanks to the well-structured nature of programs and the development of foundational skills. On the other hand, any organization that requires diplomas nowadays is missing out on tons of top talent and they absolutely deserve their self-inflicted recruiting pains.
As a complement, CISO Helen Patton wrote a superb post on her own hiring strategy, which drifts from the traditional engineers and architects towards less technical roles such as "storytellers", "funding wizards" and "industry analysts". These roles support "organizational management and design" rather than standard security operations. I love this mindset because it shifts the "why" of security from not getting breached (which is not totally in our control) to building a security culture, which protects you even if you get breached because everybody is aligned on a mission and identity.
Pictured: A fun ding-wizard
Patton's new strategy can be linked to the conclusions of this recent article from Karin Ophir Zimet, the HR leader of security automation firm Torq, which credits the emergence of such "non-tech" roles with raising women's share of the cybersecurity workforce to 25%. Some people may take exception to that statement, saying it's not "real" progress until women are equally represented in all IT and Engineering. I believe they are committing a "no true Scotsman" fallacy. As Zimet wrote: "everyone has a piece of the digital pie"... as long as women are paid fairly vis-à-vis their male counterparts - more on that in the rant.
🥑Legal Jam
Changes to the regulatory landscape with regards to technology, privacy, security, and more.
☕Tim Hortons wants to settle a data breach with coffee and doughnuts
This is not an April Fools' joke in August! The Canadian restaurant chain that collected geolocation data from all its mobile app customers without their permission for a year negotiated a deal to settle multiple class action lawsuits by providing victims with a "free hot beverage and baked good". I guess we finally know how much our privacy is worth!
Pictured: a dozen privacy law violations
🍪Google Delays Third-Party Cookie Deprecation to 2024
From doughnuts to cookies! Third-party cookies have famously been used by ad platforms such as Facebook to track users across the sites they visit in order to target them better. The practice rightfully upsets people: receiving ads on Facebook while you browse your feed is something most people would accept, but it is, to me, ethically wrong to take something from users (their online behaviour) without directly providing them with a service in return.
European courts agree. To comply with both the GDPR and upcoming ePrivacy regulation, Google is working on a "privacy sandbox", which looks similar to what Apple offers in the iPhone, to support phasing out third-party cookies while not annihilating the ad industry.
Considering Meta will lose $10 billion in 2022 due to Apple requiring users to consent to be tracked, I hope the "ultra-personalized ads" of the early 21st century will fade into the "what the hell were we thinking" category. Do we really want the ability to target people based on their marriage and divorce status or racial proxies?
🌴Oasis Labs teams with Meta for AI fairness
Not all is bad with Meta! The company recently announced an interesting partnership with Oasis Labs to assess fairness in its AI algorithms. While Oasis Labs' Medium article name-drops "cryptography" as some type of magic word every two lines, I can read between the lines that the companies will use homomorphic encryption, which allows computing on data without decrypting it. Hopefully, the approach goes mainstream in a few years.
👜This bag is not a bag: NFT edition
There is interesting litigation over the IP value of NFTs going on, which could go to trial. Fashion company Hermès is suing an individual over NFT pictures of its handbags, claiming the NFTs violate copyright. The NFTer (I just coined that term!) sees his minted pictures similarly to Andy Warhol's Campbell's Soup paintings.
Pictured: a handbag that would be more useful in NFT form
💒Marriages in the Metaverse
Speaking of crypto, Singapore seems to be willing to recognize "metaverse" weddings as "real" weddings. I can't help but picture many trolls trying to marry their "waifu".
🎯Quick Hits
A series of relevant news items from the week, with my grain of salt.
⛓️NFT Domains Platform Unstoppable valued at $1B
As a naïve content creator, I thought it was a good idea to engage online with web3 and crypto circles. Within minutes, I got lambasted by anti-crypto people on my idea to use blockchain to improve DNS. When I saw this piece on a company raising $65 million to provide people with a domain name for their crypto wallets, I have to admit I wasn't very objective: shove it, you internet people!
This anecdote furthers my point that blockchain technology, which has real potential, must not be conflated with its minority of very vocal asshole apostles.
🦜JusT-Don't
The messaging app JusTalk, which claimed to use end-to-end encryption, just left a database full of unencrypted user data publicly accessible. Not only was the database easy to find on Shodan, the popular search engine for exposed servers, but it was also hosted on a Huawei server in China. If you work in IT, I urge you to scan your corporate mobile devices for the presence of JusTalk and have the app removed.
😘SBOM, SBOM, You're my SBOM
If your organization is not working right now on building a Software Bill of Materials (SBOM), the market will come back to get you in a world of hurt. Both Microsoft and Google (along with Citi, VMware, Datadog and Intel) have been working on generators to ensure organizations can produce a list of their software dependencies and assess risks. Mark my words: insurance companies will require these SBOMs of their clients, they will keep them synchronized in their own systems, and they will ask you to upgrade your libs. SBOOM!
📷Kardashians save Instagram from itself and more Tiktokery
Following last week's report of Meta ripping off Tiktok, notable influencers Kim Kardashian and Kylie Jenner weren't having any of that and strong-armed Meta back to the drawing board. I could make the same "Kardashians are better product managers than Meta's own, lulz" joke as everybody else, but seeing the matter from the Kardashians' perspective made me side with them even more. These individuals built their whole empires on these platforms, which can change on a whim without them being consulted. I think it shows how valuable a direct connection to consumers is and why the Kardashians should run their own platforms.
Meanwhile, Tiktok is ploughing on just fine: it plans to introduce mobile gaming and music streaming to its offer. This actually shows me that Meta probably needs the Kardashians more than the Kardashians need Meta. Tiktok being the new "cool kid" on the block, could you imagine if Kim and co became Tiktok exclusive? Maybe they could rename the app Kitkot to keep up with the "K" alliteration?
This week I learned Kardashians own Pomeranians. Couldn't resist putting such a puppy pic!
💸This week's rant: Let's figure this money thing out together
For me, the post-COVID correction of tech valuation and the so-called "crypto winter" are the biggest stories of 2022 so far. A number of layoffs have happened in the past few months with Canadian e-commerce behemoth Shopify being the latest to join, cutting 10% of its employees.
Where do these macro-economic events leave us as workers? What should we think about our compensation? I believe the fundamental difficulty of assessing compensation is due to information asymmetry. Individuals do not have access to their organization's payroll, budgets, and in many cases revenues. They will not have access to their peers' compensation as benchmarks either. If you are a woman, you do not know whether your organization has a gender wage gap (hint: in cybersecurity, probably).
Luckily, valuable information about the market is emerging online. For example, I came across levels.fyi, which provides crowd-sourced salary insights. Private companies such as salary.com do have better data, which they sell to employers, but we usually can get good aggregate information from them as well. In the same vein, compensation analysts Carta recently published their startup compensation report for 2022. The report does confirm intuitions about layoffs by showing a near-doubling of involuntary terminations in 2022. On the salary front, it seems that sales, data, customer success and engineering remain relatively untouched, while typical "cost centers" such as marketing, HR, finance and support have suffered massive compensation hits.
While recent estimates by Cyberseek suggest there are still way more job openings in security than actual people to do the work, tough economics nevertheless means employers will have hard decisions to make. After all, security does remain a "cost center" as well and competes with engineering, sales and data for the same shrinking pie.
I AM NOT SHRINKING, I HAVE INFINITE DECIMALS!
What should we do about compensation in such a fickle market? One interesting avenue I found in my research is to build a "brag doc" through the year to document your wins. "DUH", I hear you say! I think the blog post I've linked shows new insights by emphasizing not only business and technical outcomes but also relationships and collaboration which are often less visible. It also suggests that the brag doc may not only be used by you in your discussions with your manager but by your manager as well when debating their fellow managers on who gets a salary bump.
At the end of the day, recessions suck. We should all acquire the necessary information to act proactively about compensation, whatever our position in tech or infosec is. Your brag doc could be an important differentiator. Brag it! (Not to be confused with the French word "braguette".)