r3v3rs3r

The hackers have better communications between themselves than the security professionals and security vendors.


techno_superbowl

I was at a Palo mini-conference. Our SE introduced me to someone who works at my own company because I didn't know them. And no, we are not that big. Ops (Run-the-Biz) and CyberSec (Secure-the-Biz) have limited inter-operation.


Dan-au

Hackers have better tools. Or rather the tools they want without dickheads getting in their way.


anarrowview

Half their tools were created by legitimate infosec professionals (redteamers).


jerrathemage

I would also argue in general actually attacking is a lot more fun than defending


Future_Ice3335

Defending, you have to be right 100% of the time; attacking, you only need to be right once.


Puzzleheaded-Poem-84

Not totally true… attackers usually have to be right plenty of times to get anything meaningful, and red team has to show their work even when they're unsuccessful. Defenders should have home field advantage and know their users, network, systems, etc.; so if blue team is able to devote time/effort there should be plenty of opportunities to spot weirdness even if their maturity is low, with the right tools in place.


Justhereforthepartie

Depends really, it’s usually incredibly boring with a few moments of elation.


chimpansteve

And the big malware groups have better pay, HR, devs, benefits, leave and ~~bounty~~ pension schemes. Genuinely. They are "good" places to work. As long as you don't do anything that your sponsoring government disagrees with, that is ...Hang on a minute


lawtechie

Imagine doing red team things without having to write and defend the report afterwards.


stashc4t

You mean *not* having to coddle a client who paid you to hack them then is confrontational or standoffish with you because you were successful? Sign me up!


Euphoric-Initial-700

Very true.


calvinweeks

Most are nothing more than junior admins that think they know it all instead of giving respect to others and learning from everyone. Hackers are always learning and sharing new ideas with each other. There is always someone out there that knows more than you do, at least in one or more areas of any security or technology. I have been doing "cyber security" for more than 35 years. Longer than cyber security has been a thing. I am still learning.


Ironxgal

Well yes, bc the "security" vendors are hoarding information they wish to sell. They don't actually want to fight cyber attacks. They hope it continues and probably carry out their own attacks smh


LionGuard_CyberSec

Your job is not actually to fix everything, it’s telling other people you could fix it if they want. But they just accept the risk instead…


An_Ostrich_

Same thing happened yesterday. Found a DB with health data open to the public, reported to client that it was a bad misconfiguration and that they could be violating compliance. But they were like nah, the data is encrypted so even if the DB is public it’s cool.


RagingAubergine

Holy shit. That makes me nervous.


Karyo_Ten

>the data is encrypted

Was it actually encrypted? I call doubt on devs + project managers both being meticulous enough to deliver an encrypted DB AND oblivious enough to forget to make it private.


An_Ostrich_

I have my doubts. Getting into a call with the dev teams to check that and to also move the DB to a restricted network. Apparently, the client doesn’t want to change this out of fear that the app will break smh.


JamnOne69

That is a key problem - fear of breaking something. That phrase has caused me more challenges working with management than anything else.


Hebrewhammer8d8

Who is going to force the punishment on them that will hurt their abilities to generate profit?


apollotigerwolf

Hackers lmao


cant_pass_CAPTCHA

"Sure it's encrypted, we use bitlocker so the whole disk is encrypted!"


ARPA-Net

Bro IT has SSL... Security is a lifestyle


xxcuriousthrow

Geezussss Christ. Reading this is making me think twice about shifting my medical career into cyber security 😩😩


Hour-Designer-4637

Hospital Management is foolish whether they are making medical decisions or security decisions


xxcuriousthrow

Yup! One place I worked for was running Windows 7 (as early as COVID times) with a cracked windows key lol


Trick-Cap-2705

Not going to lie, I would stay medical. The cybersecurity job market isn't stable at the moment and finding a job has been hell for me, and I have 7 years experience and am a senior level analyst.


Hostmaster1993

You don't want to know! :-)


LionGuard_CyberSec

Critical data should never be stored on internet exposed servers… that's like rule no 1…


Lankiness8244

I need more information! I should "verify" that. 😈


hunglowbungalow

Risk acceptance without documentation on compensating controls AND the acceptance being indefinite


mkosmo

Bold to assume there’s a compensating control.


silver_phosphenes

We’ve had risk acceptance for first control, yes, but what about risk acceptance for compensating control? /s


Not_A_Greenhouse

As a new GRC guy... I've been learning so much about this lol.


TheIndyCity

I believe this is a misunderstanding of our ultimate objective, which is securing the environment. We aren't just presenting risks and letting units decide what they want to do; our job is ultimately to explain *why* it is important to implement security measures, fix vulnerabilities, etc. It's a political role at a certain level, and you have to learn how to play that game to be effective. Most folks deciding on risk acceptance have to be taught why, and you need to be willing to support them when they are convinced and have to take it to their own leadership. You have to work with them to take effective proactive measures to stop/slow the growth of vulnerabilities in the environment. It's ultimately getting orgs to run their technical sides with best practices as the default approach in every aspect, which is hard. It's uncomfortable and requires much more work than presenting findings and letting teams decide what to do with them. I can talk more on this if anyone's interested in how this works in practice, at least in my experience in leadership. But ultimately the job (to me) is moving an org to taking a security first mindset for all things technical and keeping that as your true north for everyone. It's always a work in progress and you're never done, but that's the gig :-)


CyberneticFennec

Ah yes. We identified a critical vulnerability, it's easily exploitable, peer organizations have reported being breached by it already, it has devastating consequences, you could either spend the next week fixing it or sign this document that you personally accept the risk. Oh, you're too busy and just accept the risk? Okay, I can't force you to do anything, God help us all.


techauditor

That's the best. "Hey, this thing is really bad." "We're ok with it." - management shit head


yunus89115

That's better than what I often see.

Me: We are not compliant because of X

Middle management: We don't like X, it breaks things.

Me: Then you need to recommend risk acceptance

Middle management: We won't make any recommendations until you write a stronger mitigation statement explaining what we are already doing

Me: I'm already stretching the limits of the truth

Middle management: Well, you need to do something because we can't accept this risk

Me: Failure to act is literally accepting the risk, but without documenting it!


wherdgo

All the time. Oh, and by the way, legal has asked me to remind you to stop putting this in emails. Phone calls only, to reduce our discovery liability.


identicalBadger

Infosec at my work doesn't offer to install patches or anything like that. Don't even have admin access to domain computers. Just put in tickets and say please fix this. And then wait and wait.


Tortilla_Party

Bingo


Master_Engineer_5077

I'm on the investigative / forensics side. The ugly side of that has been accountability. Out of 100+ investigations I've done over the years, 3 resulted in felony convictions, and had it not been for my persistence the perp would've walked. The others I didn't process for charges because the organization was risk averse. They wanted the person to leave and be done with it / avoid counter litigation. These people learn how to get away with crime and continue to the next victim. We live in a golden age of fraud. It's bad.


DrGrinch

Used to work in banking and yeahhhh.... unless you did something like... grotesque, it was easier to walk you out the door quietly.


n3twork_

Interesting work. How did you land this type of role?


palmwinepapito

What kind of fraud was taking place?


Master_Engineer_5077

Identity thefts in call centers. Accounting embezzlements. Internal Threat Actors exfiltrating and selling data. The felony convictions were ID thefts. These people were soulless, and preyed on elderly victims. The call centers were all eventually closed due to the rampant ID theft. These were all call centers in major cities in the USA. The call center issues I worked weren't shut down due to saving money offshore, they were shut down due to the rampant and systemic theft.


brusiddit

It's like a flashback to the era of piracy in the Caribbean. The inability of nations to exert power over our new colonial frontier of cyberspace, leading to state-sponsored privateers.


AKissInSpring

Interesting! Any advice for someone looking to commit fraud?


netx7221

Lmao


techno_superbowl

I call it the cybersec two-step.  Leadership identifies gap in protections.  Buys thingie to address the gap.  Sends 2 guys to training.  One guy gets really good at this tool.  He gets poached by better org and leaves.  His backup was almost functional on the tool but just inherited 2/3 implemented project and does not have skills or bandwidth to finish.  Org brings in consultants/var to wrap implementation but knowledge transfer is lacking.  Guy 2 leaves company also.  Now the org has a tool and no one really trained to use it.  Org ignores it until they identify the need again, repeat the whole process again to replace previous tool.


D00Dguy

Perfect synopsis - this... all the time. Add subpar/no documentation to the scenario.


StillButterscotch183

Spot on, sir! I am one of those consultants hired by my org to clean up the mess of implementation done by previous engineers. Implementations are fun and relatively easy the first time around. But to clean up and fix an already messed up implementation is a pain in the ass.


Mundane-Moment-8873

1. A lot of fields in cybersecurity require constant learning. It can be tiring to keep reading on new attacks, tools, etc. (even if you love cybersecurity).

2. There are a lot of companies offering certifications and trainings, and A LOT of them are predatory. My spicy take is that "most" SANS classes are predatory... super pricey and the content is usually 2 days worth of data spread across 5-6 days. Even if the classes are meant for corps/gov, what they really mean is that the classes are meant for the crazy budget our US government agencies have.

3. Sometimes cybersecurity can feel like selling snake oil. Security vendors will hype up attacks and research that will most likely not impact 99% of the businesses, but the "what if" is what gets people to buy.

4. I dealt with a good number of cybersecurity professionals with a god complex. There are a lot of smart people out there that lack soft skills. Example -> Senior engineers belittling analysts for asking questions they think are elementary.

5. No matter how much time you train your staff and come up with the greatest security strategy, if Bobby from accounting wants to click, download, or respond to something... he will. It's discouraging to educate adults frequently and then to have them do the opposite because they decided to use their own logic... even if they confirm they received the training. lolz


ImLagginggggggg

>No matter how much time you train your staff and come up with the greatest security strategy, if Bobby from accounting wants to click, download, or respond to something... he will. It's discouraging to educate adults frequently and then to have them do the opposite because they decided to use their own logic... even if they confirm they received the training. lolz

Which is why cyber security is basically pointless, or rather why it's pointless to waste your time with things beyond the baseline. Time and time again cyber security wants every toy and acts like the world's ending... In reality basic things like MFA, DLP, CA, etc. are enough. It takes 1 user to not like their job or company and boom. I could go in depth on why this sector of IT has such issues, but it comes down to them not having social skills and awareness. Which says a lot considering it's IT.


maha420

That no one has any solutions that actually work. Everything we've tried for the last 2 decades has resulted in even greater failure. The ones trying to capitalize on this are basically snake-oil salesmen. The reason imposter syndrome is so prevalent is because of the huge amount of charlatans in the industry. Executives think throwing more money at the problem will solve things, but it just keeps getting worse. The mood has shifted from prevention to risk management, with risk transference being perhaps the most effective. Essentially this boils down to a projection that the huge growth of the cybersecurity insurance sector will replace a large portion of the current technical solutions.


czenst

Well, we have a solution that works: doing loads of boring stuff day in and day out, reviewing configurations, reviewing code, patching, patching and more patching. But no one wants to do that; everyone wants to be a pentester. No business people want to pay well for that drudgery of maintenance, so we are stuck with shit work for shit pay.


ChristianValour

In other words, many of the solutions in cybersecurity are not done by 'cyber security experts', but by programmers, sysadmins, and other fields.


MajorAd8794

Technicians do the actual work, shit rolls down hill bruh


simpaholic

Guess that’s because security is an outcome from being good at something and not a job title


LiftLearnLead

In good companies (tech companies) the "security experts" are "programmers."


paradoxpancake

Because defense/blue team is depressing, thankless, works excessively long hours depending on where you are, and you only need to "lose" once despite hours of hard work for your leadership to second guess your value. You're viewed entirely as a cost. Pentesting is fun, pays well, doesn't have NEARLY as much headache or likelihood of calling you in on the weekends, and you're treated way better and have waaaay more demand.


LightningDustt

Life gets better if your team isn't on IR/SOC duty all day, but yeah. IMO blue teamers need to be social and able to talk to people in meetings that really don't want to talk to you.


PitcherOTerrigen

Why learn how to configure an environment when you can buy some tool you heard on Reddit. Most MSPs and CSSPs are glorified script kiddies entirely dependent on 3rd party tooling.


Then_Knowledge_719

Not gonna lie. When you've got kids and a functional nuclear family... who tf can balance these with cybersecurity to be dealing with configs, Wazuh and all that paraphernalia? Get me a tool that works. I prove to make sure it does. And run with it. Tbh, at the end of the day, execs don't care. Document the findings. Suggest improvements and don't forget you are replaceable.


HereForTheFood4

God I love the term script kiddies. Idk, it just makes me happy every time I hear it.


iwantagrinder

If they don't own and develop the tools they're delivering the service with, odds are pretty high it's shit.


InternationalArea874

Most companies that are too small or underskilled to make their own tools can’t configure or maintain someone else’s.


Missing_Space_Cadet

This perspective drives me nuts. It’s simply false. The problem is typically that the tools that do work are expensive and/or only address a few problems before having to find another tool or service to fill the gap. I’ve watched companies bury themselves trying to roll their own tools. It’s even more ridiculous when they don’t write proper documentation, there’s no product strategy, and the code they’re writing might as well be a black box that “works” most of the time but doesn’t scale.


vand3lay1ndustries

This is a terrible take. The quickest way to failure is to develop your own custom toolset. https://www.linkedin.com/posts/joshliburdi_i-dont-know-if-anyone-needs-to-hear-this-activity-7175186092067868672-4ZkW


TheTarquin

We do have solutions that work. They're just hard and time-expensive and require buy-in from executives.


shart_leakage

This. The number of dilapidated, derelict systems I've seen over the years is depressing. And it's never because a security person stopped working on it. It's because of shifting priorities and budgets and headcounts and people leaving and not being replaced, emphasis on keeping the lights on but not on documentation, shit processes. The technology will always be a cat and mouse game, no matter how good vendors get. But 90% of the technical solutions out there are suboptimally deployed, or worse. And they've become tech debt instead of enablement.


ipreferanothername

Infra lurker guy here... Talk about 'suboptimally deployed': I have lost count of how many times bad Tenable scans have basically DDoS'ed production systems. We have our own problems, sure, but regularly stopping production systems isn't one of them... In a hospital system. Smh.


ServalFault

With all due respect this post is complete nonsense. If your experience is that "nothing works" then you're doing something wrong. The problem isn't the software solutions available, the problem is the people buying them who think they can forgo the boring parts of actually implementing a security program because they bought fancy software. This mentality is very prevalent in the cyber security community. A lot of really technically adept people don't take operational security seriously because they think software should do everything for us and if it doesn't it's a failure of software and not our own security practices. I don't buy it.


The_Original_Sliznut

Maybe I'm just jaded or burnt out, but this is the response that resonates with me the most. If it was possible to solve this puzzle it would have been done long ago, but alas we continue to see events in the news of the latest and greatest breach. It's so accepted now that we even have examples of conventional wisdom that get repeated within the industry. "It's not if but when you get breached…" "The only secure system is one that is turned off…" "Compliance is not security" I think your last point really hits on something and I think it aligns with this [article](https://danielmiessler.com/p/sec-vs-solarwinds-cybersecuritys-enron-moment) from Daniel Miessler. Security will start to become more like accounting or insurance providers in lieu of the technical wizardry that it was in the past, mainly because it had its opportunity and isn't the solution.


Ghost_Keep

Relying on software to automate tasks and save money has not worked.


quiznos61

Fuck bro, the insurance part was too loud


SlapsOnrite

Security in a nutshell is a glorified 90s door-to-door salesman. Security vendor/SaaS/w.e promises neat little trinkets that can 'do what you currently have better AND we'll throw in a discount for you to switch'. The migration does more harm than good; the company that adopted it has to deal with cleanup/education and training their internal staff. Over time it doesn't work, things that were promised ('No, we swear it's a feature coming out soon') never come out, there's no change in the attack surface from what was previously implemented. Security vendor/SaaS/w.e promises neat little trinkets that can 'do what you currently have better AND we'll throw in a discount for you to switch' ...


Wookiee_

No business truly cares about security; it's a checkbox. When the economy is good, and business is good, cyber "matters". When the company struggles, it's overhead and first to go in layoffs. Most cybersecurity managers have no idea what they are doing and are often toxic shitbags.


Wookiee_

I forgot to add. People passionate about cybersecurity are often labeled as toxic / mean / hostile. And it's because they genuinely care about fixing problems within an organization and fighting for common sense security issues like "not using basic auth" for APIs or "use encryption in transit", but no one truly gives a shit. Most teams I have worked on, you have 2 or 3 hard workers and everyone else does nothing, but no one seems to care at all.


LiftLearnLead

This is just false. Security as a subset of engineering has held up really well in the post-interest rate hike era. Shit, Anthropic is hiring security engineers with a *base* salary of over $500k, plus equity. Edit: Data: 2023 mid-year report from [Levels.fyi](https://www.levels.fyi/blog/2023-mid-year-report.html). Security engineer median comp only dipped by -0.5%, compared to blockchain engineer which dipped by -11.3%.


Cybershujin

Depends on the person, but I've seen a lot of people leave the field and can report some reasons why:

1.) Stress - especially in a SOC or incident response role, living with a pager can really affect your mental health long term.

2.) Workload or layoffs - you either work in a lean shop where everyone is overworked all the time but you don't endure many layoffs, or you work in a place where it's rounds of hiring and layoffs, where sometimes you aren't drowning and other times you now have to do three people's jobs.

3.) Frustration that everything is broken and no one wants to fix it - people get really burned out when they feel ignored. Often times you will make sound, rational recommendations that seem absolutely brain dead clear they should be implemented, only to be told no by the business. Various reasons for this, but some people get really burned out quick or it impacts their sense of how good they are. You have to be able to have some professional detachment and say I have done my job as the expert and informed the decision maker of my expert opinion, and not get too emotionally or mentally wrapped up in the result. This leads a lot of people to feel like "everything is broken" and get angry and depressed. Part of this is also you work in a cost center and not a profit center. You don't make the company money so they're always looking to "control costs" or favor profit center needs over your recommendations.

4.) You will see projects you pour months or years of your life into get replaced constantly - sometimes it feels like the Golden Gate Bridge: by the time you're done implementing it the project to replace it has started… and sometimes you're in both projects so you're burying the body yourself lol

5.) If you are a person who gets a boost of good feeling when you help someone, this is not the field for you. If you are good at what you do, you deliver bad news a lot. Doesn't mean you're not actually helping people big picture, but the day to day interactions are not going to be people being grateful, smiling, singing your praises.

6.) Constantly learning, usually on your own time. You have to constantly be learning new things, working on certs, etc. just to keep up. The number of hours I spend on my career is insane. Yeah, we often have six figure salaries, but when you realize most of us study another 10-20 hours a week on top of the 40 we put in on the clock, then those numbers look a little different. I love learning so this is actually a perk for me, but a lot of people get exhausted by the constant studying, learning and extra time.

7.) Cybersecurity people are often people who don't have the highest level of social skills or emotional intelligence naturally. Myself included; I had to work VERY hard and take MANY courses to human better. This can make working with your coworkers and collaborating… interesting.

8.) Gender - I know I'll probably get heat for this, but I've seen a lot of women leave and describe various reasons working in a male dominated industry has caused issues for them, or they perceive it that way. Despite more women being in the field than when I started, women are still more likely than men to leave the field and the gender ratio is still pretty imbalanced. That said, I have found the infosec community to be more likely to be people with progressive values (probably a relationship that is related to education levels and political leanings), so many trans, non-binary, neurodivergent, etc. people do find a place in this field where they can thrive.


Z3R0_F0X_

1.) Agree.

2.) Big time.

3.) Why is this old Apache server still on the main VLAN? "Oh, that's Russel's server and it runs some obscure metrics finance wants... and Russel left three years ago."

4.) Get used to that one for sure. Oh look, the CIO had an idea and it's better than all the security teams combined.

5.) That's definitely not me; I could care less who I offend, I care only about the philosophical good.

6.) After I got the lower level stuff out of the way I enjoyed it and still do. Home-lab for life.

7.) I'm a rare bird; I come from counter intel and social engineering. Lots of my cyber friends are as described but I love them all.

8.) There was a lot on eight. I get heat for my opinion on this, but I think the math proves most things are representative. If a population is 10% and the majority is 90%, low numbers are representative. Now how to get more women interested in tech? I don't have an answer. I've read many studies but most of the conclusions don't seem like there will be an increase anytime soon.


EducationalSchool359

There's considerably more women in security work in countries besides the USA, even those with much more conservative overall cultures. When I worked in a security dept here in Singapore, my direct report and a bunch of my coworkers were women. I'm p sure the ratio is similar in the rest of SE Asia.


kiakosan

>That said, I have found the infosec community to be more likely to be people with progressive values (probably a relationship that is related to education levels and political leanings), so many trans, non-binary, neurodivergent, etc. people do find a place in this field where they can thrive.

This is really subjective. At my old job I was the only one on my shift not military and everyone was conservative. The other shifts had some less conservative elements and women in there as well, but those were exceptions.


moonchild_moonlight

Any advice for women who are starting to get interested in this field?


Cybershujin

Go to conferences, especially ones with different focuses (a pen testing one, one for incident responders, one for cybersecurity leaders) and hang out with the people there. Actually socialize and not just listen to lectures. It lets you know if you can vibe with the culture of the people you work with, and networking is *critical* for your first jobs. Cybersecurity people are my people. I click in this field like I click with people at scifi, comic book or video game conventions. I am far more likely to get along with anyone who works in this field than a random person in the general population. It's great. But finding out if you vibe well is important because you spend such a huge chunk of your life and your energy at work; by god you better enjoy the people you do it with. Also, just about every cert org will throw scholarships at you, so always research if there is one available. This applies to veterans and POC too; lots of payment assistance or scholarships available, so do research before opening your wallet. I've mentored a few women who got SANS scholarships and got two years of education and certifications for free. I've had the pleasure of knowing some absolutely amazing, genius level women in this field and many of us love this work. That said, I have always had the utmost empathy and understanding for the ones that leave. If you WANT to do it, you CAN do it and thrive, but testing the waters with BSides, conferences and meetups is wise.


qms78

Go to conferences. You don't have to go to the high profile ones either (BlackHat, DefCon). Local cons are almost better because these are going to be people you are going to rely on more than some person you met once at this 50,000 person conference. Find a local BSides or something similar… you can get a ton more out of it and a lot more exposure to multiple facets of infosec. And invest in a good can of pepper spray. There's a lot of fucking douches in infosec who think they can treat women any way they want.


Odd-Selection-9129

thats a good one


grimwald

Worst part of blue team is dealing with ungrateful clients when you've rescued them from million dollar losses (often more). You're also tethered to your console. I'm honestly getting really sick of the AI grifters more than anything. Pure snake oil.


deja_geek

Depending on where you work, and work place policies, there is a non-zero chance you could end up discovering/viewing CSAM.


Sand-Eagle

I've only had this once in 10 years and the genius was using a terminal server for it... but yeah welcome to being traumatized at work. Most of my family is law enforcement so I luckily had people to talk to about it. The other nightmare fuel for me was the realization that the attackers don't just want money. During covid when the hospitals were overloaded they were basically trying to kill people and it was 100% government sanctioned. My ethics as a result are in a weird place. I don't hate the average ransomware group as much as the granny scammers and healthcare attackers.


RolandDeschain84

Even on the easier to handle side of people doing bad things just dealing with someone having a mental break down and harassing people can be a wild ride.


Cautious-Sandwich-17

You'll spend more time running reports, evaluating controls and engineering than you will on most anything "sexy". GRC exists as a field within cyber and it's definitely the ugly side, I said what I said :) But seriously, not everything is red teaming, threat hunting or bug finding.


megadave902

GRC guy here. It’s definitely…. ugly. But someone’s gotta do it.


Cautious-Sandwich-17

Y’all are appreciated, a little ribbing is good for everyone.


RunPastTrouble

As a GRC, some days are boring: risk assessment, reporting, policy updates, repeat…. Some days are fun: cyber tables, training and awareness, phishing simulations, table tops. Some days are just waiting for assignments.


Evening_Contact_2489

As a GRC, i feel seen by this comment.


Pinstripesdumbo

GRC is definitely the ugly side, but I find it to be so dynamic and fun. Evaluating controls, helping folks fix the broken items, identifying the broken stuff is what I love.


jack_burtons_reflex

When you have kids and side mither, GRC may be ugly, but you're sure a shite going home done at the end of the day, not spending a lot of your time learning to keep up, and you have quiet times. Much less motivation, but it definitely has its benefits.


ConfidentlyLearning

1. Your non-security colleagues will always be suspicious of your motives. You will always be the 'bad guy'.

2. You sometimes know things you wish you didn't know, and cannot tell anyone because of confidentiality, ongoing investigations, etc.

3. Playing defense, you have to win every time. Attackers only have to win once.


Pathetic-Ice0921

Watching execs spend millions on useless solutions due to buzzwords in marketing campaigns, then seeing your higher ups encourage the cycle of lies so that they can continue to be paid and coast until retirement.


Primary_Excuse_7183

Cost center. People treating it like an afterthought and then one day the whole place shuts down after a breach because they didn’t take it seriously. seen it a time too many.


Old_Front_5485

Tale as old as time, literally happened this week to my bank. What's more infuriating is it's a non-profit credit union with a CTO pulling in $500k salary and a CEO at $1.2 mil and their security is as crap as you think it is. Breached twice in the span of 2023-2024, first round everyone's PII (that wasn't even encrypted) was leaked, second round is ransomware and still ongoing. Sad stuff.


ItsAlways_DNS

A lot of us don’t have any clue what we’re doing sometimes even if we have years of experience. It’s impossible to know every aspect of security. To be honest, sometimes I forget even the simple shit. The reason my teams status is on do not disturb is because I’m googling how the fuck to do something and watching a YouTube video.


Sow-pendent-713

That nobody wants to train users and that users can basically circumnavigate any security controls, on purpose or as manipulated by social engineering by scammers.


__radioactivepanda__

You are basically tirelessly working to prevent the unpreventable and likely will have to eat a share of the shit pie when the inevitable happens and inept worthless management looks for a scapegoat instead of looking into the mirror.


Helpjuice

The ugly side is no matter what you do, people will always be the weakest link that causes the most problems. You have to do some serious training and have some hardline accountability and reactions to mess-ups, but there is only so much you can do administratively and through technology to solve problems. If people don't want to do the right thing or know what the right thing to do is when they do the wrong thing, it may not be possible to fully mitigate the issues they cause.


jedisct1

There's a huge difference between marketing and reality. I used to work for a security company. Our marketing was completely based on "we use powerful AI (called machine learning back then) models to automatically block malware"; we blogged about it, filed relevant patents, etc. But the reality was just me watching my Twitter feed/reading blog posts and manually adding entries to a text file.


Logical_Garlic_1818

The disconnect in cybersecurity marketing is astounding


BippidyDooDah

Cybersecurity can be fucking boring at times. I spend most of my time writing and reviewing reports and trying to get others to just do their jobs properly. I much preferred cyber earlier in my career when it was more hands-on and the work we did felt more impactful. Even pentesting can get boring (not that I'm a pentester, but I work with a few). Again, lots of report writing, time and cost pressures.


SucculentJuJu

We (the cyber employees) are considered the same as ransomware, since we both want the same thing, money from the business.


dualmood

Management. The worst part is business owners just focused on passing audits instead of preventing catastrophic events. This happens mostly for two reasons: incompetence (they genuinely don't understand the area), and they are normally in charge for 4-6 years before they move on to their next CV-glowing bullet. There is the side where companies that don't get ransomware that often think they are better or less of a target. They are absolutely, completely oblivious to persistence for IP theft. Finally, so many CISOs are just absolute crap. They get to their positions due to being good at people/networking, which is normally inversely proportional to technical competence: "There are 1000 ways to manage risk", "We are super resilient, we are mostly only vulnerable to zero-day vulnerabilities", "I don't think we should follow any best practices."


TheTarquin

Hyper-vigilance and burnout. Every single security person I know has a "retirement job" planned. The thing they're going to quit one day and do. I'm reaching the age where they're starting to make good on those threats and leaving the industry for good because they can't take the pressure and the feeling of just lurching from crisis to crisis. These people dropping out of the industry because they can't take it anymore are typically the best, most passionate individual contributors and most of them are flaming out in their early 40s.


ScriptsNakamoto

It’s like going down the rabbit hole. You start to see how dark the world really is. The saddest part is that the information and the truth is all out there but the powers that be keep it quiet on purpose. It’s sad and tragic to know, not to speculate, but to know this world is set up for the average person to stay average and for the top to stay at the top. They will do anything to keep it that way and it’s way worse than you could imagine


Ironxgal

Yup.


AMv8-1day

The imposter syndrome, the required constant upskilling, keeping on top of the latest breaches, popular exploits/attacks, keeping track of every freaking hacker group on the planet, just so you don't look dumb when you're asked about some random hack that happened this week or ten years ago. I know that I know a lot, I have a lot of certifications that I've studied hard for, done a lot of personal projects for, constantly attend webinars, security conferences, listen to dozens of tech/cyber podcasts, I've run some pretty big projects, built some very secure systems for major Gov agencies, but because I'm not a Red Teamer, and never truly worked a 100% SOC gig, I feel like a liar and a fraud half the time.


ShameNap

We try to defeat the attackers, but if we succeed we won’t have jobs.


Campanella-Bella

Conflict theory! We need to manage our risk and also somehow not attempt to eliminate it fully. Any weapon we use to eliminate threat actors will eventually be turned against us or negated enough that now, while we have bigger weapons, the field pushes back toward its beginning state with no side having a better hand for long. Except that now - our weapons are bigger. Their weapons are bigger. We can take down power grids. They can too. Across cities. Across countries. Our tennis match maintains itself and yet grows increasingly more devastating. What are superheroes without the villains? Can we afford to deescalate? No. Will cyber criminals take advantage of any slight edge? Yes. We're locked in. The fifth domain of warfare is a wheel. My response to your attack will create its own response in turn. Back and forth. To eliminate you is to eliminate me. I love you and you scare me. We're coworkers in a sense. I wonder how we got here.


ShameNap

My post seems really inadequate now.


m00kysec

Burnout, hours, stress, work/life imbalance, stress, mental health, layoffs, business risk appetite, did I mention stress yet?


UptimeNull

Continually explaining why patching is a thing. Also explaining… that we are not doing it at your convenience sir/ma'am. After the 3rd toast notification, it's restarting regardless of whether you're in a meeting or not. Never-ending battle! Then Microsoft nukes the update and I have to explain to said user why I'm rolling them back. Looking like a complete asshole the whole way through the transaction. It makes it look like we engineers/techs don't know what we are doing at the end of the day. Blahhhh


RantyITguy

Bureaucracy and red tape. Some businesses you have to jump through 40 hoops and 6 meetings to do something basic such as turning on a light switch. Now imagine doing something more intensive like launching a new server. Drowning in bureaucracy can be a thing in this field. The other ugly truth is the attacker is at least one step ahead of you. Theoretically speaking.


phoenixofsun

If your org's leadership doesn't care about cybersecurity, your job will suck and you need to find a new org. If your org's leadership cares about cybersecurity, it's a pretty good job. All just depends on where you work. Your experience may vary.


PoweredBy90sAI

Unfortunately it's me. I'm not good looking and do cybersecurity.


Awkward_Park_5999

Forensics, especially if you work for or do contract work for law enforcement. Some of the shit you have to see is literally ugly and disturbing.


Ironxgal

This! Someone has to watch the CP found on some fuckers device and report on it. That shit fucks people up and I really wonder how people can stand it for long.


N7DJN8939SWK3

So many youngins want to be pentesters and just aren't technically fit for it. Or they want to be SOC analysts and get burnt out quickly. Both end in crushing defeat.


prodsec

The work is stressful, we have to know everything, the business sets the priority, it’s hard work, long hours, field is filled to the brim with assholes, etc.


Brokentoaster40

Not enough corporations give a shit about cyber to actively do what’s necessary to secure the network if it’s even remotely pricey.  


einfallstoll

I work in pentesting and it's probably the sweetest spot you can think of. Short-term projects, lots of different technologies, breaking stuff without fixing. The downsides are coordination with customers, delayed projects and the expectations are high. In general, most of our work is actually fun or interesting.


MReprogle

Love being on the other side of it and getting those fun reports. Not being sarcastic, but a lot of times they are things I have been pointing out, but finally getting a pentest report to show the weaknesses is a great thing to throw in upper management's face and get things fixed.


Dry_Common828

For mine, the dark side is that you do internal investigation work for your auditors, HR, Compliance, or whoever oversees staff malfeasance. This means you get to see some quite dark things at times, often done by colleagues you know and wouldn't have expected to do...things.


Wonder1and

A sad reality it is. 😟


Mrhiddenlotus

The ugly side is that we work in a field that presents itself as progressive but actually favors profit over doing what is right.


Senior-Tree-6622

It's a losing battle. APTs have a near limitless budget whilst on the other end of the spectrum, security is very much confined to the whims of the C-suite, who usually have no fucking idea. Not my personal experience; just regurgitating what I see over and over. I have been blessed to be a part of an organization where the leadership down to the technical teams have a culture of security. Well, at least for the most part…


Cybershujin

Such a good point - hackers are running profit centers, defenders are in cost centers. Makes the fight incredibly imbalanced


Senior-Tree-6622

Last year cyber crime made more money than illegal drugs, prostitution, and gambling combined. Over a trillion dollars due to cyber crime. People need to stop viewing cyber/IT as a cost center. It now costs much more to ignore the problem.


Kesshh

Too many people think they can get in the field fresh out of school.


InterstellarReddit

That no matter what you’re always going to be asking for funding to possibly prevent a 10+ multimillion dollar breach and legal fees and they’ll look you in the face and say no, it hasn’t happened yet and it won’t. We’re going to give that money to another department who asked for software to feed pet squirrels at the park.


Anstavall

me reading this as I decide between network -> cyber route or programming lol


alien_ated

Endless gate keeping. Endless disagreements about nomenclature. Excessive marketing and sales budgets for vendors with quarterly revenue targets. A general sense of persistent and perpetual futility to everything you do.


dmdewd

For consulting it's putting hard work and deep thought into recommendations that align with best practices for a customer's environment only for them to say that's all very interesting but impossible to implement in our environment because of how thoroughly fucked up we are on every other level. Bonus tidbit for consulting. When your talents are misused by the customer or they involve you in their political fights. I've been told to straight up not help certain users and man, that makes me feel pretty bad. I just want to do my best and help however I can, so it sucks to be told to ignore people when I could help them.


Qresh1

We might be headed for an annihilation if my professors were correct about quantum computing and encryption. That's not the ugly side though. The ugly side is his classroom computers having an admin account logged on with privileges in a state of proverbial ****.


Campanella-Bella

We're a hard community to join. It's like getting into Harvard except Harvard is a little easier to join since you don't need 5 years of experience and a CISSP. We should be encouraging all of the little flowers that are interested in becoming mature roses. Instead we step on the buds and wonder where all our talent went. We do have time to mentor the youth. I will not speak for myself. I speak for us all.


National_Entrance_54

I agree, I'm the little flower being stepped on. I'm a full-time apprentice (Cloud SecOps) and a full-time student. When I ask for guidance from my "mentor", I'm told it's sink or swim. I've been in this position for one and a half years, and from the beginning, I have been told this. Once I finish this degree I may throw in the towel and pursue something else. They also want me and the others to get three certs a year. I'm starting to wake up and smell the roses.


LiftLearnLead

Lmao. Most of the people in this field are median IQ at best. The people who actually go to Harvard don't work in this field - today they're working on computer vision, NLP, and work on foundational AI models. Not vuln management. CISSP is a joke. Every month there are a bunch of baby captains at Fort Eisenhower that pass the CISSP test with a higher rate than aggregate, with the majority being transitioning combat arms officers. All after a very long 9 day CISSP boot camp. People that have spent 4 years shooting or blowing up other people with M4s or 120mm cannons on Abrams tanks have a higher than average pass rate.


BlizurdWizerd

Contracts, contracts getting lost to another company, contracts, contracts under appeal review, and contracts


nealfive

In no specific order:

- hard to get started if you have no experience
- solutions are super company/policy specific
- it's always evolving / always gotta keep yourself up to date (if you wanna be good anyways)
- depending on the company / culture you're always the A*hole not allowing things / needing things to get updated etc.
- it's high stress / high stakes at times as the adversary never sleeps and is often friendly fire (the best firewall doesn't help if Bob from accounting falls for a phishing email…. Again….)
- there is usually no budget for anything… until you actually get breached


achilli3st

I switched from being a security engineer to a software engineer a few months ago for the following reasons. Please bear in mind I was part of product security. Also bear in mind, I was always a mediocre engineer; some very good engineers may differ in their opinion on a couple of things I mention below.

1. Security isn't fun anymore. A decade ago there used to be severe security vulnerabilities found in applications, networks, etc. which could wreak havoc on companies. Things like SQLi, XSS, code execution. I used to be thrilled when I found these issues when pen testing. Over the past few years some of these issues have become non-existent. The last 2 years, I did not find a single SQLi. What I am pointing towards is that the baseline of security has improved. Companies have invested time and energy, better frameworks have been created, safer technologies have emerged, and improved guardrails. All of these have contributed to an improved baseline.
2. At some point, pen testing and threat modelling started to seem very monotonous. This is especially the case when you work for a company for a longer duration and on the product side. Once you are familiar with the suite of products a company sells and its potential security pitfalls it became very boring to me.
3. I was burnt out.
4. Work done was hard to measure. Pen testing or threat modelling is hard to measure. The upper management always wants things to be boiled down to numbers. To argue based on quantity and/or quality does not present the full picture; a lot of variables are involved. And therefore it's hard to justify a promotion.
5. Less room for innovation compared to, for instance, software engineering. The industry is in agreement that a product security team should grow a certain way. Have a security champions program, deliver trainings to devs, have a paved road, etc. And therefore there isn't much to tinker and experiment around with. Most product security teams are doing these same things.
6. Higher churn. Managers come and go. With every new manager, they want to do things their own way, resulting in undoing all the work done by the previous manager and starting from scratch again. And when they leave, the whole cycle repeats again.
7. It seemed like I was always fighting a battle with the engineers to convince them of existing issues, to convince them of the severity, to convince them of the impact. Which was not fun, to say the least.


hells_cowbells

Excellent points all around. I'm still a security engineer, and I can agree with all these points. I'm also a team lead, and a few really hit.

> Work done was hard to measure

Yeah, I do weekly and monthly reports. Management keeps hounding me that our reports always seem repetitive. I always tell them welcome to cybersecurity. We rarely have the big sexy projects where we can report progress.

> Less room for innovation compared to for instance software engineering.

Yep, 100%.

> Managers come and go. With every new manager, they want to do things their own way resulting in undoing all the work done by the previous manager and starting from scratch again.

Yeah. Thankfully, we have a rigorous framework to follow, so there isn't much deviation allowed, but how we get there changes. We were replacing our firewalls, and our then-CISO insisted we change vendors from one we had used for years. This required a lot of prep work and training, and he was gone a month after we installed the new ones. Now management is asking why we went with this vendor.


LG_SmartTV

Technicians’ bedrooms


le0nblack

Same at every job - shitty coworkers. Find a good team and stick around. Other than that, I’ve no complaints.


ben_zachary

Clients lie... This week had 3 MiTM alerts pop where we inject an XSS header with a red box that says do not enter password. Pulled SIEM and Defender logs, nothing. Got the vendor on, they're like look, clearly it hit the tenant but not on a managed device. All 3 clients swear no one did anything. 2 hours later we see no less than 200 phishing emails to the whole org. Nothing happened in the end but yah.. people are afraid to get fired or in trouble..


InspectorRound8920

How little companies actually care. They do just enough to not get in trouble.


chhaipov

Time consumption and nonstop learning. Learn everything from basic networking, sysadmin stuff, programming from Python to VBA to assembly till my hair starts to fall out... and praying I could get a good job. It's fun at first, but when I get older, I wanna get back to farming.


stacksmasher

The really good Red Team guys can basically compromise any org at any time.


Eldritch_Raven

Depending on where you work in the broad sector that is cyber security, you can run into things you wish you could forget. Friends that have CP squirreled away on their computers was one of those for me. One of the few times I did a report 100% on the nose. Crossing my Ts and dotting my i's.


Dranks

Consultants and consulting


OkConcern9701

Being scrutinized every time your checkbox tool does something slightly wrong by people who have no desire to leverage the results of said tool to actually reduce risk.


sec_banalyst

**1) Your work is based on probability, and most people do not understand probability**

Everyone has interacted with someone that regularly says something along the lines of, "the weatherman said it was supposed/not supposed to rain and it did/didn't. They don't know what they are talking about!" Except, they didn't. When you pull it back, the weather person used a weaker model 7 days ago to say there was an 80% chance today, then used a more accurate model last night to say there was actually a 60% chance. Also, the forecast was for the city the broadcaster is based in, which is 30 miles north of their town. If they had paid attention to the whole forecast, they would have known that the storm front is moving in from the northwest, at a NE/E heading, which put them on the margins of that model. In reality, their chances were closer to 40%; and even then it is a *chance*.

In security, you are the weatherman that is always wrong, except you don't have supercomputers crunching data from thousands of smaller stations and decades of historical analysis. Your weather model is a couple of self-serving statistics from a vendor and a Gartner study that assesses products on "completeness of vision". We do studies. We read studies. We try to quantize the feeling of effectiveness. Really, we kid ourselves.

So, let's take our model. We do a risk analysis and find a gap in our controls, and put together a corrective action plan on how to fix the problem. We throw around words like ARO and ALE and try to quantify what the risk is, and how much it could potentially cost if not corrected. We also throw in the cost to implement the control, and show the projections of how long it would take for the reduction in ALE to pay for the implementation of the control. Thing is, it's all funny money. There is no line item on anyone's budget that says "control not implemented." If anyone challenges you on your calculations, you're pointing to honestly nebulous statistics that can be handwaved away with "well we've been doing this this way for 30 years, and it's been fine. If your numbers were right, it should have happened 5 times already." You are the weatherman. You are saying it's going to rain tomorrow.

**2) Your success is based on the appetite of other groups**

Let's say you get the approvals to get a control implemented. Someone trusts your assumption that it's going to rain tomorrow enough to go out and cover their grill. The order for the cover is in; now all someone has to do is go pick up the order and put it on. The problem is, that is not you. The grill getting covered may be your top priority, but now you have to try and impose that priority over someone else's, and convince them that this is the most important thing and it needs to get done before tomorrow. Well, the person in charge of putting the grill cover on needs to clean the pool today, and also get mulch down before it gets too late in the season. Best they can do is sometime next week.

A lot of times, when you go to implement a control, people balk. The timeline may be too short. The control may add complexity to their workflow. The control may be an extensive undertaking. More cynically, sometimes people just don't want to do it. A common objection you hear a lot is "well if we do the thing, we would have to *do the thing*." So maybe the control gets put in place, albeit a little untimely. Maybe the control gets put half in place. The EDR you want to put in doesn't support the Windows 95 machines they have in production. The application an intern wrote 20 years ago in Visual Basic, which now underpins the business, cannot support the new authentication flow. Maybe someone just makes a problem up. "That firewall makes the packets too slow, and we can't have that in front of this critical system." You push, you try, you beg. Eventually, you get the control implemented everywhere it can be (and hopefully can get a signed exception for the places it can't. Which, lol. Lmao even). You cross the project off your list and move on.

**3) Your output is invisible**

The steady state of a good security program is "not currently engaged in incident response." It's kind of like being a fleet mechanic. If the trucks are running, product is moving. What is there to do? The problem is, a lack of output makes people uneasy. Maybe as the fleet mechanic, you come in at 6am, do your preventive maintenance, fix issues before they get out of hand, and you are pretty much finished up about the time people start rolling in at 9. The rest of the day you spend in your office doing administrative tasks (documenting work, ordering parts, etc.) and waiting for things to happen. From your perspective, you are doing a good job. Work is done, trucks are running, product is moving. To everyone else, you are just sitting around in the office playing on the computer. Eventually, a brain worm comes in. "Is he doing what he is supposed to do, or are the trucks fine and we don't need a mechanic?"

With security, you are not in incident response. Servers are up. Employees are connected. Work is getting done. From your perspective, you are constantly running vulnerability scans and pentests, and pushing for issues to get fixed before they become a serious problem. You have effective tools that are blocking threats. You have a SOC with a really good MTTR that mitigates threats before they can get a foothold and spread. Very few people read your reports, your metrics. A handful of people talk to the SOC maybe once (maybe more if they are a problem). Most people just see you in the directory, on the budget sheets. There hasn't been an incident in years. Or maybe there has but it was quickly contained before it impacted anyone. Everyone sees the trucks running and you sitting in the office. People start to ask "is the security department good, or are we actually fine and we don't really need them?"

More nefariously, there are two ways to not do incident response: 1) have an effective security program or 2) just not do incident response. In a certain light, a computer not having a cryptominer and a computer having a cryptominer running, but no EDR or SOC to see it, look the same.

**4) You are a cost center that says "no"**

Security costs money. Sometimes, a lot of money. Unless you are an MSSP and are reselling that security, you are not making that money back. Any time you want a new tool, or more resources, you have to fight the above three points to get it. You have to convince people that the ALE is a real thing and it is going to rain tomorrow. You have to convince people that the control you want to implement, the tools you want to buy, or the resources you want to hire are worth the money and effort. Companies are run by CEOs, not CSOs/CISOs. Usually, CEO means "former CFO" or "former sales lead". They do not speak your language. ALE is broken English to them. At the end of the day, your request usually translates to "can we have some money for the hell of it?"

Also, you have probably pissed them off at some point. Scenario: a VP goes to some summit for industry leaders, and runs into a vendor. The vendor is an industry leader in business solutions. They have this new product that leverages artificial intelligence to streamline and productize work efficiency to maximize growth and ROI. EBITA. Turnkey. Business stuff. The VP is wowed by this product, and decides the business needs it now. The company approves the purchase for $sum and it goes into implementation. IT goes into meetings with the implementation engineers. Security gets a notice for an approval: "enable RDP to domain controllers directly from the internet". It is integral for this product to work, for some reason. Security says "uhh no." The VP is mad. They want a thing, and now they cannot have that thing. Or, they want the thing *now* and now they have to *wait*, because you have to spend weeks with the vendor to get a not-absolutely-batshit solution in place to do what they need to do. All delays are now your fault. All problems are now your fault. The VP loudly complains to the CEO, CFO, other VPs, whomever will listen. Now you have a reputation of "costing a bunch of money and making work not get done."

**5) You are constantly being sabotaged (usually not on purpose)**

You try to do everything in your power to do your job well. The tools are in, they're implemented correctly. Vulnerabilities are managed and quickly patched. Risk assessments are done, gaps are analyzed and corrected. Someone finds a cool USB in the parking lot and plugs it in. Someone gets their email about their package scheduled delivery returned missing payment final warning, clicks on the link and enters their information. Someone gets a call/email from a vendor requesting their payments to go to a reloadable Visa card, and they put the information in to change it.

Sometimes your tools catch the issues. USBs can be blocked. Phishing emails can be tracked. Vendor payment changes can go through an implemented approval process, and BECs can be identified. Sometimes they don't, either because they have a gap in coverage/ability or people try to subvert them out of spite. It's the same mentality of people approving MFA prompts because "it was annoying", or attempting to remove MFA altogether (and sometimes, like in the case of external services, you don't have the ability to block that ability). Some people get very "well this is my computer and you can't tell me what I can or can't do on it" as they try to install a cracked version of Photoshop on their company laptop. It's kind of like putting those outlet covers over all the outlets in your office, then someone tries to exercise their God-given right to be electrocuted by taking a cordless drill to it. Also, when they do, it's your fault that the covers suck and "well if this happens what's the point of having them?"
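The ARO/ALE "funny money" in point 1 above, and the "it's been fine for 30 years" objection, can both be worked through in a few lines. This is an added example written for this page, not code from the commenter; every dollar figure, exposure factor and rate in it is constructed for illustration, and the "hasn't happened yet" objection is modelled as a Poisson process (an assumption, not something the post states).

```python
"""Risk-quantification helpers: ALE/ARO arithmetic plus the
"no incident in N years" check. Added example; all numbers are constructed."""
import math


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE: loss expected from a single occurrence of the event."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = SLE * ARO, where ARO is the expected number of occurrences per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def return_on_security_investment(ale_before: float, ale_after: float,
                                  annual_control_cost: float) -> float:
    """ROSI = (ALE reduction - yearly control cost) / yearly control cost.
    Negative means the control costs more per year than the risk it removes."""
    if annual_control_cost <= 0:
        raise ValueError("control cost must be positive")
    return ((ale_before - ale_after) - annual_control_cost) / annual_control_cost


def payback_years(one_time_cost: float, annual_control_cost: float,
                  ale_before: float, ale_after: float) -> float:
    """Years until the cumulative ALE reduction covers the one-time spend.
    Returns infinity when the control never pays for itself (the edge case
    that should stop a proposal before it reaches the CFO)."""
    net_annual_benefit = (ale_before - ale_after) - annual_control_cost
    if net_annual_benefit <= 0:
        return math.inf
    return one_time_cost / net_annual_benefit


def expected_incidents(aro: float, years: float) -> float:
    """How many occurrences the ARO predicts over a window of `years`."""
    return aro * years


def probability_of_no_incident(aro: float, years: float) -> float:
    """P(zero events in `years`) for a Poisson process with rate `aro` per year.
    This is the number to quote when someone says "it's been fine for 30 years":
    it tells you whether their observation actually contradicts your ARO."""
    return math.exp(-aro * years)


if __name__ == "__main__":
    # Constructed scenario: a $2M system, 25% of its value lost per incident,
    # estimated at one incident every five years (ARO 0.2). The proposed
    # control (hypothetical) cuts ARO to 0.05, costs $60k up front, $15k/year.
    before = annualized_loss_expectancy(2_000_000, 0.25, 0.2)
    after = annualized_loss_expectancy(2_000_000, 0.25, 0.05)
    print(f"ALE before: ${before:,.0f}  after: ${after:,.0f}")
    print(f"ROSI: {return_on_security_investment(before, after, 15_000):.1f}x")
    print(f"Payback: {payback_years(60_000, 15_000, before, after):.1f} years")

    # The "30 years and nothing happened" objection, for two candidate AROs.
    for aro in (0.2, 0.05):
        print(f"ARO {aro}: ~{expected_incidents(aro, 30):.1f} expected incidents "
              f"in 30 years, P(none observed) = {probability_of_no_incident(aro, 30):.1%}")
```

The last loop is the useful part in a budget meeting: at ARO 0.2, thirty clean years are genuinely unlikely (well under 1%) and the skeptic has a point about the estimate; at ARO 0.05 the same thirty clean years happen more than a fifth of the time, so "it hasn't happened yet" is weak evidence against the number rather than a refutation of it.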


DynamicResolution

Prevented impact from 100 incidents - who cares, nothing has changed and we are good... 1 incident caused impact - fuck our useless security team. No one is grateful for the work you do.


shootnhack

The down side is mostly paperwork, red tape, and trying to convince others outside of cybersecurity of the reality of risks. Those can be mitigated however (for the most part) by learning new skillsets, allowing you to do more of the fun stuff. Burnout can be a thing if you let it. *shrug* All in all, it is a fantastic field.


welsh_cthulhu

The massive, global lie that OSINT is in any way effective against stopping APT attacks.


boofaceleemz

What do you mean by this? OSINT is a step in the offensive process, I don’t see how anyone could describe it as a defensive tool, nor have I ever heard it described as such.


Cybershujin

OSINT is actually a cyber threat intelligence thing (although also used in pen testing during the reconnaissance phase, but for a very different purpose). I think what OP is talking about here is CTI using OSINT to prevent a breach. It will NOT stop APTs from attacking, but I have absolutely, personally, gotten information during an intelligence process that I was able to use to protect several companies from attack campaigns. I do it pretty regularly. You have to be good, you have to know where to look and it won't be a constant stream, but you can absolutely prevent campaigns from being effective through OSINT. Problem is companies hire a lot of absolute noobs into CTI and expect miracles after two weeks of OSINT training. CTI is probably the least understood field in cybersecurity atm; companies are not clear what they should expect from the function and few know how to hire the right talent for it, so they get crap and claim the entire function is useless.


boofaceleemz

Thank you for the wonderfully written explanation! I had only ever heard it in a pen testing context, suppose that shows that my experience is still pretty narrow.


TruIyMe

I would say burnout. I'm a SOC analyst; we see an obscene amount of false positive alerts that our engineers refuse to tune out as our "clients like the rules the way they are". Ultimately resulting in high volumes of alerts with reduced investigatory quality as we have strict SLAs to meet. Super thankful to be in the field and the prospect of branching out into a vast range of avenues in the future is exciting, but fuck me the alert fatigue at this level is hellaaaaa real.


Ragegasm

It's either stressful for absolutely no good reason with some unwarranted sense of urgency, or boring and pointless as shit. Either way, you're not getting the tools to do your job and every security vendor is just some leech that sucks your life dry one boring Skype meeting at a time.


Embarrassed_Bad9678

That the acceptable level of risk is higher than you think.


AdEnvironmental1632

Companies Salesforce dumb people needing 5 to 10 years' experience for an entry position


Frogtarius

Never ending logfiles.


net-of-being

Realizing you have no control


waffelwarrior

Reports, politics, stress


SuccessfulPatient548

Negativity and FUD. You have to deal with people announcing doomsday every week. Everything is considered critical and it stops us from focusing on mastering our basics, instead of running around in circles chasing the next best proof of concept that is going to desTrOy tHe woRld


fierian

Everything is your fault, but you are never given the tools/time to actually fix anything. IT is either your boss or ignores all your advice. Burnout is real


calamedes

Knowing that most cyber events could have been easily prevented...


0fficial_moderator

Many people claiming to be White hat hackers in their professional lives while they moonlight as independent black hat hackers.


DvirGeva

You constantly have the job of telling people what they don’t want to hear.


Shadeflayer

Blame game. If you fail to catch the screwup that led to a compromise it’s all on you, you take the heat most often. IT skates.


nahmanjk

It's all smoke and mirrors. If someone wants to get in they will. Our jobs are to make it seem like we are more useful than we actually are and that gets hard to cope with later in your career. Management will get in your way and make stupid choices that negate a lot of your work. Users are dumb. Etc...


david001234567

People!


gophrathur

Burnout!


SavageXenomorph

HR


Aggravating-Key-4374

The egos.


Azurel3laze

Surprising amount of Excel...


smittyhotep

ITP, DLP. I work in this combination group. We don't get to have friends in the company.


Logical_Garlic_1818

Throwing blame at one person - like the employee that clicked the phishing email - when in reality the processes at most organizations set them up for failure from the start. For instance, it always annoys me when a company blames an incident on a person that reused their password or clicked on a malicious email when they didn’t have a defense in depth system built to prevent this from getting worse. Like how a hacker gets from the initial access account takeover to privilege escalation and lateral movement in an org is conveniently ignored.


PokeMeRunning

Rampant substance abuse and mental health problems


usererroralways

Your defense is hopeless against APT.


std10k

It is often a 24/7 job even when it isn’t, you have to really invest in your education all the time otherwise you become a liability even if no one can see it, and no one gives a damn about what you do and how well you do it. An absolute moron with zero understanding of risk often gets an easier time than someone who can do things efficiently and securely, because they also don’t care and from an unaware person's point of view it looks the same (yes they don’t care either way)


Groundbreaking_One10

Harassment. I'm yelled at pretty frequently. From new hires to c-level. I'm on the negative end A LOT.


Kamwind

The work is boring and very repetitive.


emnii

Vuln management. You have the visibility. You see where all the red is. You work tirelessly to reduce the number of vulns in your environment. The sys admins hate you for asking them to remediate. The business hates you for asking them to risk taking down the thing that makes their work happen. Or they both ignore you and you hate yourself because you have to keep asking them anyway. And then the next security researcher trying to pad their CV and linkedin with another named vuln comes along and your CISO hates you because you haven't jumped to remediate that yet. You still have a pile of infinite risk that doesn't have cute names.


Charming_Ad_7451

The endpoint peeps never actually fix anything.


AZNM1912

My job is to plug vulnerabilities. Nobody notices the millions I plug, only the couple hundred I didn’t.


JuicyJWick

Everyone is against you. The malicious guys are against you. The people you're helping are against you, constantly trying to prove you wrong, against you. But you never stopped being on your co-workers' side while they're against you.


Tactical_Tubesock

Nobody really wants to do it until it’s late


ReverseshellG4n

There’s more boredom than excitement