I get frustrated with all the headlines hyping up “cybersecurity salaries” and “massive talent shortage!”
None of that makes a difference if your employer doesn’t understand security, or is only interested in compliance.
Sure, it’s my job, as the security expert, to help them understand. But the phrase “You can lead a horse to water, but you can’t make it drink” comes to mind. Every executive I’ve worked with shares the same opinion: *security costs too much money and needs to get out of the way of the business.*
If you’re looking at joining the field, don’t join because you love security. You will be constantly frustrated at how much “that’s always been fine previously” and “it’s good enough” are the final answers you get from management…until the breach happens and it’s YOUR fault. ESPECIALLY if you’ve documented that you knew how to secure things a year ago…because you should’ve had the balls to stick to your guns and figured out how to make management understand the risk and spend that money.
And they have no clue why cybersecurity turnover is so high. Why so many of us are abandoning the field completely.
Even if the money is amazing… If you do a personal risk assessment, you’ll find that you’re not being paid nearly enough for the amount of risk you’re personally taking on (as #1 in line to be fired or resign after a public breach) trying to secure a company that isn’t giving you the resources you need to keep them out of the news.
The only reason “cybersecurity talent shortage” is in the news all the time is because “executives would rather have a large personal bonus than remediate business risk” is old news.