Cyber Sam Wants You.
Before I say anything, let me say something: I am truly #blessed to be employed by a money laundering operation because there's absolutely no way in fuck that this corporation can be profitable simply doing what they say they do. I am #blessed because there is no shortage of inspiration for a shitty blog when you work with buffoons and for a clown. And I wish I could be either of those things. Buffoonery and clowning do pay well. However, if you're in cYbEr, and you're unemployed right now, you're fucked. Companies have discovered a simple trick job searchers hate: they don't really have to hire anyone.
You see, hiring people and paying them a salary is some expensive shit. If you're in the business of making money, you don't want to do things that are going to reduce the amount of money going into the big boss' pocket. Secret apartments Garçonières need upkeep, cocaine is expensive, and that dead sex worker will not dispose of her body herself. If you're a smart (in a sense) CISO, your line of thinking might go a little like this after you stop posturing on twitter for a minute: If the cost of dealing with the fallout of a breach or any kind of undesirable security event is less than the cost of preventing said breach or undesirable security event, don't do it. If all you need to do after your company gets ravished by people light-years ahead of you in technical capabilities and professionalism is to pay a fine and send some letters, why bother? Let's say a moderately competent infosec team goes for $10/year (one can dream). If your incident response efforts average out to $6/year...
But! But! Reputational Impact something something!
LOL. Okay, sport. Go around and ask what happened to companies that got their shit rocked. I'm talking about corporations, not your mom's Etsy storefront. Nothing. Corporations mishandle their data all the fucking time, they don't care one iota about your data, and there are no significant consequences. If there were, CISOs would have to do their actual jobs, and we can't have that. We need to keep things as they are: cybersecurity theater run by mediocre men. And god forbid some broad who actually knows their shit says something uncouth like "if someone clicking a thing on the thing-clicking machine leads to security failure, they are not the foolish one."
But! But! Something about regulators and audits
LOL. Settle down, bud. You just tell them this (feel free to copy and paste this exact verbiage):
Mr. <Regulator/Auditor>, sir. I've posted this job on LinkedIn with a ridiculous list of requirements, shit pay, full onsite, and got 389 applications in 5 minutes. We can't hire anyone. There's a lack of talent.
EZ. GG. You're welcome. Hold on. I can hear the recruiters muttering something. What's that? That's not accurate and I'm mischaracterizing the recruiting professionals? Well, you fucks mischaracterize people by (I hope) looking at a PDF for 3 seconds, so fuck you very much. Just because you know how to send an In-Mail doesn't mean you know what a good cybersecurity professional looks like. Also, fuck your Workday ATS. And fuck you again, while we're at it. That guy on LinkedIn posting 10 $400k/year jobs a day is not hiring anyone, good buddies.
What do we do, then? We need to fucking eat, right?
- Round up your bros, start a co-op.
- Work for a cybersecurity company run by people you respect.
- Go do something else.
- Don't work for assholes.
- Don't work for motherfuckers.
- Don't work for or with sociopaths.
- Don't work for people who think your work is meaningless and cybersecurity just a cost center.
- Make your very existence an act of rebellion.
Wanna do a co-op? I'm game. sc at crankysec.com. If all fails, let's join a cybercrime gang. I'm sure we'll learn a lot more.