Roll up, Roll up,  Roll up. Come and have a go at being a security expert in the Internet of Connected Bandwagons. Now with Bluetooth LE!  Jump on board for little outlay and see how you too can affect the price of InfoSec. You too can be a social engineer or a pen-tester!  Be what you want to be on the great Internet of Connected Bandwagons. No previous experience necessary,  just complete this online course! You too can put some initials after your name and make £££’s!!!

I was recently at an InfoSec evening in Manchester, organised by RANT Events about “How we have broken the industry”.  Jay Abbott from Falanx talked primarily about the Pen testing side of our trade,  but his points were valid across all domains of Information Security.

Just take a look at the conveyor belts coming out of universities. They are producing a stream of graduates idolised on their right to everything that modern society has to offer. They’ve been taught the theory to get them their first job, but our industry still looks for qualifications that demonstrate hands-on experience. Pen-testing is a quick route to success, as the qualifications can be taken quickly. Those qualifications also come with high reward due to the shortage of qualified people. Do each qualification in turn with the minimum time span between each, and these kids could be on £60k within 5 years. As a comparison, at that time point in my own life, I was still in the Armed Forces and my house didn’t cost £60k.

This is a problem though. We have a horde of young professionals who are earning high salaries before they have the necessary experience to take our certified professional exams. If they pass those exams, then their salary only goes up. That in turn pushes up the daily rate for contractors who also have those professional qualifications and a further 20 years’ experience.

I’ve been contracting since the late 90s and I’ve seen this before: the first .com “boom & bust”. I fear that InfoSec is about to see the same happen again. More and more people are jumping on the bandwagon and pushing up the price of InfoSec.

I get called by agencies most days trying to place me at various UK locations with ‘interesting’ rates. London weighting has always been high, but nationally agencies are trying to get anywhere from £550 to £950 a day for Architects and Consultants.

I have a love/hate relationship with agencies. There are a few I trust, use and recommend. Then there are those who have gained my details without consent, scraping job sites and stealing CVs. They insist on calling, emailing & texting with offers of a pot of gold.

They want that 5-10% of the current inflated rates. Who cares if it isn’t my skill set, isn’t something I’m interested in, or is at the other end of the country? They have my name and I could be a pound of flesh for them to feast upon.

What is the Price of InfoSec?

This again is the problem. If they are calling me with these promises, they are also calling Keith the “Script Kiddie” and Penelope the “Social Engineer”. Bang for buck, skill and experience will diminish as a cost-effective security control. It soon won’t take many contracted days before the cost of a breach is more attractive than paying for a contractor to implement controls.

Normally in a blog piece, I would now lay out potential steps to resolving these issues.

For this blog, I don’t think I have a solution. Maybe we need to look at other industries and how they maintain their stability. Maybe we need regulation or better certification. Perhaps a governing body might work. Should we all be certified by the CESG before we are allowed to be called Consultants?


Whilst there is the shortage of qualified people in the UK, then the rates are going to go up.  Whilst the rates are up,  the industry is going to be attractive to people to make the quick buck.   At this pace a wheel isn’t only going to come flying off,  but the entire bandwagon is going to catch fire and explode.

What we need to do now is look at what a post-exploding bandwagon looks like. We need to be teaching businesses how to sift through the bandwagon ashes of Keith and Penelope.

We all need to be planning sustainable security strategies.

